Overview of the New Data Protection Act 2023 and Its Impact on Companies

In this age of information, the use of personal data is at the core of most business models. With digital transformation accelerating, the way companies collect, process, store, and transfer data has evolved rapidly. To keep up with these changes, Switzerland introduced a completely revised Federal Act on Data Protection (nFADP or nDSG), which came into force on 1 September 2023.
This new legal framework modernizes Swiss data protection law, aligns it more closely with international standards such as the EU General Data Protection Regulation (GDPR), and introduces several new rights for individuals (data subjects) and obligations for companies. This article provides a detailed overview of the key elements of the revised law, who it affects, what’s changed, and what steps Swiss and international companies must take to ensure compliance.
Ready for efficient, digital accounting? Find out how we can help you. Discover our services
Highlights
- nDSG redefines Swiss data protection, aligning with the GDPR (01.09.23)
- Impact principle: Even foreign companies are affected when handling Swiss personal data
- Privacy by Design & Default Settings are now mandatory for companies
- Processing register required, DPIA for high risk, Profiling regulated
- Data subjects have the right to access, rectification and data portability
Content
- Overview of the New Data Protection Act 2023 and Its Impact on Companies
- Highlights & content
- Key changes at a glance
- Why was the law revised?
- Who and what does the new law protect?
- Who must comply with the nDSG?
- What are the new obligations for companies?
- How are the new data protection laws enforced?
- What should Swiss companies do now to ensure compliance with the nDSG?
- What are the benefits of complying with the new Data Protection Act?
- Final thoughts
- Your digital trustee partner
- FAQ
- Trusted by over 150 companies
Key changes at a glance

The nDSG introduces several key changes that bring it closer to the GDPR while still maintaining certain distinctions unique to the Swiss context. Here is an overview of the updates, which we will explore in more detail in subsequent sections:
- The law only applies to the data of natural persons.
- Sensitive data categories now include biometric, genetic, and ethnicity data.
- The impact principle means the law also applies to foreign companies if their data processing impacts Swiss residents.
- Privacy by design and by default becomes mandatory.
- Information obligations apply to all data collection.
- Register of processing activities is required (with exemptions for low-risk SMEs).
- Profiling and high-risk profiling are now defined and regulated.
- Data protection impact assessments (DPIAs) are mandatory for high-risk processing.
- Breach notification to the FDPIC is required, but without an explicit 72-hour deadline.
- Rights of data subjects are extended (e.g., data portability).
- Fines up to CHF 250,000 for intentional violations apply to natural persons.
- International data transfers are subject to stricter requirements.
Why was the law revised?

The previous Swiss Data Protection Act dated all the way back to 1992, a time before the internet was part of everyday life. Since then, we have seen massive evolution in technology, e-commerce, and social dynamics. Data has become an indispensable part of modern commerce, used not only to manage customer relationships but to train algorithms, personalize services, target advertising, and automate business processes.
Furthermore, the EU tightened and modernized its data protection regime in 2018 with the General Data Protection Regulation (GDPR), so it became imperative for Switzerland to adapt its data protection law to current societal circumstances and align it more closely with the updated EU rules.
Three main factors triggered the revision:
- Technological and social evolution: The explosion of digital services, cloud computing, social networks, smart devices, and artificial intelligence demanded an updated regulatory framework for data protection.
- International alignment: The EU’s GDPR, in force since May 2018, raised the global bar for data protection. Switzerland needed to make its own legislation compatible with global standards to maintain its status as a country with an adequate level of data protection and thereby facilitate the free flow of personal data between Switzerland and the EU.
- Transparency and individual rights: Consumers are increasingly aware of their “digital footprint”, and concerns over the proper protection and control of personal data have risen significantly in recent years. The revised law aims to strengthen “informational self-determination” (the right to control one’s own personal data) by improving transparency and accountability.
Who and what does the new law protect?

Switzerland’s new data protection law explicitly protects natural persons, not legal entities. This is a key departure from the original Swiss Federal Act on Data Protection (FADP) of 1992, which also offered data protection to companies and other organizations.
The nDSG primarily aims to protect the personality and fundamental rights of individuals whose data is processed. It reinforces the principle that individuals should retain control over how their personal information is collected, used, and shared (strengthens “self-determination” over personal data). It also enhances the transparency of data processing so that people are more informed about what personal data is being collected and how it is used.
Furthermore, the law has expanded the scope of what constitutes “sensitive personal data”. In addition to data concerning health, religious or political beliefs, and criminal records (which were all recognized as sensitive personal data in the original FADP), the revised law also recognizes:
- Biometric data (e.g., fingerprint or facial recognition)
- Genetic data (e.g., DNA analysis)
- Ethnic origin
- Social assistance measures and administrative or criminal sanctions
This broader definition provides even greater protection to individuals and impacts how businesses assess their data risks and compliance obligations.
Who must comply with the nDSG?

