Switzerland's revised Federal Act on Data Protection (Bundesgesetz über den Datenschutz, nDSG) entered into force and fundamentally reshaped the compliance landscape for businesses operating in or with Switzerland. Any company that processes personal data of individuals in Switzerland - regardless of where the company is incorporated - must now meet obligations that are materially stricter than those under the old regime and broadly comparable to the EU General Data Protection Regulation (GDPR). Failure to comply exposes individuals within a company, not just the legal entity, to criminal sanctions. This article answers the questions that international business clients ask most frequently about Swiss data protection and privacy law, covering the legal framework, key obligations, cross-border data transfers, breach response, enforcement and practical compliance strategy.
The nDSG (Bundesgesetz über den Datenschutz, Swiss Federal Act on Data Protection) is the primary federal statute governing the processing of personal data in Switzerland. It applies to the processing of data about natural persons - legal entities are no longer protected under the revised act. The territorial scope is broad: the nDSG applies whenever the processing has effects in Switzerland, regardless of where the controller or processor is established. A company headquartered in Singapore or the United Kingdom that markets products to Swiss residents or monitors their behaviour online falls within the act's scope.
The nDSG distinguishes between controllers (Verantwortliche), who determine the purpose and means of processing, and processors (Auftragsbearbeiter), who process data on behalf of a controller. Both roles carry distinct obligations. Controllers bear primary responsibility for lawfulness, transparency and data subject rights. Processors must act only on documented instructions and implement adequate technical and organisational measures.
Sensitive personal data (besonders schützenswerte Personendaten) receives heightened protection. This category includes data on health, religious or philosophical views, political opinions, trade union membership, genetic and biometric data, and data on administrative or criminal proceedings. Processing sensitive data requires an explicit legal basis - either consent, a statutory provision, an overriding private or public interest, or the data subject's own disclosure.
A non-obvious risk for international groups is the concept of profiling with high risk (Profiling mit hohem Risiko). The nDSG treats automated processing that allows a personality profile to be assembled as a distinct category requiring explicit consent when it carries a high risk to the data subject's personality or fundamental rights. Many marketing analytics and credit-scoring tools fall into this category without companies realising it.
The nDSG imposes a layered set of obligations. Understanding which apply to a given business model is the starting point for any compliance programme.
Privacy by design and by default. Under Article 7 nDSG, controllers must structure their systems and processes so that data protection principles are embedded from the outset and only the minimum necessary data is processed by default. This is not a soft recommendation - it is a binding design requirement that regulators can audit.
Records of processing activities. Controllers and processors with more than 250 employees, or those whose processing carries particular risks regardless of size, must maintain a register of processing activities (Verzeichnis der Bearbeitungstätigkeiten). The register must document the purpose of processing, categories of data subjects and data, recipients, retention periods and, where applicable, the legal basis. Smaller businesses that process sensitive data or conduct high-risk profiling are not exempt.
Data protection impact assessments. Where processing is likely to result in a high risk to the personality or fundamental rights of data subjects, the controller must carry out a data protection impact assessment (Datenschutz-Folgenabschätzung, DSFA) before commencing processing. If the DSFA reveals a residual high risk that cannot be mitigated, the controller must consult the Federal Data Protection and Information Commissioner (Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter, EDÖB) before proceeding.
Transparency and privacy notices. Article 19 nDSG requires controllers to inform data subjects at the time of collection about the identity of the controller, the purpose of processing, recipients of data and, where applicable, the fact of transfer abroad. The information must be provided in a clear and accessible form. A common mistake is to copy a GDPR-compliant privacy notice without adapting it to Swiss-specific requirements - for example, the nDSG does not require a legal basis to be cited in the notice in the same way the GDPR does, but the notice must still be substantively complete.
Data subject rights. The nDSG grants individuals the right to information (Auskunftsrecht), the right to data portability, the right to rectification and the right to erasure in defined circumstances. Controllers must respond to access requests within 30 days. This deadline is strict. Organisations that route Swiss access requests through a GDPR response process calibrated to one month often miss the Swiss deadline because of internal escalation delays.
