‘Last-minute data protection’ – the new data protection law requires immediate action

16 March 2023
Digital & Data Protection, Liability & Responsibility, SME & Law

The revised Data Protection Act (nDSG) has been in force in Switzerland since 1 September 2023 – without a transition period. Companies that have been hesitant to act are now under pressure to do so. The new law not only brings new obligations, but also personal risks for management and executives.

At the Lunch & Law event on 16 March 2023 in Winterthur, the data protection team at Probst Partner AG explained why urgent action is now required and how companies can approach the new data protection law in a pragmatic and practical manner.

The new Data Protection Act has ‘teeth’

The revision of the DSG has significantly tightened the sanctions system. The new penalties include:

  • Fines of up to CHF 250,000
  • Personal criminal liability of natural persons
  • Liability even in cases of conditional intent
  • No insurance coverage in many cases
  • Free access to civil lawsuits for violations of personal rights

At the same time, the powers of the Federal Data Protection and Information Commissioner (FDPIC) have been massively expanded. Data protection is therefore no longer just a matter of compliance, but a real liability issue for managers.

What companies must do now, at a minimum

1. Create an inventory of data processing

The first step is to systematically record all processing of personal data within the company.

Although certain SMEs are exempt from the inventory (fewer than 250 employees, no high risk), it is still strongly recommended, as it serves as a central working tool for further measures.

2. Draft data protection declarations correctly

Data protection declarations are becoming increasingly important.

In particular, they must contain:

  • Identity of the controller
  • Purposes of processing
  • Data categories
  • Recipients or categories of recipients
  • Cross-border transfers, including guarantees
  • Automated individual decision-making (if applicable)

The declaration must be precise, understandable, transparent and easily accessible – usually on the website.

3. Review contracts with service providers

All external data processing requires a processing contract.

The following are now mandatory:

  • Approval requirement for subcontractors
  • Clear rules for reporting data breaches
  • Documentation requirement for all external processing

In practice, failure often stems not from legal requirements, but from a lack of overview of service providers.

4. Carefully check international disclosures

Data transfers abroad, for example to cloud providers or affiliated companies abroad, are particularly critical.

A distinction is made between:

  • secure third countries (EU/EEA)
  • insecure third countries (e.g. USA, China)

Additional guarantees are necessary for insecure countries:

  • standard contractual clauses
  • transfer impact assessments
  • technical protection

Recommendation: Give preference to providers based in Switzerland/EU/EEA

5. Embed data protection in your organisation

Data protection is not a one-off project, but an ongoing process:

  • Training of employees
  • Clear responsibilities
  • Structured handling of requests for information
  • Reporting of data security breaches
  • Deletion concepts and archiving

Data protection must be integrated into business processes – from system selection to data deletion.

Conclusion: It is high time – and it is feasible.

The new data protection law is not an end in itself. Those who take a structured approach avoid fines, liability risks and damage to their image. Those who remain inactive risk a lot. ‘Start with implementation. It is feasible.’

The presentation for the event can be viewed here.