The nDSG applies to:
- Private companies and public organizations in Switzerland that process personal data.
- Foreign companies whose data processing has an effect in Switzerland, for example those that provide goods or services to people in Switzerland or collect and process data on them.
This is known as the “impact principle” and is comparable to the GDPR’s “marketplace principle”. It gives the law an extraterritorial scope of application, meaning it also applies to data processing conducted abroad if that processing impacts individuals in Switzerland.
In other words, if personal data is processed outside Switzerland but impacts individuals within the country, the foreign data processor is also subject to the new Data Protection Act. In such cases, they may also be required to appoint a legal representative in Switzerland, in accordance with Articles 14 and 15 nDSG.
While SMEs are not excluded from compliance, they may benefit from limited exemptions — particularly around the obligation to maintain a processing register — provided they don’t process sensitive data on a large scale or engage in high-risk profiling.
What are the new obligations for companies?

1. Data protection by design and default
Article 7 of the nDSG requires companies to integrate data protection into systems and processes from the outset (data protection by design) and ensure that the default settings of a product or service automatically provide the highest level of data protection (data protection by default). This means:
- Minimizing the collection of personal data.
- Configuring products and services to use the strictest privacy settings by default.
- Ensuring only necessary data is processed for a specific purpose.
2. Information obligations
To ensure transparent data processing and enable individuals to exercise their data protection rights, there are stricter obligations to inform data subjects when collecting personal data (Art. 19 nDSG).
Companies must inform individuals at the time of data collection, regardless of whether the data is obtained directly or from a third party. The Act does not explicitly state how companies must share the information; it only states what information they must provide. The minimum details include:
- Identity and contact details of the controller
- Purpose of processing
- Categories of data and recipients
- Destination country if data is transferred abroad
3. Register of processing activities
Controllers and processors of data must maintain a register of all data processing activities (Art. 12 nDSG). The register must include details such as the purpose of collection and processing, recipients of the data and recipient countries if transferred abroad, categories of data subjects and data collected/processed, data retention periods and the measures taken to guarantee data security.
Companies with fewer than 250 employees (most SMEs) are exempt from these requirements provided their “data processing poses a negligible risk of harm to the personality of the data subjects” (Art. 12, Para. 5 nDSG). In other words, they do not process sensitive data on a large scale or engage in high-risk profiling.
4. Data protection impact assessments (DPIAs)
Companies must assess data protection risks by conducting a data protection impact assessment (DPIA) if a planned data processing activity is likely to pose a high risk to the personality or fundamental rights of individuals (Art. 22 nDSG). This includes the large-scale processing of sensitive personal data or the systematic monitoring of public areas (e.g., surveillance cameras in a shopping center used for behavioral tracking).
The DPIA must describe the intended processing, assess the risks involved, and outline measures to mitigate those risks. Companies are exempt from this obligation if the processing is required by law. Additionally, a DPIA is not mandatory if the system or service is certified for its intended use (Art. 13 nDSG), or if it follows a code of conduct (Art. 11 nDSG) that:
- Is based on a prior DPIA,
- Includes sufficient safeguards for data protection,
- Has been submitted to the FDPIC.
5. Obligation to report data security breaches
In the event of a data security breach that poses a high risk to data subjects, companies must notify the FDPIC “as quickly as possible” (Art. 24 nDSG).
The company must specify the nature of the breach, its consequences and the protective measures it has taken or plans to take in response. Companies must also inform affected individuals if necessary for their protection or if requested by the FDPIC.
Unlike the GDPR, the law does not specify a 72-hour deadline, but delays can still trigger enforcement action and penalties.
6. Data transfers abroad
Personal data may only be transferred abroad if the destination country offers an adequate level of protection, as recognized by the Swiss Federal Council (Art. 16 nDSG).
If not, to ensure adequate data protection, companies must use:
- Standard contractual clauses
- Binding corporate rules
- Specific contractual guarantees approved by the FDPIC
Controllers must also inform data subjects about the recipient countries and the protective measures used.
Expanded rights for data subjects
The revised law strengthens individuals’ rights and enhances transparency. Key rights include:
- Right to information: Individuals can request details on how and why their data is processed.
- Right to correction: Individuals can request that inaccurate or incomplete personal data be corrected without delay.
- Right to data portability: Individuals can request a copy of their data in a standard electronic format or ask that it be transferred directly to another provider, provided this does not require unreasonable effort. For example, if a client decides to switch tax advisors, they can request that their current advisor transfer all relevant personal data — such as income records, past tax filings, and correspondence with authorities — to the new advisor in a structured electronic format. This ensures continuity of service and avoids the need to recompile historical data manually.
- Right to object to automated decisions: A person can contest decisions made solely through automated processing and request human review (e.g., automatic credit scoring or insurance assessments).
How are the new data protection laws enforced?

