The Federal Act of 25 September 2020 on Data Protection (Data Protection Act, hereinafter "FADP") and the Ordinance to the Federal Act on Data Protection of 31 August 2022 ("FDPO") are the key statutory codes governing privacy in Switzerland. In addition, every Swiss canton has its own data protection statutes with respect to data processing by cantonal public authorities. Since Switzerland is not a member of the EU, it does not have to comply with the EU General Data Protection Regulation or any other directives applicable in this field.

The FADP applies to data processing by private persons and federal public authorities. This guide is limited to the processing through private persons such as companies.

Federal Supreme Court Cases:
-    Google Street View: 138 II 346: decision regarding the scope of application of the FADP and anonymization of persons and distinctives signs (such as for example car number plate). The court found that Swiss law is applicable and requested Google to take necessary measures to anonymize before publication on the internet.
-    Logistep: 136 II 508: This decision recognised that IP addresses are personal data.

Federal Administrative Court:
-    Helsana: decision A3548/2018: It is prohibited to collect data from basic insurance for use in supplementary bonus insurance.
-    Money House: decision A-4232/2015: The economic intelligence company  Mon-eyhouse establishes personality profiles and must obtain the express consent of data subjects and provide information on processing.

personal data: any information relating to an identified or identifiable natural person. (art. 5 lit. a FADP)
sensitive personal data:
1. data on religious, philosophical, political or trade union-related views or activities,
2. data on health, the private sphere or the racial or ethnic origin,
3. genetic data,
4. biometric data which unequivocally identifies a natural person,
5. data on administrative or criminal proceedings and sanctions,
6. data on social assistance measures; (art. 5 lit. c FADP)

The following key principles are applicable (art. 6 FADP):
1.Personal data must be processed lawfully.
2. Processing must be carried out in good faith and must be proportionate.
3. Personal data may only be collected for a specific purpose which is evident to the data subject; personal data may only be processed in a way that is compatible with such purpose.
4. Personal data is destroyed or anonymized as soon as it is no longer needed with regard to the purpose of the processing.
5. Anyone who processes personal data must ascertain that the data is accurate. 

The FADP applies to private persons and federal bodies. As to the territorial scope of application, the FADP applies to all circumstances that have an effect in Switzerland (even if initiated abroad). The FADP, thus, also have an extraterritorial scope of application. Federal bodies are federal authorities and services as well as persons who are entrusted with federal public tasks (art. 5 lit. I FADP).

Processing is any operation with personal data, irrespective of the means and the procedures applied, and in particular the collection, recording, storage, use, modification, disclosure, archiving, deletion or destruction of data (art. 5 lit. d FADP).

 The processing of personal data must comply with the general principles of data processing. Special rules apply for the processing of personal data by federal bodies. 

The general principles of data processing are: 
- Lawful basis for processing: personal data may only be processed lawfully (art. 6 para. 1 FADP); 
- Proportionality: data processing must be carried out in good faith and must be proportionate (art. 6 para. 2 FADP); 
- The correctness of data: reasonable measures must taken to ensure that the collected data is correct (art. 6 para. 5 FADP); 
- Purpose limitation: personal data may only be processed for the purpose indicated at the time of collection, that is evident to the data subject, or that is provided for by law (art. 6 para. 3 FADP); and 
- Transparency: the collection of personal data and in particular the purpose of its processing must be evident to the data subject (art. 6 para. 3). The controller informs the data subject appropriately about the collection of personal data; such duty of information also applies when data is not collected from the data subject (art. 19 FADP). The controller informs the data subject of a decision which is taken exclusively on the basis of an automated processing, and which has legal effects on the data subject or affects him significantly (automated individual decision-making, art. 21 FADP).
- security: The controller and the processor must ensure, through adequate technical and organizational measures, security of the personal data that appropriately addresses the risk (art. 8 FADP).
 
Data processing by federal bodies is subject to additional requirements. Such processing requires, in addition to the general principles stated above, a statutory basis. The federal body has to notify the data subject of the processing of personal data. 

The processing of personal data is subject to the general principles of data processing (cf. question 5). Special rules apply to the collection of personal data, disclosure of personal data as well as the processing of personal data for research, planning, and statistics by federal bodies. 

