The revised Federal Act on Data Protection entered into force on 1 September 2023. SCOVR is architecturally aligned with every key obligation — not through policy alone, but through the structure of the platform itself.
Any organisation that processes personal data of individuals resident in Switzerland must comply — regardless of where the organisation itself is based.
Every company registered and operating in Switzerland that processes personal data of natural persons. No minimum size threshold applies — sole practitioners and multinationals alike are in scope.
Non-resident companies that offer goods or services to individuals in Switzerland, or that monitor their behaviour, must comply. Organisations without a Swiss presence must designate a local representative.
Third parties processing personal data on behalf of a controller must operate under a written contract — Article 9 — that sets out the permissible processing activities, security measures, and sub-processor obligations.
Lawyers, fiduciaries, financial advisors, tax consultants, and accountants — all of whom process sensitive client data — face heightened obligations around professional secrecy and proportionate data handling.
The 1992 Federal Data Protection Act was drafted before smartphones, cloud computing, or widespread internet use. The revised law addresses the reality of modern data processing: automated profiling, cross-border cloud services, sensitive biometric and genetic data, and the structural power imbalance between large platforms and individuals.
The most significant change is not the expanded definitions — it is the shift from a reactive to a proactive compliance model. Organisations can no longer wait for a complaint. They must demonstrate, in advance, that their systems are built with privacy protection embedded from the outset.
For communication tools and collaboration platforms — arguably the most data-intensive category of enterprise software — this means the architecture of the product itself must satisfy the law, not just the policy documents that accompany it. A sovereign, self-hosted, end-to-end encrypted platform satisfies the structural requirements of the revised Act in ways that consumer messaging services cannot.
Expanded definition of sensitive personal data now covers genetic profiles, biometric identifiers (fingerprints, facial geometry), and location data — all subject to stricter processing conditions.
Privacy protection must be embedded into systems from inception. The highest protection level must be active by default — users must not have to opt in to privacy.
Organisations must maintain a documented register of all data processing activities. SMEs presenting limited risk may qualify for an exemption via the Ordinance on Data Protection.
High-risk security incidents must be reported to the Federal Data Protection and Information Commissioner (FDPIC) without delay. Affected individuals must also be notified where necessary.
Automated processing of personal data to evaluate personal characteristics is now explicitly regulated. High-risk profiling (e.g. for creditworthiness or personality analysis) requires explicit consent.
The revised Act imposes proactive duties that cannot be fulfilled through documentation alone — the underlying systems must be built to comply.
Data protection must be built into the architecture of any system that processes personal data. The highest protection level — including encryption and minimum data collection — must be active by default, without any opt-in from users or administrators.
Every third party processing personal data on behalf of your organisation must be bound by a written contract specifying the scope, purpose, security requirements, and sub-processor restrictions. Verbal arrangements are not sufficient.
Controllers and processors must maintain a written register of all processing activities, including data categories, purposes, recipients, retention periods, and security measures. This register must be available to the FDPIC on request.
A DPIA is mandatory before any processing that presents a high risk to individuals' fundamental rights — particularly automated decisions with legal effect, large-scale processing of sensitive data, or systematic monitoring.
Security incidents that are likely to result in high risk to affected individuals must be reported to the FDPIC promptly. The report must describe the nature of the breach, the categories and number of data subjects affected, and the remedial measures taken.
Personal data may only be transferred to countries with adequate protection, or under approved safeguards such as standard contractual clauses. Transfers to jurisdictions under foreign surveillance legislation require explicit legal analysis.
Compliance is demonstrated through architecture, not documentation. Every key obligation is addressed at the platform level — before any policy is written.
The nFADP grants individuals direct rights over their personal data. Each right requires operational fulfilment, not only a written procedure.
Any individual may request confirmation that their personal data is being processed, and receive a copy of that data. Because all SCOVR data resides within your own infrastructure, access requests can be fulfilled immediately — without relying on a third-party vendor to extract records.
Individuals may request correction of inaccurate personal data. Administrative tools within the platform allow operators to locate, review, and update records directly — without routing the request through an external data processor.
Where the legal basis for processing has ceased or consent has been withdrawn, personal data must be deleted. The sovereign architecture means deletion is definitive — data exists in one place, under your control, and erasure is not contingent on a vendor's processes.
Personal data provided on the basis of consent must be deliverable in a structured, machine-readable format. The open standard on which SCOVR is built means data is never locked in a proprietary format — export is a native capability, not a future roadmap item.
Individuals may object to processing carried out on the basis of legitimate interests. Granular access controls allow administrators to restrict processing for specific users, data categories, or channels — without affecting the availability of the platform for other users.
The nFADP regulates decisions made solely by automated processing that produce legal or similarly significant effects. SCOVR performs no automated profiling of users. No algorithmic scoring, behavioural categorisation, or automated decision affecting an individual is carried out on the platform.
