Under the revised Swiss Federal Act on Data Protection (nFADP), every natural person has the right to request access to the personal data a controller holds about them, a right commonly exercised through a data subject access request, or DSAR. The procedure for subject access requests in Switzerland in 2026 places clear obligations on both private-sector controllers and federal public bodies: acknowledge the request, verify identity, locate the data, and deliver a response within a defined timeframe. This guide sets out the complete operational process for data protection officers, in-house counsel and compliance teams who need to receive, handle and close DSARs in line with the nFADP and guidance published by the Swiss Federal Data Protection and Information Commissioner (EDÖB/FDPIC).
Whether you are building a DSAR standard operating procedure from scratch or updating an existing one for 2026 compliance, the numbered steps, timeline tables, document checklists and ready-to-use templates below provide a practitioner-ready framework.
A subject access request in Switzerland is a formal exercise of the right to information guaranteed by Article 25 nFADP. Any data subject (employee, customer, prospective client or any other individual) may ask a controller to confirm whether personal data concerning them is being processed and, if so, to provide the categories of data held, the purpose of processing, retention periods, the recipients or categories of recipients to whom data has been disclosed, and the source of the data if it was not collected directly from the subject.
The obligation applies to private-sector controllers (companies, associations, sole traders) and federal public bodies. Cantonal authorities are subject to their own cantonal data protection legislation, although the principles are substantially similar. The EDÖB publishes sample DSAR letter templates on its official Right to Information page, and these provide a reliable starting point for both data subjects making requests and controllers structuring their responses.
On receipt of a DSAR, the controller must act without undue delay. In practice, this means the response clock starts the moment a valid, identity-verified request is received. The six-step procedure below translates the statutory obligation into an operational workflow that compliance teams can adopt directly.
The right to information under the nFADP is available to natural persons. Legal entities do not hold an equivalent right under Swiss data protection law. A data subject need not be a Swiss citizen or resident to exercise the right: any natural person whose data is processed by a Swiss controller (or a controller otherwise subject to the nFADP) may submit a request. This is particularly relevant for multinational organisations with customers or employees outside Switzerland.
A data subject may appoint a representative to submit a DSAR on their behalf. In such cases, the representative must provide a signed power of attorney or, if an attorney-at-law, a signed mandate. Parents or legal guardians may exercise the right on behalf of minors or persons under guardianship.
For federal public bodies, the subject access request procedure may overlap with the Federal Act on Freedom of Information in the Administration (FoIA). Where a request concerns official documents rather than personal data, the FoIA procedure, administered separately by the EDÖB, applies with its own deadlines. Controllers in the public sector should triage incoming requests early to determine whether the nFADP or the FoIA governs the response. The EDÖB’s guidance on access to official documents provides the relevant criteria.
There are no formality requirements for a DSAR under the nFADP: a request may be submitted in writing (letter or email), orally, or via an online portal if the controller offers one. However, controllers are entitled to verify the identity of the requester before disclosing any personal data.
The following six steps represent the operational sequence for handling a DSAR in Switzerland. The timeline table below summarises each step, the responsible function, and typical duration. All steps should be completed within the overall 30-day response window in standard cases.
| Step | Who Does It | Typical Duration |
|---|---|---|
| 1. Acknowledge receipt and log request | DPO / Privacy Ops | Within 1–3 business days |
| 2. Verify identity and authority | DPO / Privacy Ops | 0–7 calendar days (up to 14 days if documents needed) |
| 3. Clarify and scope request | DPO + Requester | 7–14 days for clarification (pauses response clock) |
| 4. Locate and collect data across systems | IT, Records Owners, Processors | 7–21 days (varies by volume and system complexity) |
| 5. Review, redact, and conduct legal review | Legal, DPO | 3–14 days (risk-based) |
| 6. Deliver response securely and record completion | DPO / Legal | Deliver within 30 days total; extend and notify if complex |
As soon as a DSAR is received, regardless of the channel (email, letter, portal, verbal), the DPO or designated privacy function should log the request in a case-tracking system. Record the date of receipt, the requester’s name and contact details, the scope of the request, and assign a unique reference number. Acknowledge receipt within one to three business days using a standard acknowledgement template.
Sample acknowledgement email:
Subject: Acknowledgement of your data access request – Reference [REF-XXXX]
Dear [Name],
We confirm receipt of your request for access to your personal data, received on [date]. Your request has been assigned reference number [REF-XXXX]. We will respond within 30 days from the date we have verified your identity. If we require additional information, we will contact you promptly.
Kind regards, [Controller name / DPO contact]
Before disclosing any personal data, the controller must verify the requester’s identity. Acceptable documents typically include a government-issued photo ID (passport or identity card) and, where necessary, a proof of address issued within the last three months. If the request is submitted by a representative, a signed power of attorney or attorney mandate must accompany the request. Where identity cannot be confirmed from the documents provided, the controller may ask for additional verification. This does not constitute a refusal, but the response clock does not begin until identity is satisfactorily established.
Overly broad or ambiguous requests are common. The nFADP does not require a data subject to specify particular datasets or time ranges, but controllers may seek clarification to ensure the response is targeted and efficient. Contact the requester to narrow the scope if the request covers multiple systems, decades of records, or categories of data that span different business units. Document the clarification exchange. The period during which clarification is outstanding pauses the response clock.
IT teams and records owners should search all relevant systems: CRM platforms, HR systems, email archives, paper files, backup media, and any third-party processors. Where personal data is held by a processor (including a processor located outside Switzerland), the controller remains responsible for ensuring the data is included. For organisations with cross-border data flows, particularly those relying on the Swiss–US Data Privacy Framework, confirm that the transfer mechanism covers disclosure back to the controller for DSAR fulfilment and that no local blocking statutes prevent production.
Before delivering the response, legal counsel should review the compiled dataset. Redact personal data of third parties unless the third party has consented or disclosure is otherwise lawful. Identify any statutory exemptions that may apply: Article 26 nFADP permits restrictions on the right to information where disclosure would compromise an overriding private interest of a third party, the controller’s own overriding interest, or a public interest (particularly law enforcement or regulatory investigations). Privileged material (legal professional privilege, litigation privilege) should be flagged and, where appropriate, withheld with an explanation.
Common DSAR refusal grounds include: the request is manifestly unfounded or excessive (e.g., repeated identical requests within a short period); statutory exemptions under Article 26 nFADP apply; or the data is processed exclusively for archiving purposes in the public interest. When refusing in whole or in part, the controller must provide reasons in writing.
Sample partial-refusal wording:
We have provided all personal data to which you are entitled under Article 25 nFADP. Certain records have been withheld or redacted under Article 26 nFADP because disclosure would compromise the overriding private interests of third parties. You have the right to seek mediation from the EDÖB or to bring proceedings before the competent court.
Deliver the response in a commonly used electronic format (such as PDF) via a secure channel. Where the data subject has requested physical copies, send by registered post. Retain proof of delivery. Update the case-tracking system with the date of response, the scope of data disclosed, any redactions applied, and the legal basis for any refusal. Inform the data subject of their right to seek recourse through the EDÖB or the courts if they are dissatisfied with the response.
Sample DSAR letter for data subjects in Switzerland:
To: [Controller name and address]
From: [Full name, address, email]
Date: [Date]
Subject: Request for access to personal data under Article 25 nFADP
I request access to all personal data you hold about me, including but not limited to: the categories of data processed, the purposes of processing, the retention periods, and any recipients to whom my data has been disclosed. Please also inform me of the source of any data not collected directly from me. I enclose a copy of my [passport/ID card] for identity verification. Please respond within 30 days as required by the nFADP.
Yours faithfully, [Signature]
The documents needed for a DSAR vary slightly depending on who is making the request and the sensitivity of the data involved. The table below sets out the standard checklist that controllers should require and data subjects should be prepared to provide.
| Document | Notes |
|---|---|
| Government photo ID (passport or identity card) | Issued by a national authority. Photocopy or secure eID accepted. Must confirm name and date of birth. Electronic identity (e-ID) accepted where supported by the controller. |
| Proof of address (utility bill or bank statement) | Issued within the last 3 months. Supports identity verification where the name alone is insufficient. |
| Account or customer identifier | Customer number, account number, or registered email address. Helps scope the search across internal systems. |
| Power of attorney or written authorisation (if representative) | Signed and dated. If submitted by an attorney-at-law, include a signed mandate. Certified copy may be requested for high-risk disclosures. |
| Additional identity verification for high-risk requests | Notarised or certified copies, or in-person verification, may be required where the request concerns sensitive personal data (e.g., health, biometric, or criminal records). |
Overseas applicants should note that controllers may request apostilled or certified copies of identity documents where standard verification is not possible remotely. In practice, many controllers accept a clear colour scan of a passport data page sent via an encrypted channel.
The nFADP requires controllers to provide the requested information within 30 days of receiving a valid, identity-verified request. The EDÖB’s guidance on the right to information confirms this as the standard operational benchmark. This 30-day period is measured in calendar days, not business days.
Where a request is particularly complex, for example, involving large volumes of data, multiple systems, or consultations with third parties, the controller may extend the response period. In such cases, the controller must notify the data subject of the extension, the reasons for it, and the revised deadline before the original 30-day period expires. Industry observers expect that extensions beyond 60 days would attract regulator scrutiny unless exceptional circumstances are documented.
The response clock begins when the controller has received both the request and sufficient information to verify the requester’s identity. If the controller asks for additional identity documentation, the clock pauses until the documents are received. Similarly, if the controller seeks clarification on the scope of the request, the clock pauses until the data subject responds.
For federal public bodies handling requests under the FoIA rather than the nFADP, a separate 20-day decision deadline applies. The EDÖB’s guidance on access to official documents sets out this timeline. Controllers in the public sector must therefore triage incoming requests to determine which deadline applies.
Extension notification template:
Dear [Name],
We are writing regarding your data access request (Reference [REF-XXXX]). Due to the complexity of your request, which involves data held across [number] systems and requires consultation with [third parties/processors], we require additional time to compile a complete response. We expect to deliver our response by [new date]. If you have questions, please contact [DPO contact details].
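As an added illustration (not code from the article, the EDÖB or Global Law Experts), the Python below models the response clock described above for a case-tracking system: 30 calendar days from identity verification, stopped while a clarification is outstanding, replaced by an extended deadline only if the extension was notified before the original period expired, and flagged when the total passes the 60-day mark the article mentions. The class and field names, and the choice to measure the 60 days from the day identity is verified, are assumptions of this example; all dates used with it are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

RESPONSE_DAYS = 30  # standard window in calendar days (not business days)
SCRUTINY_DAYS = 60  # article: extensions past this invite regulator scrutiny


@dataclass
class DsarCase:
    ref: str
    received: date                              # step 1: logged on receipt, any channel
    identity_verified: Optional[date] = None    # step 2: clock cannot start before this
    # step 3: clarification rounds as (sent, answered); answered=None means still outstanding
    pauses: list[tuple[date, Optional[date]]] = field(default_factory=list)
    extension_notified: Optional[date] = None   # date the extension notice went out
    extended_to: Optional[date] = None          # revised deadline given in that notice

    def due_date(self) -> Optional[date]:
        """30 days from identity verification plus completed pauses; None if clock not running."""
        if self.identity_verified is None:
            return None
        paused = timedelta(0)
        for sent, answered in self.pauses:
            if answered is None:
                return None                      # clock stopped until the requester replies
            start = max(sent, self.identity_verified)  # pauses before the clock ran add nothing
            if answered > start:
                paused += answered - start
        return self.identity_verified + timedelta(days=RESPONSE_DAYS) + paused

    def effective_deadline(self) -> Optional[date]:
        """Extension counts only if it was notified before the original period expired."""
        due = self.due_date()
        if due is None or self.extended_to is None or self.extension_notified is None:
            return due
        return self.extended_to if self.extension_notified < due else due

    def status(self, today: date) -> str:
        if self.identity_verified is None:
            return "clock not started: identity unverified"
        deadline = self.effective_deadline()
        if deadline is None:
            return "clock paused: clarification outstanding"
        days = (deadline - today).days
        return f"open: {days} days left" if days >= 0 else f"overdue by {-days} days"

    def scrutiny_flag(self) -> bool:
        """True when the effective deadline lies more than 60 days after the clock started."""
        deadline = self.effective_deadline()
        return (deadline is not None and self.identity_verified is not None
                and (deadline - self.identity_verified).days > SCRUTINY_DAYS)
```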
Under the nFADP, the right to information is exercised free of charge in the vast majority of cases. The EDÖB’s guidance confirms that controllers should not charge data subjects for responding to a DSAR. An exception exists where a request is manifestly unfounded or excessive, for example, where a data subject submits repeated identical requests without reasonable justification. In such cases, the controller may charge a reasonable fee or, in extreme circumstances, decline to act on the request. The controller bears the burden of demonstrating that a request meets this threshold.
| Item | Amount / Guidance | Notes |
|---|---|---|
| Statutory fee to data subject | Usually FREE | Charging permitted only for manifestly unfounded or excessive requests. |
| Internal processing, IT search and export | Variable (est. 8–30 staff hours) | Depends on number of systems, data volume, and format requirements. |
| Legal review and redaction | Variable | Higher for requests involving privileged material or third-party data. |
| Identity verification (certified copies) | Varies by notary | Cost typically borne by the requester where they choose certified copies. |
Compliance teams should build internal cost models for DSAR handling, budgeting for staff time, IT resources and legal review, even though these costs cannot ordinarily be passed to the data subject.
The revised FADP (nFADP), which entered into force on 1 September 2023, has been the governing framework for DSARs since that date. In 2026, the practical effects of the revised law are now fully embedded in regulator enforcement expectations. The EDÖB has indicated increased scrutiny of controllers that fail to meet the 30-day response standard or that apply statutory exemptions too broadly.
A significant development for cross-border DSARs is the Swiss–US Data Privacy Framework (DPF). The DPF provides a recognised transfer mechanism for personal data flows from Switzerland to participating US organisations. For DSAR fulfilment, this means that a Swiss controller whose data is processed or stored by a US-based processor participating in the DPF can require the processor to produce the data without needing to rely on supplementary transfer safeguards. Controllers should update their data-processing agreements and cross-border inventory to reflect DPF participation status.
Operationally, compliance teams should review their DSAR SOPs for 2026 to ensure they reflect the following updates: explicit cross-border data-flow mapping that accounts for DPF-certified processors; updated DPO responsibilities as articulated in the nFADP; and revised template language that references the current statutory provisions. The EDÖB’s published templates and guidance pages should be checked periodically, as the regulator updates its materials to reflect enforcement priorities.
The following templates and checklists are available for download to support your DSAR handling process:
To locate a qualified data privacy lawyer in Switzerland, consult the directory for practitioners experienced in nFADP compliance, cross-border DSARs and regulatory engagement with the EDÖB.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Alexandros Manousakis at Privintelligent Solutions, a member of the Global Law Experts network.