Swiss Data Protection (nLPD) and Digital Compliance
The New Swiss Data Protection Act (nLPD/nFADP)
Switzerland's new Federal Act on Data Protection (nFADP — Neues Bundesgesetz über den Datenschutz / nDSG) entered into force on September 1, 2023, replacing the 1992 data protection law that had become outdated in the digital age. The law brings Switzerland broadly in line with EU GDPR principles while maintaining Swiss-specific characteristics.
Where nLPD = GDPR
- Lawfulness, purpose limitation, data minimization principles
- Data subject rights: access, rectification, erasure, portability
- Privacy by design and privacy by default requirements
- Data processing agreements with processors
- Security breach notification obligations
- Data Protection Impact Assessment (DPIA) for high-risk processing
Where nLPD Differs from GDPR
- Penalties are personal and criminal rather than corporate administrative fines as under GDPR: Swiss fines of up to CHF 250K are imposed on individuals (directors, DPO, responsible employees), not on the company
- No DPO requirement for SMEs (unlike GDPR's DPO rules)
- Legal basis: "overriding interest" more flexible than GDPR's legitimate interests test
- Cross-border transfers: Switzerland is an "adequate" country for EU data transfers following the SCCs update, so no additional transfer mechanism is needed in the EU → Switzerland direction
- Register of processing activities required for companies >250 employees or high-risk processing
Scope: Who Is Subject to nLPD?
Unlike GDPR, nLPD has explicit scope rules for Swiss companies:
- Swiss-based companies: Always subject if processing personal data of individuals (B2C or B2B with individuals)
- Foreign companies processing Swiss residents' data: Subject if they offer goods/services to Switzerland or monitor behavior of Swiss residents
- B2B data: nLPD still applies, because data about identified individuals (contact persons, signatories) is personal data even when it is collected in a business context
- Exclusions: Pure household/personal use; anonymous data; deceased persons
Practical nLPD Compliance Checklist for Swiss Startups
- **Privacy policy / Datenschutzerklärung**: must cover what data is collected, why, retention periods, third parties, your contact details, and the rights of data subjects
- **Cookie consent banner**: required if using non-essential cookies (analytics, advertising); must offer a genuine opt-out; no pre-ticked boxes
- **Legal basis for each processing activity**: document consent, contract performance, legal obligation, or legitimate interest for each major data processing activity
- **Data processing agreements (DPAs)**: required with all processors (hosting companies, CRM providers, email platforms, analytics tools)
- **International data transfers**: document where data goes; use SCCs for non-adequate countries (US → use SCCs or consent)
- **Breach notification procedure**: must notify the PFPDT (FDPIC) "as fast as possible" for high-risk breaches; 72 hours is the practical expectation
- **Data subject request process**: respond within 30 days to access, erasure and portability requests; free of charge unless manifestly excessive
- **Data retention and deletion schedule**: define retention periods; delete or anonymise data when it is no longer needed
Swiss nLPD vs. EU GDPR: Practical Interaction
If your Swiss company also processes data of EU residents (EEA), you must comply with GDPR as well as nLPD. The two frameworks overlap substantially but have enough differences that you need both addressed in your compliance program.
Good News: EU Adequacy
Switzerland is on the EU list of "adequate" countries for data protection, meaning EU companies can transfer personal data to Switzerland without additional legal mechanisms (unlike transfers to the US, which require SCCs). The nLPD update helped Switzerland maintain this adequacy status. Post-Brexit analogy: Switzerland already holds the adequacy status that the UK seeks to maintain for its own EU data flows.
Digital Compliance Beyond Data Protection
| Area | Swiss Requirement | Action Needed |
|---|---|---|
| E-commerce / website terms | Swiss OR (Code of Obligations) requires clear T&Cs for contracts concluded via the web; price transparency is mandatory | Draft proper website T&Cs and privacy policy in German (and English if international) |
| Digital signature | ZertES Act governs qualified electronic signatures (QES) — equivalent to handwritten | Use SwissID or Swisscom qualified signature for contracts requiring written form |
| Electronic invoicing | No Swiss mandate for B2B e-invoicing yet (unlike EU) — voluntary | Consider eBill or ZUGFeRD format for automated processing |
| Social media / influencer rules | FTC-equivalent disclosure required; SUKO advertising code applies | Label all paid/sponsored content; apply to all channels including Instagram/TikTok |
| Accessibility (digital) | Government websites: WCAG 2.1 AA mandatory. Private sector: recommended but not yet mandatory | Best practice to build accessible digital products; may become mandatory |
DataVault GmbH (Zug) — SaaS for HR Analytics
DataVault provides HR analytics software to Swiss and German companies. It processes significant amounts of personal data (employee performance data, salary data, biometric data) on behalf of corporate clients. Under nLPD (and GDPR for German clients), this is high-risk processing.
Compliance measures implemented:
- Data processing agreements (DPAs) signed with all 28 enterprise clients
- DPIA (Data Protection Impact Assessment) completed for biometric processing module
- Data stored exclusively in Swiss and EU data centers (Equinix Zürich + Frankfurt)
- Employee training program: 2-hour annual nLPD training for all staff
- Breach response plan tested with simulated incident drill
- Privacy by design: data anonymisation built into analytics dashboards (no individual-level data visible to HR managers without specific authorization)
Key Takeaways — Lesson 4
- nLPD in force since September 2023 — most Swiss companies need to update privacy policies and implement DPAs with processors
- Key difference from GDPR: penalties are personal/criminal (up to CHF 250K on individuals) not corporate administrative fines
- Switzerland has EU adequacy status — no additional transfer mechanisms needed for EU → Switzerland data flows
- Privacy policy, cookie consent, and DPAs with all service providers are the three non-negotiable minimum requirements
- Data breach notification to PFPDT should be expected within 72 hours for high-risk breaches