Reporting a personal data breach (DataBreach)
Personal data breaches (also known as “data breaches”) must be reported to the FDPIC when the new Federal Act on Data Protection (FADP) comes into force on September 1st 2023 if they are likely to result in a high risk for the personality or the fundamental rights of the data subjects.
Until the entry into force of the new Federal Act on Data Protection FADP on September 1st 2023, reporting to the FDPIC is voluntary. Reports received by the FDPIC via the online form until that date will be handled on the basis of the Data Protection Act currently in force.
The FDPIC provides the data controllers with an online form with which they reports can be submitted in a digital and secure manner. After submitting the report, the data controller can download a confirmation with the submitted data.
Only personal data breaches that result in the unintentional or wrongful loss, deletion, destruction or alteration of personal data, or made accessible or disclosed to unauthorised persons, and that are likely to result in a high risk to the personality or fundamental rights of the data subjects must be reported.
If it is necessary for the protection of the data subjects, the data controllers must inform them of the personal data breach.
Further information on notifications is available on the online form. The form is reserved exclusively for notifications by data controllers; data subjects should use the contact form to contact the FDPIC.
Last modification 17.04.2023