
Switzerland's FDPIC Rules Philipp Plein Group Violated nFADP Good-Faith Principle by Marketing to Users After Confirming Their Data Was Deleted

The June 30 ruling targets a specific deception: Philipp Plein confirmed user data deletion, then continued sending promotional emails to those same users.

Switzerland nFADP: Enforcement Snapshot (People of Internet Research, peopleofinternet.com): CHF 250k maximum criminal fine per individual; 26 FDPIC probes opened; 7 of 26 cases concluded.


The Ruling: A Specific Kind of Bad Faith

On April 17, 2026, Switzerland's Federal Data Protection and Information Commissioner (FDPIC) issued a binding ruling against two connected entities — Cream della Cream Switzerland GmbH and Philipp Plein International AG — for violations of the new Federal Act on Data Protection (nFADP). The ruling entered legal force on June 30, 2026, after the 30-day appeal period lapsed without the parties contesting the proceedings.

The FDPIC found that the companies used personal data — email addresses and phone numbers collected at the point of online purchase — for advertising purposes after data subjects had explicitly objected. That alone would be a violation. But the case was compounded by a second, more troubling pattern: in multiple instances, the companies had explicitly confirmed to customers that their data had been deleted, only to continue sending them promotional communications. The FDPIC described this conduct as a "manifest breach of the principle of good faith."

What the Law Requires

The nFADP, which entered into force in September 2023 as Switzerland's first major data-protection overhaul in three decades, establishes clear obligations for data controllers. Article 6 sets out fundamental processing principles — lawfulness, proportionality, and good faith. Article 30(2)(b) requires controllers to delete or anonymise personal data upon request when the legal basis for processing no longer exists. Article 31 sets out the narrow justification grounds for continued processing, none of which extend to marketing to a data subject who has objected and been told their data no longer exists.

The ruling orders both companies to immediately cease all advertising-related data processing when a data subject objects, and to delete personal data upon valid request. It was issued under threat of criminal penalty — Swiss law provides for fines of up to CHF 250,000 against responsible individuals for wilful nFADP violations, though notably that ceiling targets natural persons rather than corporate entities.

The Steelman for Robust Enforcement

Before assessing the scope of the ruling or the FDPIC's enforcement toolkit, the case for this action should be stated plainly: the conduct here was not ambiguous over-collection or fine-print consent failures. These were companies that told customers "your data is deleted" — a factual statement that terminated any reasonable expectation of further contact — and then sent more emails anyway. That kind of active deception corrodes the opt-out infrastructure that the nFADP relies upon. If companies can confirm deletion and keep processing, the right to erasure becomes a formality with no operational content. The FDPIC was on solid ground, and the specific violation cited — the good-faith principle under Article 6 — maps precisely onto what happened.

The FDPIC's own guidance on direct marketing is unambiguous: email marketing requires explicit opt-in or a prior customer relationship with a clear opt-out opportunity at collection. Once a data subject objects, the processing basis terminates immediately. Cream della Cream and Philipp Plein appear to have known this — the deletion confirmations were not an accidental system glitch but a customer-service response that was then contradicted by the marketing stack.

The Enforcement Gap

Where the analysis gets more difficult is at the level of remedy. The FDPIC's core power is injunctive: it can order companies to stop processing, delete data, or modify systems. What it cannot do is impose administrative fines directly on companies — a capability that sits at the centre of the EU's General Data Protection Regulation, where violations can trigger penalties of up to €20 million or 4% of global annual turnover. The FDPIC can refer matters to cantonal prosecutors, who may pursue criminal fines of up to CHF 250,000 against responsible individuals, but no automatic corporate fine follows.

This matters for companies like Philipp Plein International, a Swiss-headquartered luxury fashion group with a genuinely global footprint. A CHF 250,000 ceiling on individual criminal liability is unlikely to alter the cost-benefit calculus for marketing decisions made at commercial scale. The International Comparative Legal Guide's 2025–2026 Switzerland Data Protection Report notes that as of November 2024, the FDPIC had opened 26 preliminary inquiries and investigations under the nFADP, with only seven concluded — a ratio that reflects both resource constraints and procedural complexity.

The ruling is also notable for what it does not include: the FDPIC has not publicly stated whether it will refer the case to cantonal authorities for criminal prosecution. An injunctive order alone gives the affected companies a clear compliance path without a financial sting proportionate to any revenue advantage gained from the unlawful marketing.

Switzerland Is Not an Island

Philipp Plein International's customer data spans far beyond Swiss borders, which means the same conduct potentially touches data subjects covered by the GDPR. Switzerland is not an EU member, and the nFADP — while GDPR-inspired — differs on several axes, including the absence of direct administrative fines at the regulator level. But for a company selling internationally, a Swiss FDPIC ruling sets a low floor; EU supervisory authorities could independently assess identical conduct under substantially stricter rules.

The case also signals a shift in the FDPIC's posture. Under the predecessor 1992 Data Protection Act, the commissioner operated almost entirely in advisory mode, issuing recommendations rather than rulings. The nFADP changed that, giving the FDPIC binding decision-making power. The Cream della Cream / Philipp Plein ruling is the clearest application of that power to a commercial marketing context to date.

What Swiss Data Controllers Should Take Away

This ruling establishes a narrow but clear precedent: the nFADP's good-faith principle has real enforcement weight, and sending a deletion confirmation while keeping data in the marketing pipeline is a violation the FDPIC is prepared to rule on publicly. For B2C e-commerce operators in Switzerland, the operational implication is concrete — deletion workflows and marketing suppression lists must be technically integrated, not just promised. A deletion confirmation cannot go out until the deletion has actually executed.

The ruling does not break new interpretive ground. The obligations under Articles 6, 30, and 31 were never ambiguous on these facts. What it does is demonstrate that Swiss enforcement has moved from theoretical to operational for direct marketing. The FDPIC's enforcement toolkit remains thinner than the GDPR's, but the willingness to use it publicly against a named international brand is no longer in doubt.

Sources & Citations

  1. FDPIC ruling — Cream della Cream & Philipp Plein
  2. FDPIC — Advertising and marketing guidance
  3. ICLG Switzerland Data Protection 2025–2026
  4. DLA Piper Data Protection Switzerland