Switzerland Switzerland FDPIC nFADP data protection

Switzerland's Philipp Plein Ruling Shows the nFADP's Bite Is in Binding Orders, Not Fines

FDPIC's ruling against Cream della Cream and Philipp Plein shows Swiss privacy law works through injunctions, not EU-style fines.

FDPIC vs. GDPR: How Swiss Enforcement Differs People of Internet Research · Switzerland CHF 250,000 Max criminal fine, individuals Targets willful violations by exec… €20M / 4% GDPR max corporate fine EU authorities can fine companies … 30 days Appeal window before final Neither company appealed the FDPIC… peopleofinternet.com
FDPIC vs. GDPR: How Swiss Enforcement … People of Internet Research · Switzerland CHF 250,000 Max criminal fine, individuals €20M / 4% GDPR max corporate fine 30 days Appeal window before final peopleofinternet.com

Key Takeaways

The Swiss Federal Data Protection and Information Commissioner (FDPIC) has concluded a formal investigation into Cream della Cream Switzerland GmbH and Philipp Plein International AG, finding that the companies kept sending marketing emails and SMS to customers who had objected to the processing — and in several cases, to customers the companies had already told their data was deleted. The ruling, dated 17 April 2026 and published 26 June 2026, is now legally final: neither company appealed within the 30-day window, and neither participated in the proceedings at all.

What actually happened

According to the FDPIC, the case began with multiple customer complaints. People who had bought Philipp Plein merchandise online started receiving unsolicited advertising by email and SMS — some of it, per the regulator's findings, sent via SMS with no functioning opt-out and via email unsubscribe links that didn't lead anywhere. When customers formally objected or requested deletion, the companies either ignored the request or confirmed the data had been deleted while continuing to advertise to the same address or number regardless.

The FDPIC tried the soft approach first: an informal reminder of the companies' obligations under the revised Federal Act on Data Protection (nFADP), in force since September 2023. When that produced no change, the office opened a formal investigation under Article 49 of the Act. The ruling found violations of the good-faith principle in Article 6 nFADP and of the objection and deletion rights in Articles 30 and 31. The order compels the companies to immediately stop processing data for marketing once someone objects, delete personal data on request, and stop processing data belonging to anyone who has already exercised those rights — issued, in the regulator's words, "unter Strafandrohung" (under threat of penalty).

The steelman: this is exactly what an objection right is for

The strongest case for aggressive enforcement here is straightforward. An opt-out right that a company can quietly ignore isn't a right — it's a suggestion. Confirming to a customer that their data has been deleted while continuing to text them is not a technical lapse; it's a direct, verifiable misrepresentation of what the company did. If regulators let representations like that slide, every future deletion confirmation from every company becomes less credible, and the entire architecture of consent-based marketing — which depends on people trusting that "unsubscribe" and "delete" mean what they say — erodes. Switzerland's nFADP was built, in part, to align with the Council of Europe's Convention 108+ and to close exactly this kind of gap between stated policy and actual practice. On the facts as the FDPIC describes them, this was not an edge case requiring difficult judgment calls; it was a company continuing to do the thing it told customers, and its regulator, it had stopped doing.

Why the enforcement architecture still matters more than the headline

What's easy to miss in coverage of this ruling is that the FDPIC did not fine anyone. It couldn't. Unlike EU data protection authorities, which can levy administrative fines up to €20 million or 4% of global turnover under the GDPR, the FDPIC has no power to impose monetary sanctions directly. As IAPP's analysis of the revised law laid out when the nFADP took effect, the Swiss model substitutes a binding administrative order — enforceable, but not punitive on its own — for the EU's corporate-fine model. Separately, the nFADP does carry a criminal liability track, with fines up to CHF 250,000 aimed at the individual executives or data protection officers who willfully violate specific provisions, and up to CHF 50,000 against the company only if no responsible individual can be identified. Notably, the FDPIC's order in this case invoked Articles 6, 30, and 31 — the data processing and rights provisions — not the criminal penalty articles, and named no individual.

That distinction is the real story, and it's a point in favor of Switzerland's approach rather than against it. A regime built around correction — stop the unlawful processing, delete the data, prove compliance — gets the practical remedy customers actually want (their inbox and phone left alone) without requiring a protracted, adversarial fine litigation process that can take years and mostly enriches lawyers. The Philipp Plein case took roughly two years from apparent first complaints to a final, binding, appeal-exhausted order — fast by the standards of GDPR fine appeals, several of which are still working through European courts half a decade after the underlying conduct.

The proportionality test

The substance of the ruling is defensible on its own terms: continuing to market to people who were told their data was gone is a bad-faith practice that any credible privacy regime should stop, and Switzerland's law did stop it, without a company having to face an existential fine. The risk to watch is on the criminal side, where the threat of a CHF 250,000 personal fine against a named executive — rather than a corporate fine scaled to revenue — could push compliance decisions toward individual risk-aversion rather than institutional fixes. This case didn't go there. If future FDPIC rulings start naming individuals for garden-variety marketing-consent failures rather than reserving criminal exposure for willful, serious violations, that would be worth revisiting. For now, the Philipp Plein ruling is a proportionate use of a proportionate tool.

Sources & Citations

  1. FDPIC ruling against Cream della Cream and Philipp Plein
  2. Federal Act on Data Protection (nFADP), Fedlex
  3. FDPIC: The new FDPIC's role
  4. IAPP: Ready for the new Swiss data protection law?