Appointment of a representative in Switzerland. Foreign controllers whose processing affects data subjects in Switzerland and who do not have an establishment in Switzerland must designate a representative in Switzerland (Vertreter in der Schweiz) if the processing is carried out on a large scale, involves sensitive data or includes high-risk profiling. The representative must be named in the privacy notice and serves as the point of contact for data subjects and the EDÖB.
To receive a checklist on nDSG compliance obligations for foreign businesses operating in Switzerland, send a request to info@vlolawfirm.com.
Switzerland is not a member of the EU and operates its own cross-border transfer regime, which is similar to but legally distinct from the GDPR framework. The nDSG permits transfers of personal data abroad only if the destination country provides an adequate level of data protection, or if one of the alternative safeguards applies.
Adequacy determinations. The Federal Council (Bundesrat) maintains a list of countries and territories that it has recognised as providing adequate protection. The EU and EEA member states are on this list, as are several other jurisdictions. The United States is not on the list as a whole - transfers to US entities require a separate safeguard. Controllers must verify the current list before each new transfer arrangement, because adequacy status can change.
Standard contractual clauses. Where the destination country is not on the adequacy list, the most common mechanism is the use of standard contractual clauses (Standarddatenschutzklauseln). Switzerland has its own set of approved clauses, issued by the EDÖB. A frequent and costly mistake is to rely solely on the EU Standard Contractual Clauses (SCCs) without adapting them for Swiss law. The EDÖB has confirmed that EU SCCs can be used as a basis but must be supplemented with a Swiss addendum or equivalent adaptation to be valid under the nDSG.
Binding corporate rules. Multinational groups can use binding corporate rules (BCR) approved by the EDÖB as a transfer mechanism for intra-group flows. The approval process is resource-intensive and typically takes several months, but it provides a durable solution for complex group structures.
Derogations. The nDSG provides a limited set of derogations permitting transfers without an adequacy decision or safeguard: explicit consent of the data subject, performance of a contract with the data subject, overriding public interest, establishment or exercise of legal claims, and vital interests of the data subject. These derogations are narrow and cannot substitute for a systematic transfer mechanism in ongoing commercial operations.
In practice, it is important to consider that Switzerland and the EU have aligned their frameworks but remain legally separate. A business that has completed its GDPR transfer compliance work cannot assume that Swiss compliance is automatically achieved. Each transfer to a third country must be assessed under both regimes independently if the business processes data of both EU and Swiss residents.
A non-obvious risk is the treatment of cloud services. When a Swiss-based controller uses a cloud provider whose infrastructure is located outside Switzerland, this constitutes a transfer abroad even if the controller never actively sends data to another country. Controllers must map all cloud and SaaS dependencies and ensure that each involves a valid transfer mechanism.
The nDSG introduced mandatory breach notification, which did not exist under the old regime. Understanding the mechanics is essential for any business that processes Swiss personal data.
Notification to the EDÖB. Under Article 24 nDSG, a controller must notify the EDÖB as soon as possible if a data security breach is likely to result in a high risk to the personality or fundamental rights of the data subjects. The act does not specify a fixed number of days, but the EDÖB's guidance and the legislative history indicate that notification should occur within 72 hours of the controller becoming aware of the breach, mirroring the GDPR standard in practice. Delay beyond this window without documented justification creates enforcement exposure.
Notification to data subjects. Where the high risk to data subjects cannot be mitigated by the controller's own measures, the controller must also notify the affected individuals. The notification must describe the nature of the breach, its likely consequences and the measures taken or proposed. Vague or generic notifications that do not allow data subjects to take protective action are insufficient.
Processor obligations. Processors must notify the controller without undue delay upon becoming aware of a breach. The contract between controller and processor (Auftragsbearbeitungsvertrag) should specify the notification timeline - typically within 24 hours - to allow the controller to meet its own regulatory deadline. Many businesses discover during a breach that their processor agreements lack this clause, which then delays the entire response.
Practical scenarios. Consider three situations that arise frequently:
To receive a checklist on data breach response steps under Swiss law, send a request to info@vlolawfirm.com.
