leads-qualifie.chSuisse

Published on March 7, 2026

FADP & leads: the three-party framework

Why the FADP applies differently on a leads marketplace: three parties with distinct responsibilities — end customer, referral source, receiving company — not a simple bilateral transfer.

Switzerland's Federal Act on Data Protection (FADP) applies to any processing of personal data carried out in Switzerland, regardless of the size of the company involved. On a leads marketplace, this application takes a particular shape: unlike a classic bilateral data transfer, where a company collects its own customers' details directly, a lead request involves three distinct parties, each carrying its own share of responsibility. Reducing this to a simple exchange between the referral source that captures the request and the company that receives it ignores the central role of the end customer as the data subject under the law, and the specific obligations that fall on each of the three links in the chain.

This dossier sets out this three-party framework as it applies on leads-qualifie.ch: who these three parties are and what structurally sets their situation apart from a bilateral transfer, what the FADP concretely requires around consent, minimisation and data subject rights, why that consent must be traceable rather than simply asserted, what obligations of its own begin for the receiving company the moment it receives a customer's details, and how the platform operator audits active sources to make sure this framework is respected upstream, before a request is even passed on.

The three parties involved in a lead

A lead never moves between two parties but three. The end customer is the data subject under the FADP: their contact details, description of need, and anything that identifies them count as personal data the moment they're entered into a form, spoken over the phone, or filled into an online simulation. It's their request, their data, and they hold the rights the law attaches to that status. The referral source — the site, comparison platform or local network that captures the request the moment it's expressed — occupies a particular position: it's the first point of collection, and therefore the first point where consent must be obtained and clearly explained before any onward transmission. The receiving company, finally, receives the customer's details for the sole purpose of following up on their request — drawing up a quote, booking an appointment, putting together a proposal.

This three-party structure is what legally sets a lead apart from a simple bilateral data transfer. In a classic transfer, the party that collects the data is usually the same one that uses it, which concentrates most obligations on a single entity. On a marketplace, these two functions sit with two different entities — the referral source collects, the receiving company uses — with the platform coordinating the flow between them without ever becoming the end user of the data itself. Each party therefore carries its own share of responsibility under the FADP rather than one entity answering for the whole chain: it's this split, absent from a plain resold list, that calls for a compliance framework built specifically for a three-party model.

What the FADP concretely requires

The first requirement is explicit consent to a specific purpose: the customer must have agreed to be contacted by a professional in the relevant sector for the request they made, and nothing beyond that. Consent given to receive an insurance quote doesn't cover being approached about an unrelated financial product, even if both loosely sit within the same broad sector. The second requirement is data minimisation: only the information needed to process the request should be collected and passed on — contact details, description of the need, coverage area — without extra fields that would needlessly widen the scope of personal data in circulation.

The third requirement is purpose limitation, both over time and in use: data collected for a specific need cannot later be reused for a different purpose without its own separate legal basis. The fourth concerns the rights the law attaches directly to the data subject: the right of access, letting them ask which companies hold their data and why; the right of rectification, if they spot an error in what was passed on; and the right to object, letting them stop any further contact at any time, with no justification required. These four requirements apply regardless of the receiving company's size — the FADP carries no exemption for small businesses on these specific points.

Traceability of consent on a marketplace

Consent that can't be demonstrated doesn't, in practice, carry the same weight as consent that's documented. Simply asserting that a customer "agreed to be contacted" isn't admissible proof if the question is ever raised — by the customer themselves, by the receiving company, or by a supervisory authority. Proper traceability requires several elements captured at the moment of collection itself: a precise timestamp of when consent was given, a retained record of the exact form or checkbox the customer actually used, and above all a record of the exact wording shown to them at that moment — what they were told could happen to their details, including that they might be passed on to one or more professionals in the sector.

