The Federal Data Protection and Information Commissioner (FDPIC) has published his 2024/2025 activity report. The accompanying press release is headlined ‘Increased intervention against data protection violations and new highs in access requests under the Freedom of Information Act’ and gives a widely noted overview of digitalisation and fundamental rights, covering the public sector (judiciary, police, security and health) as well as business and society. In the private sector, the following topics stand out in particular:
Cyberattack on OneLog: Risks associated with login solutions
The FDPIC documents a targeted cyberattack on the OneLog login platform. The incident shows that centralised, cloud-based authentication services are attractive targets for attackers: a single compromised identity provider can affect thousands of private individuals at once. The report calls for strict security and incident response processes at identity providers. Those responsible not only have a duty to report data security breaches to the FDPIC (Art. 24 para. 1 FADP); they must also keep the FDPIC continuously informed about the measures taken and the next steps.
Duty of representation (Art. 14 FADP): Clear responsibility in the private sector
Art. 14 FADP requires private controllers domiciled or resident abroad to designate a representative in Switzerland if they process personal data of persons in Switzerland and the processing is connected with offering goods or services in Switzerland or monitoring the behaviour of persons in Switzerland, is extensive, is regular and poses a high risk to the data subjects. In practice this can apply, for example, to operators of online platforms or community services. The representative is not a compliance officer; it serves as the point of contact for data subjects and for the FDPIC, keeps a register of the processing activities and provides information on request, and the controller must publish its name and address. This strengthens the traceability of data protection-relevant processing.
BPS Legal offers representation in accordance with Art. 14 FADP, possibly in combination with the role of Swiss data protection advisor in accordance with Art. 10 FADP. Please feel free to contact us.
Cross-platform tracking: on the watchdog’s radar
Particularly relevant for online marketing: the FDPIC is focusing on cross-platform tracking, e.g. by means of cookies or fingerprinting. The FDPIC notes that such methods in the private sector often operate in a legal vacuum and calls for clear rules on transparency, consent and documentation. Without suitable technical and organisational measures, operators risk fines and reputational damage. Website and app operators that use third-party services and third-party cookies must observe their information obligations, the rights of the data subjects and the allocation of responsibilities between the parties involved.
Data protection is becoming part of the corporate culture
In the 2024/2025 activity report, the FDPIC shows that data protection is being taken increasingly seriously in the private sector. From cloud security to tracking regulation, the rising numbers of interventions and access requests speak for themselves. For platform operators, SMEs and private individuals, proactive legal advice is more important than ever to create legal certainty and trust. The full report is available from the FDPIC at: https://backend.edoeb.admin.ch/fileservice/sdweb-docs-prod-edoebch-files/files/2025/07/01/de77df3c-8cdb-4a72-9109-6783d8218fbc.pdf
Contact us for non-binding advice on data protection law and digitalisation.
FAQ: Questions and answers on data protection for SMEs and platform operators
The incident shows that a centralised login service concentrates risk: a single compromise can affect the users of all connected services. Platform operators must protect their authentication processes accordingly, with strong passwords, two-factor authentication and a functioning security and incident management system. Data security breaches must also be reported quickly.
Companies based abroad that process personal data of persons in Switzerland extensively, regularly and with a high risk for the data subjects, in connection with offering goods or services or monitoring behaviour in Switzerland, must designate a data protection representative in Switzerland (Art. 14 FADP). Smaller operators of websites or platforms may also be affected, for example if they regularly process data of Swiss users on a large scale. The representative's name and address must be published, typically in the privacy notice.
Anyone who tracks user behaviour across different websites and devices requires the explicit consent of the data subjects. The use of cookies, pixels or fingerprinting tools without clear consent is contrary to data protection law. SMEs need to review and adapt their cookie banners and tracking processes both technically and legally.
If a company carries out particularly risky data processing, such as systematic tracking, profiling or the processing of health data, a data protection impact assessment (DPIA) is often required. The FDPIC's latest report shows an increase in the number of checks it carries out on data controllers. SMEs should clarify at an early stage whether a DPIA is necessary, in order to avoid subsequent legal consequences.
The Data Protection Act requires data security breaches that are likely to result in a high risk for the data subjects to be reported to the FDPIC as soon as possible (Art. 24 FADP). Delayed or incomplete reporting can be considered a breach of duty. SMEs should establish clear internal reporting processes so that a breach is detected, assessed and escalated without delay.