nDSG (Switzerland) vs. GDPR (EU)
The revised Swiss Federal Act on Data Protection (nDSG, also "revDSG") has been in force since 1 September 2023. Although it is modelled on the EU's General Data Protection Regulation (GDPR), it departs from it in several respects.
When do the differences matter?
With the new act, Switzerland takes a more liberal approach than the EU: processing personal data is permitted by default, so companies generally do not need the user's consent, but they are subject to an extended duty to inform data subjects.
Optimal protection for SMEs:
Both laws appear to be very similar, but differ from each other in important aspects. With our comparison, SMEs remain legally compliant and avoid potential sanctions.
Note: This is intended as assistance, but does not constitute legal advice. We accept no liability.
Short on time?
Note: Our checklist prepares SMEs for the most important changes in seven steps.
The 11 most important differences at a glance:
| Topic | GDPR | nDSG |
|---|---|---|
| 1. Sanctions | Fines of up to EUR 20 million or 4% of the company's global annual turnover, whichever is higher, imposed on the company (Art. 83). | Fines of up to CHF 250,000, imposed as a rule on the responsible natural person rather than on the company (Art. 60 ff.). The company itself can be fined (up to CHF 50,000) only where identifying the responsible person would require disproportionate effort (Art. 64). |
| 2. Reporting data breaches | The controller must notify the supervisory authority within 72 hours unless the breach is unlikely to result in a risk to the individuals concerned (Art. 33). If the risk is high, the individuals must also be notified without undue delay (Art. 34). | The controller must notify the Federal Data Protection and Information Commissioner (FDPIC, German: EDÖB) as soon as possible if the breach is likely to result in a high risk to the personality or fundamental rights of the data subjects (Art. 24). There is no fixed 72-hour deadline. Data subjects are informed if this is necessary for their protection or if the FDPIC requests it. |
| 3. Data exports | The European Commission decides which countries offer adequate protection; otherwise EU standard contractual clauses (SCCs) or binding corporate rules (BCRs) are used (Art. 45 to 47). | Same concept: the Federal Council decides on adequacy (Art. 16). The EU standard contractual clauses and binding corporate rules can be used, with the adjustments for Swiss law recognised by the FDPIC. |
| 4. Appointment of a data protection officer | Mandatory for public authorities and where the core activities consist of large-scale regular and systematic monitoring or large-scale processing of special categories of data (Art. 37). | Private controllers are not obliged to appoint a data protection adviser, but it is recommended. If an independent adviser has been appointed and notified to the FDPIC, the controller may consult the adviser instead of the FDPIC when a DPIA shows a remaining high risk (Art. 23). |
| 5. Data protection impact assessment | Mandatory where the processing is likely to result in a high risk (Art. 35). If a high risk remains despite the measures taken, prior consultation of the supervisory authority is mandatory (Art. 36). | Mandatory where the processing may entail a high risk to the personality or fundamental rights of the data subjects (Art. 22). If a high risk remains despite the measures taken, the FDPIC must be consulted, unless the controller's own data protection adviser has been consulted instead (Art. 23). |
| 6. Data protection representative | Controllers and processors not established in the EU/EEA that offer goods or services to, or monitor the behaviour of, data subjects in the EU/EEA must designate a representative in the EU/EEA (Art. 27). | A controller established abroad must designate a representative in Switzerland if all of the following apply (Art. 14): it processes personal data of persons in Switzerland; the processing relates to offering goods or services or to monitoring behaviour in Switzerland; it is extensive; it is carried out regularly; and it poses a high risk to the data subjects. |
| 7. Profiling | No general consent requirement: profiling needs a legal basis like any other processing. Solely automated decisions with legal or similarly significant effects are only permitted with explicit consent, for a contract or where the law provides for them (Art. 22), and data subjects may object to profiling for direct marketing (Art. 21). | No general consent requirement. Where consent is relied on as justification, it must be express in the case of high-risk profiling (Art. 6 para. 7). Automated individual decisions must be disclosed to the data subject (Art. 21). |
| 8. Duty to provide information | The controller must inform the data subject when collecting personal data, both when the data is obtained from the data subject (Art. 13) and when it is obtained from another source (Art. 14), with a detailed catalogue of mandatory content. | The controller must inform the data subject about every collection of personal data, including data not collected from the data subject (Art. 19); under the old DSG this applied only to sensitive data. The mandatory minimum content is shorter: identity and contact details of the controller, purpose, recipients and, for exports, the destination country. |
| 9. Processing of personal data | Processing is prohibited unless there is a legal basis for it, e.g. consent, contract, legal obligation or legitimate interest (Art. 6). | Processing is permitted unless it unlawfully violates the personality of the data subject (Art. 30). A justification (consent, overriding private or public interest, or law) is only required where such a violation occurs (Art. 31). |
| 10. Right of access | Data subjects may obtain information about their processed personal data, including the purposes of processing and the origin of the data (Art. 15). | Similar to the GDPR (Art. 25: the information is normally provided free of charge within 30 days), but with more exceptions (Art. 26): access may be refused or restricted, for example, where overriding interests of third parties or of the controller are affected. |
| 11. Record of processing activities | Controllers and processors must keep a record of their processing activities (Art. 30). Companies with fewer than 250 employees are exempt unless the processing is likely to result in a risk, is not occasional, or involves special categories of data. | Controllers and processors keep a record of processing activities with a defined minimum content (Art. 12). Companies with fewer than 250 employees are exempt if their processing poses a low risk of violating personality rights; there is no exemption for high-risk profiling or for large-scale processing of sensitive personal data. |
Cookie banners for Swiss websites?
Under the new data protection act, cookie banners are not mandatory in Switzerland (source: FDPIC). EU law, on the other hand, requires consent before non-essential cookies are set, which in practice means a cookie banner.
If Swiss websites use cookies, operators must provide information on data collection in a transparent, understandable, and easily accessible manner. The processing of particularly sensitive personal data in Switzerland continues to require consent.
What does a legally compliant cookie banner look like?
Consent banners must not activate cookies by default, force users to give their consent, or interpret browsing the site as consent.
It is not permissible to make access to the website dependent on consent. It is important that cookie banners allow for voluntary consent and offer the option to agree to or reject individual cookies.
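The rules above translate into a small amount of front-end logic: nothing non-essential loads before an explicit choice, rejecting is as easy as accepting, browsing is not a choice, and the stored decision is the only thing that can ever switch a category on. The following is an added example written for this page, not code from the FDPIC or from any consent-management product; it deliberately has no DOM dependency so that it can be tested as-is. The category names, the script list, the cookie name and the `v1;analytics=1;marketing=0` storage format are all assumptions.

```javascript
// Added example (not from the original page): a DOM-free consent model for a
// cookie banner. Category names, script URLs and the cookie format are assumed.

const CATEGORIES = ["essential", "analytics", "marketing"];
const CONSENT_COOKIE = "consent"; // assumed name; the consent cookie is itself essential

// Hypothetical scripts a site might embed, tagged with the category they need.
const SCRIPTS = [
  { src: "/js/session.js", category: "essential" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

class ConsentState {
  constructor() {
    // Default state: only essential cookies. Nothing is pre-ticked, and nothing
    // changes because the visitor scrolls, clicks on content or navigates.
    this.choices = { essential: true, analytics: false, marketing: false };
    this.decided = false; // becomes true only through an explicit user action
  }

  // Apply a per-category choice. "essential" is always on and cannot be
  // toggled; unknown categories are rejected rather than silently accepted.
  update(partial) {
    for (const [cat, value] of Object.entries(partial)) {
      if (!CATEGORIES.includes(cat)) throw new Error(`unknown category: ${cat}`);
      if (cat !== "essential") this.choices[cat] = value === true;
    }
    this.decided = true;
  }

  // "Reject all" must be as easy as "accept all": one call each, and rejecting
  // counts as a decision too, so the banner goes away in both cases.
  acceptAll() { this.update({ analytics: true, marketing: true }); }
  rejectAll() { this.update({ analytics: false, marketing: false }); }

  isAllowed(category) { return this.choices[category] === true; }

  // Scripts that may be injected under the current choices. Everything
  // non-essential stays out until its category has been switched on.
  loadable(scripts = SCRIPTS) {
    return scripts.filter((s) => this.isAllowed(s.category));
  }

  // The banner is shown until a decision exists. It never gates the page:
  // content renders regardless; only non-essential scripts are withheld.
  bannerRequired() { return !this.decided; }
}

// Persist only the explicit decision, e.g. "v1;analytics=1;marketing=0".
// Returns "" before any decision, because there is nothing to store yet.
function serializeConsent(state) {
  if (!state.decided) return "";
  const parts = CATEGORIES.filter((c) => c !== "essential")
    .map((c) => `${c}=${state.choices[c] ? 1 : 0}`);
  return ["v1", ...parts].join(";");
}

// Read a stored decision back (already URL-decoded). Anything malformed, stale
// or tampered with falls back to the default (no consent), never to "allow all".
function parseConsent(value) {
  const state = new ConsentState();
  if (typeof value !== "string" || !value.startsWith("v1;")) return state;
  const partial = {};
  for (const field of value.slice(3).split(";")) {
    const [cat, flag] = field.split("=");
    if (!CATEGORIES.includes(cat) || cat === "essential") return new ConsentState();
    if (flag !== "0" && flag !== "1") return new ConsentState();
    partial[cat] = flag === "1";
  }
  state.update(partial);
  return state;
}

// Set-Cookie header for the consent cookie itself: it carries the choice and
// nothing else (no identifier), is scoped to the site and sent only over TLS.
// Returns null while no decision exists, so nothing is written prematurely.
function consentCookieHeader(state, maxAgeSeconds = 180 * 24 * 3600) {
  if (!state.decided) return null;
  const value = encodeURIComponent(serializeConsent(state));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}
```

In a real page the banner's buttons call `acceptAll()`, `rejectAll()` or `update({...})` with the individual toggles, the result is written with `consentCookieHeader()` (or `document.cookie`), and on each load `parseConsent()` decides which entries of `loadable()` get a `<script>` tag. The parser's strict fallback is the part that matters for the "no default activation" rule: a corrupted or hand-edited cookie must degrade to "no consent", not to "all allowed".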
What guidelines apply to cookie banners?
According to the FDPIC, operators that use cookies for web tracking must comply with the requirements of the EU ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications), which requires prior consent for all cookies that are not strictly necessary to provide the service.
When must Swiss websites be GDPR-compliant?
Whether the GDPR applies does not depend on the law of the operator's country but on who the website addresses. Under Art. 3(2) GDPR, a Swiss website falls under the GDPR if it offers goods or services to people in the EU or monitors their behaviour (for example through tracking cookies); mere accessibility from the EU is not enough. In that case the GDPR requirements, including a consent-based cookie banner, apply alongside the nDSG.
Swiss organizations must decide individually whether cookie banners are necessary for their websites. We are happy to assist with the assessment and any technical implementation required.
Conclusion
The nDSG has been in force since 1 September 2023 and sets new standards for data protection in Switzerland. At first glance, it mainly improves protection for people in Switzerland and follows the EU's GDPR.
On closer inspection, however, there are important differences that SMEs should be aware of. By adapting to the new rules, Swiss companies and associations not only reduce their legal risk but also strengthen customer trust and their market position in an increasingly digital economy.
Don't lose any time and start preparing today!
We are even better at digital marketing than at data protection. As an innovative online marketing agency, we are the right partner when it comes to developing a customized and successful marketing strategy.
