Since the entry into force of the new LPD (nFADP) and the strengthening of the powers of the Federal Data Protection and Information Commissioner (PFPDT), the climate has changed in Switzerland. Audits are no longer science fiction.
A simple complaint from an unhappy customer ("I can't unsubscribe"), a whistleblower from a competitor, or a minor data leak can trigger an administrative investigation.
Unlike the European GDPR, which penalizes the company (fines calculated as a percentage of revenue), the Swiss nFADP targets the personal criminal liability of executives (fine up to CHF 250,000 against the individual).
If the PFPDT knocks on your door tomorrow morning, they will not ask if you have "tried" to be compliant. They will ask for proof. Here are the 5 technical documents you must be able to produce within 48 hours.
1. The Processing Activities Register (Data Mapping)
This is fundamental. You need to know what data you collect, why, and where it goes.
The PFPDT's question: "Prove to me that you have control over your data flows."
What to provide: A comprehensive and up-to-date inventory.
Bad answer: "We use Google Analytics and Facebook, I think."
Good answer: A document listing each tool (Tag), the category of data (IP, Email, Behavior), the purpose (Marketing, Stats), the retention period, and the hosting location.
A-Track tip: A static Excel file created in 2023 is no longer sufficient. Your register must reflect the current technical reality of your site (which changes with each update).
2. The Consent Logs (CMP Logs)
Having a cookie banner on your site proves nothing. The PFPDT will want to verify that the banner actually works.
The PFPDT's question: "How do you prove that Mr. Dupont accepted advertising tracking on January 12, 2026, at 2:02 PM?"
What to provide: An extract of the logs from your CMP (Consent Management Platform). This file contains:
The consent ID (anonymous).
The date and time (Timestamp).
The version of the accepted privacy policy.
The details of the accepted categories (Marketing: YES, Stats: NO).
If you are using a free or poorly configured plugin that does not store these logs, you are legally exposed.
3. The Data Protection Impact Assessment (DPIA) for Transfers Outside Switzerland
If you use American tools (Google Ads, Meta, Mailchimp) or Chinese tools (TikTok), you are exporting data of Swiss citizens to countries deemed "inadequate" (unless under a specific DPF framework).
The PFPDT's question: "What technical measures have you taken to protect these transferred data?"
What to provide: Technical documentation proving that you minimize the risk. This is where Server-Side Tracking becomes your best advocate. It allows you to prove that you have:
Anonymized IP addresses before sending.
Hashed (pseudonymized) emails.
Blocked the sending of sensitive data.
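As an added illustration (not A-Track's code and not part of the original article), the three measures listed above can be applied in a server-side relay before an event is forwarded to a third party. The field names, deny-list and key are assumptions, and the email pseudonym uses a keyed hash (HMAC-SHA-256) instead of a bare hash, because a bare hash of an email address can be reversed by dictionary lookup.

```python
import hashlib
import hmac
import ipaddress

# Assumptions for this example: the key, deny-list and field names are hypothetical.
PSEUDONYM_KEY = b"constructed-demo-key"  # constructed; load from a secret store in practice
BLOCKED_FIELDS = {"health", "religion", "iban", "password"}  # hypothetical deny-list


def anonymize_ip(raw: str) -> str:
    """Zero the host bits: keep the /24 of an IPv4 address, the /48 of an IPv6 one."""
    addr = ipaddress.ip_address(str(raw).strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # treat ::ffff:a.b.c.d as the IPv4 address it carries
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymize_email(email: str) -> str:
    """HMAC-SHA-256 of the trimmed, lower-cased address."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(PSEUDONYM_KEY, normalized, hashlib.sha256).hexdigest()


def sanitize_event(event: dict) -> dict:
    """Return the payload allowed to leave the server, with a record of what was dropped."""
    out, dropped = {}, []
    for key, value in event.items():
        if key in BLOCKED_FIELDS:
            dropped.append(key)
        elif key == "ip":
            try:
                out["ip"] = anonymize_ip(value)
            except ValueError:
                dropped.append(key)  # unparseable address: drop it, never forward it raw
        elif key == "email":
            out["email_hash"] = pseudonymize_email(value)
        else:
            out[key] = value
    out["_sanitizer"] = {"dropped": sorted(dropped)}
    return out


# Constructed sample event (documentation IP range, example.com mailbox).
SAMPLE = {"event": "purchase", "ip": "203.0.113.77", "email": " Jean.Dupont@Example.com ",
          "health": "asthma", "value": 49.90}

if __name__ == "__main__":
    print(sanitize_event(SAMPLE))
```

Storing the `_sanitizer` record alongside the outbound request log gives a per-event trace of which fields were withheld.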
4. Proof of
Are you unsure if you have these 5 documents?
A-Track conducts "White Audits" (Mock Audit). We act as the PFPDT, we test your compliance, and we deliver the proof file ready to be presented.