Checklist: 7 steps to the new Swiss Data Protection Act

The new Swiss Data Protection Act (nDSG) will officially come into force on September 1, 2023. It follows the General Data Protection Regulation (GDPR), which was adopted by the European Union in 2018.

Overview of all new features?

In this article, we present the key changes in detail and explain new and amended terminology. Since the nDSG rarely affects private individuals, the article focuses primarily on the short- and long-term implications for SMEs.

How companies stay competitive:

To remain competitive, Swiss companies must maintain the free movement of data to the EU. Our checklist provides an informative overview and lays the foundation for stress-free and uncomplicated restructuring today.

Note: This is intended as assistance, but does not constitute legal advice. We accept no liability.

Short on time?

  1. nDSG summarized in a nutshell

  2. All changes at a glance

  3. The GDPR checklist

  4. What penalties are involved?

  5. Start preparing now

  6. Update: The differences between the nDSG and the GDPR

  7. Book your data protection check online here

  8. Bonus chapter: The best tools for data protection

1/ nDSG summarized in brief:

  • Valid from: September 1, 2023

  • Objective: Improved protection of the personal rights and fundamental rights of Swiss citizens when their personal data is processed

  • Model: European Union GDPR from 2018

  • Applies to: Primarily companies and associations

  • Advantages for SMEs: Stay competitive, avoid fines, and strengthen customer trust

  • nDSG vs. GDPR: An overview of the 11 most important differences

  • Use the privacy generator and save with the code onlineKarma10

2/ nDSG: The 5 key changes

1. Natural persons

In its entirety, the new law now "only" applies to the data of natural persons. The processing of data relating to legal entities is no longer fully covered by the protection afforded by the nDSG.

The nDSG does not protect the rights of a company. However, the personal rights of a company's employees continue to be protected under the new law. 

2. Genetic and biometric data

According to the new data protection law, genetic and biometric personal data will in future be classified as particularly sensitive data. Data in this category is subject to stricter due diligence requirements and the obligation to obtain consent before any processing (e.g., with cookie banners).

Personal data:

  • Master data (e.g., name, date of birth, IBAN)

  • Movement data (physical & digital tracking)

  • Profiling data (automatic evaluation of interests, preferences, performance, etc.)

Personal data requiring special protection:

  • Data relating to health, appearance, and identity (e.g., genetic data, biometric data, health data)

  • Data on worldview (political and trade union involvement/beliefs, religious views)

  • Data on measures/sanctions (e.g., criminal proceedings, enforcement, social assistance measures)

3. "Privacy by Design" & "Privacy by Default"

With the help of these two principles, the nDSG aims to better protect personal data. They refer to data protection through technology and to privacy-friendly default settings.

4. Introduction of a data protection impact assessment

The data protection impact assessment (DPIA) is a tool adopted from the GDPR. It includes:

  1. Description of the planned data processing

  2. Assessment of the risks to the privacy and fundamental rights of the individuals concerned

  3. Measures to protect privacy and fundamental rights

5. Extended duty to provide information

The extended duty to provide information applies from September onwards to all collection of personal data and no longer only to particularly sensitive data. Data subjects can find out about the scope and purpose of processing in the privacy policy.

Further information on the changes brought about by the new Data Protection Act can be found on the website of the EDÖB.

3/ Checklist: Prepare in 7 steps

The nDSG not only protects the rights of Swiss citizens, but also preserves the competitiveness of Swiss companies. With our checklist, SMEs can avoid heavy fines and damage to their reputation.


1. What personal data do I process?

In the case of particularly sensitive personal data, such as biometric and genetic data, the voluntary consent of users is required in advance. Companies use cookie banners with a consent option for this purpose.

Anyone who processes other people's personal data must provide transparent and easily understandable information about this. Companies have various options for storing this information:

  • Privacy policy

  • Terms and conditions

  • Separate letter

  • Consent form

  • Informative cookie banners


2. Does my website comply with privacy by design?

Privacy by design means that the technical structure of a product or service must protect and respect the privacy of users. Care must be taken to ensure that the systems are designed appropriately in technical and organizational terms.

Examples of appropriate measures:

  • Data minimization: Only personal data that is absolutely necessary for business transactions is collected and processed.

  • Selective password protection: Access to data is only permitted to employees who need it for their work.

3. Does my website comply with privacy by default?

Privacy by default describes privacy-friendly default settings that are active without user intervention. Software, such as apps and websites, must therefore be designed in such a way that the processing of personal data is limited to the minimum necessary.

