Back to Blog
LegalTech & IA

Switzerland's New nDSG: What Changes from GDPR and Why You Should Care

NakedPact Editorial Committee
Reviewer: Carmelo G.
Comitato Editoriale NakedPact
May 30, 2026
10 min read
Switzerland's New nDSG: What Changes from GDPR and Why You Should Care

Switzerland's nDSG vs GDPR: The Showdown You Didn't Know You Needed

If you thought GDPR was the only data protection game in town, think again. Switzerland's new Federal Act on Data Protection (nDSG) came into force on September 1, 2023, and it's shaking things up. But what exactly changed, and how does it compare to the EU's GDPR? Let's dive in—no legal jargon hangover required.

Featured Snippet Bait: The nDSG introduces stricter consent requirements, a privacy by design mandate, and higher fines (up to CHF 250,000) for non-compliance. Unlike GDPR, it applies to private individuals and has no lead supervisory authority.

Key Differences at a Glance

Scope and Applicability

GDPR applies to any organization processing EU residents' data, regardless of location. The nDSG, however, applies to any entity processing data of Swiss residents, but with a twist: it also covers private individuals (like sole proprietors) and has a lower threshold for applicability. If you're a small business in Switzerland, you're likely in scope.

Both laws require explicit consent for sensitive data, but the nDSG is more relaxed on implied consent for non-sensitive data. However, the nDSG introduces a new requirement: you must inform data subjects about profiling with legal implications. Think of it as GDPR's transparency on steroids.

Data Breach Notification

Under GDPR, you must notify the supervisory authority within 72 hours. The nDSG gives you a bit more breathing room: you must notify as soon as possible, but no specific deadline is set. However, if the breach is likely to cause high risk, you must also inform the affected individuals.

Fines and Penalties

Here's where it gets spicy. GDPR fines can reach up to €20 million or 4% of global annual turnover. The nDSG caps fines at CHF 250,000 (about €260,000) for most violations. But don't celebrate yet: the nDSG allows for criminal liability of individuals, including company directors. So, while the fine might be lower, the personal risk is higher.

What This Means for Your Business

If you're already GDPR-compliant, you're not off the hook. The nDSG has its own quirks: a different definition of 'personal data' (includes data of deceased persons), stricter rules on automated individual decisions, and a requirement to maintain a register of processing activities (similar to GDPR's ROPA). Also, the nDSG does not recognize the concept of 'lead supervisory authority'—so if you have multiple establishments in Switzerland, you may need to deal with multiple cantonal data protection authorities.

Reading the nDSG is about as fun as reading the actual law (trust me, I've done it). But here's the good news: you can start by updating your privacy policy, reviewing your consent mechanisms, and ensuring you have a data breach response plan. And if you're feeling overwhelmed, remember: even Swiss chocolate has a recipe—you just need to follow it.

Practical Steps to Compliance

  • Update your privacy notices to include nDSG-specific information (e.g., profiling, data of deceased persons).
  • Review your consent forms—ensure they are explicit for sensitive data and profiling.
  • Implement a data breach notification procedure that meets nDSG's 'as soon as possible' standard.
  • Conduct a data protection impact assessment (DPIA) for high-risk processing.
  • Appoint a data protection advisor (not mandatory, but recommended).

FAQ

Does the nDSG apply to companies outside Switzerland?

Yes, if they process personal data of individuals in Switzerland and the processing is related to offering goods or services to them, or monitoring their behavior.

What are the main penalties under the nDSG?

Fines up to CHF 250,000 for intentional violations, and up to CHF 50,000 for negligence. Individuals can also face criminal liability.

Do I need a Data Protection Officer (DPO) under the nDSG?

No, but you must appoint a data protection advisor if you employ 250 or more people and process sensitive data or engage in profiling.

nDSG Compliance Checklist

  • Update privacy notices Include profiling and deceased data
  • Review consent mechanisms Explicit for sensitive data
  • Implement breach notification procedure Notify as soon as possible
  • Conduct DPIA for high-risk processing Mandatory for profiling
  • Appoint data protection advisor If >250 employees & sensitive data
NakedPact Logo

NakedPact Editorial Committee

Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.

Do you own a website?

Do you own a website?

Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.

🛡️ Protect your rights with one click

Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.

Don't trust, verify.

Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.

Analyze Your Contract Now

Rispettiamo la tua privacy

Usiamo i cookie per migliorare la tua esperienza e personalizzare gli annunci. Scopri di più.

NakedPact Logo

Estensione Chrome

Analizza i contratti e i Termini di Servizio direttamente sul tuo browser con l'estensione NakedPact.