Compare 13 Swiss Federal Act on Data Protection compliance partners delivering revFADP (in force since 1 September 2023) gap assessments, processing registers, data-protection impact assessments, cross-border transfer governance under FDPIC adequacy decisions and Standard Contractual Clauses, breach notification within 72 hours where reasonable, and the Swiss-US Data Privacy Framework and EU-US Data Privacy Framework alignment. Engagements cover the controller and processor responsibilities under the revFADP, the data subject rights handling for access, rectification, erasure, and data portability, the data protection officer or representative engagement for organisations without a Swiss establishment, the Federal Data Protection and Information Commissioner (FDPIC) interaction model, the multi-jurisdiction alignment with EU GDPR, and the sector-specific overlays for financial services, healthcare, and federal contracting. Listings cover Swiss data-protection boutiques, Big Four practices in Zurich and Geneva, international privacy law firms, India-heritage SIs, and the audit firms delivering FADP alongside ISO 27701 and FINMA-regulated programmes. No partner pays for placement on this directory.
FADP programmes break into four workstreams. Scoping and gap assessment, where the partner determines the applicability of the revFADP to the organisation considering Swiss establishment, processing of Swiss residents' personal data, or use of Swiss infrastructure, runs the gap assessment against the legacy 1992 DPA position and against EU GDPR posture, and identifies the high-impact changes including the explicit consent standards for sensitive personal data, the expanded definition of personal data including profiling, and the new criminal liability for natural persons in certain breach scenarios. Records, DPIA, and policies, where the partner builds the processing register under Article 12, conducts data protection impact assessments for high-risk processing including profiling and large-scale processing of sensitive personal data, updates privacy notices to meet the heightened transparency standards under Articles 19-21, and refreshes the data-processor contracts. Cross-border transfers and FDPIC engagement, where the partner reviews transfers under the FDPIC adequacy list, deploys Standard Contractual Clauses where adequacy is absent, configures the Swiss-US Data Privacy Framework for transfers to certified US organisations, and runs the FDPIC interaction including breach notifications and consultation requests. Operations and ongoing run, where the partner stands up the data subject rights handling within Swiss timelines, designs the breach detection and reporting workflow, and integrates the FADP register with the wider EU GDPR and global privacy programme.
Three procurement archetypes recur. Swiss law firms (VISCHER, Walder Wyss, Lenz & Staehelin, Kellerhals Carrard) lead at organisations where FDPIC engagement, complex cross-border structures, criminal liability exposure, and Swiss legal interpretation matter most. They are typically lead counsel for multinationals with material Swiss operations. Big Four Switzerland practices (PwC, EY, KPMG, Deloitte) lead at multinational programmes where FADP sits inside a broader EU GDPR, UK GDPR, and global privacy posture, and where FINMA, FINMA Circular 2023/1 operational risk, or pharma regulatory overlays matter. Privacy boutiques and India-heritage SIs lead at SME programmes and at scaled multinationals where managed run, register maintenance, and unit cost dominate. Friction point: many organisations under-scope the revFADP work assuming GDPR compliance is sufficient. Swiss law introduces specific obligations including the criminal liability for natural persons, narrower exemption for the joint controller doctrine, and stricter rules on profiling and automated decisions. The Swiss-US Data Privacy Framework provides adequacy for certified US recipients but does not cover non-certified ones, and the FDPIC has actively published transfer guidance during 2024-2025. Buyers should validate the assumption that GDPR cover is sufficient before deciding scope.
For complementary research see privacy management platforms, consent management platforms, data discovery platforms, data subject request tools, and GRC platforms. For adjacent services see EU GDPR services, OneTrust implementation, ISO 27701 implementation, ISO 27001 implementation, IT governance and compliance, and Microsoft Purview implementation.
Tell us what you're evaluating and we'll send a tailored shortlist of vendors that actually fit — no vendor funding, no pay-to-play.
6,000+ vendors · 893 comparisons · 48 country guides · Independent & vendor-neutral