Note: In addition, the personality rights of the data subject must be respected. These include i.e. the prohibition to process data pertaining to a person against that person's explicit wish without any justification and the prohibition to disclose sensitive personal data to third parties without justification (art. 31  FADP). 
A violation of personality rights exists in particular if:
a. personal data is processed in contravention with the principles set forth in Articles 6 and 8;
b. personal data is processed against the data subject’s express declaration of intent;
c. sensitive personal data is disclosed to third parties without consent by the data subject.

Storage, security, and retention of personal data must comply with the general principles of data processing (cf. question 5). In addition, the FDPO describes in more detail the technical and organizational measures that must be taken regarding storage, security, and retention of personal data both for private persons processing data (art. 1 et seqq. FDPO) and for federal bodies (art. 6 et seqq. FDPO). Such measures include specific protections for the systems against i.a. destruction, loss, and unauthorized alteration.

The controller shall notify the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible of a data security breach that is probable to result in a high risk to the personality rights or the fundamental rights of the data subject (art. 24 FADP).

Data subjects have the right to request information and correction from the controller of a data file.
Note: Any person may request information from the controller of a data file as to whether data concerning them is being processed as such (art. 25 para. 1-2 FADP). Restrictions are only possible if there is a statutory provision for such restrictions or if such restrictions are required to protect the overriding interests of third parties or the request for information is manifestly unfounded in particular if it pursues a purpose that is contrary to data protection or is obviously of a frivolous nature (art. 26 para. 1 FADP). 
Any data subject may request from the controller of a data file at any time that incorrect data be corrected (art. 6 para. 5 FADP).

If the consent of the data subject is required, such consent is only valid if it has been given freely and for one or several specific processing activities and after adequate information.
Consent must be given explicitly for:
a. the processing of sensitive personal data;
b. high-risk profiling by a private person; or
c. profiling by a federal body.
(art. 6 para. 6 and 7 FADP)

Under the FDPA, the FDPIC does not issue any authorization.

Yes. Under the FDPA, personal data may be transferred abroad if the destination country provides an adequate level of data protection or if appropriate safeguards/exceptions are in place. The Swiss Federal Council maintains a list of countries deemed adequate (published as Annex 1 to the FDPO), which includes all EU/EEA countries and the UK and, under certain conditions further specified below, the US (note: this list is not identical to the EU’s adequacy list). If a country is not adequate, the FADP prohibits transfers unless the controller implements legally approved safeguards or meets an exception (Art. 16–17 FADP). Acceptable safeguards include standard data protection clauses (similar to the EU’s SCCs) approved or recognized by the FDPIC, bespoke contractual clauses ensuring adequate protection, or binding corporate rules for intra-group transfers. When using contractual data protection provisions, such clauses must be communicated before their first use to the FDPIC. For binding corporate rules, they must be approved by the FDPIC, or by a foreign authority which is responsible for data protection and belongs to a state which guarantees adequate protection.

The law’s exceptions allow transfers with explicit consent of the data subject, when necessary for a contract with or in the interest of the data subject, for establishment/exercise/enforcement of legal claims or safeguard an overriding public interests, to protect life or physical integrity (if consent cannot be obtained in time), if the data subject has made the data public and has not expressly prohibited its processing, or if the data comes from a public register. In all cases, the controller must ensure the transfer does not seriously endanger the personality rights of the individuals. Notably, even remote access to data in Switzerland from abroad counts as an overseas disclosure under Swiss law. Upon request, the FDPIC must inform about some specific disclosures.

According to the new Swiss–US Data Privacy Framework, Switzerland recognizes certified US organizations under this framework as providing adequate protection, so transfers to those US companies are permitted without additional safeguards. Controllers should also consult FDPIC guidance on cross-border transfers and ensure any required notifications to the FDPIC (e.g. use of non-standard clauses or novel safeguards) are made in advance as required by law.

Swiss law primarily uses the term “breach of data security” (often simply “data breach”). Art. 5 lit. h FADP defines a “breach of data security” as a security breach which leads to an unintentional or unlawful loss, deletion, destruction or modification or unauthorized disclosure of personal data. In other words, any incident where personal data is compromised – whether through theft, hacking, inadvertent exposure, alteration, or loss – qualifies as a data breach under this definition. The law itself does not explicitly define a broader category of “incidents,” but in practice a security incident would refer to any event that could jeopardize data security. 

