If your website collects any personal data (and virtually every website does), Swiss law requires you to tell people about it. The new Federal Act on Data Protection (nFADP), which entered into force on 1 September 2023, places a clear transparency obligation on data controllers through Art. 19 nFADP: you must inform individuals when you collect their data, and that information must be accessible, clear, and complete. The primary vehicle for meeting this obligation is a privacy policy.
This guide walks you through exactly what your Swiss privacy policy must include, how to structure it, where to publish it, and when to update it.
Why every Swiss website needs a privacy policy
The moment your website processes personal data, Art. 19 nFADP applies. In practice, this obligation is triggered by almost any modern website that:
- Uses web analytics (Google Analytics, Matomo, Plausible, etc.)
- Embeds a contact or registration form
- Runs advertising trackers (Meta Pixel, LinkedIn Insight Tag, Google Ads remarketing)
- Operates an e-commerce store or user account system
- Loads third-party content such as YouTube embeds, Google Maps, or social sharing buttons
The absence of a privacy policy, or a materially incomplete one, exposes the controller to complaints filed with the Federal Data Protection and Information Commissioner (FDPIC). Intentional violations can result in fines of up to CHF 250,000, levied against the responsible natural person (not the company as a legal entity).
If you also have users in the European Union, Art. 13 GDPR applies in parallel and imposes broadly similar, but not identical, requirements. A well-drafted privacy policy can satisfy both laws simultaneously.
What your privacy policy must contain under nFADP
Art. 19 nFADP, further specified by the Data Protection Ordinance (DPO), sets out the minimum information that must be disclosed. The following nine elements are mandatory.
1. Identity and contact details of the controller
State the legal name and full postal address of your organisation, along with a dedicated email address for data protection enquiries. If you have appointed a representative in Switzerland or the EU, name them here as well.
2. Purposes and legal bases for processing
For each category of processing, explain why you process the data (purpose) and on what basis (consent, performance of a contract, legitimate interest, legal obligation). Vague statements like "to improve our services" are insufficient; specific, concrete purposes are required.
3. Categories of personal data processed
List the types of data you actually collect: identification data (name, email address), usage data (IP address, pages visited, session duration), payment data, contractual data, and so on. Group logically rather than exhaustively listing every field.
4. Recipients and processors
Identify who receives the data: categories of recipients (hosting provider, CRM platform, email service, payment processor) and, where practical, named third parties (e.g. Stripe for payments, Resend for transactional email). Data processing agreements with these sub-processors are a legal requirement.
5. Cross-border data transfers
If data is processed outside Switzerland (common with US or EU cloud services), you must disclose this, name the destination country, and specify the safeguards in place: standard contractual clauses, an FDPIC adequacy decision, or other appropriate measures. Switzerland maintains its own list of countries with an adequate level of protection, which is distinct from the EU's list.
6. Retention periods
How long do you keep each category of data? Provide concrete durations or clear criteria (e.g. "invoice records retained for 10 years in accordance with the Swiss Code of Obligations", "server logs deleted after 90 days"). Open-ended formulations like "as long as necessary" do not satisfy the transparency obligation.
7. Rights of data subjects
The nFADP grants individuals the right of access, rectification, erasure, restriction, data portability, and objection. Explain how these rights can be exercised, provide a contact address, and indicate your response timeline (generally 30 days). Inform users they can also lodge a complaint with the FDPIC.
8. Cookies and tracking technologies
Devote a dedicated section to cookies. Distinguish between strictly necessary cookies (session management, CSRF protection, language preferences) and analytical, advertising, or third-party tracking cookies that require consent. Explain how your consent mechanism works and how visitors can change their preferences at any time.
9. Contact information
Close with a clear invitation to reach out for any data protection questions, with a dedicated email address (ideally privacy@yourdomain.ch or dpo@yourdomain.ch) and information on how to escalate to the FDPIC if needed.
Privacy policy vs. legal notice (Impressum): what is the difference?
This is a common source of confusion, particularly for smaller businesses.
- The legal notice (Impressum) identifies who operates the website: company name, registered address, contact details. It may be required by commercial or sector-specific law. It contains no information about data processing.
- The privacy policy (Datenschutzerklärung in German, politique de confidentialité in French) describes how personal data is collected, processed, and protected. It is required by the nFADP.
