The new Swiss Data Protection Act (nDSG) comes into force on September 1, 2023. It is modelled on the General Data Protection Regulation (GDPR), which has applied in the European Union since May 2018.
Overview of all changes?
In this article, we present the key changes in detail and explain new and modified terms. Since the nDSG imposes hardly any obligations on private individuals (data processed purely for personal use is exempt), this article primarily focuses on the short- and long-term implications for SMEs.
How businesses stay competitive:
To remain competitive, Swiss companies must be able to keep exchanging personal data freely with the EU, which depends on the EU continuing to recognise Swiss data protection as adequate. Our checklist provides an informative overview and already lays the groundwork for a stress-free and straightforward restructuring.
Note: This is a guide, not legal advice. We assume no liability.
Short on time?
1/ nDSG: A Compact Summary
Effective from: September 1, 2023
Objective: To strengthen the protection of the personality and fundamental rights of natural persons (not only Swiss citizens) whose personal data is processed
Inspired by: The European Union's GDPR from 2018
Applies to: Primarily businesses and associations
Benefit for SMEs: Stay competitive, avoid fines, and strengthen customer trust
2/ nDSG: The 5 Key Changes
1. Individuals
The new law now applies only to the data of natural persons. Data belonging to legal entities (companies, associations) is no longer covered by the nDSG at all.
So the nDSG does not protect a company's own data. The personal data of a company's employees, customers and contacts, however, remains protected under the new law.
2. Genetic and Biometric Data
Under the new data protection law, genetic data and biometric data that uniquely identifies a person count as particularly sensitive personal data. Processing such data demands stricter due diligence, and where consent is the basis for the processing, it must be given explicitly and beforehand (on a website, for instance, via a consent banner rather than a merely informative cookie notice).
Personal Data:
Basic Data (e.g., Name, Date of Birth, IBAN)
Activity Data (physical & digital tracking)
Profiling Data (automatic evaluation of interests, preferences, performance, etc.)
Particularly Sensitive Personal Data:
Data on Health, Appearance & Identity (e.g., genetic data, biometric data that uniquely identifies a person, health data)
Data on Beliefs (political and trade union activities/convictions, religious views)
Data on Measures/Sanctions (e.g., criminal proceedings, enforcement, social welfare measures)
3. »Privacy by Design« & »Privacy by Default«
These two principles are intended by the nDSG to better protect personal data. They refer to data protection through technology and privacy-friendly default settings.
4. Introduction of a Data Protection Impact Assessment
The Data Protection Impact Assessment (DPIA) is a tool adopted from the GDPR. It includes:
Description of the intended data processing
Assessment of the risks to the personal rights and fundamental freedoms of the data subjects
Measures to protect personal rights and fundamental freedoms
5. Extended Information Obligation
From September 1, 2023, the extended information obligation applies to every collection of personal data, no longer only to sensitive data and personality profiles. Data subjects can be informed about the scope and purpose of the processing in the Privacy Policy.
Further information on the changes introduced by the new Data Protection Act can be found on the website of the FDPIC.
3/ Checklist: Prepare in 7 Steps
The new Data Protection Act not only protects the rights of data subjects but also preserves the competitiveness of Swiss companies. With our checklist, SMEs can avoid significant fines and reputational damage.
1. What personal data do I process?
Where sensitive personal data, such as biometric and genetic data, is processed on the basis of consent, that consent must be explicit, voluntary and obtained beforehand. On websites, companies typically use cookie banners with consent options for this.
Anyone processing other personal data must provide information about it transparently and in an easily understandable manner. Companies have several options for presenting this information:
Privacy Policy
General Terms and Conditions
Separate Document
Consent Form
Informative Cookie Banners
2. Does my website comply with Privacy by Design?
Privacy by Design means that the technical structure of a product or service must protect and respect user privacy. This requires an appropriate technical and organizational design of the systems.
Examples of suitable measures:
Data Minimization: Only personal data strictly necessary for business operations is collected and processed.
Restricted Access: Access to data is only granted to employees who require it for their work.
Data Deletion Policy: Taking into account statutory retention obligations, personal data is automatically deleted after a certain period.
3. Does my website comply with Privacy by Default?
Privacy by Default describes privacy-friendly default settings that are active without any user intervention. This means that software, including apps and websites, must be designed so that the processing of personal data is limited to the necessary minimum.
Common examples include:
Anonymizing IP addresses in Google Analytics (Universal Analytics needed the anonymizeIp setting; Google Analytics 4 truncates IP addresses by default)
Requesting only essential data (e.g., in contact forms)
Strict access limitations for social media profiles and posts
Restrictions on app access to websites
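The three measures from steps 2 and 3 (data minimization, a retention-based deletion policy, IP anonymization) are easier to reason about as code than as policy text. The following Python is an added example written for this article, not code from the original page or from any tool mentioned on it. It assumes a Common Log Format access log, a contact form that only needs name, email and message, and illustrative retention periods; the log lines, field list and retention schedule are all constructed for the example. The IP truncation widths (last IPv4 octet, last 80 bits of IPv6) mirror the scheme Google Analytics documented for its anonymize_ip setting, but any truncation width works the same way.

```python
"""Privacy by Design / by Default helpers (added example, not from the article).

Retention periods, form fields and log lines below are constructed for
illustration; adjust them to your own purposes and statutory duties.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# 1. Privacy by Default: truncate client IPs before they reach storage.
#    Assumption: zero the last octet of IPv4 / last 80 bits of IPv6, mirroring
#    the scheme Google Analytics documented for anonymize_ip.
def anonymize_ip(addr: str) -> str:
    ip = ipaddress.ip_address(addr)          # raises ValueError if not an IP
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


# Common Log Format starts with the client address; rewrite it in place so the
# raw address is never persisted.
_LEADING_TOKEN = re.compile(r"^(\S+)")

def anonymize_log_line(line: str) -> str:
    m = _LEADING_TOKEN.match(line)
    if not m:
        return line
    try:
        return anonymize_ip(m.group(1)) + line[m.end():]
    except ValueError:                       # "-" or a hostname: leave untouched
        return line


# 2. Privacy by Design, data minimization: keep only the fields the contact
#    form needs; anything else the browser sent is dropped before storage.
CONTACT_FORM_FIELDS = frozenset({"name", "email", "message"})  # assumption

def minimize_submission(submission: dict[str, str]) -> dict[str, str]:
    return {k: v for k, v in submission.items() if k in CONTACT_FORM_FIELDS}


# 3. Privacy by Design, deletion policy: per-category retention, with a longer
#    statutory period overriding the short default.
@dataclass(frozen=True)
class Record:
    subject_id: str
    category: str
    created: datetime

RETENTION = {
    "contact_form": timedelta(days=90),      # assumption: purpose fulfilled after 90 days
    "invoice": timedelta(days=10 * 365),     # assumption: statutory retention for business records
}
DEFAULT_RETENTION = timedelta(days=30)       # assumption: short default for everything else

def retention_for(category: str) -> timedelta:
    return RETENTION.get(category, DEFAULT_RETENTION)

def purge_expired(records: list[Record], now: datetime) -> tuple[list[Record], list[Record]]:
    """Return (kept, deleted): records older than their retention period are deleted."""
    kept: list[Record] = []
    deleted: list[Record] = []
    for r in records:
        (deleted if now - r.created > retention_for(r.category) else kept).append(r)
    return kept, deleted

def demo_purge() -> tuple[list[str], list[str]]:
    """Run purge_expired over constructed records; returns (kept ids, deleted ids)."""
    now = datetime(2023, 9, 1, tzinfo=timezone.utc)
    records = [
        Record("s1", "contact_form", now - timedelta(days=100)),   # past 90 days -> delete
        Record("s2", "contact_form", now - timedelta(days=10)),    # still within purpose
        Record("s3", "invoice", now - timedelta(days=400)),        # statutory period applies
    ]
    kept, deleted = purge_expired(records, now)
    return [r.subject_id for r in kept], [r.subject_id for r in deleted]


if __name__ == "__main__":
    print(anonymize_log_line('203.0.113.77 - - [01/Sep/2023:10:00:00 +0200] "GET / HTTP/1.1" 200 512'))
    print(anonymize_ip("2001:db8:abcd:1234:5678:9abc:def0:1"))
    print(minimize_submission({"name": "A. Muster", "email": "a@example.ch",
                               "message": "Hi", "birthdate": "1980-01-01"}))
    print(demo_purge())
```

The point of the order in the block is that each measure sits before storage, not after: the IP is truncated as the log line is written, the form is filtered as it is received, and deletion runs on a schedule against the retention table rather than on request. That is what makes the settings "default" in the sense of step 3, and the retention table is also a natural input for the record of processing activities in step 6.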
Is a cookie banner mandatory in Switzerland?
Unlike in the EU, there is no general cookie banner requirement in Switzerland. For most Swiss companies, cookie banners are only mandatory when processing particularly sensitive data.
This applies only to Swiss users, however. If a Swiss website targets users in the EU, for example by offering them goods or services or by monitoring their behaviour, the GDPR and the EU's cookie consent requirement apply.
4. Do I need to conduct a Data Protection Impact Assessment?
An impact assessment is required when the intended processing may pose a high risk to the personality or fundamental rights of the data subjects. According to Art. 22 of the DPA, a high risk arises in particular:
When using new technologies
Due to the type and scope of processing
Based on the circumstances of processing
Because of the purpose of processing
A DPIA is mandatory under the new DPA (nDSG), for instance, when processing particularly sensitive data or systematically monitoring public areas.
5. Do I have a legally compliant Privacy Policy?
Companies may need to update their existing Privacy Policies due to the expanded obligations. Previous adjustments made for the EU GDPR may not be sufficient.
A legally compliant Privacy Policy must include information about all data processing activities and be easily accessible (e.g., in the footer). Website visitors must also be informed about the data protection provisions (e.g., in contact forms). It must provide details on:
The identity and contact details of the data controller (e.g., the company)
Purpose of processing
Recipients in case of data transfer
Data categories when collected by third parties (e.g., a marketing agency)
The destination country when personal data is disclosed abroad, and the guarantees relied on if that country lacks an adequate level of protection
Use the Datenschutzpartner generator to create a customized Privacy Policy. Our clients can save up to 10% with the code onlineKarma10.
6. Do I need a record of all data processing activities?
In principle, every controller and processor must keep a record of its processing activities. Companies with fewer than 250 employees are exempt only if their processing carries a low risk of harm to data subjects, which rules out large-scale processing of sensitive data and high-risk profiling. The content of this record is legally defined and largely aligns with the information in the privacy policy.
Additionally, this record should include the retention period for personal data and a general description of the measures taken to ensure data security.
7. When do I need to report to the FDPIC?
The Federal Data Protection and Information Commissioner (FDPIC) plays a significant supervisory role under the new Data Protection Act. A breach of data security that is likely to result in a high risk to the personality or fundamental rights of the data subjects must be reported to the FDPIC as soon as possible; the data subjects themselves must be informed where this is necessary for their protection or the FDPIC requests it.
Separately, a reporting obligation for cyberattacks on critical infrastructures is currently being planned under the Information Security Act (ISG). In such cases, the National Cyber Security Centre (NCSC) would also need to be informed.
4/ Criminal Liability: What are the penalties for data protection violations?
Under the nDSG, as of September 1, 2023, only an intentional breach of duty is a criminal offence; negligence is not. For instance, a breach of confidentiality will not lead to criminal consequences if the disclosure was unintentional. Where intent is established, however, the following consequences may apply:
❗ Fines of up to CHF 250,000.
❗ Administrative investigative proceedings by the FDPIC.
❗ For disregarding the FDPIC: Fines of up to CHF 250,000.
❗ Civil lawsuits (e.g., injunctions or damages).
Fines of up to CHF 250,000 apply in particular to these offences:
Breach of the duty to inform (e.g., a missing or incorrect privacy policy)
Failure to meet the minimum data security requirements set by the Federal Council
Breach of the duty to provide information (e.g., ignoring or falsely answering a data subject's access request)
Disclosing personal data to a country without an adequate level of protection, without the required guarantees or an applicable exception
Engaging a processor without the required contract (or another legal basis)
The Swiss Data Protection Act sanctions the responsible individuals directly; fines are imposed by the cantonal prosecution authorities, not by the FDPIC. Where the fine would not exceed CHF 50,000 and identifying the individual responsible would require disproportionate investigative effort, the company itself can be fined instead.
5/ For SMEs: Which measures are generally advisable?
Beyond the website, additional steps are advisable for SMEs to ensure data protection compliance. The following measures facilitate a quick and straightforward restructuring:
Inventory of personal data processing activities
Risk assessment within the company
Organization of internal processes to clarify responsibilities and limit access to the necessary minimum
Review and adjustment of existing privacy policies and contracts with service providers, including a record of processing activities
Designation of a contact person for data protection matters
We are happy to support you with the implementation of the new Data Protection Act (nDSG).
6/ The Best Tools for Data Protection
Easily take control of your data protection. Save time and money implementing new data protection guidelines with these tools:
Data Protection in 30 Minutes
Get a privacy policy for your website in just 30 minutes. Simply fill out the questionnaire, and Datenschutzpartner will instantly create a tailored privacy policy for you.
Quick and Easy Cookie Banner
Does your website need a cookie banner? Create one now with Cookiebot in just a few steps. Our customers benefit from an exclusive monthly discount of 10 percent.
Sources and Further Links:
Federal Data Protection and Information Commissioner (FDPIC)
bexio.com/neues-datenschutzgesetz
privacybee.ch/datenschutzerklaerung-einfach-gemacht
hostpoint.ch/das-neue-datenschutzgesetz
egs.com/schweizer-datenschutzgesetz-ndsg
weka.ch/privacy-by-design-und-privacy-by-default