Back to overview
nDSGFADPSME

The nDSG Explained: Switzerland's New Data Protection Act for SMEs

Switzerland's revised data protection act — commonly called the nDSG — has applied since 1 September 2023, with no transition period and to virtually every company. What it means for Swiss SMEs in practice: the five key obligations, the sanctions, and a plain-language checklist to get started.

Aiara Team··8 min read
The nDSG Explained: Switzerland's New Data Protection Act for SMEs

«Does the GDPR apply to us now — or something of our own?» We hear this question from Swiss SME executives all the time, the moment data protection comes up. The answer: Switzerland has its own, modernised data protection act — commonly known by its German abbreviation nDSG, internationally as the revised FADP. It has applied since September 2023 to virtually every company in the country, from the one-person business with a website to the industrial firm. The good news: the core obligations are manageable and can be implemented without a legal department. This article explains the revised FADP from the ground up — in plain language, without legalese, and with a concrete checklist at the end.

For the full picture of the law — from duties to sanctions — see our FADP guide.

What does «nDSG» actually mean?

nDSG is short for «neues Datenschutzgesetz» — the new data protection act — and is the common Swiss shorthand for the fully revised Federal Act on Data Protection (FADP, SR 235.1). Officially, the law is still simply called the FADP — the leading «n» established itself in everyday usage to distinguish the revised version from its predecessor dating back to 1992. Whether someone says nDSG, revised FADP or «new Swiss data protection act»: they all mean the same law.

Why the complete overhaul? The old act came from an era before smartphones, cloud services and online tracking. At the same time, Switzerland had to catch up in order to keep being recognised by the EU as a country with an adequate level of data protection — the precondition for personal data flowing between Switzerland and the EU without additional hurdles.

Important for your planning: the revised FADP entered into force on 1 September 2023 with no transition period. There is no grace period to fall back on — the obligations have applied in full since day one.

If you want to dig into the individual changes compared with the old law, you'll find them in our article «The Revised Swiss FADP: What Actually Changes for Swiss Companies». Here we focus on the big picture: what does an SME need to know and do?

Who does the nDSG apply to?

In short: everyone. The revised FADP has no thresholds based on turnover, headcount or industry. As soon as a company processes personal data — data that can be linked to a specific person — it is within scope. And practically every company processes personal data:

  • the bakery with a contact form on its website
  • the fiduciary office with client files
  • the online shop with order and payment data
  • the carpentry business with the personnel files of its five employees

Foreign companies also fall under the revised FADP if their data processing has effects in Switzerland. For Swiss SMEs with customers in the EU, the additional question arises whether the European General Data Protection Regulation (GDPR) applies in parallel — more on that below.

The five most important obligations for SMEs

1. Privacy policy — the duty to inform under Art. 19

The heart of the revised FADP from a website operator's perspective: whoever collects personal data must inform the persons concerned. Article 19 requires, at a minimum, the identity and contact details of the controller, the purpose of processing, the recipients or categories of recipients and — if data is transferred abroad — the destination country and the safeguards protecting the data.

In practice, this duty is fulfilled with a privacy policy on your website. The crucial point is that it matches your actual setup: a copied template that fails to mention Google Analytics even though it is running does not fulfil the duty — if anything, it documents the violation.

2. Records of processing activities — with an SME exemption

The records of processing activities are an internal catalogue: what data do we process, for what purpose, who has access, how long do we keep it? The good news for small businesses: companies with fewer than 250 employees are exempt — as long as they do not extensively process sensitive personal data and do not carry out high-risk profiling. Sensitive data includes, for example, health data, religious or political views, and biometric data.

Most SMEs are therefore formally off the hook. Even so, a lean set of records is worth having in small businesses too: a simple table of your main data categories forces you to take stock and makes every later access request considerably easier.

3. Duty to notify data security breaches

New in Swiss law: if data security is breached — say, through a hacking attack, a lost laptop or a mass mailing sent to the wrong recipients — and this is likely to result in a high risk for the persons concerned, the company must notify the Federal Data Protection and Information Commissioner (FDPIC) as quickly as possible.

For SMEs, this means in concrete terms: you need a minimal incident plan. If everyone knows internally who decides and who reports in an emergency, no time is lost under stress. A single A4 sheet with responsibilities and the reporting channel to the FDPIC is a perfectly adequate starting point.

4. Privacy by design and privacy by default

Two clunky terms, one simple idea: data protection should be considered from the outset («by design»), and the most privacy-friendly setting should be the default («by default»).

In practice, this means: when you introduce a new customer management tool, you ask about storage location and deletion concept during the selection process — not three years later. When you build a registration form, the newsletter checkbox is not pre-ticked. The cookie banner is another textbook case: tracking that only starts after consent is privacy by default put into practice.

5. The right of access for data subjects

Any person can ask you what data you process about them, where it comes from and who it is disclosed to. The deadline is 30 days, and the information is free of charge as a rule. It sounds trivial, but in everyday SME life it is the most common weak spot: requests land in the general inbox, nobody feels responsible, the deadline passes. Define one responsible person and a simple response template — usually that is all it takes.

