The Swiss federal law on data protection (DSG)

a map of Switzerland with a white cross on it

The Swiss Data Protection Act (DSG) is now a revised version of the first DSG, which came into force in 1992. From September 1, 2023, the new law will come into force with the revised and updated changes to reflect the current needs of today’s internet environment. The aim of this regulation is to protect the privacy and fundamental rights of the persons whose data is being processed.

“This law aims to protect the privacy and fundamental rights of natural persons about whom personal data are processed.”

The main changes compared to the first publication are that companies must now explain why they collect personal data from their customers and that they must clearly state which third parties are involved in sharing their personal data. Individuals also now have the right to know how long their data will be stored and for what purpose.

Who does the DSG apply to?

The DSG applies to natural persons (formerly legal persons) and to commercial and non-commercial organizations that process personal data of Swiss citizens.

The geographical scope of the DSG works similar to that of the GDPR. The exact definition here is that this ordinance applies to data protection matters that “have effects in Switzerland, even if they are caused abroad”.

…”which have an effect in Switzerland, even if they are initiated abroad”.

Obligations according to the DSG

Obligations of controllers and processors

Comparable to the requirements of the GDPR, the DSG now requires companies to create a “record of processing activities” (Art. 12 DSG). The responsible person and the order processor are primarily responsible for this. This must contain the following:

Identity of the responsible persons
purpose of data processing
Description of categories of data subjects and personal data
category of recipients
if possible, the retention period of the personal data or the criteria used to determine this period;
if possible, a general description of the measures taken to ensure data security
if the data is transferred abroad, indication of the country and the guarantees that ensure adequate data protection.

rights of the data subject

As already mentioned, this law focuses on the protection of the personal data of the data subject. Thus, the data subject is protected with the following rights:

the right to receive information about the processing of your personal data (Articles 25-27 revDSG),
the right to request the person responsible to hand over his or her personal data or to transmit it in machine-readable form to another person responsible free of charge. (Articles 28 and 29 revDSG),
the right that his data will not be used for automated individual decisions in which algorithms are used without a human intervening in the process (Art. 21 revDSG),
If sensitive personal data is processed or personality profiles are created, consent must be expressly given. The consent of the data subject is required.

Enforcement of the DSG

The role of the Federal Data Protection and Information Commissioner (FDPIC)

The FDPIC is responsible for the application of and compliance with the FADP. He is also responsible for clarification, advice and the protection of personal data in Switzerland. The agency is appointed by the Bundesrat (the executive body of the Swiss federal government).

Sanctions and fines for legal violations

If a person violates the laws of the DSG, they will be fined up to CHF 250,000. As with the GDPR, the penalty is not tied to the company, but to the responsible natural person.

What you should do to comply with the DSG

Start now and make sure you are ready before the FADP comes into force in September 2023. Companies based in Switzerland, or if you do business in Switzerland, should take the following measures:

Record all your data processing activities that are relevant to the law.
Have a valid privacy policy that meets all the requirements of the GDPR.
Make sure you appoint a data protection officer (DPO) to set policies and procedures in line with the FDPIC.
If you need to obtain consent to process personal data, ensure that you use a CMP that allows valid consent to be captured and stored. The consent that needs to be obtained can be displayed in the form of a consent banner that should appear on the user’s first visit to your online store or company website.

Conclusion

Not surprisingly, the current version of the DSG is being redesigned to keep up with technological developments. And even if you’re already GDPR compliant, you may still need to take some action. Make sure your organization is compliant and has a legally compliant consent tool in place.

You are not quite sure whether your company meets the upcoming requirements of the DSG? Speak to one of our experts or check with our consent management tool here .

more comments

Polnische Flagge mit Text “Polnische DSB gibt Hinweise zur Whistleblower-Richtlinie”

Legal, News

Polish DPA on Compliance with the Whistleblower Protection Act

On August 7, the President of the Polish Data Protection Authority (UODO), together with other members of the Authority and external experts, organized a seminar to support companies in the implementation in their business processes. The main points of discussion are summarized here: Expanding the definition of a Whistleblower During the seminar, it was clarified […]

Webinar Cookie Consent Solution set up and install correctly

Videos

Webinar: consentmanager Cookie Consent Solution: How to set up and install it correctly

On September 3rd, our webinar on the topic of “How to set up and install consentmanager cookie consent solution correctly” took place. In this webinar, Jan Winkler , CEO of consentmanager , led us through the most important functions and gave valuable insights into the new user interface of the consentmanager CMP interface. The webinar […]