How to Make a Subject Access Request (DSAR) in Switzerland, Step-by-step Process, Timelines & Templates (2026)

By Global Law Experts
– posted 1 hour ago

Under the revised Swiss Federal Act on Data Protection (nFADP), every natural person has the right to request access to the personal data a controller holds about them, a right commonly exercised through a data subject access request, or DSAR. The subject access request procedure in Switzerland in 2026 places clear obligations on both private-sector controllers and federal public bodies: acknowledge the request, verify identity, locate the data, and deliver a response within a defined timeframe. This guide sets out the complete operational process for data protection officers, in-house counsel and compliance teams who need to receive, handle and close DSARs in line with the nFADP and guidance published by the Swiss Federal Data Protection and Information Commissioner (EDÖB/FDPIC).

Whether you are building a DSAR standard operating procedure from scratch or updating an existing one for 2026 compliance, the numbered steps, timeline tables, document checklists and ready-to-use templates below provide a practitioner-ready framework.

Overview of the Subject Access Request Process and Who It Applies To

A subject access request in Switzerland is a formal exercise of the right to information guaranteed by Article 25 nFADP. Any data subject (an employee, customer, prospective client or any other individual) may ask a controller to confirm whether personal data concerning them is being processed and, if so, to provide the categories of data held, the purpose of processing, retention periods, the recipients or categories of recipients to whom data has been disclosed, and the source of the data if it was not collected directly from the subject.

The obligation applies to private-sector controllers (companies, associations, sole traders) and federal public bodies. Cantonal authorities are subject to their own cantonal data protection legislation, although the principles are substantially similar. The EDÖB publishes sample DSAR letter templates on its official Right to Information page, and these provide a reliable starting point for both data subjects making requests and controllers structuring their responses.

On receipt of a DSAR, the controller must act without undue delay. In practice, this means the response clock starts the moment a valid, identity-verified request is received. The six-step procedure below translates the statutory obligation into an operational workflow that compliance teams can adopt directly.

Eligibility and Prerequisites

The right to information under the nFADP is available to natural persons. Legal entities do not hold an equivalent right under Swiss data protection law. A data subject need not be a Swiss citizen or resident to exercise the right: any natural person whose data is processed by a Swiss controller (or a controller otherwise subject to the nFADP) may submit a request. This is particularly relevant for multinational organisations with customers or employees outside Switzerland.

A data subject may appoint a representative to submit a DSAR on their behalf. In such cases, the representative must provide a signed power of attorney or, if an attorney-at-law, a signed mandate. Parents or legal guardians may exercise the right on behalf of minors or persons under guardianship.

For federal public bodies, the subject access request procedure may overlap with the Federal Act on Freedom of Information in the Administration (FoIA). Where a request concerns official documents rather than personal data, the FoIA procedure, administered separately by the EDÖB, applies with its own deadlines. Controllers in the public sector should triage incoming requests early to determine whether the nFADP or the FoIA governs the response. The EDÖB’s guidance on access to official documents provides the relevant criteria.

There are no formality requirements for a DSAR under the nFADP: a request may be submitted in writing (letter or email), orally, or via an online portal if the controller offers one. However, controllers are entitled to verify the identity of the requester before disclosing any personal data.

Step-by-Step DSAR Procedure Under the nFADP

The following six steps represent the operational sequence for handling a DSAR in Switzerland. The timeline table below summarises each step, the responsible function, and typical duration. All steps should be completed within the overall 30-day response window in standard cases.

| Step | Who Does It | Typical Duration |
|---|---|---|
| 1. Acknowledge receipt and log request | DPO / Privacy Ops | Within 1–3 business days |
| 2. Verify identity and authority | DPO / Privacy Ops | 0–7 calendar days (up to 14 days if documents needed) |
| 3. Clarify and scope request | DPO + Requester | 7–14 days for clarification (pauses response clock) |
| 4. Locate and collect data across systems | IT, Records Owners, Processors | 7–21 days (varies by volume and system complexity) |
| 5. Review, redact, and conduct legal review | Legal, DPO | 3–14 days (risk-based) |
| 6. Deliver response securely and record completion | DPO / Legal | Deliver within 30 days total; extend and notify if complex |

Step 1: Receive and Acknowledge the DSAR

As soon as a DSAR is received, regardless of the channel (email, letter, portal, verbal), the DPO or designated privacy function should log the request in a case-tracking system. Record the date of receipt, the requester’s name and contact details, the scope of the request, and assign a unique reference number. Acknowledge receipt within one to three business days using a standard acknowledgement template.

