On 21 August 2025, the Federal Data Protection and Information Commissioner (FDPIC) announced that it had filed a criminal complaint against the Swiss company Add Conti GmbH, active in the marketing sector.
The case originated from several reports received from citizens, following which the FDPIC launched an investigation on 4 June 2025. As part of the proceedings, the authority requested the company to respond within 30 days to a specific questionnaire, clearly reminding it of the legal obligation to cooperate. This obligation provides for fines of up to CHF 250,000 in cases of intentional non-compliance.
Despite sending the request and receiving confirmation of its delivery, the FDPIC received no reply. A second deadline, granted as an extension, was also ignored by Add Conti GmbH. In light of this behaviour, on 14 August 2025, the authority decided to file a complaint for breach of the duty to cooperate.
According to the reports collected, the company allegedly gathered personal data of residents in Germany without their consent and made it available to German businesses for advertising purposes. Furthermore, Add Conti GmbH reportedly failed to respond both to access requests and to for data deletion requests.
Practical Considerations
1. Duty to cooperate with the authority
The Federal Act on Data Protection (FADP, Art. 49 et seq.) explicitly requires companies to cooperate with the FDPIC during investigations. Failure to do so—as in the case of Add Conti GmbH—not only undermines transparency in the proceedings but also constitutes a criminal offence, punishable by fines of up to CHF 250,000.
2. Principle of lawful data processing
The collection and processing of personal data must be carried out lawfully, proportionately, and transparently. If confirmed, the practices of Add Conti GmbH (collecting data without the knowledge or consent of data subjects and failing to respond to access/deletion requests) would represent direct violations of the fundamental principles enshrined in the FADP (Arts. 6–9).
3. Data subjects’ rights
Individual has the right to be informed about the use of their data, to access it, and, if necessary, to request its deletion. Failure to respond to such requests constitutes a serious violation and undermines trust in companies that handle personal information.
4. Extra-territorial application of the FADP
The case also involves German citizens. This demonstrates how digital marketing activities have international implications and how the FADP imposes strict obligations on companies operating across multiple markets.
Implications for Businesses
The case serves as a further reminder of the importance of transparency and compliance with data protection regulations, especially for companies operating internationally and handling sensitive information. Businesses must establish robust internal processes to manage requests for access, rectification, and deletion, and must bear in mind that non-cooperation with authorities not only exposes them to financial penalties but may also cause significant reputational damage.
For further guidance on how to implement these measures within your organisation, our team of consultants is available to support you.
