
The new Data Protection Act (Switzerland) will come into force on September 1, 2023

(Source: VRD /

If you haven't noticed yet: on Friday, September 1, 2023, the new Swiss data protection law will come into force. It applies immediately, because the transition period will then have expired. What does that mean for marketers addressing Swiss consumers and for B2B marketing to companies? And where do we see something new compared with the GDPR?

Here are the most important changes summarized by Reto Fanger, lawyer and founder of Lawyer Fanger.

Most important changes in the revision

Compared with the applicable law, the revision has led to the following most important changes:

  • No protection of data of legal entities: In the future, only natural persons will be protected, while legal persons (e.g. AG, GmbH etc.) can no longer rely on the revDSG for their protection. They remain protected by company law and other existing provisions of the legal system (e.g. protection of personality according to ZGB, UWG). Comment TP: "It remains to be seen whether the Swiss UWG is already designed for this today. We're looking forward to the first cases."

  • Personal data that is particularly worthy of protection: The list of personal data that is particularly worthy of protection has been expanded to include genetic data and biometric data (e.g. fingerprint or retina scan). Qualified legal consequences will therefore also apply here in the future, for example in the case of consent, the data protection impact assessment or the disclosure of data to third parties.

  • Profiling and high-risk profiling: Profiling is any type of automated processing of personal data in order to evaluate certain personal aspects of a natural person. High-risk profiling occurs when personal data is processed automatically and linking data allows essential aspects of personality to be assessed. In the case of high-risk profiling, any required consent must be given explicitly.

  • Processor: The processing relationship (outsourcing, e.g. to the cloud) can be established by contract or by law. The processor has to process the data in the same way as the person responsible. The person responsible has to make sure that the processor is able to guarantee data security. The transfer to a subcontractor requires the prior approval of the person responsible.

  • Data protection through technology and data protection-friendly default settings: From the planning stage, the person responsible must design the data processing in such a way that the data protection regulations and in particular the processing principles are observed (privacy by design). Furthermore, the default settings must be set in such a way that the processing of personal data is limited to the minimum necessary for the purpose of use, unless the person concerned determines otherwise (privacy by default).

  • Extension of information requirements: When collecting personal data, the person responsible must give data subjects at least the following information: the identity and contact details of the person responsible, the purpose of processing, any recipients or categories of recipients to whom personal data is disclosed and, in the case of disclosure abroad, also the state or the international body and, if necessary, the guarantees for the protection of personal data.

  • Expansion of information obligations: Affected persons are now entitled to any information that is necessary for them to assert their rights under the revDSG. The information is therefore not limited to the minimum information defined in the end.

  • Right to data transferability: With the right to data disclosure and data transfer (data portability), the person concerned can request the release of their personal data or their transfer to another person responsible in machine-readable form free of charge.

  • Automated case-by-case decision: The person responsible must inform the person concerned about a decision that is based exclusively on automated processing and which has a legal consequence for them or significantly affects them. The person concerned must have the opportunity to present their point of view and can request that the decision be reviewed by a natural person.

  • Data protection impact assessment: The person responsible is also obliged to carry out a data protection impact assessment if data processing can entail a high risk for the personality or the fundamental rights of the person concerned. The planned processing, the resulting risks and suitable countermeasures must be described.

  • Reporting of data protection violations: In the event of a data protection violation, the person responsible must notify the FDPIC as soon as possible if there are major risks to the personality or fundamental rights of the persons concerned. In addition, as a rule, those affected must also be informed if this is necessary for their protection. The processor must also report a breach of data security as quickly as possible to the person responsible, who then has to take further steps.

  • Sanctions: Natural persons can now be fined up to CHF 250,000 in the event of intentional violation of the information and disclosure obligations as well as the duty of care. Contingent intent is sufficient, which is why criminal liability already exists if a violation that has actually occurred was accepted. This means that, in contrast to the GDPR, which only focuses on companies or organizations, those responsible in the company such as CEOs, CIOs or other functions can be sanctioned directly under the revised DSG. Responsibility lies with the cantonal public prosecutors.