Yes. the controller shall notify the FDPIC as soon as possible of a data security breach that is probable to result in a high risk to the personality rights or the fundamental rights of the data subject. Thus, only those incidents that are probable to result in a high risk to the personality rights or the fundamental rights of the data subject must be notified to the FDPIC (art. 24 FADP).
There is no fixed 72-hour deadline as under the GDPR; however, notification is required "as soon as possible". Notifications can be submitted through the FDPIC’s online breach reporting portal. The content of the notification should include a description of the breach, its consequences, and measures taken (art. 15 FDPO specifies the details to provide). If a breach does not pose likely high risk, there is no obligation to notify the FDPIC (though voluntary notification is possible).
The controller must inform affected data subjects of a breach if it is necessary for their protection or if the FDPIC orders the controller to do so (art. 24 para. 4 FADP). In practice, this means that if individuals may need to take action to protect themselves (e.g. reset passwords, cancel credit cards) or if knowing about the breach is in their interest, they should be notified. This obligation to inform data subjects exists even if the breach is not deemed “high risk”.

The Federal Data Protection and Information Commissioner is the privacy regulator in Switzerland. 
The FDPIC is an independent federal authority responsible for supervising and enforcing the FADP with respect to private-sector entities and federal public bodies. The FDPIC’s duties include monitoring compliance, conducting investigations into suspected violations, issuing administrative measures if data protection provisions are breached (e.g. it can order a company to stop processing certain data or to implement specific safeguards or binding orders to correct unlawful practices), and advising on data protection issues. However, the FDPIC does not directly issue fines – enforcement of penalties (which are criminal fines) is handled by the courts/prosecutors upon referral.

A data breach in Switzerland can lead to several legal and regulatory consequences:
•    Regulatory Investigation and Remedial Orders: The FDPIC may open an investigation into the breach, especially if it appears laws were violated (e.g. inadequate security measures or failure to notify as required). The FDPIC has authority to issue administrative measures – for example, ordering the controller to remedy deficiencies, cease certain processing activities, or comply with specific directives. In extreme cases, the FDPIC can even temporarily or permanently ban a transfer of data abroad or require data deletion to protect individuals’ rights.
•    Notification Obligations: As discussed above, the controller may have to notify the FDPIC and/or affected individuals of the breach. Failing to fulfill these notification duties can prompt the FDPIC to issue an order compelling compliance.
•    Administrative Fines/Sanctions: The FADP provides for criminal sanctions (fines) up to CHF 250,000 for certain willful violations of the law. These penalties, unlike GDPR, are directed at responsible individuals within the organization (such as executives) rather than the company as an entity. For example, if a breach occurred because the company willfully failed to implement minimum data security measures, or if a person willfully provided false information to data subjects or the authority, or ignored an FDPIC binding order, that responsible person can be fined. Similarly, willful non-compliance with cross-border transfer rules or outsourcing requirements are sanctionable offenses. That said, inadvertent breaches or mistakes (negligence) are not criminally punished under the FADP.
•    Civil Liability: Data subjects whose privacy is harmed by a breach can pursue civil remedies. Under the Swiss Civil Code, an individual may file a claim for damages and moral harm (compensation) and seek injunctions or other relief for personal injury caused by unlawful data processing. For instance, if a person suffers financial loss or emotional harm due to a company’s data breach, they could sue for compensation. Swiss law (Art. 28 Swiss Civil Code and Art. 32 FADP) also allows individuals to demand cessation of privacy-infringing processing and deletion of personal data, which could be invoked in breach scenarios.

In the case of contractual relationships between the parties, civil claims based on the agreement and claims for breach of contract are available. 

