Zum Inhalt springen
Design anpassen
Anpassen
Schriftgröße
Serif / Sans
Sans / Sans
Rundung
Abstand
Container-Breite
Seitenabstand
Sektionsabstand
Innenabstand
Schatten
Rahmen

Data Protection

The new Swiss Data Protection Act: What businesses need to know

The revDSG has been in force since September 2023. Here's a practical checklist of what Swiss companies should have implemented by now: and what many still haven't.

Dr. Anna Berger Dr. Anna Berger 15 March 2026 2 Min. Lesezeit
The new Swiss Data Protection Act: What businesses need to know

The revised Federal Act on Data Protection (revDSG) entered into force on 1 September 2023. Over two years later, many Swiss businesses: particularly SMEs: still have gaps in their compliance.

What changed

The revDSG aligns Swiss data protection law more closely with the EU’s GDPR. Key changes include:

  • Scope: Only natural persons are now protected (legal entities are excluded).
  • Data Protection Impact Assessments: Required when processing poses a high risk to personality or fundamental rights.
  • Data breach notification: Breaches likely to pose a high risk must be reported to the FDPIC as quickly as possible.
  • Profiling: High-risk profiling now requires explicit consent.
  • Criminal sanctions: Intentional violations can result in fines of up to CHF 250,000: against individuals, not the company.

The practical checklist

Based on our advisory work, here is what every Swiss business should have in place:

  1. Privacy policy updated to reflect revDSG requirements (not just GDPR copy-paste)
  2. Record of processing activities (mandatory for companies with 250+ employees, recommended for all)
  3. Data breach response plan with clear internal escalation paths
  4. Processor agreements (Auftragsbearbeitungsverträge) with all service providers handling personal data
  5. Cross-border transfer safeguards: the Federal Council’s adequacy list is narrower than the EU’s
  6. Cookie and tracking consent aligned with current FDPIC guidance

What we see in practice

The most common gaps are inadequate processor agreements and missing breach notification procedures. Many companies updated their privacy policies but stopped there.

“Compliance isn’t a document: it’s an operational capability. The privacy policy is the tip of the iceberg.” : Dr. Anna Berger

Our recommendation

Start with a gap analysis. Map your data flows, identify your processors, and test your breach response. If you haven’t done this yet, the risk isn’t theoretical: the FDPIC has been increasingly active.

We offer a structured half-day workshop that gets SMEs from zero to a practical compliance roadmap. Get in touch if this is relevant for your business.

Dr. Anna Berger

Geschrieben von

Dr. Anna Berger

Managing Partner

Dr. Anna Berger specializes in corporate and employment law. With over 15 years of experience advising Swiss SMEs, she brings a pragmatic approach to complex legal questions.

Berger & Roth

Clarity in every case.

Boutique law firm in Zurich for corporate, employment, and commercial law, direct, discreet, and focused on outcomes.

A question about your case?

Book an initial consultation, confidential, without obligation, and directly with the lawyer who will handle your case.