The enforcement architecture of the nDSG differs significantly from the GDPR and is a source of genuine surprise for international clients.
Criminal sanctions, not administrative fines. Unlike the GDPR, which imposes administrative fines on legal entities of up to 4% of global annual turnover, the nDSG primarily imposes criminal sanctions on natural persons - directors, managers and employees who are responsible for the violation. Fines of up to CHF 250,000 can be imposed on individuals. The company itself is not the primary target of criminal prosecution, although it can be held liable in certain circumstances under Swiss criminal law if the identification of the responsible individual within the company is not possible.
This distinction has profound practical implications. A GDPR-trained compliance officer who focuses on entity-level risk management may underestimate the personal exposure of executives and data protection officers under Swiss law. Directors of Swiss subsidiaries of foreign groups are personally at risk if they knowingly authorise non-compliant processing.
The EDÖB's powers. The Federal Data Protection and Information Commissioner (EDÖB) is the supervisory authority. The EDÖB can conduct investigations, issue recommendations and, under the nDSG, issue binding orders (Verfügungen) requiring controllers or processors to modify or cease processing. The EDÖB can also refer matters to cantonal criminal prosecution authorities. The EDÖB does not itself impose fines - criminal prosecution is handled by the cantonal authorities.
Investigative triggers. The EDÖB opens investigations on its own initiative, following complaints from data subjects, or following mandatory breach notifications. A data subject complaint is a common trigger. International businesses that dismiss Swiss consumer complaints as low-priority may find that a single unresolved complaint escalates into a formal EDÖB investigation.
Cantonal data protection laws. Switzerland's federal structure means that cantonal data protection laws apply to cantonal and municipal authorities. Private sector businesses are governed by the federal nDSG. However, businesses that provide services to cantonal public bodies may encounter cantonal requirements in their contracts, which can be stricter than the federal standard.
Many businesses underappreciate the reputational dimension of EDÖB proceedings. The EDÖB publishes summaries of completed investigations and orders on its website. For businesses whose Swiss market position depends on trust - financial services, healthcare, technology - a published adverse finding can cause disproportionate commercial damage relative to the formal sanction.
A compliance programme that is fit for purpose under the nDSG requires more than a policy document. It requires operational integration across legal, IT, HR and procurement functions.
Gap analysis as the starting point. The first step is a structured gap analysis comparing current processing activities against nDSG requirements. For businesses already GDPR-compliant, the gap is often narrower than expected, but it is never zero. Key areas of divergence include the transfer mechanism for US cloud providers, the Swiss-specific breach notification process, the representative requirement and the criminal liability framework.
Data mapping and the processing register. Effective compliance depends on knowing what data is processed, where it is stored, who has access and how long it is retained. Many businesses have data maps prepared for GDPR purposes that are outdated or incomplete. A Swiss-specific data map should capture all processing activities that touch Swiss residents' data, including those carried out by processors and sub-processors.
Vendor management. Every processor that handles Swiss personal data on behalf of the controller must be covered by a written data processing agreement (Auftragsbearbeitungsvertrag) that meets the requirements of Article 9 nDSG. The agreement must specify the subject matter and duration of processing, the nature and purpose of processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. Standard GDPR data processing agreements often lack Swiss-specific provisions and must be reviewed and supplemented.
Training and accountability. The nDSG does not mandate the appointment of a data protection officer (DPO) for private sector entities, unlike the GDPR. However, many businesses appoint a data protection advisor (Datenschutzberater) on a voluntary basis. A voluntary advisor can assist with internal compliance but does not carry the same formal status or protections as a GDPR DPO. Regardless of whether a formal advisor is appointed, staff who handle personal data must receive regular training on nDSG obligations.
Cost and resource considerations. Building a compliant programme from scratch involves legal advisory fees, IT system changes, staff training and ongoing monitoring. For a mid-sized business, initial legal advisory costs typically start from the low thousands of CHF for a focused gap analysis and rise significantly for a full programme build. Ongoing compliance monitoring and annual review add further cost. The business economics are straightforward: the cost of a compliance programme is substantially lower than the cost of managing an EDÖB investigation, a criminal prosecution of a director or a major breach response.
