Summer camp Switzerland, International summer camp 1

Understanding Swiss Data Protection For Families


FADP 2023: stronger Swiss data protection for parents and children. Update privacy notices, secure student health records, and know the breach rules.

Swiss Federal Act on Data Protection (FADP) — 2023 Revision: Summary for Families

We, at the Young Explorers Club, are tracking the 2023 revision of the Swiss Federal Act on Data Protection (FADP). The revision strengthens transparency and expands rights for parents and children. The Federal Data Protection and Information Commissioner (FDPIC) enforces the law and now has wider breach-notification and supervisory powers. We recommend families review and update privacy notices, map and secure student and health records, and adopt technical safeguards.

Key takeaways

  • FADP 2023 boosts transparency and grants parents and children clearer rights to access, correct, delete, and object.
  • Breach notifications: controllers must notify the FDPIC and affected individuals when a personal-data breach creates a high risk.
  • Cross-border transfers: Switzerland benefits from an EU adequacy decision, so transfers from the EU are straightforward. Transfers to non-adequate countries require documented safeguards such as standard contractual clauses or equivalent measures.
  • Practical actions for families: update consent and privacy notices; map where student and health records are stored; encrypt sensitive fields; enable two-factor authentication; and use password managers.
  • Enforcement and remediation: the FDPIC has broader enforcement powers. Keep written records of requests. Escalate unresolved issues. Request breach reports and evidence that notifications were sent.

What changed (brief)

The 2023 FADP clarifies individual rights and strengthens obligations on controllers. The FDPIC can now require notifications, conduct more invasive supervision, and impose stronger remedial measures. The threshold for notifying affected individuals is when a breach creates a high risk to rights and freedoms.

Cross-border transfers

Switzerland benefits from an EU adequacy decision, which means data flows from EU countries into Switzerland remain simple and do not require additional transfer mechanisms. For transfers to countries that are not recognised as adequate, controllers must put in place documented safeguards such as standard contractual clauses, binding corporate rules, or equivalent technical and organisational measures.

Practical actions for families

  1. Update privacy notices and consents — ensure language is clear about rights, retention periods, and contact details for the data controller.
  2. Map records — identify where student and health records are stored (cloud providers, local servers, third-party services).
  3. Encrypt sensitive fields — encrypt health and other highly sensitive data at rest and in transit.
  4. Enable two-factor authentication (2FA) — protect accounts that access school or health systems with strong authentication.
  5. Use password managers — generate and store unique strong passwords for each service.
  6. Document processors and transfers — keep records of subprocessors and any cross-border transfers, and confirm safeguards for non-adequate destinations.

Enforcement and remediation

The FDPIC now has broader supervisory and enforcement powers. If you suspect misuse or insufficient protection of your child’s data, keep written records of all requests and responses. If an incident occurs, request a breach report and evidence that notifications were sent to the FDPIC and affected individuals. If issues remain unresolved, escalate within the controller organisation and consider contacting the FDPIC directly.

Next steps

For families: review your school and health-provider privacy notices, update consents where needed, and implement the technical steps above. For organisations handling children’s data: ensure processes for handling access, correction, deletion, and breach notification are in place and documented.

If you’d like, we can help draft a checklist tailored to your family or school to implement these recommendations.

https://youtu.be/5n7h0J-X1WI

Quick legal snapshot and cross-border transfers

We, at the Young Explorers Club, treat Swiss data protection as operational law. The Federal Act on Data Protection (FADP) was revised and came into force on 1 September 2023 (FADP 1 September 2023). The Ordinance on Data Protection (ODP) complements the FADP. The Federal Data Protection and Information Commissioner (FDPIC) enforces the rules, runs investigations, issues guidance and handles complaints (Federal Data Protection and Information Commissioner (FDPIC)).

What changed for families — practical points

Focus on these changes that matter to families, all stemming from the 2023 revision (FADP 1 September 2023):

  • Stronger transparency and individual rights: parents and children get clearer rights to access, correct and delete personal data. Review your privacy notices and consent forms.
  • New breach-notification obligation: organisations must notify the FDPIC and affected individuals when a personal-data breach creates a high risk (breach notification obligation).
  • Clearer rules on cross-border data transfers and sensitive data: processing of health or similar sensitive data now needs stricter safeguards and documented legal bases (FADP 1 September 2023).
  • Greater enforcement powers for the supervisor: the FDPIC can levy administrative measures and demand corrective steps (Federal Data Protection and Information Commissioner (FDPIC)).

Practical steps we recommend: update parent-facing notices, map where student and health records live, encrypt sensitive fields, and assign a data-incident lead who knows the breach-notification obligation.

