Data breaches under the FADP: first guidance from the Swiss courts
Published: 17 July 2026
| Published: 17 July 2026 | ||
| AUTHORS |
Philipp Fischer |
Partner |
|
Peter Ling |
Partner |
|
|
Claire Dornier |
Associate |
|
|
Olaf Thorens |
Associate |
|
| Expertise |
Data Protection and Privacy |
The Swiss Federal Administrative Court (“FAC”) has recently issued the first judicial decision interpreting Article 24 of the Federal Act on Data Protection (“FADP”), which governs the notification of data security breaches and the information of affected individuals (link).
This decision clarifies several open questions since the revised FADP entered into force in September 2023 and offers practical guidance to organisations dealing with data security incidents, in particular on how Swiss authorities and courts are likely to interpret breach notification obligations.
Beyond the specific facts of the case, the FAC confirms a preventive and risk-oriented approach to data breach management and suggests a relatively broad interpretation of controllers' obligations under the FADP.
1
Article 24 FADP: the legal framework
Article 24 FADP sets out two distinct obligations in the event of a data security breach.
First, controllers must notify the Federal Data Protection and Information Commissioner (“FDPIC”) as soon as possible where the breach is likely to result in a high risk to the personality or fundamental rights of the affected individuals (Art. 24(1) FADP).
Second, controllers must inform the affected individuals where such information is necessary for their protection or where the FDPIC so requires (Art. 24(4) FADP).
These obligations pursue different objectives. Notification to the FDPIC serves a supervisory purpose and is triggered by the likeliness of a high risk. Information to affected individuals is intended to enable them to take protective measures against the potential consequences of the breach.
Article 24(5) FADP further allows the information of affected individuals to be restricted, postponed or omitted in limited circumstances, e.g., where notification is impossible or would entail disproportionate efforts, or where equivalent information is ensured through a public announcement.
2
Background
The case concerned a security incident affecting a Swiss online retailer whose customer support requests were managed through individual web pages accessible via unique URLs. Due to a technical configuration issue, these URLs became indexed by Microsoft's Bing search engine for several months.
As a result, personal data relating to approximately 19,000 customers became accessible through search results. Depending on the support request, the exposed information included names, email addresses, postal addresses, IBAN numbers, communications with customer support, photographs and voucher codes.
The company notified the FDPIC within two days after becoming aware of the incident.
The FDPIC then ordered the company to inform the affected individuals, without specifying the required form of information, although it referred to the possibility of a public announcement. The company challenged that order before the FAC.
3
A data security breach exists even without proof of actual access
A central aspect of the judgment is the definition of “data security breach”. The FAC held that a breach occurs whenever personal data are disclosed or become accessible to unauthorised persons, and that confidentiality is already compromised where there is merely a possibility that unauthorised persons may access personal data, irrespective of whether actual access can be proved.
In practice, organisations often focus on whether evidence of actual access or exfiltration. The FAC makes clear that this is not decisive under Swiss law: the mere possibility that personal data may have become accessible to unauthorised persons can be sufficient to qualify as a data security breach.
This confirms a relatively low threshold for qualifying incidents as data security breaches under the FADP and implies that organisations may need to assess and document a broader range of incidents than previously anticipated.
4
Informing affected individuals: a preventive mechanism irrespective of proven harm
The judgment also clarifies the purpose of Article 24(4) FADP.
The FAC emphasised that the obligation to inform affected individuals is not primarily intended to create transparency or to sanction the controller but to enable affected individuals to take measures to protect themselves or mitigate the potential consequences of the breach.
This has implications for the assessment of necessity: the key question is not whether the risk is particularly severe or whether damage has already occurred, but whether the information would allow affected individuals to take meaningful protective measures.
In casu, the disclosure of names, postal addresses and IBAN numbers exposed affected individuals to risks including identity theft, social engineering attacks and fraudulent direct debit transactions.
The Court thus considered that affected individuals could benefit from being informed, for example by exercising increased vigilance, monitoring their bank accounts or paying closer attention to suspicious communications.
This interpretation arguably broadens the situations in which information of affected individuals may be required. In practice, data breaches often involve circumstances where affected individuals could take at least some precautionary measures if informed of the incident.
The company argued in particular that no customer had reported any misuse of their information and that there was no indication that the risks associated with the incident had materialised. The FAC rejected this reasoning.
Because the information obligation under Article 24(4) FADP serves a preventive function, enabling affected individuals to act before damage occurs, the absence of proven harm does not remove the need to consider whether they should be informed. Article 24 FADP is indeed fundamentally based on risk prevention rather than on the existence of actual damage.
