Ensure and accelerate nLPD and GDPR compliance in your organization with Snowflake

Khallil DOUDOU
Senior Data Engineer

If you run a business in Switzerland and process personal data, you are personally responsible for protecting it. Not your company. Not your CIO. You. That is what the nFADP (new Federal Act on Data Protection) provides for; it came into force on September 1, 2023, with no transitional period whatsoever. On the day it became applicable, all companies were supposed to be compliant. [myright.ch]
The Swiss particularity — and this is what fundamentally distinguishes the nFADP from the European GDPR — lies in the fact that criminal sanctions directly target natural persons. The CEO, the CTO, the DPO, or even the decision-making employee may be personally sentenced to a fine of up to CHF 250,000. This fine cannot be paid by the company. Above CHF 5,000, it results in a criminal record entry. [dsg-lpd.ch]
Add the European dimension. If your company processes data relating to individuals in the EU — which is the case for a considerable share of Swiss companies — the GDPR applies in parallel, with a ceiling of €20 million or 4% of annual worldwide turnover. This time, the company itself is targeted. The two regimes are cumulative: the nFADP exposes the executive personally, while the GDPR exposes the company financially. [eur-lex.europa.eu]

Why is this critical in 2026?
The FDPIC is no longer just observing. For those who were counting on flexible enforcement of the law, the figures invite a rethink. In the first 14 months of the nFADP’s application, the FDPIC received 1,183 reports from citizens and organizations, in addition to 293 security breach notifications filed by companies themselves — nearly 1,500 incoming signals in total. Of that volume, 86 led to “low-threshold” interventions — amicable compliance actions, around 90% of which were followed voluntarily. The most serious situations resulted in 26 preliminary and formal investigations. In 2024/2025, the number of reported security breaches increased again to reach 363. The trend is clear: the flow of reports is widening and supervisory activity is intensifying at every level. [edoeb.admin.ch] [swissprivacy.law]
Concrete cases are multiplying. In April 2024, the FDPIC called out Digitec Galaxus, one of Switzerland’s largest e-commerce players, for violating the principles of transparency and proportionality in the processing of customer data. Formal recommendations were issued, and compliance was completed at the end of 2025 under FDPIC supervision. Even leading players are not immune. [edoeb.admin.ch]
On the European side, the healthcare sector is particularly exposed. A Portuguese hospital was fined €400,000 because 985 doctor accounts were active in its IT system — including temporary staff who had already left the institution — while only 296 doctors were actually practicing there. In France, medical software publisher Cegedim Santé was fined €800,000 for processing pseudonymized health data without authorization, sourced from 25,000 medical practices. In total, the CNIL issued 87 sanctions in 2024, amounting to €55 million. [cio-online.com] [cnil.fr] [village-justice.com]
At the same time, artificial intelligence is accelerating detection — on both sides. The AI helping you analyze your data is also helping regulators inspect it. The FDPIC is strengthening its investigative capabilities. Automated audit tools can now scan massive volumes in just a few hours. If you have not yet done this work on your own data, a regulator will do it for you — and the conclusions will not work in your favor.
Yet PII is not limited to emails and names. In a typical corporate environment, there are dozens of types of sensitive data: 13-digit Swiss social security numbers, Swiss-format IBANs, insurance policy numbers, dates of birth, medical data (diagnoses, treatments, medications). The native classification tools of cloud platforms detect standard patterns, but Swiss-specific features and special-category data (GDPR Art. 9, nFADP Art. 5(c)) systematically escape them. [eur-lex.europa.eu]
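To make the Swiss-specific formats above concrete, here is an added example (not code from the article or from Snowflake) that samples column values and separates shape-only regex hits from values whose check digit actually validates: EAN-13 for the 13-digit social security number and ISO 13616 mod-97 for CH IBANs. It goes one step beyond the text by adding check-digit validation; the column names and sample values are assumptions embedded for the demonstration, and special-category data such as diagnoses is out of its scope.

```python
import re

# Shape-only patterns, the kind a regex-only scanner relies on (assumed for this example).
AHV_RE = re.compile(r"\b756[.\s]?\d{4}[.\s]?\d{4}[.\s]?\d{2}\b")
IBAN_RE = re.compile(r"\bCH\d{2}(?:\s?[0-9A-Za-z]){17}\b")

def valid_ahv(candidate):
    """13-digit Swiss social security number: prefix 756, EAN-13 check digit."""
    s = re.sub(r"[.\s]", "", candidate)
    if not re.fullmatch(r"756[0-9]{10}", s):
        return False
    total = sum(int(x) * (3 if i % 2 else 1) for i, x in enumerate(s[:12]))
    return (10 - total % 10) % 10 == int(s[12])

def valid_ch_iban(candidate):
    """Swiss IBAN: 21 characters, ISO 13616 mod-97 remainder must be 1."""
    s = re.sub(r"\s", "", candidate).upper()
    if not re.fullmatch(r"CH\d{2}[0-9A-Z]{17}", s):
        return False
    rearranged = s[4:] + s[:4]  # move country code and check digits to the end
    return int("".join(str(int(ch, 36)) for ch in rearranged)) % 97 == 1

def classify_column(values):
    """Count shape matches vs. check-digit-confirmed matches in sampled values."""
    r = {"ahv_regex": 0, "ahv_valid": 0, "iban_regex": 0, "iban_valid": 0}
    for v in values:
        for m in AHV_RE.findall(v):
            r["ahv_regex"] += 1
            r["ahv_valid"] += valid_ahv(m)
        for m in IBAN_RE.findall(v):
            r["iban_regex"] += 1
            r["iban_valid"] += valid_ch_iban(m)
    return r

def scan(table):
    """Tag a column only when at least one value passes its check digit."""
    return {col: [k for k in ("ahv", "iban") if classify_column(vals)[f"{k}_valid"]]
            for col, vals in table.items()}

# Sample values embedded for the example (hypothetical column names, no real data).
SAMPLE = {
    "patient_ref": ["756.9217.0769.85", "7569217076985"],
    "order_no": ["7561234567890", "7560000000001"],  # AHV-shaped, wrong check digit
    "notes": ["Rückzahlung auf CH93 0076 2011 6238 5295 7 bitte", "kein Konto hinterlegt"],
}

if __name__ == "__main__":
    for col, vals in SAMPLE.items():
        print(col, classify_column(vals), scan({col: vals})[col])
```

The `order_no` column shows why shape matching alone over-reports: both values match the pattern but fail the check digit, so the column is not tagged.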
Advice for decision-makers
The window for moving from a reactive posture to proactive governance is narrowing. Here are the priority actions to launch without delay:
Map all tables and columns likely to contain PII across your data environment, including Swiss specifics (Swiss social security numbers, CH IBANs, insurance numbers).
Automate detection using AI tools capable of semantic analysis, and not only regex-based pattern matching, in order to cover medical data and special categories under the GDPR (Art. 9) and the nFADP (Art. 5(c)).
Deploy role-based masking policies so that each employee can access only the data strictly necessary for their role — the access minimization principle required by both regulations.
Favor solutions in which data never leaves your compliance perimeter: whatever the environment (Snowflake, Databricks, or otherwise), no transfer to third-party LLMs or servers outside your legal jurisdiction, especially in the healthcare, finance, and public sectors.
Set up continuous governance monitoring with a coverage report that can be used at any time — this is precisely the kind of documentation the FDPIC expects during an inspection.
Document the chain of responsibility internally: who is the controller, who decides on access rights, who is able to respond to the FDPIC. The nFADP sanctions the decision-maker — this designation must be made explicit.
Anticipate the cumulative regulatory burden by assessing now the combined impact of the nFADP, the GDPR and, for the companies concerned, the European AI Act, whose main provisions have been applying progressively since 2025.
Our partnership with Snowflake
As a Snowflake partner, we support our clients in unlocking the value of their data and accelerating their data and AI initiatives, through an approach that combines business expertise, technological excellence, and delivery capability. This collaboration fully aligns with our ambition to provide innovative, robust, and value-creating solutions. It is also backed by our teams’ high level of certification, with 21 SnowPro Core Certifications, demonstrating our command of the Snowflake platform and our ability to deploy high-performance, scalable environments tailored to our clients’ transformation challenges.