These are two separate documents. Both should be linked from the footer of every page on your site, but they must not be merged into a single page.
Common mistakes in Swiss privacy policies
Reviewing hundreds of Swiss company websites reveals a consistent set of gaps:
1. Copy-pasting a GDPR template without Swiss adaptation. The nFADP and GDPR share common principles but differ in terminology, specific rights, and legal bases. A purely European template will not satisfy Swiss law.
2. Omitting third-party cookies and trackers. Google Analytics, Meta Pixel, LinkedIn Insight Tag, and Hotjar all process your visitors' data. Every tool must be named in your policy and covered by your consent banner.
3. Failing to disclose cross-border transfers. Using AWS, Google Cloud, Microsoft Azure, or most US-based SaaS products means data is processed outside Switzerland. These transfers must be declared with the applicable safeguards.
4. Vague or absent retention periods. Stating that data is kept "for as long as necessary" is not compliant. Concrete durations or clear criteria are required under nFADP.
5. Poor accessibility. Your privacy policy must be reachable from any page with a single click, typically via a persistent footer link. Burying it inside your terms and conditions or on an unlisted page is not sufficient.
6. Not updating after adding new tools. Every new tracker, analytics plugin, or third-party service you add to your site must be reflected in your policy. Outdated policies are one of the most frequent findings in FDPIC investigations.
Where to publish your privacy policy
The nFADP's accessibility requirement translates into specific placement expectations:
- Footer of every page: a permanent, clearly labelled link ("Privacy Policy" or "Data Protection")
- Cookie consent banner: visitors must be able to read your policy before accepting or declining cookies
- All data-collecting forms (contact forms, newsletter sign-ups, account creation), with an active hyperlink: "By submitting this form, you agree to our privacy policy"
- Transactional and marketing emails: a footer link is standard practice and helps demonstrate good faith compliance
Template: structure for your nFADP privacy policy
The following outline covers the mandatory elements of Art. 19 nFADP and can be adapted to any business type:
1. Data Controller
- Legal name, address, privacy contact email
2. Data Collected and Purposes
2.1 Usage data and cookies
2.2 Contact and enquiry forms
2.3 User accounts and authentication
2.4 Payment and billing data
2.5 Newsletter and marketing communications
3. Legal Bases for Processing
4. Recipients and Sub-Processors
- Hosting, analytics, CRM, payment, email delivery
5. Cross-Border Data Transfers
6. Retention Periods
7. Your Rights
- Access, rectification, erasure, restriction, portability, objection
- How to exercise your rights and expected response time
8. Cookies and Tracking Technologies
- Strictly necessary cookies
- Analytics cookies (consent required)
- Advertising and third-party cookies (consent required)
- Managing your preferences
9. Changes to This Privacy Policy
10. Contact and Right to Lodge a Complaint with the FDPIC
This structure satisfies Art. 19 nFADP and can be extended with minor additions to meet Art. 13 GDPR for EU users.
When to update your privacy policy
A privacy policy is a living document, not a one-time effort. You must review and update it:
- When you add any new tool that processes personal data: a new CRM, live chat widget, analytics platform, or payment provider
- When you change a service provider: switching hosting, migrating to a different cloud infrastructure, replacing your email delivery service
- When processing purposes change: launching email marketing, starting retargeting campaigns, introducing a loyalty programme
- After legislative changes: DPO amendments, new FDPIC adequacy decisions, relevant Federal Supreme Court rulings
- After a data breach: your policy should reflect any new security measures implemented in response
Date your policy visibly ("Last updated: May 2026") and retain archived versions internally for accountability.
Make it easier with PrivaGuard's built-in generator
Drafting an nFADP-compliant privacy policy from scratch requires legal knowledge, takes time, and must be maintained over the life of your business. That is why PrivaGuard includes a built-in privacy policy generator from the Starter+ plan onwards.
The generator walks you through each required section, tailors the content to your business type (SaaS, e-commerce, service website, professional practice) and the specific tools you use, and produces a trilingual document (French, German, English) ready to publish, designed to align with nFADP and structured to satisfy GDPR requirements for your European users at the same time.
Before you write your privacy policy, start by knowing exactly which cookies and trackers are active on your site. PrivaScan scans your website for free, classifies every tracker by category, and gives you a clear picture of what needs to be disclosed, so nothing gets missed.