Skip to content

More proceedings, greater transparency, stronger enforcement: the 32nd Annual Report of the Federal Data Protection and Information Commissioner (FDPIC) clearly shows that data protection has become increasingly important in Switzerland. Companies must prepare for stricter supervision and more rigorous enforcement of the law.

One year after the new DSG came into force: an initial review

With the publication of its 32nd Annual Report, the Federal Data Protection and Information Commissioner (FDPIC) gives an account of a reporting year characterised by far-reaching changes. The report covers the period from 1 April 2024 to 31 March 2025. The focus is on the revised Data Protection Act (revDPA), the entry into force of which has not only set new formal standards but has also, in practice, triggered a significantly more active supervisory role.

Enhanced supervisory role: from advisor to regulator

For the first time, the FDPIC was able to make full use of its powers, which had been expanded under the revDSG (Art. 49 et seq.). With a staff increase of around 30 %, the authority took more decisive action against data protection breaches and sent a clear message to businesses and public authorities. The formal proceedings that have been concluded not only clarify administrative practice but also mark a noticeable paradigm shift: whereas the focus used to be on advice and raising awareness, legal enforcement and administrative sanctions are now increasingly taking centre stage.

 

Transparency under pressure: requests for access and administrative culture

Another key focus of the report is the growing public interest in government transparency. The number of requests for access under the Federal Act on the Openness of Government (BGÖ) rose by almost 30 %. Despite high settlement rates in conciliation proceedings, there were significant backlogs in processing. The FDPIC takes a critical view of the trend towards exempting administrative activities from the BGÖ by means of exceptions under specific legislation – for example, in the areas of financial market supervision or police data processing. This runs counter to the constitutional principles of transparency and accountability (see Art. 6 of the Federal Constitution).

Wide range of topics: from cyber-attacks to social scoring

The report also covers a broad spectrum of topics. It addresses surveillance technologies such as widespread facial recognition and social scoring, documents individual cases such as the ransomware attack on the company Xplain, and examines the data protection requirements for tenancy application forms and the transfer of medical data in sport. The FDPIC is increasingly positioning itself as a legally knowledgeable authority that is also able to contextualise complex technical and societal developments.

What does this mean for businesses and public authorities?

For businesses, the report is a clear call for active compliance. Data protection impact assessments (DPIAs) – for example, when introducing AI-supported analytical tools – are a key risk management tool. In the event of data breaches, they must be able to submit qualified notifications in accordance with Article 24 of the Data Protection Act (DPA) within the prescribed time limit and inform those affected appropriately. The right of access under Article 25 of the DPA is also coming under increasing scrutiny: incomplete or delayed responses may lead to investigations in future.

Furthermore, it is becoming clear that even smaller organisational units may come under greater scrutiny if they process particularly sensitive data or implement data-intensive processes. The report makes it unequivocally clear: data protection is not a one-off project, but an ongoing process that must be embedded at organisational, technical and cultural levels.

Public authorities have a dual obligation: they must comply with the principles of data protection whilst simultaneously fulfilling their statutory duty of transparency. The FDPIC strongly urges that administrative units must not undermine this obligation through formal or technical barriers. Advancing digitalisation requires the early and consistent integration of data protection requirements.

Outlook: case law, resources and regulatory density

The report shows that the FDPIC increasingly sees itself as an active regulatory authority. The combination of enhanced supervision, the establishment of binding practices and public communication strengthens confidence in processes under the rule of law – but also places greater demands on organisations. The extent to which this new approach is tenable will become apparent in the case law of the Federal Administrative Court and the Federal Supreme Court. In practical terms, it is important to note that data protection is compliance. And compliance is not optional.

It will be interesting to see to what extent the cantonal data protection authorities align themselves with this new regulatory dynamic and whether a uniform enforcement standard develops. International cooperation – for example with the European Data Protection Board – could also play a greater role in future, particularly in cross-border cases. Companies should closely monitor regulatory developments so that they can respond at an early stage.

Sources