Switzerland's New nDSG: What Changes from GDPR and Why You Should Care

Table of Contents
Switzerland's nDSG vs GDPR: The Showdown You Didn't Know You Needed
If you thought GDPR was the only data protection game in town, think again. Switzerland's new Federal Act on Data Protection (nDSG) came into force on September 1, 2023, and it's shaking things up. But what exactly changed, and how does it compare to the EU's GDPR? Let's dive in—no legal jargon hangover required.
Featured Snippet Bait: The nDSG introduces stricter consent requirements, a privacy by design mandate, and higher fines (up to CHF 250,000) for non-compliance. Unlike GDPR, it applies to private individuals and has no lead supervisory authority.
Key Differences at a Glance
Scope and Applicability
GDPR applies to any organization processing EU residents' data, regardless of location. The nDSG, however, applies to any entity processing data of Swiss residents, but with a twist: it also covers private individuals (like sole proprietors) and has a lower threshold for applicability. If you're a small business in Switzerland, you're likely in scope.
Consent and Processing Grounds
Both laws require explicit consent for sensitive data, but the nDSG is more relaxed on implied consent for non-sensitive data. However, the nDSG introduces a new requirement: you must inform data subjects about profiling with legal implications. Think of it as GDPR's transparency on steroids.
Data Breach Notification
Under GDPR, you must notify the supervisory authority within 72 hours. The nDSG gives you a bit more breathing room: you must notify as soon as possible, but no specific deadline is set. However, if the breach is likely to cause high risk, you must also inform the affected individuals.
Fines and Penalties
Here's where it gets spicy. GDPR fines can reach up to €20 million or 4% of global annual turnover. The nDSG caps fines at CHF 250,000 (about €260,000) for most violations. But don't celebrate yet: the nDSG allows for criminal liability of individuals, including company directors. So, while the fine might be lower, the personal risk is higher.
What This Means for Your Business
If you're already GDPR-compliant, you're not off the hook. The nDSG has its own quirks: a different definition of 'personal data' (includes data of deceased persons), stricter rules on automated individual decisions, and a requirement to maintain a register of processing activities (similar to GDPR's ROPA). Also, the nDSG does not recognize the concept of 'lead supervisory authority'—so if you have multiple establishments in Switzerland, you may need to deal with multiple cantonal data protection authorities.
Reading the nDSG is about as fun as reading the actual law (trust me, I've done it). But here's the good news: you can start by updating your privacy policy, reviewing your consent mechanisms, and ensuring you have a data breach response plan. And if you're feeling overwhelmed, remember: even Swiss chocolate has a recipe—you just need to follow it.
Practical Steps to Compliance
- Update your privacy notices to include nDSG-specific information (e.g., profiling, data of deceased persons).
- Review your consent forms—ensure they are explicit for sensitive data and profiling.
- Implement a data breach notification procedure that meets nDSG's 'as soon as possible' standard.
- Conduct a data protection impact assessment (DPIA) for high-risk processing.
- Appoint a data protection advisor (not mandatory, but recommended).
FAQ
Does the nDSG apply to companies outside Switzerland?
Yes, if they process personal data of individuals in Switzerland and the processing is related to offering goods or services to them, or monitoring their behavior.
What are the main penalties under the nDSG?
Fines up to CHF 250,000 for intentional violations, and up to CHF 50,000 for negligence. Individuals can also face criminal liability.
Do I need a Data Protection Officer (DPO) under the nDSG?
No, but you must appoint a data protection advisor if you employ 250 or more people and process sensitive data or engage in profiling.

NakedPact Editorial Committee
Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.
Sources and Legal References

Do you own a website?
Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.
Recommended Readings

Brazil’s Data Watchdog Just Put Porn Sites on Notice: Are You Ready for the LGPD Check?

The Phantom Contract: How Generative AI Is Creating Invisible Contract Traps (and How to Defend Yourself)
420,000 Binance Accounts on the Dark Web: The Security Illusion and the Infostealer Threat
🛡️ Protect your rights with one click
Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.
Don't trust, verify.
Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.
Analyze Your Contract Now