nDSG (Switzerland) vs. GDPR (EU)
The new Swiss Data Protection Act (nDSG) came into force on September 1st. While it is based on the EU's General Data Protection Regulation (GDPR), it also has its differences.
When do these differences matter?
With the new Data Protection Act, Switzerland adopts a more liberal approach. Companies generally do not need user consent but must adhere to expanded information requirements.
Optimal Protection for SMEs:
Both laws appear very similar, yet they differ in important aspects. Our comparison helps SMEs remain legally compliant and avoid potential sanctions.
Note: This is a guide, not legal advice. We assume no liability.
Short on time?
Note: Our checklist prepares SMEs for the most important changes in 7 steps.
The 11 Key Differences at a Glance:
| | GDPR | nDSG |
|---|---|---|
| 1. Sanctions | Fines for the responsible company up to EUR 20 million or 4% of the company's worldwide annual turnover. | In case of violations, criminal fines up to CHF 250,000. With some exceptions, the penalty is linked to the responsible natural person. |
| 2. Reporting Data Breaches | Obligation to report data breaches with risks to affected individuals to the data protection authority within 72 hours. If there is a high risk to personal rights, the individual must be notified. | Mandatory if required to protect the individuals concerned. The FDPIC (Federal Data Protection and Information Commissioner) only needs to be informed by the data controller in situations of high risk, specifically when it is essential for the protection of the data subject. There is no 72-hour deadline; instead, notification must occur 'as quickly as possible'. |
| 3. Data Exports | The European Commission decides on the admissibility. EU Standard Contractual Clauses and binding corporate rules are applicable. | The same concept applies. The Federal Council decides on the admissibility of data exports. The same Standard Contractual Clauses and binding corporate rules as in the EU are applicable. |
| 4. Appointment of a Data Protection Officer | Mandatory if the company conducts large-scale regular and systematic monitoring or processes special categories of data on a large scale, according to Art. 37. | Not mandatory, but explicitly recommended. Appointing one simplifies data processing that carries a high risk to the personality or fundamental rights of the data subject. |
| 5. Data Protection Impact Assessment | If a high risk persists despite implemented measures, then consultation with supervisory authorities is mandatory. | If there is a high risk to the personality or fundamental rights of data subjects, a Data Protection Impact Assessment (DPIA) must be carried out. If the risk continues to exist despite the measures, then consultation with a Data Protection Officer or the FDPIC is possible. |
| 6. Data Protection Representation | Companies based outside an EU/EEA country that offer their services to customers in EU/EEA countries, process data, or monitor behavior, must appoint an official representative in the EU/EEA. | When data is processed by a controller based abroad, a representative in Switzerland must be appointed. This also applies if the data processing involves a high risk, is extensive, or regular. |
| 7. Profiling | General obligation to obtain consent. | General obligation to obtain consent only for profiling with high risk. |
| 8. Duty to Inform | Obligation to inform the data subject when personal data is collected. | The data controller must inform the data subject about the collection of personal data, even if the data is not collected directly from the data subject (according to Art. 18a). |
| 9. Processing of Personal Data | The processing of personal data is generally prohibited unless there is a legal basis (e.g., consent, contract, legal obligation). | Here, the processing of personal data is generally permitted, unless there is an unlawful infringement of personality rights. |
| 10. Right of Access | Data subjects have the right to receive information regarding their processed personal data. This includes, among other things, processing purposes and data origin. | Similar to the GDPR, but with more exceptions. For instance, access can be denied if the privacy of third parties or overriding interests are affected. |
| 11. Register of Processing Activities | Companies must maintain a register of their processing activities, in accordance with Art. 37. | Controllers or processors must maintain a register of processing activities with minimum content requirements. An exception applies to companies with fewer than 250 employees and data processing activities that pose low risks to personal privacy. However, there is no exception for high-risk profiling or the large-scale processing of sensitive data. |
Cookie Banners for Swiss Websites?
Under the new Data Protection Act, cookie banners are not mandatory in Switzerland (Source: FDPIC). However, EU regulations require cookie banners that obtain user consent.
If Swiss websites use cookies, operators must provide information about data collection in a transparent, understandable, and easily accessible manner. The processing of sensitive personal data still requires consent in Switzerland.
What does a legally compliant cookie banner look like?
Consent banners must not activate cookies by default, force users to consent, or interpret browsing the site as consent.
It is not permissible to make website access dependent on consent. It is important that cookie banners allow for voluntary consent and offer the option to agree to or reject individual cookies.
Which guidelines apply to cookie banners?
According to the FDPIC, when using cookies for web tracking purposes, operators must consider the requirements of the ePrivacy Directive of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector.
When do Swiss websites need to be GDPR compliant?
The applicable legislation depends on the location of the users. Therefore, for visitors from the EU, Swiss websites must also meet GDPR requirements, such as cookie banners.
Swiss organizations must individually decide whether cookie banners are necessary for their website. We are happy to assist with the assessment and the required technical implementation.
Conclusion
The new FADP is coming and will set new standards for data protection in Switzerland. At first glance, it primarily improves protection for Swiss citizens and is based on the EU's GDPR.
However, a closer look reveals some important differences that SMEs should consider. By adapting to the new guidelines, Swiss companies and associations are preparing optimally for September 1st. This not only strengthens customer trust and market position but also helps them withstand the pressures of digitalization.
Don't lose time – start preparing today!
We are even better at digital marketing than data protection.🙂 As an innovative online marketing agency, we are the right partner for a customized and successful marketing strategy.
