The Swiss variant of data protection law brings some important innovations. This article covers everything about the new Swiss Data Protection Act (nDSG or revDSG) that affects marketing, and explains the most important changes as simply and concisely as possible.

The new law comprises 92 pages and is officially called the Federal Act on Data Protection (Data Protection Act, DSG BBl 2020 7639). For the sake of simplicity, we are referring here to the revDSG, i.e. the new Data Protection Act.

Switzerland has fundamentally revised its data protection law. The new Data Protection Act (revDSG) comes into force on September 1, 2023. We are not lawyers and cannot give binding legal advice. However, we have summarized the most important changes from the new data protection law, especially with regard to marketing automation and the collection of customer data, and explain in this article what you need to implement in practice.


The new data protection law in Switzerland - simply explained


Who is affected by the new Swiss Data Protection Act (revDSG)?

The new Swiss Data Protection Act (revDSG) affects all companies based in Switzerland and foreign companies that operate in Switzerland or whose data processing has an impact in Switzerland. The new law does not define in detail when a data processing operation has an “impact” on Switzerland – but if we take the criteria of the EU’s General Data Protection Regulation as a basis – it should already be sufficient if, for example, a foreign company delivers goods to Switzerland.

Since the new Swiss law is based on the European General Data Protection Regulation (GDPR), you must assume that you have an increased need for action, especially if your company is not yet GDPR compliant.

Swiss Data Protection Act: What does the law contain and why was it revised?

The currently valid Swiss “Federal Law on Data Protection” dates back to 1992 – since then, the collection of personal data and its use has greatly increased. On the one hand, the new law is intended to strengthen the self-determination of data subjects with regard to their data and, on the other hand, the new FADP imposes new obligations on companies, in particular with regard to the collection, loss or misuse of personal data.

On the other hand, the revision is intended to ensure that Swiss data protection law is aligned with the General Data Protection Regulation (GDPR) introduced by the European Union in 2018. Swiss companies would be at a striking competitive disadvantage if the EU no longer recognized Switzerland as a third country with an adequate level of data protection.

What are the most important changes in Swiss data protection law?

Scope and coverage: Like the GDPR, the new DPA is limited to the data protection of natural persons. Until now, the Data Protection Act also covered legal entities. Also new: genetic and biometric data are considered particularly worthy of protection.

Transparency: Companies are obligated to adequately inform data subjects about any data collection. This applies not only to data requiring special protection, but also to data that is not collected from the data subject. A person responsible for data processing must be named. The purpose of processing, the recipient and the recipient country, if a data export to a foreign country takes place, must be transmitted.

Register of processing activities: Companies with 250 or more employees are required to maintain this. In return, the obligation to keep a register of data collections is eliminated.

Data protection impact assessment: Companies must conduct a documented data protection impact assessment if the data processing entails a high risk for the personality or fundamental rights of the data subjects.

Profiling: Obtaining consent is only mandatory if “it leads to a combination of data that allows an assessment of essential aspects of the personality of a natural person” (Article 5, paragraph g FADP). The law refers to this as “high-risk profiling”.

Privacy-by-Design / Privacy-by-Default (data protection through technology and data protection-friendly default settings): Companies are obliged to take the regulations into account as early as the planning and design stage of applications. For example, any data processing that goes beyond what is absolutely necessary must be based on explicit consent requested from the user, not on default settings that are simply pre-selected.

Practical implementation of the revised Data Protection Act

What do I basically have to consider in order to comply with the new data protection regulations in Switzerland?

Companies based in Switzerland and those involved in data transfers to and from Switzerland must take stock of the processing of personal data in the company: What personal data is collected, for what purpose and how. Personal data is “any information relating to an identified or identifiable natural person” (Art. 5 lit. a DSG). It is actually easiest to assume that all data is also personal data. A risk assessment can be used to check which requirements are placed on data protection compliance. Within the framework of a gap analysis (comparison of actual and target state), entrepreneurs can then identify the necessary steps.

You must make sure that you have a corresponding contract for each third-party provider. For this purpose, there is a standardized Data Processing Agreement (DPA) based on the European model.

The mandatory information on the responsible person and their contact details constitute an imprint obligation under data protection law. You can find more information and tips for practical implementation in the data protection checklist.


What else do I need to consider with regard to digital marketing activities and the use of marketing automation tools?

Email Newsletter Subscriptions and Co. – “Leads”

It does not matter whether you have a dedicated email newsletter form on your website, collect email addresses, phone numbers, etc. on your contact form, or write down visitors’ contact details on paper at a trade show: ask people to give explicit consent (opt-in). You must clearly indicate that you want to communicate for marketing or promotional purposes. The user gives their consent by clicking on it. Have this consent confirmed a second time (double opt-in), either by sending an e-mail with a corresponding confirmation link or, via instant messaging or SMS, by asking for a specific answer (YES) as confirmation.

However, you as the sender must be able to prove that each recipient has given consent. In our marketing automation tool Aivie, the double opt-in process is already integrated. The data must be stored on a secure server. Many services store your data in the USA, for example – and it is to be expected that, as with the EU’s GDPR, the USA will be declared a country without an adequate level of protection. At Aivie, we store our data on servers in Switzerland.
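The double opt-in flow described above, as an added illustration that is not Aivie’s code or part of the original article: the confirmation link carries an HMAC-signed token bound to the address, the purpose and the request time, and only a confirmed ledger entry counts as consent the sender can later prove. The server secret, the 48-hour link lifetime and the in-memory ledger are assumptions for the example.

```python
import hashlib
import hmac

# Constructed demo secret for this example only; in production load it from a secrets store.
SERVER_SECRET = b"constructed-demo-secret-do-not-use"
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links expire after 48 hours (assumption)

# In-memory consent ledger standing in for a database table (assumption).
consent_ledger = {}


def _sign(email, purpose, issued_at):
    msg = f"{email}|{purpose}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def start_opt_in(email, purpose, now):
    """Step 1 (opt-in): record the unconfirmed request and return the token for the e-mail link."""
    consent_ledger[(email, purpose)] = {"requested_at": now, "confirmed_at": None}
    return f"{now}.{_sign(email, purpose, now)}"


def confirm_opt_in(email, purpose, token, now):
    """Step 2 (double opt-in): validate the clicked token and record the confirmation time."""
    try:
        issued_str, sig = token.split(".", 1)
        issued = int(issued_str)
    except ValueError:
        return False
    # Constant-time comparison rejects tampered or forged tokens.
    if not hmac.compare_digest(sig, _sign(email, purpose, issued)):
        return False
    if now - issued > TOKEN_TTL_SECONDS:
        return False  # stale link: the recipient must request a new one
    entry = consent_ledger.get((email, purpose))
    if entry is None or entry["requested_at"] != issued:
        return False  # no matching pending request for this token
    entry["confirmed_at"] = now
    entry["token"] = token  # kept so the sender can show which link was clicked and when
    return True


def has_proven_consent(email, purpose):
    """Only a confirmed entry counts as consent the sender can prove to the recipient or FDPIC."""
    entry = consent_ledger.get((email, purpose))
    return entry is not None and entry["confirmed_at"] is not None
```

The ledger entry (request time, confirmation time, purpose and the token that was clicked) is the record the sender keeps as proof of consent; a pending request that is never confirmed must not be mailed.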

Targeted advertising, such as remarketing campaigns

Customer data may not be stored for remarketing campaigns without express consent. Some providers such as Google or Facebook use cookies to recognize users across different websites (so-called “pixels”). Even if you do not yet run remarketing campaigns, you must obtain the consent of your users before using such tracking pixels.

What do I need to be aware of in the event of data security requests and breaches?

As a website operator, you need to ensure that you do not miss any requests from data subjects or authorities such as the FDPIC and respond to them in a timely manner. For example, you must respond to a request for information from a data subject within 30 days (Art. 25 FADP). Important: consider each request carefully and weigh how you respond in each case. It should be noted here that the rights of data subjects are never absolute. Example: A company may not delete personal data for which it is subject to a statutory retention obligation, even upon request.

You should also react quickly and carefully in the event of a data breach and check whether you need to report the incident to the FDPIC and directly to the data subjects. This depends on the risk the breach of data security poses for the data subjects (Art. 24 FADP): the risk must be high and concrete. For example, asking users to change their password is a common measure after a so-called “data breach”.

Summary

It is long overdue for Switzerland to adapt to international standards when it comes to data protection. However, some details of the DSG are still open, as is the question of when exactly the law will come into force and how exactly it will be implemented in practice. But the principle is clear: inform your users about what data you collect, how, where, why and for how long. It is also important to be aware that every visitor to your website has the right to request information about the data collected and, if necessary, to request its deletion.

With the new Swiss Data Protection Act (revDSG), a correctly set up cookie banner becomes more important. We have the right service for this. With our service, your website will be ready quickly and you can safely sit back and relax.
