nFADP: How the Swiss data protection law is changing
Key changes starting in September
To increase data security and introduce new rights for citizens, the Swiss Parliament has revised the data protection law. Starting 1 September 2023, new obligations and regulations for companies will apply under the nFADP. You can read more about the key changes here.
Data privacy | Refline AG

The Swiss Data Protection Act (DSG) in force until now dates back to 1992 and had become outdated. Given technological advances and digitalisation, it was no longer fit for purpose. As a result, the data protection law was fundamentally revised. The goal was to align the Swiss data protection law with the EU level and the updated data protection conventions of the Council of Europe. The new Swiss data protection law (nDSG) and the new Data Protection Ordinance (DSV) come into force on 1 September 2023.

nDSG: an overview of the most important rules

The revised Swiss data protection law focuses on the following changes: new requirements have been introduced and the rights of affected individuals have been strengthened. At the same time, some existing regulations have been restricted. In addition, the revision aims to improve transparency in data processing.

The most important changes are:

1. Exclusive protection of natural persons: Only the data of natural persons are protected under the nDSG – the same rights no longer apply to legal entities.


2. Particularly sensitive personal data in the nDSG: Particularly sensitive personal data now also include genetic and biometric data (fingerprint, retina scan) as well as data on ethnic origin. In the future, there will be legal consequences in cases of data protection impact assessments, consent, or data disclosures to third parties.


3. Extended duty to inform: When collecting personal data, you are obliged to inform the data subject. You must inform them of the purpose of processing, who is responsible, and how they can be contacted.


4. Data protection-friendly default settings and technical data protection: The new Swiss data protection law introduces a stricter duty of care. It distinguishes between two terms: privacy by design and privacy by default. Privacy by design refers to compliance with data protection requirements during data processing. These must already be observed during planning to minimise risk. Privacy by default ensures that personal data can only be processed for the specific intended purpose through default settings.


5. Data protection impact assessment: If data processing poses a high risk – especially to the fundamental rights or personality of a data subject – a data protection impact assessment is mandatory under the nDSG. This must outline the planned processing, any risks, and countermeasures.


6. Reporting data breaches: If a data breach occurs, you as the responsible person must report it promptly. The Federal Data Protection and Information Commissioner (FDPIC) must be informed whether there is a risk to the personality of the data subject. The affected person must also be informed if necessary.


7. Penalties under the new data protection law: The catalogue of penalties under the new Swiss data protection law has been expanded: the nDSG provides for significantly stricter criminal sanctions – fines have increased to up to CHF 250,000. Notably, the responsible individual is liable – not the company, unlike under the GDPR. The FDPIC still enforces administrative measures, such as prohibiting data processing or requesting the deletion of specific datasets. Under the new Swiss data protection law, the FDPIC no longer merely issues non-binding recommendations but also has the power to issue binding decisions. Additionally, the FDPIC can initiate administrative investigations and issue binding rulings – these must be challenged by affected companies before the Federal Administrative Court.


8. Profiling: This term has now been added to the law. Profiling describes the automated processing of personal data.

The guide to the nDSG

You now know what changes are coming, but you're unsure what steps to take in recruiting? Here’s the solution: our guide gives you all the relevant information on the three most important recruiting obligations under the new Swiss data protection law – clearly laid out and including practical tips to help you implement what you've learned in your recruiting process. Your advantage: you save time reading complex legal texts. Plus, the guide includes a helpful checklist to walk you through the key points step by step.