A common mistake is to treat Swiss data protection compliance as a one-time project rather than an ongoing programme. The nDSG requires controllers to review and update their data protection impact assessments when processing activities change, to keep the processing register current and to reassess transfer mechanisms when the adequacy list is updated. Businesses that complete an initial compliance project and then allow it to go stale face growing exposure over time.
In practice, it is important to consider that Swiss data protection law intersects with other legal regimes. Employment law governs the processing of employee data and imposes additional constraints on monitoring and profiling of staff. Banking secrecy (Bankgeheimnis) under the Federal Banking Act imposes obligations that interact with nDSG requirements for financial institutions. Healthcare providers must comply with cantonal health data laws in addition to the nDSG. A compliance programme that addresses only the nDSG in isolation may miss significant obligations.
To receive a checklist on building a Swiss nDSG compliance programme for international businesses, send a request to info@vlolawfirm.com.
What is the most significant practical risk for a foreign company that ignores Swiss data protection law?
The most immediate risk is criminal liability for individuals within the company who are responsible for the non-compliant processing. Unlike the GDPR, the nDSG targets natural persons rather than legal entities as the primary subjects of criminal sanctions. A director or manager who knowingly authorises the processing of Swiss residents' data without a valid legal basis, or who fails to implement required security measures, can face a personal fine of up to CHF 250,000. Beyond the financial penalty, a criminal conviction in Switzerland can affect professional reputation and, in some jurisdictions, trigger reporting obligations to other regulators. Foreign companies that assume Swiss law is unenforceable against them because they have no Swiss establishment are mistaken - the EDÖB can refer matters to cantonal prosecutors, and Swiss criminal law has extraterritorial reach in certain circumstances.
How long does an EDÖB investigation typically take, and what does it cost a business to respond?
EDÖB investigations vary considerably in duration depending on complexity. A straightforward investigation triggered by a single data subject complaint may conclude within several months. A complex investigation involving a large-scale breach or systemic non-compliance can extend over one to two years. The cost to a business of responding to an investigation includes legal advisory fees for preparing submissions, internal management time, potential IT forensic costs and, if the investigation results in a binding order, the cost of implementing required changes. Legal advisory fees for managing an investigation typically start from the mid-thousands of CHF and can reach the high tens of thousands for complex matters. The indirect costs - management distraction, reputational impact and potential loss of Swiss business relationships - are often larger than the direct legal costs.
Should a business comply with Swiss nDSG separately from GDPR, or is a combined approach sufficient?
A combined approach is a reasonable starting point but is never sufficient on its own. The nDSG and GDPR share many principles - lawfulness, purpose limitation, data minimisation, accuracy, storage limitation and integrity - and a business that has built a mature GDPR programme has a strong foundation. However, several Swiss-specific requirements have no direct GDPR equivalent or differ in material ways: the criminal liability framework targeting individuals, the Swiss adequacy list and transfer mechanism requirements, the Swiss breach notification process, the representative requirement for foreign controllers, and the interaction with Swiss banking secrecy and employment law. A practical approach is to conduct a focused Swiss gap analysis against an existing GDPR compliance programme, identify the delta and address it with targeted measures rather than rebuilding the entire programme from scratch.
Swiss data protection law under the nDSG is a mature and enforceable regime that imposes real obligations on any business processing personal data of individuals in Switzerland. The combination of criminal liability for individuals, a broad territorial scope, strict transfer rules and mandatory breach notification makes non-compliance a material business risk. A structured compliance programme - built on accurate data mapping, valid transfer mechanisms, robust breach response procedures and regular staff training - is the most effective way to manage that risk.
Our law firm VLO Law Firms has experience supporting clients in Switzerland on data protection and privacy matters. We can assist with nDSG gap analyses, drafting data processing agreements and privacy notices, advising on cross-border transfer mechanisms, supporting breach response and representing clients in EDÖB proceedings. To receive a consultation, contact: info@vlolawfirm.com.