Everything your website must comply with in 2026: revised Federal Act on Data Protection (FADP/nLPD), cookies, processing register. SME compliance checklist, FDPIC sanctions, concrete examples.
The revised Swiss Federal Act on Data Protection (FADP, locally nLPD) entered into force on 1 September 2023. Many Swiss SMEs thought it was lightweight GDPR and that they had time. In 2026, that's no longer true. The Federal Data Protection and Information Commissioner (FDPIC, locally PFPDT) has multiplied audits since late 2024, and the first sanctions are landing.
CHF 250,000
Maximum fine under the FADP for responsible individuals in case of intentional violation
Federal Act on Data Protection, art. 60 ff
Important note: the FADP sanctions individuals, not companies. The director or person responsible for processing can be personally fined. This is a Swiss particularity that changes the perception of risk for SMEs.
This article reviews what your website must absolutely comply with in 2026, without unnecessary legal jargon. It's an operational guide, not a law course.
If you already process European citizens' data, you may already be GDPR-compliant. Good news: 80% of obligations overlap. But a few notable differences exist.
| Criterion | FADP (Switzerland) | GDPR (EU) |
|---|---|---|
| Scope | Sites processing Swiss data | Sites processing EU data |
| Liability | Individual (director) | Company |
| Max fine | CHF 250,000 (individual) | EUR 20M or 4% revenue |
| Data Protection Officer | Recommended advisor, not mandatory | DPO mandatory in some cases |
| Processing register | Mandatory at 250+ employees or high risk | Mandatory (with exceptions) |
| Breach notification | To FDPIC as soon as possible | Within 72h to authority |
| Cookie consent | Implicit opt-in model, still to be clarified | Explicit opt-in mandatory |
Special case: if you reach the EU
If your site also targets European customers (almost always the case for a Swiss SME), GDPR applies in addition to FADP. The stricter of the two regimes prevails. In practice, aiming for GDPR compliance also makes you FADP-compliant.
Here is what your site must imperatively have in 2026 to comply with the FADP. None of these points are optional.
Clear and accessible privacy policy
A permanent footer link to a page explaining what data you collect, why, how long you keep it, and with whom you share it. No jargon. A Swiss SME should be able to write it in one page.
Information at collection
Each form (contact, newsletter, quote) must clearly state the purpose of collection and link to the privacy policy. No checkbox needed in most cases, but the information must be visible.
Compliant cookie consent banner
Accept button AND Reject button of equal size and visibility. No pre-ticked boxes. Non-essential cookies (analytics, marketing) must only fire after explicit acceptance.
Right of access and rectification
Anyone can ask what data you hold about them, and request correction or deletion. You have 30 days to respond. Set up a dedicated email address (for example [email protected]) and an internal process.
Data security (SSL, hosting)
HTTPS mandatory (valid SSL certificate). If you host outside Switzerland/EU, verify that the country offers equivalent protection or set up standard contractual clauses.
Breach notification to FDPIC
In case of a data breach (hacking, accidental leak), you must notify the FDPIC as soon as possible. Prepare an incident response plan in advance; this is not the moment to improvise.
Processing activities register
Mandatory if you have 250+ employees, OR if your processing presents a high risk (sensitive data, profiling). For most Swiss SMEs, it's not mandatory, but strongly recommended to demonstrate compliance in case of an audit.
The FDPIC has two main powers: investigating on its own initiative or following a complaint, and issuing injunctions. Financial sanctions, however, are pronounced by cantonal criminal courts.
+340%
increase in complaints to the FDPIC between 2023 and 2025, since the FADP entered into force
FDPIC Activity Report 2024
In practice for an SME, the immediate risk isn't the fine, but the cost of forced compliance and reputational damage. A public FDPIC file on your company is very hard to erase.
| Type of infraction | Foreseen sanction | Liable party |
|---|---|---|
| Insufficient information at collection | Up to CHF 250,000 | individual |
| Violation of duty of care | Up to CHF 250,000 | individual |
| Breach of confidentiality | Up to CHF 250,000 | individual |
| Non-compliance with FDPIC decision | Up to CHF 250,000 | individual |
Some situations deserve specific attention as they concentrate risks for Swiss SMEs.
Google Analytics, Meta Pixel, Hotjar
These tools transfer personal data (IP addresses) outside Switzerland. This requires standard contractual clauses and clear information in the privacy policy. Privacy-respecting alternatives: Plausible, Matomo, Microsoft Clarity (with adapted configuration).
Hosting outside Switzerland/EU
If your site is hosted in the United States (Vercel, Netlify, AWS), verify that the provider certifies the DPF (Data Privacy Framework) and specify the data location in your privacy policy.
Contact forms and email marketing
Double opt-in has become a de facto standard for newsletters. For contact forms, retain data only as long as necessary and specify this duration in your policy.
YouTube videos and third-party embeds
An embedded YouTube video sets a Google cookie before any consent. Solution: use YouTube's privacy-enhanced mode (youtube-nocookie.com) or only display the video after cookie acceptance.
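As an added example (not the agency's code or anything from the original page), here is the gating logic the cookie-banner item and the YouTube item above describe: nothing non-essential loads before an explicit accept, an unanswered banner counts as a reject, both choices are stored so they can be revisited, and embeds are rewritten to youtube-nocookie.com. The tag list, element ids and storage key are constructed assumptions.

```javascript
// Added example, not the agency's code. Pure functions first (testable without
// a browser); the DOM wiring at the bottom and its element ids are assumptions.
const CATEGORIES = ['analytics', 'marketing'];
// No pre-ticked boxes: every non-essential category starts as false.
function defaultConsent() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}
// Constructed sample tag list; 'essential' needs no consent.
const RESOURCES = [
  { id: 'session', category: 'essential', src: '/app.js' },
  { id: 'ga4', category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js' },
  { id: 'meta-pixel', category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js' },
];
// Ids of resources allowed to load. `consent` may be null (banner not yet
// answered), which is treated exactly like a rejection.
function allowedResources(consent, resources = RESOURCES) {
  const c = consent || defaultConsent();
  return resources
    .filter((r) => r.category === 'essential' || c[r.category] === true)
    .map((r) => r.id);
}
// Both buttons produce the same record shape, so "reject" is a stored decision
// the visitor can revisit later, not a missing value.
function recordChoice(accepted) {
  const c = defaultConsent();
  if (accepted) CATEGORIES.forEach((k) => { c[k] = true; });
  return { ...c, decidedAt: Date.now() };
}
// Rewrite a YouTube embed to the privacy-enhanced host so no Google cookie is
// set before consent; other URLs are returned unchanged.
function privacyEnhancedEmbed(url) {
  return url.replace(/^https:\/\/(www\.)?youtube\.com\/embed\//, 'https://www.youtube-nocookie.com/embed/');
}
if (typeof document !== 'undefined') {
  const KEY = 'consent'; // assumed localStorage key
  const apply = () => {
    const ok = new Set(allowedResources(JSON.parse(localStorage.getItem(KEY) || 'null')));
    // Inject only permitted tags, once each; iframes keep their URL in data-src.
    RESOURCES.filter((r) => ok.has(r.id) && !document.getElementById(`tag-${r.id}`))
      .forEach((r) => { const s = document.createElement('script'); s.id = `tag-${r.id}`; s.src = r.src; document.head.appendChild(s); });
    document.querySelectorAll('iframe[data-src]').forEach((f) => { f.src = privacyEnhancedEmbed(f.dataset.src); });
  };
  const decide = (ok) => { localStorage.setItem(KEY, JSON.stringify(recordChoice(ok))); apply(); };
  document.getElementById('consent-accept')?.addEventListener('click', () => decide(true));
  document.getElementById('consent-reject')?.addEventListener('click', () => decide(false));
  document.getElementById('consent-revisit')?.addEventListener('click', () => localStorage.removeItem(KEY));
  apply();
}
```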
Before panicking, run this quick audit. If you check fewer than 9 boxes out of 12, your site presents a real non-compliance risk.
Express FADP compliance audit
Cost of compliance
For a Swiss SME with a standard site, expect CHF 1,500 to CHF 4,000 for full compliance (audit, consent banner overhaul, policy drafting, register, internal process). That's 50 times less than a fine.
Yes, with no threshold. The FADP applies to any Swiss company that processes personal data, regardless of size. A one-person SME with a simple contact form is concerned. Obligations are lighter (no mandatory register below 250 employees), but the basic principles apply.
If your site only targets Swiss residents, only the FADP applies. If you reach European customers (almost always the case), GDPR also applies. In practice, aiming for GDPR compliance also makes you FADP-compliant since GDPR is stricter.
Check these 4 points: 1) Visible Reject button of equal size to Accept. 2) No pre-ticked boxes. 3) Non-essential cookies loaded only after acceptance. 4) Ability to revisit choices. If even one of these points is missing, your banner isn't compliant.
Not mandatory in Switzerland for most SMEs. The FADP refers to a data protection advisor, recommended but not mandatory (except in special cases: authorities, large-scale processing of sensitive data). For standard Swiss SMEs, designating an internal contact is enough.
Yes, but with precautions. You must: inform in the privacy policy, only load Analytics after cookie consent, configure IP pseudonymisation, sign Google's standard contractual clauses. Simple alternative: Plausible (Swiss, cookieless, compliant by default).
1) Assess the risk for the affected individuals. 2) Notify the FDPIC as soon as possible (online form available). 3) Inform the affected individuals if the risk is high. 4) Document the incident and the measures taken. Prepare this process before an incident occurs: it's too late to improvise on the day.
For a standard Swiss SME site: CHF 1,500 to CHF 4,000 depending on complexity (audit, consent banner, policy drafting, register, internal training). For more complex structures (e-commerce, multi-site, sensitive data processing): CHF 5,000 to CHF 15,000. Always far cheaper than an FDPIC procedure.
All sites we design are FADP and GDPR compliant by default. Consent banner with Accept/Reject, non-essential cookies loaded conditionally, security headers (HSTS, CSP, COOP), custom privacy policy, Vercel hosting with European location.
For SMEs that already have a site and want to bring it into compliance, we offer a targeted audit. In a few hours of work, you know exactly what's wrong and how much fixing it will cost.
Compliance audit of your site
Full FADP audit of your site with an actionable report. You know exactly where you stand and what's left to do.