What is the nFADP?
The revised Swiss Federal Act on Data Protection (nFADP, or "neues Datenschutzgesetz" in German, nDSG) entered into force on 1 September 2023 and replaces the earlier Data Protection Act of 1992. It's strongly aligned with the EU GDPR but not identical — and this matters for Swiss SMEs.
Key points:
- It protects only natural persons (unlike before, when companies were also covered)
- It applies extraterritorially — foreign providers processing Swiss persons' data must also comply
- The supervisory authority is the FDPIC (Federal Data Protection and Information Commissioner)
- Fines of up to CHF 250,000 for violations (imposed on the responsible private individual), CHF 50,000 for companies; lower than under the GDPR
Where nFADP touches QR codes
If you as a Swiss SME use dynamic QR codes, two data protection aspects matter:
- What's captured on scan? (scan tracking)
- Where is data processed? (provider hosting)
Neither aspect is merely "nice to know": both have concrete legal consequences if a data breach occurs or a customer requests information.
Aspect 1: What may be captured on scan
Every scan of a dynamic QR code captures at minimum:
- IP address (at least temporarily for geolocation)
- Timestamp
- User-agent (device, browser, OS)
Which of this is "personal data"?
The IP address is considered personal data under nFADP (and GDPR) if it can be used to identify a person. For dynamic IPs from mobile networks, this is practically impossible — but legally it can still be classified as personal data.
What obligations arise?
If personal data are processed, you must:
- Inform (privacy policy)
- Apply data minimization — capture only what's needed
- Ensure purpose limitation — use scan data only for the original analysis
- Guarantee data security — encrypted transmission (HTTPS), secure storage
- Conclude a data processing agreement (DPA) with the QR code provider
How QRTool handles this
QRTool captures IP addresses only temporarily (for geolocation), hashes them immediately after lookup, and stores only country/city. There is no personally identifiable storage. A DPA is provided to paying customers on request.
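A sketch of the pattern described above (geolocate, hash, persist only country/city), as an added example that is not QRTool's code. The `ScanLog` class, the `GEO_TABLE` lookup, the per-day keyed HMAC and the hour-level timestamp are assumptions chosen for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed lookup table over RFC 5737 documentation ranges; stands in
# for a real GeoIP database (assumption).
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): ("CH", "Zurich"),
    ipaddress.ip_network("203.0.113.0/24"): ("DE", "Berlin"),
}

def geolocate(addr):
    for net, place in GEO_TABLE.items():
        if addr in net:
            return place
    return ("unknown", "unknown")

class ScanLog:
    """Hypothetical scan recorder: persisted rows hold no IP and no hash."""

    def __init__(self):
        self.rows = []       # what would be written to storage
        self._day = None
        self._key = b""
        self._seen = set()   # in-memory pseudonyms, used only to count unique scans

    def record(self, qr_id, ip, when):
        """Record one scan; `when` is a UTC datetime. The raw IP is never stored."""
        addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
        if when.date() != self._day:
            # New day: fresh random key and empty set, so pseudonyms from
            # different days cannot be linked or recomputed later.
            self._day, self._key, self._seen = when.date(), secrets.token_bytes(32), set()
        country, city = geolocate(addr)
        # Keyed HMAC instead of plain SHA-256: IPv4 has only 2**32 values,
        # so an unkeyed hash can be reversed by enumeration.
        tag = hmac.new(self._key, qr_id.encode() + b"|" + addr.packed,
                       hashlib.sha256).digest()
        unique = tag not in self._seen
        self._seen.add(tag)
        row = {"qr": qr_id, "hour": when.strftime("%Y-%m-%dT%H:00Z"),
               "country": country, "city": city, "unique": unique}
        self.rows.append(row)
        return row
```
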
Aspect 2: Hosting and data location
nFADP generally allows EU processing, because the EU is recognized as offering an "adequate level of protection". For the USA, this is not automatic. Data transfer to the USA is permitted only under specific conditions:
- EU-US Data Privacy Framework (comparable to former Privacy Shield)
- Standard Contractual Clauses (SCC) as contractual basis
- Binding Corporate Rules (BCR) for intra-group transfers
- Swiss equivalent to DPF (in force since 2024)
Which provider is therefore "nFADP-compliant"?
Three categories should be distinguished:
| Hosting location | nFADP status | Example provider |
|---|---|---|
| Switzerland | Fully compliant, no third-country transfer | QRTool |
| EU | Compliant with privacy policy + DPA | qr-code-generator.com, QRCodeMonkey (Bitly Europe Berlin) |
| USA | Only with Data Privacy Framework + DPA; higher overhead | Bitly, Uniqode, Beaconstac |
Swiss SMEs operating in regulated industries (banks, insurance, hospitals, public administration) typically choose Swiss hosting to avoid the data export entirely.
Concrete obligations for Swiss SMEs
1. Adjust your privacy policy
If you use dynamic QR codes with scan tracking, add at minimum:
- Who is the provider (name + location)
- Which data is collected (IP, time, device — if applicable)
- How long it is stored
- Where data is processed (Switzerland, EU, USA)
- Legal basis (legitimate interest, contract fulfillment)
2. Data processing agreement
For every provider processing data on your behalf, you need a DPA. With QRTool, this is provided on request.
3. Register of processing activities
Mandatory since 2023: an internal register of all data processing with purpose, data categories, recipients, and retention periods. QR code scans belong in there — even if they look anonymous.
4. Breach notification
If data is compromised, you must notify the FDPIC within a reasonable time; where there is "high risk" to affected persons, you must also inform them. So: choose only providers with demonstrable security.
What you legally have to do as a controller
Even if you're just a customer of a QR code provider, you remain legally responsible under data protection law. Concretely that means:
- Vet the provider — location, hosting, security, certifications
- Sign a contract — DPA with clear task allocation
- Conduct a Data Protection Impact Assessment (DPIA) if processing involves "high risk" for those affected (rarely needed for pure scan tracking)
Frequently asked questions
Do I need a cookie banner for a QR code with tracking?
Not necessarily. If no personal data is processed directly (only anonymous aggregates) and no cookies are set, no banner is required. On the target webpage, the usual cookie rules of your own analytics tool apply.
What's the difference between nFADP and GDPR?
Practically, the two are similar. Notable differences: nFADP protects only natural persons, has lower fines, and different bureaucracy. Anyone GDPR-compliant is usually also nFADP-compliant — but not necessarily vice versa.
What if I have customers outside Switzerland?
If you process EU citizens' data, GDPR also applies. Both laws are compatible, and the safest approach is to follow the stricter rule.
Are QR code providers automatically processors?
Yes — if they capture and analyze scan data on your behalf, they are processors (Art. 5 lit. k nFADP). A DPA is legally required.
What does nFADP compliance cost?
For most Swiss SMEs, the additional effort is minor: adjust privacy policy (one-time 2–4 hours), DPA with provider (free), maintain register of processing (hours per quarter). Real effort starts when data is transferred to unsafe third countries or large data volumes are processed.
Verdict
For Swiss SMEs, nFADP isn't a hurdle but a clear orientation framework: anyone choosing a provider with Swiss hosting, anonymized tracking data, and a properly maintained privacy policy and DPA is on the safe side. Anyone betting on US providers takes on additional compliance obligations and should think hard about whether that brings more than a Swiss provider would.