On 6 February 2025, the Swiss Federal Data Protection and Information Commissioner (FDPIC) adopted guidelines outlining the requirements for reporting data security breaches. These guidelines specify the legal obligations for data controllers to notify the FDPIC of breaches that are likely to pose a high risk to the personality or fundamental rights of data subjects, as defined under Article 24 of the Federal Act on Data Protection (FADP). Controllers must report data security breaches to the FDPIC immediately if the breach poses a high risk to the personality or fundamental rights of data subjects. The report should detail the circumstances, implications, type, time, duration, extent, and effects of the breach. Further, controllers must assess the severity and likelihood of consequences to determine whether a high risk exists, considering factors such as the type of data affected and the nature of the breach.