Information about the new data protection law in Switzerland

Information about the new data protection law in Switzerland

The new data protection law (nDSG) definitely comes into effect from 01. September 2023 in force. Everything you should know for your website or online shop.

You should adapt your data protection declarations and existing data protection guidelines in a timely manner, because there is no transition period! This time there will be stricter controls and harsher punishments. The competencies of the EDÖP (Federal Data Protection and Information Commissioner) have been expanded for this purpose. If you were previously only able to carry out clarifications, you are now allowed to initiate investigations or proceedings. The fines range up to 250,000 francs. 

The good news first:

  • If you have already dealt with the GDPR in detail in advance and aligned your website or online shop accordingly, then your effort to implement the nDSG will be low.
  • What is particularly new are the information obligation and data security. What this means for you is explained below.
  • And finally: Nobody manages to implement the data protection law 100%, but there are some contradictions and ambiguities in the law. In addition, the effort is not always proportionate. However, it is worth doing your best and adapting the new guidelines in order to avoid any investigations and costly warnings. Because the costs for the plaintiff have been waived with the nDSG, it will now be easier to file a report in the event of a data protection violation. However, only intentional violations are punished, not negligence. The lack of a detailed data protection declaration can already be counted as an intentional violation. 

What needs to be adjusted now if I have a website or an online shop?

The principle is: Any data acquisition is the responsibility of the Information Dutyt. The customer must always be able to understand which data is being used, why and for what purpose, and also know where this data is being transmitted. The easiest way to do this is with a detailed privacy policy. This means that a data protection declaration with the nDSG is mandatory on every website! If the data protection declaration is missing, the obligation to provide information is violated.

However, the information does not necessarily have to be identified with a pop-up window; it is sufficient that the data protection declaration is an integral part of the site. Best installed in the footer and described as data protection. Even with the nDSG, Swiss website visitors still do not need explicit consent to process personal data.

Important: Do not mix the data protection declaration with the general terms and conditions or the legal notice. That’s different information!

The privacy policy – The following information should be present:

  • Identity of the person responsible for the website/online shop or the data protection officer. Users must have the opportunity to contact us at any time and know who to contact. Unlike in Europe, the appointment of a data protection officer is still voluntary.
  • The personal data processed. This includes contact details, browser data, cookies, job applications, etc.
  • General purposes for processing personal data
  • Categories of recipients to whom the personal data is disclosed
  • Services used and service providers on your site (most detailed part)
  • Presence in social media channels
  • Retention of personal data
  • Rights of the data subjects
  • What is your company doing to ensure data security

Important: Whenever you make changes to your website or online shop in which you or third parties collect additional data, you should update this in your data protection declaration!

However, the mere data protection declaration is not enough. The contents of the data protection declaration must also be implemented in the business processes.

This means for you:

  • According toArticle 7 (nDSG)all technical and organizational measures must be taken to ensure that the data protection regulations are adhered to (data protection, password security, secure data storage, https website, etc.)
  • Involve your employees, because they are the ones who handle the data.
  • In the event of data theft or other violations of the nDSG, there is now a new obligation to report to the EDÖP.
  • If third-party providers are used, their data protection regulations must be read and accepted. You must be sure that you can provide a Data Processing Agreement (DPA) for each provider. Depending on the provider, the DPA is part of the general terms and conditions, which you must expressly agree to. If a provider does not have this, then you should not use it for your site.
  • You must ensure that the personal data collected is not used by the provider itself or that the provider sells it. Otherwise you would need the consent of the people concerned, i.e. your customers.
  • Always check the data protection provisions of a tool before implementing it.

Does it need a cookie banner?

  • Cookie banners are only necessary if you have to comply with the GDPR. This means only for Swiss companies that have a branch in the EU or offer a service there.
  • But what if my site has visitors from the EU or I use tools like Google Analytics or Facebook Pixel? This applies to almost every page, but an effort estimate must be made here. If your target group and your customers are not located outside of Switzerland, then only this personal data is relevant for your service. Then all you need is detailed information about the cookies in the data protection declaration and how you can turn them off.
  • For Switzerland, with the revised data protection law, consent to data processing does not need to be explicitly obtained, even for cookies. 

If you want to inform visitors to your website in more detail, you can refer to the use of cookies and the data protection declaration in a pop-up:

If you continue to browse this website, you agree to the use of cookies to support user-friendliness.

You can find more information in our privacy policy 

Justification for the credit check:

  • A credit check is only justified if
    • the person concerned is of legal age
    • the data is not older than 10 years
    • The data will only be passed on to third parties if they are used to process the contract
    • No particularly sensitive personal data is processed and it does not involve high-risk profiling.
  • The tool, including its location and how the data is handled, must be explained in the data protection declaration.
  • Also check whether your credit provider adheres to the revised data protection regulations, no later than September 1st, 2023.
  • Where does the data go? Are these really only needed to process the contract or will they be passed on to third parties. If the latter were the case, then the tool should no longer be used for credit checks from September 1, 2023. 

Newsletter Marketing:

  • The company must now prove the consent of the data subject.
  • Collect only the most necessary data! For example, if you ask for the telephone number when registering for the newsletter, you must be able to explain why.
  • Sending the newsletter is only permitted if you have given your consent (opt-in).
  • The double opt-in procedure is recommended. This means that the customer registers and a confirmation link is then sent to his email address in order to definitely register for the newsletter.
  • Here, too, the data protection regulations of the provider you use must be checked! For example, if you use MailChimp, you must ensure that it does not use the customer data itself or sell it to third parties. This would be a transfer of data to a third party and the company would have to have the consent of the person concerned. On the other hand, it must be checked where the data will be transmitted and the corresponding explanations must be presented transparently in the data protection declaration.
  • The data protection declaration must state which tool is used, including the company’s headquarters.

Other important information:

  • The new law also applies to companies based abroad if they process personal data from Switzerland
  • If you systematically collect sensitive data such as health status or political views, a data protection officer is also needed in Switzerland!

Note: This article can only provide general information on how to get started with the topic. For individual clarifications or if you have any questions or uncertainties, we recommend consulting with professional institutions. 


This website uses cookies. Cookies are used for the user interface and web analytics and help to make this website better. More Information