Sample acknowledgement email:

Subject: Acknowledgement of your data access request – Reference [REF-XXXX]

Dear [Name],

We confirm receipt of your request for access to your personal data, received on [date]. Your request has been assigned reference number [REF-XXXX]. We will respond within 30 days from the date we have verified your identity. If we require additional information, we will contact you promptly.

Kind regards, [Controller name / DPO contact]

Step 2: Verify Identity and Authority

Before disclosing any personal data, the controller must verify the requester’s identity. Acceptable documents typically include a government-issued photo ID (passport or identity card) and, where necessary, a proof of address issued within the last three months. If the request is submitted by a representative, a signed power of attorney or attorney mandate must accompany the request. Where identity cannot be confirmed from the documents provided, the controller may ask for additional verification. This does not constitute a refusal, but the response clock does not begin until identity is satisfactorily established.

Step 3: Scope the Request and Manage Breadth

Overly broad or ambiguous requests are common. The nFADP does not require a data subject to specify particular datasets or time ranges, but controllers may seek clarification to ensure the response is targeted and efficient. Contact the requester to narrow the scope if the request covers multiple systems, decades of records, or categories of data that span different business units. Document the clarification exchange. The period during which clarification is outstanding pauses the response clock.

Step 4: Locate, Collect, and Export Data

IT teams and records owners should search all relevant systems: CRM platforms, HR systems, email archives, paper files, backup media, and any third-party processors. Where personal data is held by a processor (including a processor located outside Switzerland), the controller remains responsible for ensuring the data is included. For organisations with cross-border data flows, particularly those relying on the Swiss–US Data Privacy Framework, confirm that the transfer mechanism covers disclosure back to the controller for DSAR fulfilment and that no local blocking statutes prevent production.

Step 5: Review, Redact, and Conduct Legal Review

Before delivering the response, legal counsel should review the compiled dataset. Redact personal data of third parties unless the third party has consented or disclosure is otherwise lawful. Identify any statutory exemptions that may apply: Article 26 nFADP permits restrictions on the right to information where disclosure would compromise an overriding private interest of a third party, the controller’s own overriding interest, or a public interest (particularly law enforcement or regulatory investigations). Privileged material (legal professional privilege, litigation privilege) should be flagged and, where appropriate, withheld with an explanation.

Common DSAR refusal grounds include: the request is manifestly unfounded or excessive (e.g., repeated identical requests within a short period); statutory exemptions under Article 26 nFADP apply; or the data is processed exclusively for archiving purposes in the public interest. When refusing in whole or in part, the controller must provide reasons in writing.

Sample partial-refusal wording:

We have provided all personal data to which you are entitled under Article 25 nFADP. Certain records have been withheld or redacted under Article 26 nFADP because disclosure would compromise the overriding private interests of third parties. You have the right to seek mediation from the EDÖB or to bring proceedings before the competent court.

Step 6: Respond, Deliver Securely, and Record Completion

Deliver the response in a commonly used electronic format (such as PDF) via a secure channel. Where the data subject has requested physical copies, send by registered post. Retain proof of delivery. Update the case-tracking system with the date of response, the scope of data disclosed, any redactions applied, and the legal basis for any refusal. Inform the data subject of their right to seek recourse through the EDÖB or the courts if they are dissatisfied with the response.

Sample DSAR letter for Switzerland (for data subjects):

To: [Controller name and address]

From: [Full name, address, email]

Date: [Date]

Subject: Request for access to personal data under Article 25 nFADP

I request access to all personal data you hold about me, including but not limited to: the categories of data processed, the purposes of processing, the retention periods, and any recipients to whom my data has been disclosed. Please also inform me of the source of any data not collected directly from me. I enclose a copy of my [passport/ID card] for identity verification. Please respond within 30 days as required by the nFADP.

