Switzerland's revised data protection law came into force on 1 September 2023, replacing a framework that dated back to 1992. The revised Federal Act on Data Protection (FADP), known as the nLPD in French and the nDSG in German, introduces concrete obligations for tens of thousands of Swiss SMEs around cookies, privacy policies, and data breach handling. This guide walks you through what changed and what you need to do.
What is the nLPD?
The nLPD (read the official text on fedlex.admin.ch) is a complete overhaul of Swiss data protection law. It draws heavily from the EU's GDPR while preserving several Swiss-specific features.
Key characteristics:
- It protects natural persons only: unlike the 1992 law, which also covered data about companies, the revised act no longer protects legal entities (the GDPR, too, covers natural persons only)
- The supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC)
- It applies to any processing that has an effect in Switzerland, even if it is carried out abroad (Art. 3 nLPD), regardless of company size
Key Obligations for SMEs
Five core requirements every Swiss SME should address now:
- Transparency and privacy policy: clearly inform your users what data you collect, for what purpose, with whom you share it, and how long you retain it. The policy must be written in plain, accessible language.
- Cookies and trackers: the nLPD itself contains no GDPR-style cookie consent rule. The Swiss cookie rule is Art. 45c of the Telecommunications Act, which requires that users are informed about the processing and its purpose and told that they can refuse it. Where consent is relied on, the nLPD requires it to be explicit for sensitive personal data and for high-risk profiling (Art. 6 para. 7), and prior opt-in consent is required as soon as the GDPR and the EU ePrivacy rules apply to your site, for example because you serve EU visitors. A "by continuing to browse you agree" banner meets neither standard, so the safe approach is a banner that obtains freely given, informed, specific and unambiguous consent before analytics, advertising or tracking cookies are set.
- Data breach notification (Art. 24 nLPD): if a breach of data security is likely to result in a high risk to the personality or fundamental rights of the data subjects, you must notify the FDPIC as soon as possible. Unlike the GDPR, the nLPD sets no fixed 72-hour deadline and does not require every incident to be reported, but treating 72 hours as your internal target and documenting every incident, including those you decide not to report, is sound practice. Data subjects must also be informed when this is needed for their protection or when the FDPIC requests it.
- Record of processing activities (Art. 12 nLPD): mandatory for organisations with 250 or more employees. Smaller organisations are exempt only if their processing carries a low risk of violating data subjects' personality (no large-scale processing of sensitive data, no high-risk profiling). Even where the exemption applies, maintaining a register is strongly recommended and signals good-faith compliance.
- Data Protection Impact Assessment (Art. 22 nLPD): required for any processing that is likely to result in a high risk to the personality or fundamental rights of data subjects (extensive profiling, large-scale processing of biometric or health data, etc.). If the assessment shows that a high risk remains despite the planned measures, the FDPIC must be consulted before processing starts (Art. 23 nLPD).
How nLPD Differs from the GDPR
The nLPD and the GDPR share the same foundational principles but differ in important ways for Swiss businesses:
| Aspect | nLPD (Switzerland) | GDPR (EU) |
|---|---|---|
| Protected persons | Natural persons only (legal entities, covered by the 1992 law, are dropped) | Natural persons only |
| Fines | Up to CHF 250,000, imposed on the responsible natural person rather than the company, and only for intentional breaches | Up to €20 million or 4% of global annual turnover, whichever is higher, imposed on the undertaking |
| Representative | Foreign controllers must appoint a representative in Switzerland in the cases set out in Art. 14 nLPD; no such duty for Swiss companies | Swiss companies without an EU establishment that fall under the GDPR must appoint an EU representative (Art. 27 GDPR) |
| Data protection officer | Data protection advisor recommended but voluntary for private companies (Art. 10 nLPD) | DPO mandatory in certain cases (Art. 37 GDPR) |
If your business offers goods or services to people in the EU or monitors their behaviour (Art. 3 para. 2 GDPR), the GDPR applies to you as well, and you must comply with both laws at the same time.
How to Achieve Compliance: Practical Steps
A pragmatic action plan for Swiss SMEs:
- Audit your website β identify every active cookie and tracker (Google Analytics, Meta Pixel, Hotjar, etc.) using an automated scanner that captures dynamically loaded scripts
- Deploy a compliant consent banner β refusal must be as easy as acceptance, and third-party scripts must be blocked until consent is granted
- Write or update your privacy policy β cover all processing activities including third-party cookies, with names, purposes, and retention periods
- Build a processing register β even a simplified register demonstrates genuine compliance intent during an FDPIC inquiry
- Set up an internal breach response procedure β know who is responsible, what to document, and how quickly to notify
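The second step above says consent-dependent scripts must stay blocked until consent is given and that refusal must be as easy as acceptance. The snippet below is an added example of one way to implement that gate in the browser; it is not PrivaGuard code and not part of the original guide. It assumes three consent categories (`necessary`, `analytics`, `marketing`), that third-party tags are shipped as inert `<script type="text/plain" data-consent="…">` elements, and that the visitor's choice is stored in a first-party cookie named `site_consent`; all of these names are assumptions. The sample tag list is constructed for the example.

```javascript
// Consent-gated tag loading (added example; category and cookie names are assumed).
// Tags are shipped inert as <script type="text/plain" data-consent="analytics" src="...">
// so the browser neither fetches nor runs them; they are swapped for live <script>
// elements only for categories the visitor has explicitly opted into.
const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed category names
const COOKIE_NAME = "site_consent";                          // assumed cookie name

// Normalise a choice object into a consent state. "necessary" is always on; every
// other category is off unless the value is literally true, so a missing choice,
// a tampered cookie or a truthy string like "yes" all count as a refusal.
function makeConsent(choices) {
  const consent = { necessary: true };
  const src = choices !== null && typeof choices === "object" ? choices : {};
  for (const c of CATEGORIES) {
    if (c !== "necessary") consent[c] = src[c] === true;
  }
  return consent;
}

// Pick the inert tags that may be activated. Unknown or empty categories are
// blocked: a tag the audit could not classify is never loaded by default.
function selectActivatable(tags, consent) {
  return tags.filter(t => CATEGORIES.includes(t.category) && consent[t.category] === true);
}

// Serialise the choice into a first-party cookie with explicit attributes.
function consentCookie(consent, maxAgeDays = 180) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${COOKIE_NAME}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Read the stored choice back from a Cookie header / document.cookie string.
// Returns null when no choice has been recorded yet (banner must be shown and
// nothing non-essential loads); malformed values degrade to "refuse everything".
function parseConsentCookie(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== COOKIE_NAME) continue;
    try {
      return makeConsent(JSON.parse(decodeURIComponent(rest.join("="))));
    } catch (e) {
      return makeConsent({});
    }
  }
  return null;
}

// Browser glue: replace inert tags with live ones. Returns the number activated
// (0 outside a browser, so the pure helpers above can be exercised in Node).
function activateTags(consent) {
  if (typeof document === "undefined") return 0;
  const inert = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'));
  const tags = inert.map(el => ({ el, src: el.getAttribute("src"), category: el.dataset.consent }));
  let count = 0;
  for (const t of selectActivatable(tags, consent)) {
    const live = document.createElement("script");
    if (t.src) live.src = t.src; else live.textContent = t.el.textContent;
    t.el.replaceWith(live);
    count++;
  }
  return count;
}

// Banner handler: "accept all" and "refuse all" are symmetric one-click actions,
// so refusing is exactly as easy as accepting. Returns the stored consent state.
function onBannerChoice(acceptAll) {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = acceptAll === true;
  const consent = makeConsent(choices);
  if (typeof document !== "undefined") document.cookie = consentCookie(consent);
  activateTags(consent);
  return consent;
}

// Constructed sample: the kind of inventory the audit in step 1 produces.
// Hostnames are real vendors; the IDs in the URLs are placeholders.
const SAMPLE_TAGS = [
  { src: "/js/app.js", category: "necessary" },
  { src: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE", category: "analytics" },
  { src: "https://connect.facebook.net/en_US/fbevents.js", category: "marketing" },
  { src: "https://static.hotjar.com/c/hotjar-EXAMPLE.js", category: "analytics" },
  { src: "https://cdn.example.com/unclassified.js", category: "" },
];
```

On page load, call `parseConsentCookie(document.cookie)`; if it returns `null`, show the banner and load nothing beyond `necessary`, otherwise pass the result to `activateTags`. Because the tags are inert in the HTML rather than injected after a JavaScript check, a scanner that captures dynamically loaded scripts will confirm that no analytics or marketing request leaves the page before the choice is made.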
Take the first step toward compliance by scanning your website for free. PrivaGuard detects every active cookie and tracker, categorises them, and shows you exactly what falls short of nLPD requirements.