Cross-border transfers: simple rules and an example

Switzerland holds an EU adequacy decision, so transfers from the EU to Switzerland are straightforward (EU adequacy decision). Transfers from Switzerland to countries without an adequacy decision require appropriate safeguards. Acceptable measures include:

  • An adequacy decision by the receiving jurisdiction,
  • Standard Contractual Clauses (SCCs) or contractual clauses modeled on SCCs,
  • Other documented suitable safeguards that provide equivalent protection (cross-border data transfers, standard contractual clauses).

Practical example: if a school’s student-record database is hacked, we must evaluate the risk and, when the breach creates a high risk to individuals, notify the FDPIC and affected parents under the breach-notification obligation (Federal Data Protection and Information Commissioner (FDPIC); FADP 1 September 2023).

  • Immediate containment and forensic check
  • Prompt parent communication with clear next steps
  • Review of whether records were transferred abroad and, if so, which safeguard applies

For a deeper look at how we assess operational safeguards alongside safety, see our page on camp safety.


Core rights families should expect (plain-language explanations)

We, at the Young Explorers Club, expect families to have clear, usable data rights under Swiss law. We’ll explain each right in plain language and give practical steps you can follow.

Right to be informed (transparency)

Controllers must tell you what personal data they collect about your child, why they collect it, how long they’ll keep it, and who they share it with. Ask for that explanation in simple terms. For example, if an app collects location or profile data to show nearby activities, the app provider must explain that use and the retention period. This is the right to be informed.

Right of access

You can ask a controller what data they hold about your child and request a copy. Make the request in writing if you want a clear record. A straightforward question to use is: “What data do you hold about my child?” Keep a copy of your request and note the date.

Right of correction / rectification

You can ask for factual errors to be fixed. This is the right of correction. Common examples include wrong birthdates, misspelled names, or incorrect medical notes in school records. Correct records quickly to avoid future problems.

How to correct data — a short flow

  1. Identify the controller responsible for the record (school, app provider, camp admin).
  2. Send a written request citing the FADP right of correction and clearly state the change needed.
  3. Set an expectation of two weeks for a response.
  4. If the controller ignores the request, escalate to the FDPIC.

Right to deletion / erasure (where applicable)

You can ask for data to be deleted when there’s no lawful basis to keep it. Deletion isn’t absolute. Controllers can refuse if law requires them to retain data (for example, mandatory reporting or accounting rules). Ask the controller to explain any refusal in writing.

Right to object

You can object to certain processing, like profiling or direct marketing. The controller must consider your objection and either stop the processing or show compelling lawful grounds to continue. If the objection concerns marketing, controllers usually must stop.

Sensitive personal data protections

Some categories get stricter treatment. Examples include health and vaccination records, genetic data, biometric identifiers (like facial recognition), religion, and political opinions. These often require explicit consent, especially for children, or another strong legal basis before processing.

Lawful basis for processing

Any processing must be lawful, fair and tied to a specified purpose. Consent is required in many cases, particularly for sensitive personal data and when children are involved. Other lawful bases include:

  • Contract performance — for instance, school administration needs certain data to provide education;
  • Legal obligation — such as mandatory health reporting.

Quick one-line examples

  • Right of access — “What data do you hold about my child?”
  • Right to be informed — “This app will collect microphone and location data to provide X features.”
  • Right of correction — “Please correct my child’s birthdate in school records.”
  • Right to deletion — “Please delete photos of my child taken after the end of camp if you lack a lawful basis to keep them.”
  • Right to object — “I object to profiling for targeted ads; please stop processing my child’s data for that purpose.”

If you want practical follow-up tips after camp or examples of parent conversations about data handling, see what parents notice for common points families raise.


Children, parental consent and practical age considerations

We, at the Young Explorers Club, treat children’s personal data as especially sensitive. Many online services set age limits and often require parental consent to create accounts. Parents and guardians can be held responsible for consenting to processing of minors’ data in schools, apps and health settings, so I recommend reviewing every privacy notice you encounter.

Parental responsibility and common contexts

Parents should expect children’s data to appear in several predictable places: schools and school platforms, extracurricular providers and camps, health professionals and patient records, and apps or games used at home. Always check the terms and privacy notices before agreeing to anything. You should confirm whether the organisation acts as controller or processor, since that determines who answers your questions and who must fulfil data subject rights.

