Swiss nDSG vs. EU GDPR
New Data Protection Rules in Switzerland – What Companies & Associations Need to Know Now
The new Swiss Data Protection Act (nDSG) comes into effect on September 1, 2023.
The nDSG (also called revDSG) aims to harmonize Swiss law with the EU General Data Protection Regulation (GDPR) and to better protect the personal data of individuals in Switzerland by adapting the law to technological developments.
In an era where technology is rapidly evolving and AI applications like ChatGPT play an increasingly significant role in our lives, ensuring privacy and data protection is more crucial than ever. The nDSG promises a modern version of data protection. 🔭
The alignment of the nDSG with the GDPR is evident, even though the nDSG does not match the GDPR in every respect. 🧭 Overall the new Swiss law is less strict, and only in a few specific areas is it more restrictive than the European one.
The European Data Protection Law also applies to many Swiss organizations.
You can find out when and how the GDPR applies to Swiss companies & associations in the GDPR Switzerland Checklist. 🧾
As a result, some organizations must comply with both European and Swiss data protection laws. Therefore, there is also a need for action for organizations that already meet GDPR requirements. 🎬
Here you will learn about the important differences between the two data protection laws:
nDSG vs. GDPR: 11 key differences
| Topic | GDPR | nDSG |
|---|---|---|
| Sanctions | Administrative fines against the company of up to EUR 20 million or 4% of its worldwide annual turnover, whichever is higher. | Criminal fines of up to CHF 250,000. With a few exceptions, the fine is imposed on the responsible natural person rather than the company; the company itself can only be fined up to CHF 50,000 where identifying the responsible person would require disproportionate effort. |
| Reporting Data Breaches | Data breaches must be reported to the supervisory authority within 72 hours unless the breach is unlikely to result in a risk to individuals. If there is a high risk to the rights and freedoms of individuals, the data subjects must also be notified. | The controller must notify the FDPIC as quickly as possible of breaches that are likely to result in a high risk to the personality or fundamental rights of data subjects. Data subjects must be informed when this is necessary for their protection or when the FDPIC requests it. There is no 72-hour deadline; the standard is “as quickly as possible”. |
| Data Exports | The European Commission decides which countries offer an adequate level of protection. Otherwise, transfer tools such as the EU Standard Contractual Clauses (SCCs) or binding corporate rules (BCRs) are required. | The same concept applies. The Federal Council decides on the adequacy of foreign countries (the list is in the Data Protection Ordinance). The EU SCCs can be used with the adaptations required by the FDPIC, as can binding corporate rules. |
| Appointment of a Data Protection Officer | Mandatory under Art. 37 for public authorities and for companies whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. | Not mandatory for private companies, but explicitly encouraged. A controller that has appointed a data protection advisor may consult that advisor instead of the FDPIC when a Data Protection Impact Assessment shows a residual high risk to the personality or fundamental rights of data subjects. |
| Data Protection Impact Assessment | A DPIA is required where processing is likely to result in a high risk to the rights and freedoms of data subjects (Art. 35). If a high risk remains despite the planned measures, prior consultation with the supervisory authority is mandatory (Art. 36). | A DPIA must be carried out where the processing may entail a high risk to the personality or fundamental rights of data subjects. If the risk remains despite the planned measures, the controller must consult the FDPIC; a private controller may instead consult its own data protection advisor. |
| Data Protection Representative | Controllers and processors not established in the EU/EEA that offer goods or services to data subjects in the EU/EEA or monitor their behaviour must appoint a representative in the EU/EEA (Art. 27). | A private controller based abroad must appoint a representative in Switzerland if all of the following apply: it processes personal data of persons in Switzerland, the processing is connected with offering goods or services or monitoring behaviour in Switzerland, the processing is extensive and regular, and it entails a high risk to the data subjects (Art. 14). |
| Profiling | No separate consent requirement: profiling needs a legal basis like any other processing. Decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects are only permitted with explicit consent, for the performance of a contract, or where authorised by law (Art. 22). | No general consent requirement for profiling. The law defines “high-risk profiling” as a separate category; where consent is relied on for high-risk profiling, that consent must be express (Art. 6). |