Common examples are:

  • Anonymization of IP addresses in Google Analytics

  • Requesting truly necessary data (e.g., contact form)

  • Strict access restrictions for social media profiles and posts

  • Restrictions on app access to websites

Is there a cookie banner requirement in Switzerland?

There is no blanket cookie banner requirement in Switzerland as there is in the EU. For most Swiss companies, cookie banners are only mandatory when using particularly sensitive data.

However, this applies explicitly only to Swiss users. If Swiss websites have visitors from the EU, the GDPR and the cookie banner requirement apply.

4. Do I need to conduct a data protection impact assessment?

An impact assessment is necessary if the processing may entail a high risk to the privacy or fundamental rights of the individuals concerned. According to Art. 22 of the DSG, a high risk arises in particular:

  • When using new technologies

  • From the nature and scope of the processing

  • From the circumstances of the processing

  • From the purpose of the processing

According to the nDSG, a DPIA (DSFA in German) is mandatory, for example, when processing particularly sensitive data or when systematically monitoring public areas.


5. Do I have a legally compliant privacy policy?

Companies may need to adapt their existing privacy policies due to the more extensive obligations. Previous adaptations to the EU's GDPR may not be sufficient.

A legally compliant privacy policy must contain information about all data processing activities and be easy to find (e.g., in the footer). Visitors to a website must also be made aware of the privacy policy (e.g., in contact forms). It must provide information about:

  • Identity and contact details of the controller (e.g., company)

  • Purpose of processing

  • Recipients of data transfers

  • Data categories in the case of procurement by third parties (e.g., marketing agency)

  • Country information for exports abroad

Use the Datenschutzpartner generator to create a customized privacy policy. Our customers can save up to 10% with the code onlineKarma10.


6. Do I need a record of all data processing operations?

In companies with more than 250 employees, all data processing must be recorded in future. The content of the record is specified by law and is based on the content of the privacy policy.

The record should also include the retention period for personal data and a general description of the measures taken to ensure data security.


7. When do I need to report to the EDÖB?

The Federal Data Protection and Information Commissioner (FDPIC, EDÖB in German) takes on a more intensive supervisory role under the new Data Protection Act. Any data protection breaches must be reported to the FDPIC immediately.

In addition, a mandatory reporting requirement for cyberattacks on critical infrastructure is currently being planned. In that case, the National Cyber Security Centre (NCSC) would also have to be informed.

4/ Criminal liability: What are the penalties for data protection violations?

Don't worry, under Swiss law, only deliberate breaches of duty will be punishable from September 1, 2023. A breach of confidentiality, for example, will not result in criminal consequences if the disclosure was unintentional. However, if the breach was intentional, the following criminal sanctions may apply:

      ❗ Fines of up to CHF 250,000.

      ❗ Administrative investigation proceedings by the FDPIC.

      ❗ Failure to comply with the FDPIC: fines of up to CHF 250,000.

      ❗ Civil law actions (e.g., injunctions or damages).

A fine of CHF 250,000 is payable in particular for the following offenses:

  • Violation of the duty to provide information (e.g., incorrect privacy policy)

  • Violation of data security (e.g., privacy by design and default)

  • Breach of disclosure obligations

  • Lack of protective measures or consent when disclosing personal data to countries without an adequate level of protection

  • No contract with contractual partners

The Swiss Data Protection Act generally imposes sanctions directly on the responsible persons. In the case of fines of up to CHF 50,000, it is usually the company that has to pay, as a costly investigation into liability by the FDPIC is not justified.

5/ For SMEs: What measures are generally advisable?

Beyond the website, SMEs should take further steps to ensure compliance with data protection regulations. The following measures will ensure a quick and straightforward restructuring process:

  • Inventory of personal data processing

  • Risk assessment in the company

  • Organization of internal processes to clarify affiliations and restrict access to the necessary minimum

  • Review and adaptation of existing privacy policies and contracts with contractors, including a list of processing activities

  • Appointment of a contact person for data protection issues

We are happy to assist you with the implementation of the nDSG.


6/ The best tools for data protection

Take control of data protection yourself. Save time and money when implementing new data protection guidelines with these tools:

Data protection in 30 minutes

Create a privacy policy for your website in just 30 minutes. Simply fill out the questionnaire and Datenschutzpartner will immediately create a customized privacy policy for you.

Cookie banners quickly and easily

Does your website need a cookie banner? Get one now with Cookiebot in just a few steps. Our customers benefit from an exclusive monthly discount of 10 percent.