Data protection for individuals in Switzerland has been regulated by the Swiss Data Protection Act (DSG) since 1992. This law is intended to protect the privacy and fundamental rights of individuals. The new version will come into force on September 1, 2023, with all its accompanying regulations and without a transition period. Switzerland's new data protection law is moving closer to the General Data Protection Regulation (GDPR) applicable in the EU, but sets its own priorities.
Digitalization made a complete overhaul necessary, and the revised law takes the technological changes in society into account. For private individuals, this means increased transparency and greater rights regarding the processing and storage of their personal data. In this article, I explain what Switzerland's new data protection law is, what new regulations need to be observed, and how the new DSG affects your company website.
Who is affected by the new Swiss Data Protection Act?
In principle, the new DSG applies to all Swiss companies that process personal data of Swiss citizens. International companies based in Switzerland and companies that conduct cross-border business must also comply with the new data protection law. Data processing includes not only the actual processing of data, but also its storage and archiving.
Companies will be required to justify why they collect personal information. They must disclose which third parties they make this personal data available to. Natural persons will also have the right to inquire how long their personal data will be stored and what it will be used for. Any private individual may request that incorrect data be corrected, without having to give reasons.
What is "personal data" and what does "process" mean?
Personal data is any personal information relating to a specific or identifiable natural person. This term is very broadly defined in law and can even include individual IP addresses or email addresses. The word "process" is used in just as broad a sense.
Processing describes all activities related to the handling of personal data. This includes the collection, storage, retention, modification, use, and disclosure of data. It also includes the deletion, archiving, and destruction of data. The nDSG protects only the data of natural persons, not that of legal entities.
The five most important changes in the new Swiss DSG
The new Swiss Data Protection Act (DSG) deals with the protection of personal data of natural persons. Genetic and biometric data are considered particularly sensitive personal data. The new Swiss Data Protection Act is based on the high level of data protection provided by the EU General Data Protection Regulation (GDPR). Here are the most important changes:
- For greater transparency, companies are required to inform data subjects precisely how their personal data will be used. This no longer applies only to particularly sensitive data, but also in cases where the data is not collected from the data subject. Companies are required to appoint a data protection officer.
- If data processing poses a high risk to the privacy or fundamental rights of the data subject, the company must carry out a data protection impact assessment. This assessment examines the risks to data subjects that arise if their data is not processed in accordance with the law.
- Through privacy-friendly settings and the use of technology (privacy by design and privacy by default), companies undertake to establish rules that take data protection into account as early as the planning and design stages of applications. Alternatively, consent must be obtained from users.
- When it comes to profiling, obtaining consent is only mandatory if "it leads to a combination of data that allows for an assessment of essential aspects of a natural person's personality" (Article 5, paragraph g nDSG). The law considers this to be "high-risk profiling."
With the new DSG, extended information obligations will apply to companies from September 1, 2023. These are summarized in the directory for the processing of personal data, which I will explain in more detail in the next section.
Newly introduced: the directory of processing activities
The most important change in the new DSG lies in the maintenance of a "directory of processing activities" in accordance with Article 12 of the DSG. If you process a lot of personal data, you are required to create and maintain such a record. To be compliant with the new DSG, the record must contain at least the following information:
- The personal data of the controller;
- The specific purpose of the processing;
- A categorization and description of affected individuals and personal data;
- A categorization of recipients;
- The duration of storage or a determination of the storage period;
- A general description of the package of measures designed to ensure the data security of those affected (both technically and organizationally);
- If foreign companies are involved, the country must be specified, together with the guarantees provided regarding data protection.
This directory is new to Swiss law. It is modeled on the European Union's GDPR, records all data flows, and documents the specific purpose of the processing. This is intended to provide a better general overview of data processing.
Exceptions to data protection in accordance with the DSG
Almost all companies are required to maintain such a directory. The new DSG provides for an exception for small companies with fewer than 250 employees and for the processing of data with a low risk to privacy.
Reporting obligations in the event of violations
The new Swiss Data Protection Act stipulates in Article 24 DSG that violations of data protection law must be reported. If you are responsible for data protection in your company, you are obliged to report data security violations to the EDÖB. The abbreviation EDÖB stands for the "Federal Data Protection and Information Commissioner" (FDPIC), who is responsible for supervising federal data protection regulations.
