Definition

The Swiss Federal Act on Data Protection (FADP, known in German as the Datenschutzgesetz or DSG, and in its revised form as nDSG) is Switzerland’s primary data protection statute. The fully revised FADP entered into force on September 1, 2023, replacing the original 1992 law. The revision was driven by two imperatives: maintaining Switzerland’s EU adequacy determination (essential for unimpeded cross-border data flows with the EU), and modernizing protections for the realities of cloud computing, artificial intelligence, and global data transfers.

The FADP applies to the processing of personal data of natural persons by private entities and federal bodies. Unlike GDPR, the FADP does not protect legal entities’ data (a departure from the 1992 version, which did). The revised act introduces principles of privacy by design, privacy by default, data protection impact assessments, and mandatory breach notification—aligning structurally with GDPR while retaining Swiss-specific characteristics, including criminal penalties against individuals (not just organizations) and the jurisdiction of the Federal Data Protection and Information Commissioner (FDPIC).

Why It Matters

Switzerland processes a disproportionate volume of global financial, pharmaceutical, and trade data relative to its population of 8.9 million. The country hosts approximately 25% of the world’s cross-border wealth management assets, totaling over CHF 2.4 trillion according to the Swiss Bankers Association. Zurich and Geneva rank among the world’s top five financial centers. The FADP governs data protection across this entire ecosystem.

The EU’s adequacy determination for Switzerland—last renewed in 2024 following the FADP revision—is economically critical. Without it, every data transfer between EU organizations and Swiss entities would require Standard Contractual Clauses, Binding Corporate Rules, or other supplementary safeguards. The adequacy determination enables frictionless data flows worth billions in annual commercial activity.

The revised FADP introduced criminal penalties for willful violations: fines of up to CHF 250,000 imposed on responsible individuals (not the organization), enforceable through Swiss criminal procedure. This personal liability model creates accountability that corporate fines alone may not achieve.

How It Works

The FADP operates through principles, obligations, and enforcement mechanisms:

  1. Processing principles: Processing must be lawful, proportionate, and purpose-limited. Sensitive personal data—genetic, biometric, health, religious, ethnic—requires explicit consent or a statutory basis.

  2. Privacy by design and default: Article 7 requires privacy protections from the outset and privacy-protective default settings—echoing GDPR Article 25.

  3. Data protection impact assessments: High-risk processing requires a DPIA prior to deployment. Residual high risks require FDPIC consultation.

  4. Cross-border transfers: Data may only leave Switzerland if the receiving country provides adequate protection or appropriate safeguards are in place.

  5. Breach notification: Controllers must notify the FDPIC “as soon as possible” of high-risk breaches—marginally more flexible than GDPR’s 72-hour deadline.

  6. Enforcement: The FDPIC has investigatory powers. Criminal enforcement is handled by cantonal prosecution authorities.

Stealth Cloud Relevance

Stealth Cloud is domiciled as a Swiss Verein in Zug, placing it directly under FADP jurisdiction. This is a deliberate choice. Swiss data protection law offers three structural advantages for a privacy-first platform: equivalence with GDPR (enabling EU adequacy), criminal accountability for individuals (not just corporate fines), and a legal tradition that treats privacy as a constitutional right (Article 13 of the Swiss Federal Constitution).

The FADP’s requirements for privacy by design and data protection by default are not compliance burdens for Stealth Cloud—they are descriptions of its architecture. PII stripping at the client enforces data minimization. Zero-persistence architecture eliminates storage limitation concerns. Cryptographic shredding makes breach notification largely moot: if no personal data persists, a breach cannot expose personal data.

Stealth Cloud’s Swiss domicile also provides jurisdictional clarity. Swiss law applies. The FDPIC has oversight. Data processing occurs on Cloudflare’s edge network under zero-knowledge principles. The legal framework is defined, the technical architecture is provable, and the alignment between the two is architectural—not aspirational.

The Stealth Cloud Perspective

Switzerland built its data protection law on the principle that privacy is a constitutional right, not a regulatory concession. Stealth Cloud chose Swiss domicile because the FADP codifies the same conviction that drives its architecture: privacy is not a feature to be toggled—it is a condition to be engineered into every layer of the system.