Practical guide for Swiss companies

Data breaches are a constant threat to businesses. But once a leak is detected, who needs to be informed?

In Switzerland, the answer is not always obvious, and obligations vary according to the type of data concerned and the applicable regulations.

Data breaches in Switzerland: who to warn?

Is notification compulsory in Switzerland?

Unlike the European GDPR, the Swiss Data Protection Act (nLPD) imposes specific but less stringent obligations. A company must notify the Federal Data Protection and Information Commissioner (FDPIC) only if the breach entails a high risk for data subjects.

When to notify?

  • If the leak exposes sensitive information (health or financial data, etc.).
  • If those affected are at risk of identity theft or serious harm.

Who to inform first?

When a breach is detected, three main parties need to be notified, depending on the situation:

1. The FDPIC

Mandatory in cases of high risk, notification must be made without delay via the official channels of the FDPIC. The FDPIC has recently published a guide to notifying data security breaches.

2. The people involved

If the data leak exposes individuals to direct danger (identity theft, fraud, etc.), they must be informed quickly so that they can take protective measures.

3. Partners and subcontractors

If the leaked data comes from a subcontractor or impacts business partners, it’s essential to warn them so they can react.

What must the notice contain?

To be compliant, the notification must include:
✅ The nature of the breach (e.g. hacking, human error).
✅ The type of data concerned.
✅ The potential impact on individuals and the measures taken.
✅ Recommendations to victims on how to protect themselves.

Best practices for anticipating a leak

🔹 Set up an incident response plan: define a clear procedure for reacting quickly.
🔹 Train employees: raise awareness of cybersecurity risks.
🔹 Secure data: encryption, strong authentication and access management limit risks.
🔹 Monitor your systems: intrusion detection solutions can quickly identify any anomalies.

To remember…

Swiss companies need to be ready to react in the event of a data breach.

Although the law does not require systematic notification, rapid and transparent communication can prevent more serious damage, both for the victims and for the company’s image. Prevention is better than cure!

Source: ICT Journal
