Switzerland's revised Federal Act on Data Protection (nFADP, also known as revDSG or nDSG) has been in force since 1 September 2023. For Swiss SMEs, getting compliant can feel daunting, but in practice the vast majority of obligations affecting your website come down to 15 concrete points. Work through this checklist, check off what you have already implemented, and identify what still needs attention.
Why Your Website Is at the Heart of nFADP Compliance
Your website is often the first point at which personal data is collected: IP addresses, cookies, contact forms, advertising pixels. It is also where your visitors exercise their rights (access, rectification, erasure). The nFADP, supplemented by the Data Protection Ordinance (DPO), sets precise obligations at every step of this journey.
Sanctions are personal: up to CHF 250,000 against the responsible person (Art. 60 nFADP). This is not an abstract corporate fine; it is a liability that falls directly on the business owner or manager.
The 15-Point nFADP Checklist for Your Website
1. Privacy Policy Published and Accessible
What it is: A document describing what data you collect, why, for how long, and who has access to it.
nFADP article: Art. 19 nFADP - duty to provide information at the time of data collection.
How to implement: Publish a dedicated page (e.g. /privacy-policy). Write it in plain, accessible language without excessive legal jargon. It must cover: the identity of the controller, purposes of processing, categories of data, recipients, retention periods, and the rights of data subjects.
2. Cookie Banner with Prior Opt-in Consent
What it is: A mechanism that prevents non-essential cookies from being set until the user has given explicit consent.
nFADP article: Art. 45c TCA (Telecommunications Act) - consent required for non-necessary cookies.
How to implement: Consent must be freely given, informed, specific, and unambiguous. An "Accept all" button is sufficient if declining is equally easy. Silence or simply scrolling down the page does not constitute valid consent.
3. Cookie Categorisation
What it is: Presenting cookies by category (necessary, analytics, marketing, preferences) with a description of each service used.
nFADP article: Art. 19 nFADP and Art. 45c TCA - granularity of information and user choice.
How to implement: In your cookie banner or cookie policy, list every third-party service (Google Analytics, Meta Pixel, Hotjar, etc.) with its category, lifespan, and the country where data is processed. Allow users to accept or decline by category.
4. Scripts Blocked Until Consent Is Given
What it is: Third-party trackers (Google Analytics, Facebook Pixel, etc.) must not load before the user has consented.
nFADP article: Art. 45c TCA - setting cookies without consent is unlawful.
How to implement: Use a Consent Management Platform (CMP) that loads scripts conditionally. Technically, this means that the `<script>` tags for third-party services carry `type="text/plain"` (a type the browser does not execute) until consent is granted, and are then activated dynamically by inserting an executable copy of the script.
Good to know: PrivaScan automatically checks points 1 to 4 by crawling your site and detecting cookies set before consent, scripts missing from your privacy policy, and the absence or non-compliance of your banner.
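The conditional activation described in point 4, written as an added browser-side example (this is not code from the article, nor PrivaScan's or any CMP vendor's code). It assumes inert tags of the form `<script type="text/plain" data-category="analytics" data-src="...">`, a consent cookie named `cmp_consent` holding a comma-separated list of accepted categories, and a category name chosen from the four used in point 3; all of these names are assumptions.

```javascript
// Added example: activate blocked third-party scripts only for consented categories.
// Assumed conventions: cookie "cmp_consent=analytics,marketing" written by the banner,
// inert tags <script type="text/plain" data-category="..." data-src="...">.
const CONSENT_COOKIE = "cmp_consent";
const CATEGORIES = ["necessary", "preferences", "analytics", "marketing"];

// Parse document.cookie into the set of consented categories.
// "necessary" is always allowed; unknown names are ignored; no cookie means no consent.
function parseConsent(cookieString) {
  const granted = new Set(["necessary"]);
  for (const part of (cookieString || "").split(";")) {
    const [name, value] = part.trim().split("=");
    if (name !== CONSENT_COOKIE || !value) continue;
    for (const cat of decodeURIComponent(value).split(",")) {
      if (CATEGORIES.includes(cat)) granted.add(cat);
    }
  }
  return granted;
}

// Select the inert scripts ({category, src, ...}) that may now run.
// A script with no category is treated as "marketing", the most restrictive default.
function scriptsToActivate(blockedScripts, granted) {
  return blockedScripts.filter((s) => granted.has(s.category || "marketing"));
}

// Replace one inert element with an executable clone. Merely changing `type` on the
// existing element would not run it: a new <script> must be inserted into the DOM.
function activateScript(el, doc) {
  const live = doc.createElement("script");
  if (el.dataset.src) live.src = el.dataset.src; else live.textContent = el.textContent;
  live.dataset.category = el.dataset.category;
  el.parentNode.replaceChild(live, el);
  return live;
}

// Run once on page load and again whenever the banner records a new choice.
// Returns the list of activated script sources so the decision can be logged or audited.
function applyConsent(doc, cookieString) {
  const granted = parseConsent(cookieString);
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'))
    .map((el) => ({ category: el.dataset.category, src: el.dataset.src, el }));
  const allowed = scriptsToActivate(inert, granted);
  allowed.forEach((s) => activateScript(s.el, doc));
  return allowed.map((s) => s.src);
}

if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => applyConsent(document, document.cookie));
}
```

Until the user has made a choice, `parseConsent` returns only `necessary`, so nothing beyond strictly necessary scripts is inserted, which is the behaviour an external crawl such as the one described above will look for.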
5. Privacy Policy Linked From Every Page
What it is: A visible link to your privacy policy accessible from any page on the website.
nFADP article: Art. 19 nFADP - the information must be easily accessible.
How to implement: Include the link in the footer of your website. Do not hide it in a deep dropdown menu. The link text should be explicit: "Privacy Policy" or "Data Protection".
6. Disclosure in Contact Forms
What it is: Informing the user, directly in or beside the form, about how their data will be used.
nFADP article: Art. 19 nFADP - information must be provided at the time of collection.
How to implement: Add a short notice below each form (contact, quote request, registration) such as: "Your data is used solely to respond to your request. Learn more." A checkbox is optional if the purpose is obvious, but recommended for commercial sign-ups.
7. Double Opt-in for Newsletters
What it is: After signing up, the user receives a confirmation email they must validate before being added to your list.
nFADP article: Art. 6 nFADP (lawfulness of processing) + Swiss anti-spam legislation (UWG).
How to implement: Configure your email marketing tool (Mailchimp, Brevo, etc.) in double opt-in mode. Retain proof of consent (date, IP address, form version). In the event of a dispute, it is your responsibility to prove that consent was obtained.
8. Third-Party Services Listed in the Privacy Policy
What it is: Every external service integrated into your site (hosting, analytics, CRM, support chat, etc.) must be mentioned.
nFADP article: Art. 19 para. 2 nFADP - obligation to disclose recipients of the data.
How to implement: Take an inventory of all the tools you use: Google Analytics, Stripe, Intercom, HubSpot, Cloudflare, your hosting provider, etc. For each one, include: the name of the service, its role, the country of processing, and a link to its own privacy policy.
9. Data Processing Agreements (DPAs) with Processors
What it is: A contractual agreement with every provider that processes personal data on your behalf (your hosting provider, CRM tool, email service, etc.).
nFADP article: Art. 9 nFADP β obligation to enter into a written contract with data processors.
How to implement: Most large providers (Google, AWS, Stripe, Brevo) offer a DPA (Data Processing Agreement) to sign in their account settings or on request. Sign them and archive them. For smaller Swiss or European providers, a contractual addendum is sufficient.
10. SSL/TLS Encryption Active Across the Entire Site
What it is: Your website must be accessible only via HTTPS with a valid SSL/TLS certificate, on all pages without exception.
nFADP article: Art. 8 nFADP - obligation to implement adequate technical and organisational measures (data security).
How to implement: Verify that your hosting provider supplies an SSL certificate (Let's Encrypt is free). Configure automatic redirection from HTTP to HTTPS. Ensure there is no mixed content (images or scripts loaded over HTTP on an HTTPS page).
11. Retention Periods Defined and Documented
What it is: For every category of data you collect, you must define how long you retain it, then delete it.
nFADP article: Art. 6 para. 4 nFADP - principle of data minimisation and storage limitation.
How to implement: Create a simple table listing: data category, purpose, retention period, legal basis for retention. Examples: contact data (3 years after last interaction), order data (10 years for accounting obligations), server logs (90 days). Automate deletion in your tools where possible.
12. Procedure for Exercising Rights (Access, Rectification, Erasure)
What it is: Your visitors have the right to know what data you hold about them, to have it corrected, and to have it deleted.
nFADP article: Art. 25 (right of access), Art. 32 (right to rectification/erasure) nFADP.
How to implement: Publish in your privacy policy a dedicated email address (e.g. privacy@yourcompany.ch) for receiving requests. Define an internal process: identity verification of the requester, response deadline (maximum 30 days), deletion procedure across your various tools.
13. Data Processing Register
What it is: An internal inventory documenting all personal data processing activities in your organisation.
nFADP article: Art. 12 nFADP - mandatory for companies whose processing presents high risk; strongly recommended for all SMEs.
How to implement: List every processing activity (customer management, billing, marketing, HR, support, etc.) with: purpose, data categories, recipients, countries of processing, retention periods, security measures. A spreadsheet is sufficient to start; dedicated tools like PrivaGuard make management and updating easier.
14. Safeguards for Cross-Border Data Transfers
What it is: If you use services whose servers are outside Switzerland (USA, India, etc.), you must ensure adequate safeguards protect the transferred data.
nFADP article: Art. 16-18 nFADP - disclosure of personal data abroad.
How to implement: Check for each provider where data is physically stored. For transfers to countries without an adequate level of protection recognised by the FDPIC (the list is available at edoeb.admin.ch), you must rely on standard contractual clauses (SCCs) or binding corporate rules. Mention these safeguards in your privacy policy.
15. Regular Audit Schedule
What it is: Planning periodic reviews of your compliance to keep your site current with legal and technical developments.
nFADP article: General accountability principle (Art. 5 and 8 nFADP) - the controller must be able to demonstrate compliance at any time.
How to implement: Set a minimum annual audit (or after any major change to your site or technology stack). Review: the list of active cookies, processor contracts, applied retention periods, data access rights, and the privacy policy. Document each audit.
Summary Table
| # | Checkpoint | nFADP Article | Priority |
|---|---|---|---|
| 1 | Privacy policy published | Art. 19 | Critical |
| 2 | Cookie banner with opt-in | Art. 45c TCA | Critical |
| 3 | Cookie categorisation | Art. 19 + 45c TCA | Critical |
| 4 | Scripts blocked before consent | Art. 45c TCA | Critical |
| 5 | Link on every page | Art. 19 | High |
| 6 | Disclosure in forms | Art. 19 | High |
| 7 | Double opt-in for newsletters | Art. 6 + UWG | High |
| 8 | Third-party services listed | Art. 19 para. 2 | High |
| 9 | DPAs with processors | Art. 9 | High |
| 10 | SSL/TLS across entire site | Art. 8 | High |
| 11 | Retention periods defined | Art. 6 para. 4 | Medium |
| 12 | Rights exercise procedure | Art. 25, 32 | Medium |
| 13 | Processing register | Art. 12 | Medium |
| 14 | Cross-border transfer safeguards | Art. 16-18 | Medium |
| 15 | Regular audit schedule | Art. 5, 8 | Ongoing |
Where to Start
If you are starting from scratch, focus first on the first 4 points: they represent the legal minimum visible to your visitors and to the FDPIC. Points 5 to 10 follow naturally, then internal documentation (11-15) consolidates your overall compliance posture.
Do not let complexity paralyse you: imperfect but evolving compliance is better than complete inaction. The nFADP takes good faith and demonstrated efforts into account when assessing sanctions.
Start with an automated diagnosis: PrivaScan analyses your website in minutes and checks points 1 to 4 of this checklist, detecting cookies set before consent, undeclared third-party scripts, and the compliance of your banner. Free, no sign-up required, with a detailed report delivered immediately.