The new Swiss data protection law is approaching - what happens next?

Our chief information security officer (CISO) answers the most frequently asked questions.

The revision of the Swiss Data Protection Act changes important provisions regarding the processing of personal data. Companies must observe stricter rules and adapt their existing guidelines and data protection declarations by the time this revision comes into force. We discuss this with our CISO, Michael Ruppe.

Michael, why is a new Swiss Data Protection Act (nDSG) necessary?

The short answer to this question is that we live in a thoroughly digitized society. The basic version of the current data protection law is no longer up to date and comes from a time when Google and smartphones didn’t yet play such a major role. So it's high time to adapt to the current circumstances.

When does the new Data Protection Act (nDSG) come into force?

As of September 1, 2023 - and without a transition period.

What data is affected by the new law?

The nDSG focuses on transparency regarding data processing and the rights of the persons concerned. It’s therefore particularly concerned with personal data: All information relating to an identified or identifiable natural person, such as name, address, date of birth, and IP address.

What happens if the data protection regulations are not complied with?

This is the central question. Under the new Data Protection Act, private individuals, i.e., managers carrying out their function, are also liable, in addition to the company. In the case of intentional violations of the nDSG, such as violations of the duties to inform, provide information, cooperate or exercise due diligence, private individuals can be fined up to 250,000 Swiss Francs.

As such, the changes in the law create various challenges and require different approaches for different functions. Learn more here (in german).

What is one of the most sensitive issues regarding the implementation of the nDSG?

Currently, there is no ideally developed and conclusive solution for handling personal data in backups. In the event of deletion requests, this will certainly present a challenge - ensuring proper handling of backups at the same time as meeting the requirement for data deletion. Until this question is clarified in a legally indisputable way, this will be one of the most sensitive points in terms of implementation.

Is there an obligation for cookie banners in the Swiss nDSG?

The new data protection law does not require a cookie banner. But beware: if the company is also subject to the GDPR, then the EU directives regarding cookie banners apply.

Does data protection equal data security?

No, these are two different issues. The most important question in data protection is "Am I allowed to collect and process this personal data?" In data security, the focus is on "How do I protect data from being accessed by unauthorized persons?" In addition, there is the defined "Privacy by design" principle, which states that data processing must be technically and organizationally designed in the planning phase to comply with data protection regulations.

And finally: What is your personal tip for how to handle the nDSG?

Good planning for implementation - because full compliance with the new legal requirements cannot be achieved overnight. This also requires that, ideally, one has already begun to implement initial measures.