Sanctions: fines target people, not companies

When it comes to fines, the revised FADP differs markedly from the GDPR. Intentional violations of core duties — such as the duty to inform or to provide access — can be punished, upon criminal complaint, with fines of up to CHF 250,000. The addressee is not the company but the natural person responsible for the violation. In an SME, that is typically the managing director.

That makes data protection a matter for the boss. Two points of perspective so nobody panics: first, only intentional violations are punishable, not negligent ones. Second, a criminal complaint is required — the FDPIC does not hand out fines across the board on its own initiative. Anyone who demonstrably fulfils the core obligations has little to fear. Anyone who deliberately ignores them carries the risk personally.

Three common misconceptions

«We're too small, this doesn't concern us.» The revised FADP has no lower limit. The SME exemption for the records of processing is the only relief worth mentioning — all other obligations apply to the sole proprietorship just as they do to the corporation.

«We have a privacy policy from 2019, that's enough.» Unfortunately not. The duty to inform under Art. 19 requires disclosures that older texts usually do not contain — in particular on recipients and cross-border transfers. A text written before September 2023 is very likely incomplete.

«No EU customers, so we don't need to worry about cookies.» The revised FADP requires transparency about the tracking services you use, and the FDPIC's guidance clearly points towards genuine freedom of choice. As soon as high-risk services or EU visitors are involved, there is hardly a way around a proper consent solution.

The nDSG and the GDPR: which applies to whom?

Many Swiss SMEs are unsure whether the GDPR applies to them on top. The rule of thumb: whoever actively targets customers in the EU — for instance with an online shop that ships to Germany — must comply with both frameworks. Whoever operates purely domestically only has to comply with the revised FADP.

Where exactly the two laws diverge — consent, sanction logic, EU representation — is broken down in our article «FADP vs. GDPR: The Key Differences». For a start, this is enough: whoever complies with the stricter GDPR automatically complies with the revised FADP as well.

Obligations checklist: the nDSG for SMEs

The compact self-check — every line should get a yes:

  • Privacy policy online, up to date and tailored to your actual setup (Art. 19)
  • All tools and third-party providers named in it, including cross-border transfers
  • Cookie banner that starts tracking only after consent
  • Responsibility for access requests defined (30-day deadline)
  • Incident plan for data security breaches with a reporting channel to the FDPIC
  • Records of processing activities in place — mandatory from 250 employees, recommended below
  • New tools and processes set up following privacy by design and by default

How to get started: three pragmatic steps

Step 1: Take stock. One hour, one document: what personal data do we hold, where is it stored, which tools run on our website? A cookie scan of your own site almost always surfaces surprises — modern websites set more cookies than their operators assume.

Step 2: Update your privacy policy and cookie banner. These are the two most visible obligations — and the ones checked first when a complaint comes in.

Step 3: Define your processes. Responsibility for access requests, reporting channel for data breaches, a privacy check for every new tool. Once defined properly, this costs hardly any time in daily operations.

Conclusion

The revised FADP is not a bureaucratic monster but a pragmatic law with clear core duties: inform, document, report when things go wrong — and think about data protection from the start whenever something new is introduced. Work through the checklist above and you have covered the bulk of the SME obligations and brought the managing director's personal fine risk under control.

And you don't have to build the most visible part by hand: with Aiara, your privacy policy and cookie banner are generated automatically in line with the revised FADP — including a cookie scanner that keeps your website and your policy permanently in sync. That turns the website side of compliance into an hour's work instead of a week's.

Frequently Asked Questions

What does the abbreviation nDSG mean?

nDSG is the common German shorthand for «neues Datenschutzgesetz» — the new data protection act. It refers to the fully revised Swiss Federal Act on Data Protection (FADP), in force since 1 September 2023. Officially the law is still simply called the FADP (DSG in German); the «n» merely distinguishes the revised version from its 1992 predecessor.

Who does the nDSG apply to?

To all private companies and federal bodies that process personal data — regardless of size, turnover or industry. Even a sole proprietorship with a website and a contact form falls within scope. Reliefs exist only in specific areas, such as the records of processing activities for companies with fewer than 250 employees.

Since when has the new Swiss data protection act been in force?

Since 1 September 2023 — with no transition period. Unlike the GDPR, which allowed a two-year lead time, the obligations of the revised FADP applied in full from day one. Anyone still non-compliant today cannot invoke any grace period.

What are the penalties for violating the nDSG?

Intentional violations of core duties — such as the duty to inform, to provide access or to cooperate — can be punished, upon criminal complaint, with fines of up to CHF 250,000. The fine targets not the company but the natural person responsible for the violation: in an SME, typically the managing director.

Do I need records of processing activities as an SME?

The records become mandatory only from 250 employees. Smaller companies are exempt as long as they do not extensively process sensitive personal data or carry out high-risk profiling. A lean overview is still recommended — it makes any later access request considerably easier to handle.

Ready for clean cookie consent?

Aiara handles cookie banners, privacy policies and legal notices for your website — FADP and GDPR compliant.

Discover Aiara