On September 1st 2023, a lot changes for companies and public institutions in Switzerland in terms of data protection: the new Swiss Data Protection Act comes into force. The new law aligns the previous Swiss regulations more closely with the EU's GDPR. soxes answers the most important questions and explains who is affected and what needs to be observed.
nDSG: The new data protection law
nDSG: What is important from now on?
Personal data is part of everyday business. It includes, for example, the names, (e-mail) addresses or dates of birth of customers, of our own employees, of employees of customers or suppliers, and of other contact persons. Swiss companies are subject to several laws and regulations when processing such data: the Swiss Data Protection Act, but also, depending on the context and clientele, the EU GDPR and industry-specific regulations and guidelines.
The "old" Data Protection Act has been completely revised. The new version (nDSG) applies from September 1st 2023 and brings new requirements. There is no transition period: companies must comply with the new requirements from that date.
What does the new Data Protection Act say?
The nDSG is intended to protect people from excessive, surprising, unfair or otherwise unlawful use of their personal data. Accordingly, the new Data Protection Act governs the protection of so-called "natural persons" with regard to data that describes them; data about legal entities is no longer covered.
Who must comply with the nDSG?
The nDSG applies to the private sector and to federal authorities. It protects private individuals and applies to every private organization that processes personal data, whether as a data controller or as a processor, within its territorial scope. This covers all sole proprietorships, stock corporations and limited liability companies organized under private law, associations and foundations.
The nDSG does not apply to the cantons and municipalities or to their authorities, so it does not apply to public schools, for example. There, cantonal data protection laws apply, with rules that are, however, largely similar to those of the nDSG.
What is the difference between the DPA and the GDPR?
The EU GDPR (the EU's General Data Protection Regulation) is the data protection law of the EU; the nDSG is its Swiss counterpart. The two sets of rules are not identical, but from today's perspective they are considered equivalent.
How long may employee records be kept?
The employer may keep an employee's personnel file for the entire duration of the employment relationship and, after it ends, for a limited period for archiving purposes (rule of thumb: a further five years).
How long may I retain customer data?
Customer data may be retained for as long as the purpose of processing requires. Customers have a contractual relationship with the company, and claims arising from contracts are subject to limitation periods of between five and ten years, which justifies retention for that long.
Is a cookie banner on the website mandatory?
Under Swiss law, a cookie banner is not mandatory. But beware: if a company cannot rule out that its website is visited by people in the EU, the Swiss website needs a cookie banner as well. Companies that use tracking services or cookies on their website are legally obliged under EU rules (the GDPR) to display a corresponding cookie banner. It therefore makes sense to be on the safe side and show one.
What must be mentioned in the privacy policy on the website?
The privacy policy for a website should make transparent how the company handles the personal data of third parties that it collects through the site.
The minimum content of a privacy policy is the following:
- Who is responsible for the website content and how to contact this person?
- What is the purpose of processing the data collected on the website? (Purpose of processing)
- Which responsible person has access to the personal data disclosed via the website?
- To which countries are the personal data transferred?
What should be considered for contact forms on the website?
Contact forms should link to the general privacy policy on the company's website. The purpose is transparency: the visitor can see how the company will use the incoming message and the personal data it contains.
What’s at stake for companies?
Ignoring the new data protection law can have consequences not only for the responsible persons in a company but also for the company itself, above all for its reputation. Fines of up to 250,000 Swiss francs can be imposed on the responsible natural persons personally if they violate their duties to inform, to provide access and to cooperate. In such cases, the Federal Data Protection and Information Commissioner (FDPIC) may file a criminal complaint with the competent prosecution authority.
Do you have any questions? Would you like to find out more about our services?
We look forward to your enquiry.
Sofia Steninger
Solution Sales Manager