Switzerland’s new data protection law: What SMEs need to know

Neues Datenschutzgesetz Schweiz

Switzerland’s new data protection law: What SMEs need to know


Data protection in Switzerland

In 1992, the Data Protection Act came into force in Switzerland. In almost 30 years, the collection and use of data has changed a lot. For this reason, the new Data Protection Act (nDGS) will come into force on 1 September 2023 to regulate the handling and protection of data in a modern manner. With this step, Switzerland is reacting to the adaptation of the EU’s data protection law. All companies based in Switzerland and foreign companies that operate in Switzerland or process data in Switzerland are affected by the new law.
We present the most important changes in the Data Protection Act and explain which obligations your company must fulfil. We will also show you the best way to implement the new rules in your SME.


The most important adjustments in the revised Data Protection Act

  • The revised Data Protection Act only protects natural persons. The protection of legal persons is waived.
  • Data subjects must be adequately informed when a company collects and uses their data. This is also the case if a company does not obtain the data from the data subjects themselves.
  • The register of data collection is replaced by the register of processing activities. This must be maintained by companies that have more than 250 employees or that process large amounts of particularly sensitive data.
  • Companies must prepare a data protection impact assessment if the processing of the data poses a high risk to the personality or fundamental rights of a data subject.
  • In the case of high-risk profiling, the data subject must consent to the data processing. High-risk profiling exists when there is a risk to the personality and fundamental rights of the data subject as a result of the processing of data.


The company’s obligations under the Data Protection Act

Analysis of the collected data

In the EU, companies are not allowed to collect personal data unless there is a justification for doing so. In contrast, companies in Switzerland are generally allowed to collect and process data, even without a justifiable reason. However, the data collected must serve a specific purpose and cannot be collected and stored for possible future purposes.
In certain cases, SMEs must obtain consent from data subjects in order to process their data. Consent is required when:

  • Data requiring special protection are processed
  • High risk profiling exists
  • Profiling is carried out by a federal body

In doing so, a company must be able to prove that data subjects have given their consent. The higher the risk of a data breach, the greater the requirements for the validity of consent.
Data that is particularly worthy of protection includes:

  • Data on religious, ideological, political or trade union activities or views
  • Data about health, privacy, race or ethnicity
  • Genetic data
  • Biometric data that uniquely identify a person
  • Data on administrative and criminal prosecutions or sanction
  • Data on social assistance measures
Inform affected persons

Companies are obliged to inform data subjects that their data is being collected and processed. In doing so, the company must provide information on the following points precisely, understandably and in an easily accessible form:

  • Identity and contact details of the data protection officer in the company
  • Purpose of processing the data
  • Recipients of the data, insofar as they are passed on
  • Whether the data will be given abroad and what security measures will be taken if the country does not have adequate data protection in place
Rights of the data subjects

Anyone who believes that their rights are being violated by the processing of data can request information from a company. Companies must provide information on the following points

  • Identity and contact details of the data protection officer in the company
  • What data is processed
  • The purpose of processing the data
  • The retention period of the data or the criteria used to determine how long the data is retained
  • Information on the origin of the data, if not collected by the company itself
  • Where applicable, the existence of an automated individual decision, as well as the logic on which the decision is based
  • The recipients or category of recipients to whom personal data are disclosed, if the company discloses data

A company may refuse or defer information if a request is manifestly unfounded or outweighs the interests of third parties.

Data exports

The legal situation has hardly changed when it comes to exporting data abroad. Companies are entitled to export data abroad as long as these countries have adequate data security measures in place. Data exports can also be made to countries that do not have adequate protection. In this case, companies must show what measures are taken to ensure the protection of the data.
A justification by the company is necessary for the export of the data. Examples of such justification may be the consent of the data subjects, a contractual obligation or an overriding public interest. In any case, data subjects must be adequately informed about where a company exports their data.


Recommendations for companies

Regulate responsibility

Appoint a data protection officer in advance who is responsible for ensuring data protection law in the company. The data controller must be informed about processes in which data is used and know how to proceed in the event of violations of the Data Protection Act. In addition, this person is deposited as a contact person in the company.

Get an overview

Get an overview of what data is available in your SME. Ask yourself the following questions:

  • What data is available in the company?
  • What is this data used for?
  • How long will this data be stored?
  • How is the security of the data guaranteed?
Identify gaps

Analyse the processes in your company and find out where there are gaps in relation to the new data protection law. The best way to do this is to carry out a GAP analysis, which compares the current status of the company with the requirements and shows where measures need to be taken.

Customise documents

Create a privacy policy or adapt the existing document on your website. It is important that the identity of the data controller, the purpose of processing the data and the recipients of the data, if the data is disclosed, are listed.

Check IT security

Check the IT security in your company to ensure that data is adequately protected. If you find gaps that pose a risk to data security, these must be urgently rectified. It is worth working with an IT specialist on this step.

Process requests

If data subjects ask for information about the use of their data, the procedure must be regulated. Designate at least one person in the company to deal with enquiries, define how enquiries are to be dealt with and the time limit within which an enquiry is to be answered.

Sensitise employees

Make your employees aware of the topic of data protection again and again and inform them appropriately about it. Staff training also helps to keep your staff’s knowledge up to date.

Continuously optimise processes

After the revised Data Protection Act has been implemented in the company, you should regularly check whether the processes are running optimally and whether data is adequately protected in the company. This way, you can be sure that security risks that arise over time are eliminated and that your company is always up to date.



With the entry into force of Switzerland’s new data protection law, companies are facing a number of changes.
Those who are well prepared ensure that data protection regulations are complied with and fines avoided, data is secure in the company and customer trust is strengthened. It is therefore advisable to deal with the issue appropriately and to implement the adjustments carefully in the company. The company’s data security and internal processes should also be regularly reviewed in order to be able to prevent possible breaches.
To be prepared for the new law, it is advisable to prepare well in advance. If the responsibilities in the company are clearly regulated and the processes are optimised to the new law, problems and fines can be avoided and customer confidence strengthened.


primeAD AG