Whitepaper on the NIS2 Law

Swiss Customers? Why the nFADP Becomes a Personal Liability Risk for German Managing Directors

Key Insights at a Glance:
- Personal wallet instead of company account: In the event of violations, the revFADP sanctions the acting natural person, meaning the managing director, and not the company.
- The grace period is over: The law has been in force since September 2023. In 2026, the Swiss authorities, namely the FDPIC, are taking consistent action against failures.
- Ignorance does not protect you: Anyone with Swiss customers who ignores data protection can quickly slip into “conditional intent” from a legal perspective and become criminally liable.
- GDPR is not enough: Despite many similarities, the nFADP requires specific adjustments to information obligations and contracts.
Introduction
Many German managing directors have a false sense of security: the GDPR has been implemented, a data protection officer has been appointed, and processes are documented. But anyone serving Swiss customers often overlooks a massive, potentially existential risk.
The Swiss Data Protection Act, the nFADP, has now been in force for more than two years. The initial grace periods and uncertainties are finally over in 2026. Swiss authorities are actively carrying out checks. And the law introduces a completely new dimension of liability: while the GDPR primarily fines the company as a legal entity, the nFADP focuses on the personal criminal responsibility of decision-makers.
In plain language, this means: as a managing director, you may be personally liable with your private assets in a serious case, up to an amount of 250,000 Swiss francs. And yes, this also applies if your company is based exclusively in Germany.
When does the Swiss Data Protection Act apply to your company?
Just like the GDPR, the nFADP follows the so-called market location principle. What matters is not where your company is based, but where the affected individuals are located. As soon as you process data of people who are in Switzerland, you fall within its scope.
Typical scenarios in the German SME and SaaS sector include:
- E-commerce: You operate an online shop and deliver goods to customers in Switzerland, often recognizable by prices in CHF or a .ch domain.
- B2B SaaS and cloud services: Your software solution is used by Swiss companies or their end users.
- Digital marketing: You track the behavior of website visitors from Switzerland for analytics or advertising purposes.
- HR and recruiting: You employ cross-border workers or process applications from people residing in Switzerland.
Important: The protection of the revFADP applies to all people located in Switzerland, regardless of their nationality.
Personal liability: the fundamental difference from the GDPR
In Germany and the EU, companies are used to data protection violations affecting the organization. While million-euro fines are painful for the balance sheet, they rarely directly threaten the managing director’s private bank account.
In Switzerland, things are different. The nFADP deliberately aims to discipline those responsible.
- The fine of up to CHF 250,000 affects you privately as a natural person.
- As a rule, the company is not allowed to cover this fine for you, due to recourse and assumption restrictions.
- Since this is a criminal sanction, an entry in the Swiss criminal record may be possible in the worst case.
Just as in German criminal law, there is no “corporate shield” protecting you here. Whoever makes the decisions becomes the focus of Swiss investigators.
The “intent trap”: why doing nothing is considered intentional
A common misunderstanding is based on the wording of the law: under Article 61 nFADP, only intentional conduct is punishable. Many managing directors therefore feel safe and think: “I do not want to harm anyone, so I am not acting intentionally.”
That is a dangerous misconception. Criminal law recognizes the concept of conditional intent. This applies when you consider a breach of duty possible and accept it.
If, in 2026, you know that your company serves Swiss customers or processes data from Switzerland, but you do not take any compliance measures out of convenience or cost reasons, you are accepting the legal violation. Swiss authorities may interpret this systematic disregard of the legal situation as conditional intent. The argument “We did not know” no longer carries weight after more than two years of nFADP practice.
GDPR vs. nFADP: the 3 critical differences and your to-dos
If you are already GDPR-compliant, you have completed around 80% of the work. However, the remaining 20% can decide whether personal liability arises. You urgently need to review and implement the following three differences:
1. Update information obligations, meaning the privacy policy
The nFADP requires all countries to which data is transferred to be specified, meaning third-country transfers. While the GDPR often works with more general wording here, Switzerland requires transparency.
Your task: Add a specific section for Swiss users to your privacy policy and list all recipient countries completely.
Tip: With heyData, you can create and maintain your privacy policy - including country-specific adjustments for Switzerland. Check now whether your policy is revDSG-compliant.
2. Adjust contracts, meaning data processing agreements
A standard data processing agreement under the GDPR is often not sufficient for Swiss customers or service providers. The nFADP not only uses its own terminology (for example, its own definition of “processor” under Swiss law), but Switzerland also maintains its own list of secure third countries, independently of the EU.
Your task: Add a “Swiss clause” to your data processing agreements for Swiss business relationships, explicitly including the nFADP and Swiss export rules.
3. Sharpen processes for data subject rights and data breaches
If a Swiss customer requests access to their data under Article 25 nFADP and you refuse or provide incomplete information, personal criminal liability may arise directly. The same applies to a breach of the obligation to report data breaches to the Federal Data Protection and Information Commissioner, the FDPIC.
Your task: Make sure your support and data protection teams immediately recognize and prioritize requests from Switzerland. Ignoring deadlines is not a minor issue.
Appointing a representative in Switzerland: when is it mandatory?
One often overlooked point is the obligation to appoint a representative in Switzerland under Article 14 nFADP. This applies if your company has no registered office in Switzerland but:
- processes large volumes of data from people in Switzerland,
- the processing poses a high risk to the personality of the affected individuals, for example through profiling or the processing of sensitive health and financial data, and
- the processing takes place regularly.
As a rule of thumb, standard B2C online shops rarely need a representative. However, as soon as you, as a SaaS provider, host sensitive company and user data from Switzerland or carry out intensive tracking, a Swiss representative becomes mandatory. There are now specialized providers that offer this function cost-effectively as an interface to the FDPIC.
Want to know where your company currently stands on revDSG compliance? Find out quickly and easily with heyData's digital audit. Book your free initial consultation.
Conclusion
The revised Swiss Data Protection Act is no longer a paper tiger. In 2026, the nFADP has become a real personal liability risk for German managing directors. Anyone serving the Swiss market can no longer put this topic off.
The good news is that the risk can be minimized with manageable effort. Since most German companies already have a GDPR foundation in place, targeted adjustments to the privacy policy, data processing agreements, and internal processes for access requests are usually enough to get out of the danger zone. Anyone who acts now not only protects the company from reputational damage, but above all protects themselves from significant private fines.
FAQ
Can the Swiss FDPIC actually take action against me in Germany?
Yes. Swiss penalty orders can also be enforced in Germany through international mutual legal assistance agreements. In addition, if a criminal matter in Switzerland remains unresolved, you risk serious problems and, in the worst case, arrest on your next entry into Switzerland or during your next transit flight through Swiss territory.
Does my data protection officer protect me from liability?
No. A data protection officer has an advisory and monitoring function within the company. Operational and legal responsibility for compliance with the law, including the criminal law component of the nFADP, always remains with the legal representatives, meaning the management.
Does the nFADP also apply in purely B2B business?
Yes. Although the nFADP removed the protection of legal entities, meaning companies, you inevitably process data of natural persons in B2B business: email addresses of contacts, phone numbers of buyers, or login data of employees of your Swiss customer. This means the law is fully applicable.
Do we need to build a completely separate IT infrastructure for Switzerland?
No. Switzerland recognizes the level of data protection in EU member states as adequate. You therefore do not necessarily have to host your Swiss customers’ data on Swiss servers, as long as the contractual basis and transparency in the privacy policy are correct.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.