All data security breaches in data processing must be reported. The report must be made as soon as possible. Only breaches of the personal rights and fundamental rights of the persons concerned are subject to reporting. According to Article 49(1) of the new FADP, the FDPIC must investigate all violations of the new FADP ex officio. If the violation of data protection law is only minor, an investigation may be waived in accordance with Article 49(2) nFADP. If your company has been affected by a cyberattack, you do not need to report it.
At the same time, the revision of the Data Protection Act gives the EDÖB more powers. It can impose faster sanctions if a company fails to comply with the new data protection law. It can report violations, but has no power to impose sanctions. Prosecution of violations is handled by the cantonal prosecution authorities.
How do you make your website compliant with the new GDPR?
If you operate an online shop or website in Switzerland, you must adapt your site to the new Swiss Data Protection Act. These recommendations are intended to help you make your website compliant with data protection regulations. You should note the following points:
Defining personal data – Article 5 of the new Federal Act on Data Protection (FADP) defines personal data as "any information relating to an identified or identifiable natural person." Processing is defined as "any handling of personal data, regardless of the means and procedures used, in particular the collection, storage, retention, use, modification, disclosure, archiving, deletion, or destruction of data" (Article 5, paragraph d nDSG).
Securing outsourcing of services – If you use services from other companies, including agencies, for your website, you must comply with Article 9, paragraphs 1-3 of the nDSG. According to this, your partners may only process data in the same way as you are required to do as the website operator. As processors, such companies must be able to guarantee data security. Outsourcing activities to contractors remains legally permitted.
Secure data export – According to Article 16, paragraph 1 of the new Federal Act on Data Protection (FADP), data may be exported without further requirements to countries that guarantee an adequate standard of data protection. These include the EU member states, the United Kingdom, Canada, Israel, and New Zealand. If you exchange data with foreign companies, you can check the FDPIC's list of countries to see which countries are considered secure.
Up-to-date privacy policy – Check whether your website's privacy policy is up to date and complete. According to Article 19, paragraph 1 of the nDSG, website operators are obliged to inform users about the collection of their personal data. According to Art. 19 para. 2 ff. nDSG, it must be clear who is responsible for the website, who processes the personal data, and for what purpose. The policy must also state whether data is exported abroad and what rights the persons concerned have.
Responding correctly to requests – If you receive requests from individuals regarding the use of their data, you must respond to these requests within 30 days in accordance with Article 25 ff. of the new Data Protection Act. Each request must be carefully reviewed, and the identity of the individual concerned must be verified. Individuals have the right to access and delete their personal data. It is important to note that every such request from an individual must be answered.
If you violate Switzerland's new data protection regulation, you will face financial consequences. Individuals will be fined up to 250,000 Swiss francs for violations. Intentional actions and disregard for information obligations will be punished. Companies must pay fines of up to 50,000 Swiss francs if the responsible persons cannot be identified. Particularly serious violations can even result in prison sentences.
nDSG versus EU GDPR – the biggest difference
The new Swiss Data Protection Act is based on the stricter EU General Data Protection Regulation. There are several differences. The key point is that data subjects do not have to give their explicit consent to data processing. This is only required in cases involving particularly sensitive personal data with a high risk. It is mandatory to inform individuals of planned data processing.
Does the EU's GDPR also apply in Switzerland?
Although Switzerland is not part of the EU, the GDPR is also relevant for Swiss companies. This applies in particular in cases where data processing involves personal data of EU citizens or where contractual relationships with contractors in other European countries exist. Conversely, the new DSG also applies to data processing that has an impact in Switzerland, even if it was initiated abroad.
The nDSG – a brief summary
The new DSG will come into force in Switzerland on September 1, 2023. The main aim of this revision of the law is to take account of technological progress and developments in data protection law in neighboring countries. The new data protection law regulates additional information obligations towards persons whose data is processed. The aim is to achieve greater transparency and additional data security.
Companies must take external and internal measures to make data processing more secure. If adjustments are necessary, they must be completed before the federal law comes into force in September 2023. Data protection officers must raise employee awareness of data security, which must be actively practiced. Data protection certifications create trust and promote the company's image.