The nDSG strengthens enforcement of the law through enhanced regulatory oversight, personal accountability, and potential financial penalties. Companies and individuals must take these changes seriously, as violations can lead to investigations, orders, and heavy personal fines.
One of the most notable differences between the nDSG and the GDPR is who can be fined:
- Under the nDSG, natural persons (such as directors, managers, or employees) can be fined up to CHF 250,000 for intentional violations.
- Companies can be fined up to CHF 50,000 only if identifying the responsible person would require disproportionate effort.
The law focuses on personal accountability to ensure that data protection is taken seriously at every level of an organization. By contrast, the GDPR primarily imposes sanctions on the company or data controller as a legal entity, with fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher.
The Federal Data Protection and Information Commissioner (FDPIC) has expanded powers, including:
- Issuing binding orders
- Conducting investigations and inspections
- Recommending corrective actions
Although the FDPIC cannot impose fines directly, it can refer cases to the relevant cantonal prosecution authorities.
What should Swiss companies do now to ensure compliance with the nDSG?

Switzerland’s new data protection act makes rigorous data protection a priority for businesses. Companies must adopt a structured and ongoing approach to data protection to ensure compliance and avoid penalties. Here are some practical steps and actions that companies can take right now:
- Conduct a data protection audit or gap analysis to identify compliance gaps
- Update internal privacy policies, contracts, and website notices
- Appoint a data protection advisor (optional, but highly advised for high-risk processing)
- Train employees on data protection awareness and responsibilities
- Review processing activities and establish a register if legally required
- Ensure appropriate technical and organizational measures are in place for storing, using, transferring, and deleting data in compliance with the law
- Develop a breach response plan to detect, assess, and report incidents swiftly
- Assess and document international data transfers and safeguards used
What are the benefits of complying with the new Data Protection Act?

Switzerland’s new data protection law needn’t be seen as just an additional burden on companies, and investing in good data protection isn’t only about avoiding legal risks.
Businesses that take proactive steps to improve their data processing systems and strengthen data security benefit from greater customer trust, improved efficiency, and reduced risk. In turn, Switzerland’s broader economy and business landscape are strengthened by consistent, transparent data practices.
Advantages for companies
- Stronger customer trust: Clients are more likely to do business with companies that respect data privacy, especially in sensitive sectors like healthcare, finance, and tech.
- Improved operational efficiency: A structured approach to data management helps reduce redundancies, identify inefficiencies, and improve internal workflows.
- Lower risk exposure: Compliance reduces the likelihood of enforcement actions, costly penalties, or reputational damage.
- Enables international partnerships: Meeting Swiss and EU data protection standards facilitates cross-border data transfers and smoother compliance with international clients’ expectations.
- Competitive advantage: Companies with solid data security often gain a reputation for professionalism, which can give them an edge in competitive markets.
Advantages for the Swiss economy at large
- Aligns with EU standards: Compliance with international standards ensures that Switzerland continues to be recognized as a country with an adequate level of data protection, which is essential for smooth data exchange with EU partners.
- Boosts digital innovation: A clear legal framework encourages startups and SMEs to pursue new tech-driven solutions.
- Attracts international investment: Multinational companies are more likely to invest or establish branches in countries with robust data protection laws.
- Raises overall business standards: Industry-wide compliance lifts the baseline for corporate responsibility, cybersecurity, and transparency.
Final thoughts

Switzerland’s revised Data Protection Act brings the country’s legal framework in line with modern data realities. While the obligations for companies have increased, it also provides greater opportunities to build trust, demonstrate professionalism, and operate securely in an increasingly data-driven economy.
Whether you’re a small startup or an established international business, understanding and implementing the nDSG’s requirements is a valuable investment in long-term success and an essential aspect of corporate compliance.
Your digital trustee partner

