nDSG (Swiss Data Protection Act)
The revised Swiss Federal Act on Data Protection (nDSG, neues Datenschutzgesetz) governs how personal data must be handled by businesses operating in or targeting Switzerland.
It is Switzerland’s modernized data protection law, replacing the original 1992 Federal Act on Data Protection (FADP), and came into force on September 1, 2023.
Key Requirements for Businesses
- Transparency: Businesses must inform individuals about the collection and processing of their personal data.
- Data minimization: Only collect data that is necessary for the stated purpose.
- Privacy by design: Data protection must be considered from the design phase of any system.
- Breach notification: Data breaches must be reported to the FDPIC (Federal Data Protection and Information Commissioner) as soon as possible.
- Data Protection Impact Assessments (DPIA): Required for high-risk processing activities.
Since April 2025, critical infrastructure operators must also report cyberattacks to the BACS (Federal Office for Cybersecurity) within 24 hours, with fines up to CHF 100,000 per day for non-compliance.
Who Does It Apply To?
The nDSG applies to any organization that processes personal data of individuals in Switzerland, regardless of where the organization is based. This means foreign companies targeting Swiss customers must also comply.
Penalties
Unlike the previous law, the nDSG introduces personal liability for responsible individuals, with fines up to CHF 250,000 for willful violations. The fines target individuals, not companies.
How It Differs from GDPR
While similar in spirit to the EU’s GDPR, the nDSG has notable differences:
- Fines are personal (against individuals), not against companies
- No requirement to appoint a Data Protection Officer (though recommended)
- Consent is not always required (legitimate interest can suffice)
- Smaller scope of “sensitive data” categories
Technical Measures the nDSG Expects
The law requires “appropriate technical and organizational measures” to protect personal data. In practice, this means:
- Encryption for data at rest and in transit
- Two-factor authentication for systems handling personal data
- A VPN for remote access to company systems
- A firewall to control network access
- Endpoint protection against malware and ransomware