Yours faithfully, [Signature]

Documents Needed for a DSAR in Switzerland

The documents needed for a DSAR vary slightly depending on who is making the request and the sensitivity of the data involved. The table below sets out the standard checklist that controllers should require and data subjects should be prepared to provide.

| Document | Notes |
|---|---|
| Government photo ID (passport or identity card) | Issued by a national authority. Photocopy or secure eID accepted. Must confirm name and date of birth. Electronic identity (e-ID) accepted where supported by the controller. |
| Proof of address (utility bill or bank statement) | Issued within the last 3 months. Supports identity verification where the name alone is insufficient. |
| Account or customer identifier | Customer number, account number, or registered email address. Helps scope the search across internal systems. |
| Power of attorney or written authorisation (if representative) | Signed and dated. If submitted by an attorney-at-law, include a signed mandate. Certified copy may be requested for high-risk disclosures. |
| Additional identity verification for high-risk requests | Notarised or certified copies, or in-person verification, may be required where the request concerns sensitive personal data (e.g., health, biometric, or criminal records). |

Overseas applicants should note that controllers may request apostilled or certified copies of identity documents where standard verification is not possible remotely. In practice, many controllers accept a clear colour scan of a passport data page sent via an encrypted channel.

FADP DSAR Timeline and Key Deadlines

The nFADP requires controllers to provide the requested information within 30 days of receiving a valid, identity-verified request. The EDÖB’s guidance on the right to information confirms this as the standard operational benchmark. This 30-day period is measured in calendar days, not business days.

Where a request is particularly complex (for example, where it involves large volumes of data, multiple systems, or consultations with third parties), the controller may extend the response period. In such cases, the controller must notify the data subject of the extension, the reasons for it, and the revised deadline before the original 30-day period expires. Industry observers expect that extensions beyond 60 days would attract regulator scrutiny unless exceptional circumstances are documented.

The response clock begins when the controller has received both the request and sufficient information to verify the requester’s identity. If the controller asks for additional identity documentation, the clock pauses until the documents are received. Similarly, if the controller seeks clarification on the scope of the request, the clock pauses until the data subject responds.

For federal public bodies handling requests under the FoIA rather than the nFADP, a separate 20-day decision deadline applies. The EDÖB’s guidance on access to official documents sets out this timeline. Controllers in the public sector must therefore triage incoming requests to determine which deadline applies.

Extension notification template:

Dear [Name], We are writing regarding your data access request (Reference [REF-XXXX]). Due to the complexity of your request, which involves data held across [number] systems and requires consultation with [third parties/processors], we require additional time to compile a complete response. We expect to deliver our response by [new date]. If you have questions, please contact [DPO contact details].

DSAR Fees in Switzerland: Costs and Financial Considerations

Under the nFADP, the right to information is exercised free of charge in the vast majority of cases. The EDÖB’s guidance confirms that controllers should not charge data subjects for responding to a DSAR. An exception exists where a request is manifestly unfounded or excessive, for example, where a data subject submits repeated identical requests without reasonable justification. In such cases, the controller may charge a reasonable fee or, in extreme circumstances, decline to act on the request. The controller bears the burden of demonstrating that a request meets this threshold.

| Item | Amount / Guidance | Notes |
|---|---|---|
| Statutory fee to data subject | Usually FREE | Charging permitted only for manifestly unfounded or excessive requests. |
| Internal processing, IT search and export | Variable (est. 8–30 staff hours) | Depends on number of systems, data volume, and format requirements. |
| Legal review and redaction | Variable | Higher for requests involving privileged material or third-party data. |
| Identity verification (certified copies) | Varies by notary | Cost typically borne by the requester where they choose certified copies. |

Compliance teams should build internal cost models for DSAR handling, budgeting for staff time, IT resources and legal review, even though these costs cannot ordinarily be passed to the data subject.

What Changes in 2026 for the Subject Access Request Procedure in Switzerland

The revised FADP (nFADP), which entered into force on 1 September 2023, has been the governing framework for DSARs since that date. In 2026, the practical effects of the revised law are now fully embedded in regulator enforcement expectations. The EDÖB has indicated increased scrutiny of controllers that fail to meet the 30-day response standard or that apply statutory exemptions too broadly.

A significant development for cross-border DSARs is the Swiss–US Data Privacy Framework (DPF). The DPF provides a recognised transfer mechanism for personal data flows from Switzerland to participating US organisations. For DSAR fulfilment, this means that a Swiss controller whose data is processed or stored by a US-based processor participating in the DPF can require the processor to produce the data without needing to rely on supplementary transfer safeguards. Controllers should update their data-processing agreements and cross-border inventory to reflect DPF participation status.

Operationally, compliance teams should review their DSAR SOPs for 2026 to ensure they reflect the following updates: explicit cross-border data-flow mapping that accounts for DPF-certified processors; updated DPO responsibilities as articulated in the nFADP; and revised template language that references the current statutory provisions. The EDÖB’s published templates and guidance pages should be checked periodically, as the regulator updates its materials to reflect enforcement priorities.

