
The Swiss federal law on data protection (DSG)



What is the DSG?

The Swiss Data Protection Act (DSG) in its current form is a revised version of the first DSG, which came into force in 1992. From September 1, 2023, the new law will come into force with revised and updated provisions that reflect the needs of today’s internet environment. The aim of the law is to protect the privacy and fundamental rights of the persons whose data is being processed.

“This law aims to protect the privacy and fundamental rights of natural persons about whom personal data are processed.”

The main changes compared to the first version are that companies must now explain why they collect personal data from their customers and must clearly state which third parties that personal data is shared with. Individuals also now have the right to know how long their data will be stored and for what purpose.

Who does the DSG apply to?

The DSG applies to natural persons (formerly legal persons) and to commercial and non-commercial organizations that process personal data of Swiss citizens.

The geographical scope of the DSG works similarly to that of the GDPR. The exact definition is that the law applies to data protection matters that “have effects in Switzerland, even if they are caused abroad”.

“…which have an effect in Switzerland, even if they are initiated abroad”.

Obligations according to the DSG

Obligations of controllers and processors

Comparable to the requirements of the GDPR, the DSG now requires companies to create a “record of processing activities” (Art. 12 DSG). The responsible person and the order processor are primarily responsible for this. The record must contain the following:

  • Identity of the responsible persons
  • Purpose of data processing
  • Description of categories of data subjects and personal data
  • Category of recipients
  • If possible, the retention period of the personal data or the criteria used to determine this period
  • If possible, a general description of the measures taken to ensure data security
  • If the data is transferred abroad, indication of the country and the guarantees that ensure adequate data protection

Rights of the data subject

As already mentioned, this law focuses on the protection of the personal data of the data subject. The data subject is therefore protected by the following rights:

  • The right to receive information about the processing of their personal data (Articles 25-27 revDSG).
  • The right to request that the person responsible hand over their personal data or transmit it in machine-readable form to another person responsible, free of charge (Articles 28 and 29 revDSG).
  • The right not to have their data used for automated individual decisions in which algorithms are used without a human intervening in the process (Art. 21 revDSG).
  • If sensitive personal data is processed or personality profiles are created, the consent of the data subject is required and must be expressly given.

Enforcement of the DSG

The role of the Federal Data Protection and Information Commissioner (FDPIC)

The FDPIC is responsible for the application of and compliance with the FADP (the English abbreviation for the DSG). The FDPIC is also responsible for clarification, advice and the protection of personal data in Switzerland. The FDPIC is appointed by the Bundesrat (the executive body of the Swiss federal government).

Sanctions and fines for legal violations

If a person violates the provisions of the DSG, they will be fined up to CHF 250,000. As with the GDPR, the penalty is not tied to the company, but to the responsible natural person.

What you should do to comply with the DSG

Start now and make sure you are ready before the FADP comes into force in September 2023. Companies that are based in Switzerland or do business in Switzerland should take the following measures:

  • Record all your data processing activities that are relevant to the law.
  • Have a valid privacy policy that meets all the requirements of the GDPR.
  • Make sure you appoint a data protection officer (DPO) to set policies and procedures in line with the FDPIC.
  • If you need to obtain consent to process personal data, ensure that you use a consent management platform (CMP) that allows valid consent to be captured and stored. The consent request can be displayed in the form of a consent banner that should appear on the user’s first visit to your online store or company website.

Conclusion

Not surprisingly, the current version of the DSG is being redesigned to keep up with technological developments. And even if you’re already GDPR compliant, you may still need to take some action. Make sure your organization is compliant and has a legally compliant consent tool in place.