What to ask providers

Ask providers these direct questions before consenting; I’ve listed phrases you can reuse when needed:

  • Who is the data controller and who is your contact for privacy questions?
  • What categories of personal data do you collect about my child?
  • Do you share any of this data with third parties, and which ones? Are transfers made to other countries?
  • What is the retention period and how do you decide when to delete data?
  • What legal basis do you use for processing my child’s data (consent, contract, public interest, etc.)?
  • Do you require explicit consent for sensitive data (health, biometric, special categories)?
  • Ready-to-use sentence to send providers: Under the Swiss FADP, please provide (1) the categories of personal data you hold about my child, (2) the retention period, and (3) any third parties receiving this data.

Practical tips and immediate actions

I recommend you always review the service’s age limits in the terms of service and insist on explicit consent where sensitive information is involved. Keep records of any consents you give and the documents you receive. If a provider’s answers are vague, ask for them in writing and consider escalating to the controller’s designated privacy contact. For ongoing resources and examples about how we handle camp paperwork and parent communications, check terms and our posts for clear templates and sample requests.

Practical security steps and recommended tools for families

We keep digital hygiene simple and repeatable so families can protect data without extra stress. We use strong, unique passphrases and recommend a password manager to store them. We insist on two-factor authentication (2FA) for email, cloud storage and any account with personal data. We enable device encryption and encrypted backups on phones, tablets and laptops. We update devices and apps automatically where possible. We turn off unnecessary location sharing and set Screen Time limits on kids’ devices. For younger children, we enforce router-level parental controls.

Action checklist

Use this quick checklist each time you set up a device or app:

  • Enable two-factor authentication (2FA) on every account that supports it.
  • Set Screen Time limits and content restrictions on children’s devices (Apple Screen Time or equivalent).
  • Turn off unnecessary location services and review app permissions.
  • Use strong passphrases and a password manager for family accounts.
  • Keep encrypted backups of important data (cloud or local).
  • Activate router parental controls for home network filtering and schedules.

Parental-control and privacy tools, and how I audit apps

I pick tools by function and provenance. Apple Screen Time handles device and app limits as well as content controls and is free on Apple devices. Google Family Link gives account management and app approvals for kids and is free for basic use. Microsoft Family Safety offers screen time, content filters and activity reports with both free and paid tiers. Swisscom Family Protection runs at the ISP level and provides parental controls via subscription; it’s Switzerland‑based and useful for whole‑home protection. AVM Fritz!Box parental controls work at the router level and are widely available in Switzerland.

For dedicated apps, Qustodio, Norton Family, Bark and Kaspersky Safe Kids offer web filtering, monitoring and alerts on paid plans; Qustodio and Norton use subscription models, Bark focuses on risky-content alerts, and Kaspersky mixes free and paid features. OpenDNS FamilyShield gives basic DNS-level filtering for free. For private communications and storage I recommend Proton Mail, Tresorit and Proton Drive — all privacy-focused and Switzerland-based options, with paid tiers for advanced features. For VPN needs I suggest Proton VPN, but verify current rankings before choosing.

When I audit an app I follow a short routine:

  1. Check age rating and the list of permissions requested.
  2. Read the privacy policy and search for terms like “data retention” and “third-party sharing”.
  3. Confirm data location — whether data is processed outside Switzerland.
  4. Look for a stated legal basis for processing personal data.
  5. If permissions or data flows feel excessive, remove the app or restrict access with parental controls.

For practical how‑tos and extra safety reading while planning family travel or camp stays, I point families to our safety tips page for more context.


Where family data commonly flows — schools, healthcare, clubs — and what to do if something goes wrong

We, at the Young Explorers Club, see family data move through a predictable set of controllers and processors. Typical actors include local education authorities and schools, healthcare providers, leisure organisations and the commercial services they use.

Common examples:

  • Controllers: canton education authorities and schools.
  • Processors: school administration platforms and third‑party grading apps, outsourced IT firms.
  • Other holders: GP practices, clinics, sports clubs, daycares, and commercial apps or cloud services used by those organisations.

Schools often hold attendance, grades, photos, CCTV footage, behavioural reports and contact details. Healthcare providers hold health and vaccination records — that’s sensitive personal data — and clinics may also share limited details with insurers or specialists. Commercial apps can add location, contact‑tracing details or analytics.

A plain‑language explanation of controller vs processor helps parents act confidently: a data controller decides why and how data is processed — for example a canton’s education authority or a school. A processor acts on instructions from that controller — for example a third‑party grading app or an outsourced IT firm. Ask to see who is which when you query a provider.

Key questions parents should ask any controller or processor are straightforward. Request:

  • the purpose of processing;
  • retention periods for each category of data;
  • the categories of recipients, including any cross‑border transfers to third countries;
  • the security measures in place.

