Switzerland's Federal Act on Data Protection (FADP) applies to any processing of personal data carried out in Switzerland, regardless of the size of the company involved. On a leads marketplace, this application takes a particular shape: unlike a classic bilateral data transfer, where a company collects its own customers' details directly, a lead request involves three distinct parties, each carrying its own share of responsibility. Reducing this to a simple exchange between the referral source that captures the request and the company that receives it ignores the central role of the end customer as the data subject under the law, and the specific obligations that fall on each of the three links in the chain.
This dossier sets out this three-party framework as it applies on leads-qualifie.ch: who these three parties are and what structurally sets their situation apart from a bilateral transfer, what the FADP concretely requires around consent, minimisation and data subject rights, why that consent must be traceable rather than simply asserted, what obligations of its own begin for the receiving company the moment it receives a customer's details, and how the platform operator audits active sources to make sure this framework is respected upstream, before a request is even passed on.
The three parties involved in a lead
A lead never moves between two parties but three. The end customer is the data subject under the FADP: their contact details, description of need, and anything that identifies them count as personal data the moment they're entered into a form, spoken over the phone, or filled into an online simulation. It's their request, their data, and they hold the rights the law attaches to that status. The referral source — the site, comparison platform or local network that captures the request the moment it's expressed — occupies a particular position: it's the first point of collection, and therefore the first point where consent must be obtained and clearly explained before any onward transmission. The receiving company, finally, receives the customer's details for the sole purpose of following up on their request — drawing up a quote, booking an appointment, putting together a proposal.
This three-party structure is what legally sets a lead apart from a simple bilateral data transfer. In a classic transfer, the party that collects the data is usually the same one that uses it, which concentrates most obligations on a single entity. On a marketplace, these two functions sit with two different entities — the referral source collects, the receiving company uses — with the platform coordinating the flow between them without ever becoming the end user of the data itself. Each party therefore carries its own share of responsibility under the FADP rather than one entity answering for the whole chain: it's this split, absent from a plain resold list, that calls for a compliance framework built specifically for a three-party model.
What the FADP concretely requires
The first requirement is explicit consent to a specific purpose: the customer must have agreed to be contacted by a professional in the relevant sector for the request they made, and nothing beyond that. Consent given to receive an insurance quote doesn't cover being approached about an unrelated financial product, even if both loosely sit within the same broad sector. The second requirement is data minimisation: only the information needed to process the request should be collected and passed on — contact details, description of the need, coverage area — without extra fields that would needlessly widen the scope of personal data in circulation.
The third requirement is purpose limitation, both over time and in use: data collected for a specific need cannot later be reused for a different purpose without its own separate legal basis. The fourth concerns the rights the law attaches directly to the data subject: the right of access, letting them ask which companies hold their data and why; the right of rectification, if they spot an error in what was passed on; and the right to object, letting them stop any further contact at any time, with no justification required. These four requirements apply regardless of the receiving company's size — the FADP carries no exemption for small businesses on these specific points.
Traceability of consent on a marketplace
Consent that can't be demonstrated doesn't, in practice, carry the same weight as consent that's documented. Simply asserting that a customer "agreed to be contacted" isn't admissible proof if the question is ever raised — by the customer themselves, by the receiving company, or by a supervisory authority. Proper traceability requires several elements captured at the moment of collection itself: a precise timestamp of when consent was given, a retained record of the exact form or checkbox the customer actually used, and above all a record of the exact wording shown to them at that moment — what they were told could happen to their details, including that they might be passed on to one or more professionals in the sector.
This traceability requirement isn't just a theoretical precaution: it has a direct practical consequence for the receiving company. If a customer disputes having consented to be contacted, the company that received their details needs to be able to go back to the platform, and the platform to the referral source, to obtain proof of that consent within a reasonable timeframe. On leads-qualifie.ch, this ability to produce evidence on request is one of the criteria that separates a reliable source from an unreliable one — a referral source unable to reconstruct the origin and exact content of a disputed consent offers a weaker guarantee than one that keeps this record systematically, even if both claim, at the point of transmission, to have followed the law.
The receiving company's own obligations once a lead is passed on
Compliance doesn't end once a properly consented lead is received: it continues, in a different form, the moment the receiving company starts handling the details it has just been given. That company in turn becomes responsible, at its own level, for the personal data it now holds. Its first obligation concerns retention: a customer's details should only be kept for as long as needed to process the request — the time it takes to draw up a quote, carry the commercial relationship through to its conclusion, or whatever separate legal retention period applies for accounting or contractual reasons — not indefinitely by default.
The second obligation concerns security: received details must be protected by reasonable measures — access limited to people who need it, no unprotected exports circulating without oversight. The third concerns the customer's right to object: if they say they no longer want to be contacted, the company must stop any further contact, regardless of channel. The fourth concerns purpose: details received to handle one specific request cannot simply be folded into a general prospecting list or newsletter file without further ado — doing so is a separate act of processing from the one the original consent covered, and needs its own legal basis.
How a serious marketplace audits its sources on this point
No receiving company is in a position to individually audit each of the dozens of sources active on a marketplace — that's precisely the function the platform operator has to take on in their place. On leads-qualifie.ch, this audit focuses specifically on each referral source's consent practices: the wording shown to the customer at the point of capture, whether a timestamp is actually retained, and whether what the source claims lines up with what it can actually produce as evidence if a dispute arises. This audit runs on an ongoing basis, not just when a new source joins the platform, since practices can shift — or slip — after the initial onboarding.
A source that can't demonstrate compliant consent practices sees its flow downgraded in the scoring system pending correction, suspended if the shortfall recurs, or excluded outright for a serious or repeated failure despite warnings. It's this ongoing audit function, largely invisible to the receiving company but decisive for how reliable what it receives actually is, that sets a serious marketplace apart from a plain pass-through that forwards contact details without any concern for how they were obtained upstream. A company buying a contact list from a single provider has, by comparison, no equivalent guarantee: nothing assures it that any audit of that kind was ever carried out on the origin of the data it receives.