That said, one may question whether this reasoning goes slightly too far in one respect: for a genuine risk assessment, the fact that no complaints or damage materialised over an extended period across a sizeable group of individuals is not entirely irrelevant to the probability of harm, even if – as the FAC rightly holds – it cannot on its own eliminate the need to consider notification.
5
Public announcements as an alternative to individual notification
The company also argued that it was no longer able to identify all affected individuals because remediation measures had been prioritised over preserving the information required to reconstruct the list of affected customers.
The FAC accepted that individual notification may, in certain circumstances, be impossible or disproportionate, and emphasised that Article 24(5)(c) FADP expressly allows a public announcement to replace individual notification where equivalent information can thereby be ensured.
Importantly, the Court considered that such a public communication remains proportionate even if it also reaches individuals who were not affected by the incident.
The judgment also makes clear that reputational concerns cannot justify avoiding communication where the requirements of Article 24 FADP are met. The interests of affected individuals generally prevail over the controller's concerns about its public image.
However, Article 24(5)(c) FADP does not create a standalone obligation to make a public announcement. It merely allows such an announcement to substitute for individual notification. Where an order, like the one at issue here, finds individual notification disproportionate without clarifying that a public announcement would satisfy it, organisations should seek clarification from the FDPIC – or, if necessary, the courts – on precisely what form of communication is expected before taking further steps.
6
Practical implications for organisations
The judgment provides several practical lessons for organisations subject to the FADP:
- Reassess incident qualification procedures: controllers should not focus exclusively on evidence of actual access or misuse. Incidents involving a potential loss of confidentiality may already qualify as data security breaches requiring assessment under Article 24 FADP.
- Document breach assessments carefully: given the FAC's broad interpretation, organisations should ensure that their assessment of a security incident, including the nature of the exposed data and the potential consequences for affected individuals, is properly documented.
- Consider notification obligations at an early stage: incident response should encompass not only the question of whether the FDPIC must be notified, but also whether affected individuals should be informed. These obligations follow different legal criteria and must not be conflated.
- Preserve information necessary for future notifications: the case illustrates the tension between immediate technical remediation and preserving information required to identify affected individuals. Incident response procedures should anticipate this and ensure that necessary data for potential notifications are retained.
On a related note, Swiss organizations subject to the European General Data Protection Regulation (GDPR) as per its Article 3 para. 2-3 should also bear in mind that data breach notification requirements thereunder follow different standards than those under the FADP. Accordingly, where a Swiss organization subject to the GDPR suffers a data breach affecting EU data subjects, it should carry out a separate, dedicated assessment to determine whether and how the relevant supervisory authorities and affected individuals must be informed. In this respect, it should be recalled that the GDPR's one-stop-shop mechanism will not apply to Swiss organisations.
7
Conclusion
This first judicial interpretation of Article 24 FADP marks an important milestone in Swiss data protection law.
The FAC confirms that a data security breach may exist even where no actual access to, or misuse of, personal data can be established and clarifies that the obligation to inform affected individuals serves a preventive purpose: the decisive question is whether the information enables them to take measures to protect themselves against the potential consequences of the breach.
More broadly, the decision provides welcome guidance on several key aspects of Article 24 FADP, including the notion of a data security breach, the purpose of informing affected individuals and the circumstances in which a public announcement may replace individual notification.
For organisations, the judgment underscores the importance of implementing robust incident response procedures that address not only the technical containment and remediation of security incidents, but also the assessment, documentation and management of notification obligations under the FADP.
Let’s talk
| CONTACTS |
Guy Vermeil |
Partner, Head of Technology and Outsourcing, Geneva guy.vermeil@lenzstaehelin.com Tel: +41 58 450 70 00 |
|
Claire Tistounet |
Associate, Geneva claire.tistounet@lenzstaehelin.com Tel: +41 58 450 70 00 |
|
|
Claire Dornier |
Associate, Geneva claire.dornier@lenzstaehelin.com Tel: +41 58 450 70 00 |
|
|
Olaf Thorens |
Associate, Geneva olaf.thorens@lenzstaehelin.com Tel: +41 58 450 70 00 |
|
|
Peter Ling |
Partner, Zurich peter.ling@lenzstaehelin.com Tel: +41 58 450 80 00 |
|
|
Lukas Morscher |
Partner, Head of Technology and Outsourcing, Zurich lukas.morscher@lenzstaehelin.com Tel: +41 58 450 80 00 |
|
|
Lukas Stephan Staub |
Associate, Zurich lukas.staub@lenzstaehelin.com Tel: +41 58 450 80 00 |
|
|
Jil Eichenberger |
Associate, Zurich jil.eichenberger@lenzstaehelin.com Tel: +41 58 450 80 00 |