This traceability requirement isn't just a theoretical precaution: it has a direct practical consequence for the receiving company. If a customer disputes having consented to be contacted, the company that received their details needs to be able to go back to the platform, and the platform to the referral source, to obtain proof of that consent within a reasonable timeframe. On leads-qualifie.ch, this ability to produce evidence on request is one of the criteria that separates a reliable source from an unreliable one — a referral source unable to reconstruct the origin and exact content of a disputed consent offers a weaker guarantee than one that keeps this record systematically, even if both claim, at the point of transmission, to have followed the law.

The receiving company's own obligations once a lead is passed on

Compliance doesn't end once a properly consented lead is received: it continues, in a different form, the moment the receiving company starts handling the details it has just been given. That company in turn becomes responsible, at its own level, for the personal data it now holds. Its first obligation concerns retention: a customer's details should only be kept for as long as needed to process the request — the time it takes to draw up a quote, carry the commercial relationship through to its conclusion, or whatever separate legal retention period applies for accounting or contractual reasons — not indefinitely by default.

The second obligation concerns security: received details must be protected by reasonable measures — access limited to people who need it, no unprotected exports circulating without oversight. The third concerns the customer's right to object: if they say they no longer want to be contacted, the company must stop any further contact, regardless of channel. The fourth concerns purpose: details received to handle one specific request cannot simply be folded into a general prospecting list or newsletter file without further ado — doing so is a separate act of processing from the one the original consent covered, and needs its own legal basis.

How a serious marketplace audits its sources on this point

No receiving company is in a position to individually audit each of the dozens of sources active on a marketplace — that's precisely the function the platform operator has to take on in their place. On leads-qualifie.ch, this audit focuses specifically on each referral source's consent practices: the wording shown to the customer at the point of capture, whether a timestamp is actually retained, and whether what the source claims lines up with what it can actually produce as evidence if a dispute arises. This audit runs on an ongoing basis, not just when a new source joins the platform, since practices can shift — or slip — after the initial onboarding.

A source that can't demonstrate compliant consent practices sees its flow downgraded in the scoring system pending correction, suspended if the shortfall recurs, or excluded outright for a serious or repeated failure despite warnings. It's this ongoing audit function, largely invisible to the receiving company but decisive for how reliable what it receives actually is, that sets a serious marketplace apart from a plain pass-through that forwards contact details without any concern for how they were obtained upstream. A company buying a contact list from a single provider has, by comparison, no equivalent guarantee: nothing assures it that any audit of that kind was ever carried out on the origin of the data it receives.

Also worth reading on the marketplace

Three more dossiers chosen for their thematic closeness to this one — keep exploring the marketplace.

Ready to join the marketplace?

Publish a request or browse the category catalogue to see how leads-qualifie.ch connects companies and lead generators across Switzerland.

Frequently asked questions

Who is responsible if a customer complains about being contacted without having consented?

Responsibility splits by role: the platform investigates the source behind the request and can sanction it if consent is missing, while the receiving company must stop all contact immediately and document how it handled the complaint.

Does one consent cover every company that receives a shared lead?

Yes, provided this was clearly disclosed to the customer at the point of capture — the wording shown must state that the request may be passed on to several professionals in the sector, not just to a single unnamed recipient.

How long can a receiving company keep the data from a lead it received?

Only for as long as needed to process the request and the commercial relationship that follows. Once the case is closed, dropped, or has no separate legal retention requirement attached, the details should be deleted rather than kept by default.

What should happen if a customer asks for their data to be deleted after receiving a quote?

The request should be honoured within a reasonable timeframe, subject to any separate legal retention duty (accounting records, for instance), and the platform should be told if the customer says the original source shouldn't have contacted them.

Is the marketplace itself audited on this point?

Yes: the consent and traceability practices applied to referral sources are reviewed regularly by the operator, held to the same standard imposed on the sources themselves — a check that doesn't stop once a source has been onboarded.

This dossier applies to all these categories

The mechanism described in this dossier applies across every category on the marketplace. A few entry points to see it in practice:

Configure my request