On February 6, 2025, the EDÖB – PFPDT – IFPDT published a new guide on notifying data security breaches and informing the affected individuals (data breach notification), in accordance with Article 24 of the Federal Data Protection Act (LPD).
Key guidelines
1. Reporting security breaches to the IFPDT
• Notification subject
Description of the breach: nature, duration, scope, and consequences.
The IFPDT uses this information to assess possible actions to protect the affected individuals.
• Obligation to notify
Notification must be sent without delay if the breach is likely to entail a high risk to the personality or fundamental rights of the individuals concerned.
The notification must include all required information (Article 15 OPDa).
If the IFPDT learns of the breach from other sources, it may order the controller to submit the notification after the fact.
• Right to communicate
Voluntary notifications can be made for breaches that do not present a high risk (these are not submitted through the portal), especially when there is strong public or media interest.
• Submission of notification
Mandatory notifications must be sent via the official portal.
• Criteria for “High Risk”
- Severity of consequences (data sensitivity, type of breach, impact on affected individuals).
- Likelihood of consequences (the data controller should not wait for certainty before notifying).
• Sanctions
There is no direct sanction for failing to notify; however, non-compliance with the minimum data security requirements can lead to criminal penalties (Article 61(c) LPD).
2. Information to affected individuals
• Obligation to inform
Affected individuals must be informed when this is necessary for their protection (e.g., so they can change a password or block a credit card) or when the IFPDT orders it.
The IFPDT may also order such communication for reasons of public interest.
• Methods of information
Communication should be clear and understandable.
As a rule, individuals must be informed individually.
• Sanctions for failure to inform
The IFPDT can order the controller to inform the affected individuals even after the fact, in addition to other administrative measures.
This guide clarifies the responsibilities of organizations in the case of a data breach and emphasizes the importance of a proactive approach to security and transparency.