Nexova AG provides a wide range of fully digital and professional fiduciary and accounting services to help Swiss startups and SMEs. We offer everything from company formation and payroll accounting to advice on financial governance and long-term growth planning.
Our expert team understands the evolving regulatory environment in Switzerland and offers the structured, reliable support your business needs to stay compliant and competitive. If you’re looking for an agile yet dependable fiduciary partner, we’re here to support you every step of the way.
Contact us today for a free consultation to discuss your needs and find out how we can support your business journey.
FAQ
Answers at a click
What’s the difference between the nDSG and the GDPR?
While both laws are similar in structure and principles, there are key differences:
- The nDSG focuses fines on natural persons rather than companies.
- Under the nDSG, general consent is not explicitly required for all data processing activities provided the privacy of the data subjects is not illegally violated.
- The GDPR is more prescriptive and requires justification for all processing.
Do I need to appoint a data protection advisor under the nDSG?
No, appointing a data protection advisor is not mandatory for private companies under the nDSG. However, it is highly recommended if your company engages in high-risk processing, as an advisor simplifies compliance and helps ensure it is maintained.
Do I need a cookie banner under Swiss law?
Unlike the EU’s GDPR, the nDSG does not specifically require cookie banners. However, if you process personal data via cookies (e.g. for tracking or profiling), you may need to inform users transparently and obtain consent where appropriate, especially if you’re also subject to the GDPR.
Does the nDSG apply if I only sell services abroad?
If you process personal data of individuals in Switzerland, the nDSG applies, even if your company is located abroad or primarily sells internationally.
Are SMEs exempt from the law?
No. All businesses, including SMEs, must comply with the nDSG. However, SMEs with fewer than 250 employees may be exempt from maintaining a register of processing activities if they don’t process sensitive data on a large scale or carry out high-risk profiling.
When is a data protection impact assessment (DPIA) required?
A DPIA is mandatory when planned data processing is likely to result in a high risk to personality or fundamental rights. For example, large-scale processing of sensitive data or the use of surveillance in public spaces (Art. 22 nDSG).
Do I need consent to process personal data?
Not always. Under the nDSG, data processing is generally permitted unless it unlawfully violates personality rights and lacks justification. Consent is one form of justification for processing personal data but not a fixed requirement.
What qualifies as high-risk profiling?
High-risk profiling refers to automated processing that evaluates key personality aspects of a person — such as health, behavior, or preferences — in a way that can significantly impact their rights. This is treated more strictly than standard profiling under the nDSG.
Can I transfer data abroad under the new law?
Yes, but only if the destination country offers adequate protection as recognized by the Swiss Federal Council. If not, additional safeguards such as standard contractual clauses or approved codes of conduct must be used.
What happens if I fail to comply with the nDSG?
Intentional violations may result in fines of up to CHF 250,000 for responsible individuals. Companies may face fines up to CHF 50,000 if identifying the responsible person would require disproportionate effort. The FDPIC may also issue binding instructions or report violations to cantonal prosecutors.
Trusted by over 250 companies
Discover the diversity of our customers

As an internationally active biotechnology company that stands for innovation and the highest quality, we work exclusively with partners who meet our high standards. Nexova consistently impresses us with exceptional service quality, robust processes, and an impressive pace. The professional, solution-oriented, and efficient collaboration allows us to fully focus on our core business. Additionally, we would like to highlight the remarkable cost savings of 35% compared to in-house accounting. We particularly appreciate how Nexova quickly understands, develops, and promptly implements complex requirements – both within Switzerland and at our international subsidiaries. We can wholeheartedly recommend the Nexova team.

Nexova AG offers highly professional accounting services that have significantly enhanced our financial management at Learning Lab. Their team is precise and reactive, always delivering accurate and timely reports while promptly addressing our queries. With Nexova AG’s support, we manage our clients’ accounts and finances more efficiently. We highly recommend Nexova AG for their exceptional accounting services.

For us as a new catering company, it is essential that our trustee understands our specific needs and responds flexibly to our requirements. In Nexova AG, we have found the ideal partner who supports us competently in all fiduciary matters and actively promotes our growth.

Uncomplicated or serious? Or is it and? A young, clever team is at work here, offering excellent services, highly uncomplicated and competent. Instead of a prestigious reception, expensive offices and chocolates, there are fast services and competent services. For me as a one-man company, this is exactly what I need.

Arvy AG has found an exceptional partner in Nexova AG. Their very high level of expertise in FINMA-regulated industries ensures that our financial transactions are in safe and competent hands. What sets Nexova apart is their flat-rate pricing structure, which has helped us greatly with budgeting and financial planning. As a company committed to long-term success and integrity in investments, we are very satisfied with the services provided by Nexova AG.

For us as an EdTech startup, it is very important that our trustee is as digital and agile as we are. With Nexova AG, we have found the perfect partner who can actively support us in our growth.