Electronic direct marketing (emails, SMS, automated calls, fax, etc.) in Switzerland is primarily regulated by the Federal Act Against Unfair Competition (UCA), rather than the FADP. The UCA sets rules to prevent spam and intrusive marketing practices, with a focus on opt-in consent for unsolicited communications.
•    Email/SMS Marketing – Opt-In Rule: Sending unsolicited mass advertising via electronic means (for example, marketing emails, text messages or similar automated messaging) generally requires prior consent of the recipient under the UCA. In other words, Switzerland follows an “opt-in” regime for electronic marketing: the default is that you cannot send bulk commercial messages to someone who has not agreed to receive them. The UCA does recognize a limited exception for existing customer relationships: if a business obtained a customer’s contact details in the context of a sale or contract, and provided that customer a clear opt-out opportunity at the time of data collection, the business may send that customer marketing about similar products or services even without explicit consent. 
•    Information and Opt-Out in Messages: Every marketing email or SMS must identify the sender and provide an easy, free means to opt out of future messages. Typically, this means including the sender’s valid name and contact address and an “unsubscribe” link or instructions. Concealing the sender or making opt-out difficult would violate the UCA.
•    Business-to-Business (B2B) vs B2C: Notably, these rules apply to both consumer and business recipients. Swiss law does not distinguish between B2C and B2B for mass communications – sending unsolicited ads to company email addresses or fax machines is also covered by the opt-in requirement. All recipients (individual or corporate) are protected from unwanted spam.
•    Telemarketing Calls: Telemarketing by telephone is permitted in Switzerland in principle, but I i’s subject to specific restrictions to prevent abuse. First, callers must respect the “Do-Not-Call” indications in the public phone directory. Calling such a number for marketing is considered an unfair practice (illegal). Also, telemarketers are required to display a valid caller ID number that is registered (no hidden or spoofed numbers). If a person’s number is unlisted (not in the directory at all), that is treated as if they opted out, so unsolicited calls to unlisted numbers are forbidden by the UCA. Marketing calls should also cease if the called party objects. 

Yes. In addition to the general FADP, certain industries in Switzerland are governed by sector-specific privacy or confidentiality laws that impose additional requirements:
•    Healthcare and Medical Data: Swiss law (federal and cantonal) contains special provisions for medical and health data. For example, the Human Research Act governs personal data in research involving human subjects (requiring consent or ethics approval for certain data uses). 
•    Financial Sector (Banking/Insurance): Swiss financial institutions are subject to bank-client and other professional secrecy laws (with respect to banks often referred to as Swiss banking secrecy). The Swiss Banking Act (Arts. 47 ff.) mandates that banks must keep client financial information confidential, with violations potentially resulting in criminal penalties. Similarly, securities dealers, insurance companies, and other financial institutions have confidentiality obligations in their sector-specific regulations. These laws mean that even if the FADP would permit certain processing, a bank might be prohibited from sharing personal data without client consent due to banking secrecy. 
•    Telecommunications and ICT: Telecommunications operators are governed by the Federal Telecommunications Act (TCA), which includes privacy-related provisions. Operators must ensure the confidentiality of communications (protecting the content of phone calls, emails, etc., as well as metadata) and abide by specific data retention and lawful interception laws. The TCA also regulates the use of cookies and similar technologies for internet services (requiring user information and opt-out ability). Telecom and internet service providers thus have duties both under the FADP and their sector law to secure user data and maintain secrecy of communications.
•    Employment Data: While there is no separate “employment privacy act,” the Swiss Code of Obligations and labor law principles limit how employers can handle employee personal data. Employers may only process employee data if it concerns the employee’s suitability for the job or is necessary for performance of the employment contract (Art. 328b CO). Monitoring of employees (emails, internet usage, CCTV in workplace) is tightly regulated by data protection principles and public labor law (it must be proportional and transparent). Certain industries (e.g. federal government jobs) have additional rules for personnel data.
•    Professional Secrecy: Many professions have confidentiality obligations by law, which indirectly create privacy requirements. Attorneys in Switzerland must keep client information secret (Attorney-Client privilege, in cantonal laws and the Federal Lawyer’s Act); doctors and healthcare providers have medical secrecy obligations (Swiss Criminal Code art. 321 punishes breach of professional secrecy). 
•    Other Sectors: There are various other laws with privacy provisions: e.g., the Federal Statistics Act for personal data in official statistics, the Federal Human Genetic Testing Act for genetic data, the Police and Intelligence Service laws for handling of personal data by authorities, etc. Companies in regulated sectors like telecommunications, postal services, healthcare, finance, education, and transport should be aware of any special data handling rules in their governing laws.
Importantly, these sector-specific requirements apply in addition to the FADP. Compliance with the FADP is necessary but may not be sufficient if a sector law sets a higher standard. 

Under the FADP, the appointment of a Data Protection Officer (DPO) – in German called a data protection adviser (Datenschutzberater) – is optional for private-sector companies. There is no general mandatory DPO requirement like under the EU GDPR. Private controllers may voluntarily designate a DPO and may then benefit from certain exemptions (e.g. for certain high-risk situations where a DPO can substitute for consulting the FDPIC). 

