On June 26, 2026, Switzerland's Federal Data Protection and Information Commissioner (FDPIC) published a binding ruling against Cream della Cream Switzerland GmbH and Philipp Plein International AG, finding both companies violated the new Federal Act on Data Protection (nFADP / DSG) by continuing to use customers' email addresses and phone numbers for marketing after explicit objections — and, in multiple documented cases, after formally confirming to those customers that their data had been deleted.
The ruling, dated April 17, 2026, is the fourth formal binding decision issued under the nFADP since it entered force on September 1, 2023. It represents the most egregious category of data protection violation: not a technical lapse or a contested balancing test, but a direct breach of a factual representation made to customers about the fate of their personal data.
What Happened
The FDPIC opened formal investigation proceedings under Article 49 DSG after receiving multiple consumer complaints about plein.com, the luxury fashion brand's e-commerce platform. The investigation established a clear pattern: customers who had purchased from the site and subsequently objected to the marketing use of their data — email addresses and phone numbers collected at checkout — received formal confirmation that the data had been deleted. Marketing communications then continued regardless.
The commissioner found violations of three DSG provisions. Article 6 DSG establishes foundational data processing principles, including lawfulness and good faith (Treu und Glauben). The ruling characterises the gap between confirmed deletion and continued marketing as a manifest breach of the good faith principle. Article 30(2)(b) DSG establishes the right to request erasure and to object to processing; both rights were exercised and ignored. Article 31 DSG, which lists justifications that can override a data subject's objection — consent, overriding legitimate interest, legal obligation — offered the companies no escape. The FDPIC found no valid justification for the continued marketing processing.
The FDPIC ordered both companies to immediately cease all marketing-related processing for individuals who had objected, to honour deletion requests, and to refrain from further processing of data belonging to those who had exercised their rights — under explicit criminal penalty threat (Strafandrohung). Neither company participated in the proceedings. The ruling became legally binding after the standard appeal period elapsed.
The Strongest Case for Regulation
Before examining the enforcement architecture, the conduct itself deserves direct assessment. This is not a contested privacy scenario — not algorithmic profiling, not legitimate-interest balancing, not a good-faith error in consent management. The companies made an explicit factual representation to customers — their data had been deleted — and then acted contrary to it. Swiss data protection law treats the good faith principle under Article 6 as foundational precisely because personal data creates information asymmetries that individuals cannot monitor or correct without legal protection. The FDPIC's ruling is well-grounded and legally correct.
For this reason, critics of the nFADP's narrow objection rights framework — which lacks the freestanding objection right to legitimate-interests processing that GDPR Article 21 provides — cannot use this case as evidence of overreach. The companies promised deletion and kept marketing. The regulator acted. That sequence is exactly what data protection law exists to address.
The Structural Gap: Binding Orders Without Organizational Fines
Here the analysis becomes more complicated, and the nFADP's architecture shows a significant limitation.
The FDPIC cannot levy financial penalties on organizations. Switzerland's data protection law deliberately uses a criminal enforcement model: penalties for violations are imposed by cantonal prosecution authorities on responsible natural persons, capped at CHF 250,000 per individual. There is no provision for imposing administrative fines on corporate entities — no equivalent of GDPR's Article 83, which allows supervisory authorities to issue fines up to €20 million or 4% of annual global turnover.
The distinction matters considerably when the violator is a global luxury brand. Philipp Plein International AG operates across dozens of markets with revenues running into the hundreds of millions annually. A CHF 250,000 individual criminal penalty — roughly EUR 263,000 — may represent meaningful personal consequences for a named executive, but it does not alter the corporate cost-benefit calculus that drives data misuse at scale. The structural incentive to persist in profitable data use until caught, absorb a compliance order, and wait for the next investigation cycle is not adequately disrupted by individual criminal exposure alone. The FDPIC may file a criminal complaint against a responsible individual at either company, but cannot itself fine Philipp Plein International AG as an entity.
GDPR enforcement in comparable cases has reached eight-figure sums against luxury and retail-sector controllers. Those penalties introduce genuine cost into corporate data governance decisions. Switzerland's model, by design, does not.
Switzerland's Defense — and Where It Holds
Switzerland's criminal enforcement model reflects a considered policy choice that deserves serious engagement rather than dismissal. Administrative fine systems can produce perverse dynamics: regulators accumulate revenue from large, visible companies, creating institutional incentives to pursue high-profile targets rather than the most harmful actors. Criminal proceedings impose personal accountability on actual decision-makers rather than allowing liability to dissolve into a corporate abstraction with a paying-out-of-pocket indifference. The FDPIC's 2024/2025 annual report noted that 76% of its mediation proceedings reached mutually agreed solutions — suggesting the soft-power compliance pathway functions effectively for the broad majority of actors who engage in good faith.
The model also reduces burden for compliant businesses: no mandatory data protection officer requirement, no organizational exposure to nine-figure penalties for technical lapses, and a regulatory posture better calibrated to the risk tolerance of startups and SMEs that make up much of Switzerland's technology sector. These are genuine advantages.
The problem is that they apply almost exclusively to good-faith actors who make mistakes. For actors who knowingly continue processing personal data after explicit objections and after confirming deletion, softer tools are structurally insufficient. Proportionate regulation means not just proportionate restrictions, but proportionate penalties — and a CHF 250,000 individual cap is not proportionate to the revenues of a global luxury conglomerate.
A Thin Enforcement Record, Building Slowly
The nFADP has now been in force for nearly three years and has produced four formal binding rulings. The FDPIC's 2024/2025 annual report noted roughly a 30% increase in enforcement staff and characterised the period as establishing the first proceedings under the new law. The institutional machinery is building. The question is whether it will be equipped, when fully operational, with penalty tools proportionate to the actors it must discipline.
Switzerland's parliament has not signalled any intention to revisit the nFADP's criminal-only penalty structure. Until it does, rulings like the one against the Philipp Plein entities will remain legally important precedents — and inadequate deterrents for any global brand that can treat a CHF 250,000 individual exposure as a manageable compliance cost.