Quick answer: Switzerland's revised Federal Act on Data Protection (nDSG/revDSG) came into force on September 1, 2023. It aligns Swiss privacy law with GDPR but has key differences: no requirement to appoint a DPO, criminal liability for individuals (not companies), and no mandatory data breach notification to data subjects. Here's what you need to know for compliance.
What Is the nDSG?
The nDSG (neues Datenschutzgesetz) is Switzerland's modernized data protection law, replacing the original 1992 Federal Act on Data Protection (DSG). The revision was driven by two factors:
- EU adequacy: Switzerland needed to maintain its "adequate" status under GDPR Article 45 for seamless EU-Swiss data transfers
- Modernization: The 1992 law predated smartphones, cloud computing, and big data — it was fundamentally outdated
The nDSG applies to any processing of personal data of natural persons (legal entities are no longer covered, unlike the old DSG). It applies to companies located in Switzerland and to foreign companies whose data processing has effects in Switzerland.
nDSG vs GDPR: Key Differences
| Aspect | Swiss nDSG | EU GDPR |
|---|---|---|
| Scope | Natural persons only | Natural persons only |
| DPO requirement | Not mandatory (voluntary "Data Protection Advisor") | Mandatory for public bodies, large-scale processing |
| Legal basis for processing | No need for explicit legal basis for private sector (good faith principle) | Must have one of 6 legal bases (Art. 6) |
| Consent | Required only for sensitive data, profiling, cross-border transfers | Required for many processing activities |
| Data breach notification | Report to FDPIC "as soon as possible" — no fixed deadline | 72 hours to DPA |
| Notify data subjects | Only if necessary for their protection or if FDPIC requires it | Required if high risk |
| Fines | Up to CHF 250,000 — against individuals (not companies) | Up to €20M or 4% of revenue — against companies |
| DPIA | Required for high-risk processing (similar to GDPR) | Required for high-risk processing |
| Records of processing | Required (exemption for SMEs <250 employees with low-risk processing) | Required (exemption for <250 employees) |
| Cross-border transfers | Adequacy list maintained by Federal Council (largely mirrors EU) | Adequacy decisions by European Commission |
| Supervisory authority | FDPIC (Federal Data Protection and Information Commissioner) | National DPAs (CNIL, ICO, BfDI, etc.) |
Critical Difference: Criminal Liability
Unlike GDPR, the nDSG imposes criminal penalties on individuals, not companies. This means:
- The person responsible for the violation (CEO, CISO, DPO, project manager) can be personally fined up to CHF 250,000
- Violations are prosecuted by cantonal prosecution authorities, not the FDPIC
- The FDPIC can investigate and issue recommendations but cannot impose fines directly
- Criminal sanctions require intentional violations (not mere negligence, except for duty of care violations)
Sanctionable offenses include: failure to provide information to data subjects, failure to report data breaches, unauthorized cross-border transfers, failure to comply with minimum data security requirements, and failure to appoint a representative in Switzerland (when required).
nDSG Compliance Checklist
| # | Action | Priority |
|---|---|---|
| 1 | Update privacy policy to include all nDSG-required information (identity of controller, purpose, recipients, cross-border transfers, retention periods, data subject rights) | Critical |
| 2 | Implement "Privacy by Design" and "Privacy by Default" (Art. 7) — data minimization, purpose limitation, default privacy settings | Critical |
| 3 | Create Records of Processing Activities (Art. 12) — unless SME exemption applies | Critical |
| 4 | Conduct Data Protection Impact Assessment for high-risk processing (Art. 22) | High |
| 5 | Review cross-border data transfers — ensure adequate country or appropriate safeguards (SCCs, BCRs) | High |
| 6 | Implement data breach notification process to FDPIC (Art. 24) | High |
| 7 | Update website cookie consent for Swiss users — consent required for non-essential cookies under the Telecommunications Act (FMG) | High |
| 8 | Ensure data subject rights mechanisms: access, rectification, deletion, data portability (Art. 25-29) | High |
| 9 | Appoint a representative in Switzerland if you're a foreign controller with regular processing of Swiss data (Art. 14) | Medium |
| 10 | Consider appointing a voluntary Data Protection Advisor (Art. 10) — provides benefits for DPIA consultation | Medium |
Website-Specific Requirements
- Privacy policy: Must be available in the language(s) your Swiss visitors use (German, French, Italian, English). Must identify the controller, processing purposes, recipients, and cross-border transfers
- Cookie consent: While the nDSG itself doesn't require cookie consent, the Swiss Telecommunications Act (FMG Art. 45c) requires informing users about cookies and offering a way to refuse — similar to ePrivacy but less strict than GDPR. In practice, most Swiss sites implement GDPR-style consent banners
- Third-party scripts: Any data transfer to foreign recipients (Google Analytics, Meta Pixel, etc.) must be disclosed and adequacy/safeguards must be in place
- Security measures: Implement appropriate technical and organizational measures (encryption, access controls, logging)
Cross-Border Data Transfers
The nDSG mirrors GDPR's approach to cross-border transfers. The Federal Council maintains an adequacy list of countries with adequate data protection. For transfers to countries not on that list, you need one of the following:
- Standard Contractual Clauses (SCCs) — the FDPIC accepts EU SCCs
- Binding Corporate Rules (BCRs)
- Explicit consent from the data subject
- Necessity for contract performance
Key note: The US is not on Switzerland's adequacy list (unlike the EU-US DPF). However, the Swiss-US Data Privacy Framework was approved in September 2024, covering certified US companies.
Frequently Asked Questions
Does the nDSG apply to my company if I'm based in the EU?
Yes, if your data processing has "effects in Switzerland" — i.e., you target Swiss customers, have Swiss users, or process data of Swiss residents. You may also need to appoint a representative in Switzerland (Art. 14) if you regularly process personal data of Swiss persons on a large scale.
Do I need a DPO under the nDSG?
No. Unlike GDPR, a Data Protection Advisor (the nDSG equivalent of a DPO) is voluntary. However, appointing one provides advantages: you can consult them instead of the FDPIC for DPIAs, and it demonstrates good-faith compliance efforts.
How do I check if my website complies with the nDSG?
Use PrivacyChecker to scan your website. Our tool checks for privacy policy completeness, cookie consent implementation, third-party data transfers, security headers, and more — covering both GDPR and nDSG requirements in one scan.