If a private company chooses to appoint a DPO, the FADP sets standards for this role (Art. 10 FADP and 23 FDPO). The DPO should have the necessary expertise in data protection and an independent advisory function. This means the DPO must operate free of conflicts of interest and should not receive instructions from the company on how to carry out their DPO tasks. The DPO’s core responsibilities include supporting and monitoring compliance: advising the controller and its employees on data protection obligations, training staff, providing input on DPIAs, and serving as a contact point for data subjects and the FDPIC. To fulfill these duties, the organization must empower the DPO with sufficient resources and access to information (e.g. access to processing systems and decision-makers). The DPO’s contact details must be published and notified to the FDPIC if the DPO is meant to be an official point of contact.

The revised FADP introduced record-keeping requirements similar to the GDPR’s. According to article 12 FADP, data controllers must maintain an internal record of their data processing activities (often called a ROPA – Record of Processing Activities) in writing or electronic form. This record should contain key information such as: the identity of the controller, the purposes of processing, a description of the categories of data subjects and the categories of the processed personal data; the categories of the recipients; if possible the period of storage of the personal data or the criteria to determine the period of storage; if possible a general description of the measures to guarantee data security pursuant to Article 8; in case of disclosure of data abroad, the name of the state in question and the guarantees according to Article 16 paragraph 2 FADP.
Processors (private person that processes personal data on behalf of the controller) also must keep records, albeit a simpler version focusing on the categories of processing carried out for each controller, and a description of security measures and transfer details.
There is an exemption for small businesses: controllers with fewer than 250 employees, as well as individual (natural person) controllers, are not required to maintain a ROPA unless their processing falls into higher-risk categories (art. 24 FDPO). Specifically, even a small organization must keep records if (a) it is processing sensitive personal data on a large scale, or (b) it is engaging in high-risk profiling. 
Beyond the ROPA, the FADP and its ordinance impose other documentation obligations as part of accountability. Controllers must document Data Protection Impact Assessments (DPIAs) when they are carried out – including the rationale for the DPIA, the methodology, results, and any measures taken (and if consultation with FDPIC was required) for at least two years after the end of data processing. Data breaches that must be notified to the FDPIC must also be documented and the documentation shall be retained from the time of the report for a minimum of two years. The FDPIC can request to see such documentation if investigating an incident. 

The FADP introduces an obligation for controllers to perform Data Protection Impact Assessments (DPIAs) in certain situations. A DPIA is required whenever a planned data processing activity could result in a high risk to the personality or fundamental rights of data subjects (art. 22 FADP). In essence, if you intend to undertake processing that is potentially very invasive or sensitive – especially involving new technologies or methods – you must first evaluate its risks and design appropriate measures via a DPIA (Art. 22 FADP).
The law and FDPIC guidance highlight a few scenarios per se likely to trigger a DPIA: for example, processing sensitive personal data on a large scale (e.g. large medical databases, extensive biometric profiling) or systematic monitoring of publicly accessible areas (e.g. deploying a network of CCTV cameras in public spaces or tracking individuals’ movements). More generally, any processing using new technology or combining datasets in a way that significantly impacts individuals’ privacy should be screened for DPIA necessity. The FDPIC has not published an exhaustive list, but the rule of thumb is to err on the side of conducting a DPIA for high-risk projects.
What a DPIA entails: The controller must assess the nature, scope, context, extend, and purposes of the processing and identify potential risks to individuals’ rights. Then, the DPIA should evaluate the controls or safeguards to mitigate those risks. The output is a documented report identifying residual risk level. The FDPO provides some details on DPIA content (similar to GDPR, including systematic description of processing, necessity/proportionality assessment, risk analysis, and measures planned).
Consultation: If a DPIA shows that despite planned safeguards, the processing still poses a high residual risk to individuals, the controller must consult the FDPIC before commencing the processing (art. 23 FDPA).

When sharing personal data with third parties – whether outsourcing to a service provider (processor) or disclosing data to another controller – Swiss law imposes certain obligations to ensure ongoing protection of the data.
Engaging Processors (Vendor Management): If a controller uses a third-party company (vendor) to process personal data on its behalf (e.g., cloud IT provider), the FADP requires that:
a. the data is processed only in a manner permitted for the controller itself; and b. no statutory or contractual duty of confidentiality prohibits the assignment. The controller must ensure in particular that the processor is able to guarantee data security, and the processor may only assign the processing to a third party with the prior authorisation of the controller (art. 9 FADP).
Swiss law does not require the contract to be in a specific form (written form is recommended for evidence). The FDPIC’s guidance on outsourcing (outsourcing factsheet) emphasizes that controllers remain responsible for compliance even after transferring data to a vendor. This means due diligence in selecting processors is important, and controllers should choose vendors that provide sufficient guarantees of data protection. In case of outsourcing abroad, the provision regarding cross border disclosure of personal data must be complied with. 

