The GDPR explained in brief
The General Data Protection Regulation (GDPR) is the central framework governing the handling of personal data in the EU. It sets the rules for how data must be processed, stored, and deleted—with the aim of protecting the privacy of natural persons. Especially in recruiting, where sensitive information is processed daily, this is a crucial issue.
Key principles of the GDPR:
- Right of access, rectification, and erasure
- Privacy by Design: Data protection is integrated into the system architecture from the outset.
- Privacy by Default: Data protection is enabled by default—without users having to take action.
- Purpose limitation & storage limitation: Application data may only be stored as long as it is truly needed.
Personal Data
But what exactly are personal data? And how long can they be stored? Personal data refers to any information that relates to an identified or identifiable natural person. In other words, any data that can be (even indirectly) assigned to a person—such as their name, phone number, or bank details. A distinction is made between general and special categories of personal data: Special personal data such as genetic, biometric, or ethnic information enjoy a higher level of protection. Personal data may only be stored as long as they serve a specific purpose. This is prescribed by the principle of storage limitation. This also applies, for example, to job applications: When storing an application from a natural person from the EU, personal data are being processed.
The GDPR in Switzerland: Who is affected?
In principle, the Swiss Federal Act on Data Protection (FADP) applies in Switzerland. However, Swiss companies must also engage with the GDPR—especially if they maintain business relationships with the EU based on the marketplace principle. Internal processes, contracts, policies, and privacy notices should therefore be thoroughly reviewed. The consequence: As soon as Swiss companies receive and process personal data from natural persons in the EU, they must comply with the EU GDPR. This is particularly relevant in the context of goods and/or services, or when tracking the behavior of individuals. Does the company have a branch in the EU? Is there a client in the EU involved? Or does a Swiss company process personal data on behalf of an EU-based business? In these cases, GDPR rules also apply in Switzerland, along with an adequacy decision.
If a company in Switzerland is affected by the GDPR because there is a clear intent to engage in trade, the following obligations apply:
- Informing the data subject and obtaining their consent to data processing
- Guaranteeing “Privacy by Design” and “Privacy by Default”
- Appointing a data protection representative in the EU
- Reporting data breaches to the supervisory authority
- Conducting a Data Protection Impact Assessment (DPIA)
Data protection officers in Switzerland for the GDPR
Whether internal or external: A competent person who manages data protection is worth their weight in gold—especially in recruiting. They can define, review, and coordinate the necessary processes. If your company is subject to the GDPR, you will also need an official representative based in an EU member state as a point of contact for supervisory authorities and data subjects.
GDPR violations: severe penalties possible
In the case of serious breaches, fines of up to 4% of global annual turnover or up to 20 million euros can be imposed—whichever amount is higher. And this is no mere theory: there are already court rulings—even in a recruiting context. For example, one company was fined for mistakenly sending application data to third parties without promptly informing the affected candidate. Even Googling candidates without transparent notice can violate the GDPR. So, companies are well advised to handle applicant data with extreme care.

Conclusion: GDPR also affects Swiss companies
Swiss companies that process personal data of EU citizens may fall under the GDPR if their offering specifically targets the EU market—under the marketplace principle.
This means: Even if a company is based in Switzerland, violating the GDPR can have serious financial and reputational consequences—especially if applicant or employee data are not properly protected or processed. In recruiting, where sensitive data flows in daily, clean and compliant data processing is essential. Data protection is no longer a “nice-to-have” but a business-critical issue that plays a strategic role—and should be tackled proactively.
Even if your company is based in Switzerland, under certain conditions it is still obligated to comply with the GDPR. It is therefore worth reviewing your current situation and processes, raising staff awareness, and increasing data protection standards—particularly in recruiting.
Not sure where to start? Our e-recruiting solution fully maps all processes from application to deletion in complete compliance with the GDPR—including consent management, transparent communication, and automated deletion deadlines.