Use this exact line when contacting a school IT admin if you want a quick, formal request: “Under the Swiss FADP, please confirm (1) the controller for my child’s data, (2) the categories of personal data you hold, (3) retention periods, and (4) any third‑party recipients or cross‑border transfers.”

We recommend keeping a simple log of authorisations and consents you sign. Periodically request an export copy of your child’s school records and keep timestamps for every request and reply. If you want guidance on assessing institutional practices beyond data, including camp operations that intersect with privacy, see our page on how to evaluate safety for camps.

Immediate steps after learning of a breach

When a breach appears, act quickly and record everything. Start with these actions:

  • Change passwords for affected accounts and enable two‑factor authentication.
  • Ask the controller for a full incident report: scope, data types involved, remediation steps and timelines.
  • Monitor for identity theft and unusual account activity; consider a credit freeze if financial data leaked.
  • Request evidence of notifications sent to regulators and affected persons, and note dates of all communications.
  • File a complaint with the FDPIC if the controller fails to respond or mitigate risks.

Change passwords and enable 2FA on affected accounts, ask the controller for a breach report (what happened, data involved, remedial steps), document dates and communications, and report to the FDPIC if you are not satisfied. Controllers must notify the FDPIC when a security incident creates a high risk to individuals’ rights, and they must inform affected persons when required under the revised FADP.


Statistics, trends and trusted resources to consult before you act

We, at the Young Explorers Club, monitor Swiss digital trends so parents and staff can make safer choices. Roughly 97% of households have internet access (FSO). Smartphone penetration sits around 90–95% among adults (OFCOM/FSO). Teen social‑network use ranges from about 85–95% (JAMES/OFCOM). Update these figures from FSO and OFCOM before you publish any formal guidance.

FDPIC activity gives a useful snapshot of real‑world issues. FDPIC annual complaints — X complaints in YEAR (FDPIC) — show which questions keep coming up: consent and data retention, disclosures to third parties, and concerns about minors’ profiles. Check FDPIC guidance on children and young people (FDPIC guidance) for concrete recommendations on parental responsibility and age‑appropriate consent.

The revised Federal Act on Data Protection (FADP) (1 September 2023) raises expectations for data controllers and changes some compliance routines. Read the FADP text and the complementary Ordinance on Data Protection (ODP) to see where your camp or family needs to act. I recommend focusing on data minimization, documented lawful bases for processing, and clear retention schedules.

Practical tech choices matter. I suggest encrypted email and cloud storage for sensitive family or camp records; consider Proton Mail and Tresorit for Swiss‑based privacy options. Enable two‑factor authentication, use strong password managers, and set social‑network privacy settings before kids create accounts. We build these practices into our camp sign‑up and communications.

Trusted resources and reading list

Consult these primary sources and guidance documents:

  • Federal Act on Data Protection (FADP) — Swiss Confederation
  • Ordinance on Data Protection (ODP) — Swiss Confederation
  • Federal Data Protection and Information Commissioner (FDPIC) — guidance documents and annual report
  • FDPIC guidance on children and young people
  • Swiss Federal Statistical Office (FSO) — household and internet statistics
  • Swiss Federal Office of Communications (OFCOM) — JAMES youth and communications studies
  • JAMES Swiss Youth and Media Study (OFCOM)
  • Proton Mail and Tresorit for encrypted services
  • Recent reports from legal firms and data‑protection consultancies on the revised FADP
  • Selected press and analysis pieces covering the revised FADP

For quick, practical tips aimed at families travelling with kids or attending camp, see our blog for actionable checklists and examples. We recommend that camps publish clear privacy notices, run brief parent workshops on account safety, and document consent whenever a child’s image or data will be used.


Sources

Swiss Confederation — Federal Act on Data Protection (FADP)

Swiss Confederation — Ordinance on Data Protection (ODP)

Federal Data Protection and Information Commissioner (FDPIC) — Home

Federal Data Protection and Information Commissioner (FDPIC) — Data protection and children and young people

Federal Data Protection and Information Commissioner (FDPIC) — Annual report

Swiss Federal Statistical Office (FSO) — Information society / ICT statistics for households

Federal Office of Communications (OFCOM / BAKOM) — JAMES (Youth and Media Study)

Proton — Proton Mail — Secure email

Proton — Proton Drive — Encrypted cloud storage

Tresorit — Encrypted cloud storage and security blog

Swisscom — Family Protection (parental controls)

Qustodio — Parental control software

OpenDNS / Cisco Umbrella — FamilyShield / Home Internet Security

AVM — FRITZ!Box — Router and parental control features