Common Pitfalls and How to Avoid Them

  • Failing to log the request on day of receipt. Without prompt logging, response deadlines are missed and audit trails are incomplete. Use a centralised case-tracking system with automated deadline alerts.
  • Delayed identity verification. Waiting weeks to request ID wastes calendar time. Ask for identity documents in the acknowledgement email.
  • Over-redaction of response data. Redacting more than is necessary under Article 26 nFADP risks a justified complaint to the EDÖB. Apply redactions narrowly and document the legal basis for each.
  • Missing third-party personal data in the response. Failing to include all categories of personal data held, including metadata, logs and notes, is a frequent compliance gap. Conduct a comprehensive system-by-system search.
  • Failing to notify processors. When data is held by processors, the controller must ensure timely collection. Issue processor instructions early in the process.
  • Mishandling cross-border requests. Assuming data stored abroad is outside scope, or failing to verify transfer mechanisms, creates legal risk. Map cross-border data flows before DSARs arrive.
  • Charging without justification. Imposing a fee on a standard DSAR breaches the nFADP. Only charge where the request is genuinely manifestly unfounded or excessive, and document the reasoning.
  • Failing to use templates. Ad hoc responses increase error rates and inconsistency. Adopt standardised templates for acknowledgement, response, and refusal.
  • Unclear scope communication. Not asking for clarification on vague requests leads to over-production or under-production of data. Seek clarification early and in writing.
  • No record of delivery. Without proof that the response was delivered, the controller cannot demonstrate compliance. Use registered post or secure electronic delivery with read receipts.

Appendix: Downloadable Templates and Checklists

The following templates and checklists are available for download to support your DSAR handling process:

  • DSAR letter template (for data subjects). Plain-text and PDF versions of a sample subject access request letter based on Article 25 nFADP.
  • Acknowledgement email template. Standard acknowledgement for controllers to send within 1–3 business days of receipt.
  • Refusal / partial refusal templates (3 variants). Templates covering full refusal (manifestly unfounded), partial refusal (Article 26 exemption), and extension notification.
  • Identity verification checklist (printable). A one-page checklist of acceptable identity documents, representative authorisation requirements, and escalation steps for high-risk requests.

To locate a qualified data privacy lawyer in Switzerland, consult the directory for practitioners experienced in nFADP compliance, cross-border DSARs and regulatory engagement with the EDÖB.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Alexandros Manousakis at Privintelligent Solutions, a member of the Global Law Experts network.

Sources

  1. Swiss Federal Data Protection and Information Commissioner (EDÖB), Right to Information
  2. Federal Act on Data Protection (FADP / nFADP), Official Text
  3. Swiss Federal Council / Federal Chancellery, nFADP Guidance
  4. Swiss–US Data Privacy Framework, Official Announcement (U.S. Department of Commerce)
  5. EDÖB, Access to Official Documents

FAQs

How do I make a subject access request in Switzerland?
Write to the controller (the organisation that holds your data) requesting access to all personal data held about you under Article 25 nFADP. Include your full name, contact details, a copy of your government-issued photo ID, and any account or reference numbers that help identify your records. The EDÖB publishes sample DSAR letter templates on its Right to Information page. You may submit the request by letter, email, or online portal.
The standard response period is 30 calendar days from the date the controller has verified the requester’s identity. If the request is complex, the controller may extend this period but must notify the data subject of the extension and the revised deadline before the original 30 days expire.
At a minimum, include a clear copy of a government-issued photo ID (passport or identity card). A proof of address issued within the last three months may also be requested. If a representative submits the request, include a signed power of attorney or attorney mandate.
DSARs are free of charge in the vast majority of cases. A controller may charge a reasonable fee or decline to act only where the request is manifestly unfounded or excessive. Partial refusal is permitted under Article 26 nFADP where disclosure would compromise overriding private interests of third parties, the controller’s own interests, or a public interest. Reasons for any refusal must be provided in writing.
Non-Swiss residents may submit a DSAR to any controller subject to the nFADP. The same procedure applies. Overseas applicants may need to provide certified or apostilled copies of identity documents, and may appoint a representative with a valid power of attorney.
If the controller fails to respond within the applicable timeframe, the data subject may escalate the matter to the EDÖB by filing a complaint. The data subject may also bring proceedings before the competent Swiss court. The EDÖB has the authority to investigate and recommend corrective measures. Persistent non-compliance may result in administrative sanctions.