There are two categories of criminal provisions:
-    Breach of obligations to provide access and information or to cooperate:
On complaint, private persons are liable to a fine of up to 250,000 Swiss Francs if they:
a. breach their obligations under Articles 19 (duty of information when collecting personal data), 21 (duty of information in the case of an automated individual decision) and 25 – 27 (provision re access right) by willfully providing false or incomplete information;
b. willfully fail:
1. to inform the data subject pursuant to Articles 19 paragraph 1 (duty of information when collecting personal data) and 21 paragraph 1(duty of information in the case of an automated individual decision); or
2. to provide the data subject with the information required under Article 19 paragraph 2 (duty of information when collecting personal data).
In addition, private persons are liable to a fine of up to 250,000 Swiss Francs if, in violation of Article 49 paragraph 3, they willfully provide false information to the FDPIC in the context of an investigation or willfully refuse to cooperate.
-    Violation of duties of diligence
On complaint, private persons are liable to a fine of up to 250,000 Swiss Francs if they willfully:
a. disclose personal data abroad in violation of Article 16 paragraphs 1 and 2 and without the conditions set forth in Article 17 being met;
b. assign the data processing to a processor without the conditions set forth in Article 9 paragraphs 1 and 2 being met;
c. fail to comply with the minimum data security requirements which the Federal Council has issued under Article 8 paragraph 3.
Other violations of the FADP cannot be fined, in particular,
non-compliance with the general data processing principles are not subject to criminal
sanctions nor is the failure to notify the FDPIC about data security breaches. 
The aspect that Swiss law fines individuals accountable for non-compliance with certain data protection provisions makes an essential difference to the GDPR, which imposes sanctions on undertakings. Under Swiss law, however, the individual (in an undertaking) who infringed the data protection provisions punishable by fine, i.e., the individual who actually committed the violation (cf. Federal Act on Administrative Criminal Law (ACLA)), is to be held criminally liable. That individual does not necessarily need to hold a managing position. Thus, any employee managing relevant data processing activities who willfully decides to violate the FADP, for example, by transferring data to an inadequate country, without safeguard guarantees, may be subject to criminal prosecution. Whether the violation has been committed by the individual itself or by giving another individual under its purview a corresponding instruction is not relevant. On the contrary, those who merely follow instructions or otherwise contribute to the violation in a subordinate role, cannot be fined under the FADP.
Violations of the FADP subject to criminal sanctions may only be prosecuted upon criminal complaint rather than ex officio. Any person who suffers harm due to the infringement of the criminal provisions, i.e., the data subject, is entitled to request that the person responsible for such infringement be prosecuted. It must do so within three months as of the day that the person entitled to file a complaint discovers both the violation and the identity of the suspect. Only contraventions in proceedings before the FDPIC are prosecuted ex officio.
The FDPIC is not entitled to file a complaint but might report an offence to the competent cantonal law enforcement authorities and exercise the rights of a private claimant in the criminal proceedings. These authorities, and not the FDPIC, are responsible for enforcing the criminal provisions.
The FDPIC can investigate breaches of data protection regulations, notably through administrative measures: the FDPIC may order that the processing is fully or partially adjusted, suspended or terminated and that the personal data is fully or partially deleted or destroyed. He may defer or prohibit disclosure abroad if it violates the requirements under the FDPA or specific provisions on the disclosure of personal data abroad in other Federal Acts. If during the investigation the federal body or the private person has taken the necessary measures to restore compliance with the data protection regulations, the FDPIC may limit himself to issuing a warning. 

Data controller must maintain technical and organizational measures, keep processing records (unless the exemption for small and medium sized companies applies), and update privacy documentation. Periodic internal audits are recommended though not explicitly mandated. Training and regular reviews of notices, consent mechanisms, and vendor agreements are expected under the accountability principle.

The revised FADP only came into force in September 2023. Authorities, data controllers and data subjects must first gain practical experience with the new law and pertinent case law must develop.