Unlike comparable frameworks in other jurisdictions, the nFADP does not impose administrative fines on organisations. Instead, criminal penalties are levied directly against the individuals responsible for the violation. The Federal Data Protection and Information Commissioner investigates potential breaches and issues binding remedial orders — which, if not complied with, are referred to cantonal prosecution authorities.
Prosecution targets individuals who wilfully violate the information obligations of the Act, breach professional secrecy, or make personal data accessible to an unauthorised third party. The personal exposure this creates — up to CHF 250,000 per individual — means that a compliance failure is not merely a reputational or financial issue for the organisation: it is a criminal matter for the persons responsible.
The FDPIC has broad investigative powers: it may open proceedings on its own initiative, require organisations to hand over documentation, and issue enforceable orders requiring remediation within a set timeframe. Non-compliance with an FDPIC order triggers cantonal criminal prosecution.
The platform is built on a published, open protocol. Any technically competent authority — including the FDPIC — can audit the data flows, encryption implementation, and processing logic without vendor cooperation.
There are no undisclosed sub-processors, background analytics services, or third-party data integrations. The FDPIC register entry for your deployment reflects all processing activities because all processing occurs within your sovereign environment.
Pre-built breach notification templates and incident response playbooks are aligned with the FDPIC reporting format — enabling the required notification to be completed within the expected timeframe even under pressure.
A complete Data Protection Impact Assessment documentation set is provided with every deployment — covering data flows, encryption mechanisms, access controls, and risk mitigations — ready for FDPIC review or internal governance.
If an FDPIC order requires a change to processing activities, the self-hosted architecture means changes can be implemented immediately — without waiting for a vendor to update a multi-tenant platform affecting thousands of other customers.
All data — messages, files, call recordings, user profiles — is stored on servers physically located in Switzerland. No data transits through foreign cloud infrastructure. Art. 16–17 transfer obligations are satisfied by architecture.
Every message, file, and call is encrypted with keys that never leave the recipient's device. No server operator — including SCOVR — can read the content of communications. Art. 7 privacy-by-default is satisfied before any configuration is applied.
Granular permissions at the room, channel, and user level ensure that personal data is accessible only to those with a documented legal basis to process it. Over-permissioned access — a primary driver of insider incidents — is prevented structurally.
Every access event, administrative action, and message delivery is logged in an immutable, exportable record. This constitutes the processing activity register required under Art. 12 — generated automatically, without manual documentation effort.
The platform is built on a published, non-proprietary protocol maintained by an independent non-profit foundation. Your organisation can migrate, self-host, or switch providers at any time — without permission, without penalty, and without data loss.
A compliance programme that relies entirely on internal policies and training cannot satisfy the structural requirements of the revised Act. Article 7 does not say that organisations must have a policy on privacy by design — it says that data protection must be built into the technology from the outset, and that the highest protection level must be the default state.
Consumer-grade cloud messaging platforms are architecturally incompatible with this requirement. They process data on shared infrastructure, collect metadata for product improvement, route communications through servers in jurisdictions subject to foreign surveillance law, and cannot provide the data residency guarantees that Art. 16 demands.
A sovereign, self-hosted, end-to-end encrypted communications platform built on an open standard is the only category of solution that satisfies the structural requirements of the nFADP at the platform level. Every other approach — DPAs, contractual safeguards, consent mechanisms — supplements the architecture but cannot replace it.
Every deployment includes documentation, DPAs, and architectural features aligned with the nFADP and the supporting standards that competent authorities expect.
Architecture and processes aligned with every key obligation of the revised Act: written processor contracts under Art. 9, privacy by design under Art. 7, processing register under Art. 12, breach notification under Art. 24, and cross-border transfer controls under Art. 16–17.
End-to-end encryption is not a configurable option — it is the default state of every channel and communication on the platform. No administrator action is required to achieve the highest protection level that Art. 7 mandates.
Every deployment includes a written Data Processing Agreement that satisfies the requirements of Art. 9 — defining the scope of processing, permissible sub-processors, security obligations, and the data subject rights fulfilment process.
Pre-built incident response documentation, breach notification templates aligned with FDPIC reporting requirements, and built-in anomaly monitoring ensure that any qualifying incident can be reported within the timeframe the Act expects.
Platform and operational processes certified to ISO 27001. Independently audited security controls, documented risk management, and a formal information security management system available for due diligence review and FDPIC enquiry.
Built on a published protocol maintained by an independent non-profit foundation. Any competent technical authority — including the FDPIC — can audit the data flows and processing logic. There are no proprietary components that resist independent review.
Specific answers to the nFADP questions legal, compliance, and IT teams ask most often.
Book a private briefing with our compliance team. We will review your current communications infrastructure against the specific requirements of the revised Act and design a deployment that satisfies them structurally — before any processing begins.