| Duty to Inform | The controller must inform the data subject at the time personal data is collected from them (Art. 13) and, within a reasonable period, when the data is obtained from another source (Art. 14), with a detailed list of required information. | The controller must inform the data subject whenever personal data is collected, including when it is not obtained directly from the data subject (Art. 19). The minimum content is narrower than under the GDPR: the identity and contact details of the controller, the purpose of processing, the recipients and, for exports, the destination countries. |
| Processing of Personal Data | Processing is prohibited unless a legal basis applies (e.g. consent, contract, legal obligation, legitimate interest; Art. 6). | Processing is generally permitted. A justification (consent, an overriding private or public interest, or a legal provision) is only required where the processing unlawfully infringes the data subject's personality rights, for example by breaching the processing principles or by processing data against the data subject's express wishes. |
| Right of Access | Data subjects have the right to obtain information about their processed personal data, including the purposes of processing, the recipients and the origin of the data (Art. 15). | Similar to the GDPR, but with more grounds for refusal. For instance, access can be refused, restricted or delayed where overriding interests of third parties or of the controller so require (Art. 26). |
| Record of Processing Activities | Controllers and processors must maintain a record of their processing activities in accordance with Art. 30. Organisations with fewer than 250 employees are exempt unless the processing is likely to result in a risk, is not occasional, or includes special categories of data. | Controllers and processors must maintain a record of processing activities with minimum content requirements (Art. 12). Companies with fewer than 250 employees are exempt if their processing entails only a low risk of infringing personality rights. There is no exemption for high-risk profiling or large-scale processing of sensitive personal data. |
The new Swiss Data Protection Act is designed to preserve the EU's recognition of Switzerland as a country with an adequate level of data protection, so that data can continue to flow freely between Switzerland and the EU and Swiss companies remain competitive. Complying with it avoids fines and reputational damage and fosters customer trust. 🤝
And what about cookies?🍪
“No, the new data protection law in Switzerland does not mandate cookie banners. Switzerland does not adopt the EU Cookie Directive.”
According to Martin Steiger, the new data protection law in Switzerland does not mandate cookie banners. This means Switzerland has not adopted the EU Cookie Directive.
Instead of explicit consent, Swiss law (Art. 45c of the Telecommunications Act) focuses on informing users and offering them a way to refuse cookies. Operators must also ensure that data processing is limited to what is necessary.
Privacy-friendly default settings are only required where users are actually given a choice. 💡
Despite the new law, the use of cookie banners in Switzerland therefore remains voluntary. 💪
✅ In brief:
For Swiss website operators addressing visitors in Switzerland, informing users about cookie usage in the privacy policy and offering an opt-out is sufficient.
Visitors from the EU remain protected by EU law (GDPR and the ePrivacy rules), so a site that targets them must obtain their explicit consent before setting non-essential cookies.
Conclusion
The nDSG (new Data Protection Act) enters the stage, ready to redefine Switzerland's data protection landscape. It significantly strengthens data protection for individuals in Switzerland and aligns Swiss law with the GDPR.
However, as with any exciting game, there are differences to consider – the nDSG and GDPR are not identical and therefore require an adjustment of our data protection practices.
With proper preparation, Swiss companies and associations strengthen their market position and their reliability towards their clients. Game on! 💾
Don't lose time preparing for the new law! ⏰
Disclaimer
This article is for informational purposes only and does not constitute binding legal advice. Please note that the interpretation of laws can vary depending on the context and situation. We are not lawyers and recommend familiarizing yourself thoroughly with the new law and preparing adequately for the upcoming changes. We are happy to answer any questions.
Are you looking for a marketing agency that combines professionalism and creativity? 🧑💻🌈
Then contact us! 😊👇

