DSG Datenschutz Schweiz: What SMEs Must Implement Now
The revised Federal Data Protection Act (revDPA) has been in force since September 2023 – and many Swiss SMEs are not yet compliant. Learn what concrete measures you need to implement right now.

Since September 1st, 2023, the revised Federal Data Protection Act (revDPA) has been in force in Switzerland – and violations can result in fines of up to CHF 250,000. Nevertheless, according to an estimate by SECO, approximately half of Swiss SMEs have not yet fully implemented the mandatory requirements.
TL;DR
- The revDPA has been in force since September 2023 and affects virtually every Swiss company.
- Fines up to CHF 250,000 are possible – including personal liability of management.
- A privacy notice is mandatory for everyone; the processing activities register and the DPIA are mandatory only above certain size and risk thresholds (see below).
- Technical and organizational measures (TOMs) must be documented.
What is the revDPA – and who is affected?
The revDPA (revised Federal Data Protection Act, SR 235.1) is the modernized Swiss data protection law that replaces the 1992 version and is strongly aligned with the European GDPR. It applies in principle to every company that processes personal data of individuals – meaning virtually all Swiss SMEs.
📊 ~50% of Swiss SMEs have not yet fully aligned their data protection documentation with the revDPA, according to SECO estimates. Source: SECO SME Monitor, 2023
Particularly affected are companies that:
- Store customer data, employee data, or supplier information
- Operate websites with tracking or contact forms
- Use cloud services based abroad (e.g., Microsoft 365, Salesforce)
What are your concrete obligations as an SME?
The revDPA prescribes several concrete measures. Most of them apply regardless of company size; the register and the DPIA depend on headcount and on the risk of the processing. Here is an overview of the key obligations:
1. Processing Activities Register
Art. 12 revDPA requires controllers and processors to document which personal data they process, for what purpose, and how. Companies with fewer than 250 employees are exempt (Art. 12 para. 5 and the implementing ordinance), unless they process sensitive personal data on a large scale or carry out high-risk profiling. Where it is required, the register stays internal and must be presented to the Federal Data Protection and Information Commissioner (FDPIC) upon request. Even where it is not legally required, keeping one is the simplest way to answer every other question in this article, because it tells you what data you hold, where, and who touches it.
💡 Tip: Start with a simple spreadsheet. The FDPIC offers free sample templates on its website that you can directly adapt.
2. Update Your Privacy Policy
Art. 19 revDPA sets the minimum content of the information you must give data subjects when you collect their data, usually via your website's privacy notice:
- Identity and contact details of the controller
- Purpose of the processing
- Recipients or categories of recipients of the data
- For transfers abroad: the destination country and the safeguards used (or the exception relied on)
Legal basis, retention periods and a description of data subject rights are GDPR requirements rather than revDPA ones. Include them anyway if you also process data of people in the EU or want one notice that works for both regimes.
3. Data Protection Impact Assessment (DPIA)
If a planned processing activity is likely to result in a high risk to data subjects, a DPIA (Data Protection Impact Assessment) is mandatory (Art. 22 revDPA). Typical triggers are large-scale processing of sensitive personal data (e.g., health data), high-risk profiling, and systematic monitoring of public areas such as video surveillance.
⚠️ Important: If the DPIA shows that a high risk remains even after the planned measures, you must obtain the FDPIC's opinion before you start (Art. 23 revDPA). If you have appointed a data protection advisor under Art. 10, you may consult the advisor instead of the FDPIC. Skipping the DPIA or the consultation is not itself on the list of fineable offences, but it leaves you without a defensible risk record if something goes wrong, and the FDPIC can order you to stop or change the processing.
How does the revDPA differ from the GDPR?
Many IT managers are already familiar with the European GDPR – and wonder how different the revDPA really is. The short answer: The basic principles are similar, but there are relevant differences.
| Criterion | revDPA (Switzerland) | GDPR (EU) |
|---|---|---|
| Scope | Natural persons | Natural persons |
| Fine amount | Up to CHF 250,000 (natural person; intentional violations only) | Up to EUR 20 million / 4% of global annual turnover (company) |
| DPO obligation | Voluntary data protection advisor (Art. 10), recommended | Mandatory for certain organizations |
| Breach notification | To FDPIC as soon as possible, if high risk to data subjects | To supervisory authority within 72 hours, unless unlikely to result in a risk |
| Profiling | Explicitly regulated | Explicitly regulated |
| Privacy by design | Mandatory | Mandatory |
ℹ️ Note: Unlike the GDPR, the revDPA directs fines primarily at natural persons: the executive, IT manager or other employee responsible for the violation. A company itself can only be fined, and only up to CHF 50,000, where identifying the responsible person would require disproportionate investigative effort (Art. 64). This puts the pressure squarely on individuals.
How do you implement the revDPA step by step?
A structured approach helps you become compliant without overwhelming your team. Plan for approximately 4–8 weeks for a complete initial implementation.
- Stock-take — Identify all data flows in your company: Which personal data is processed, where, how, and by whom?
- Create the register — Document all processing activities in a register (template: edoeb.admin.ch).
- Update privacy policy — Review and revise your website privacy policy and internal guidelines.
- Review contracts — Ensure data processing agreements exist with IT service providers and cloud vendors.
- Document TOMs — Record technical and organizational measures (encryption, access controls, backups) in writing.
- Train employees — Data protection is a leadership and team responsibility. Short, practical training sessions suffice initially.
- Review DPIA requirements — Analyze whether a Data Protection Impact Assessment is needed for specific processing activities.
- Define breach notification process — Establish internally how to respond to data breaches and who will notify the FDPIC.
Are you truly compliant? – The Checklist
- Processing activities register created and current (mandatory from 250 employees or for high-risk processing; recommended for everyone else)
- Website privacy policy updated
- Data processing agreements with all service providers in place
- Data Protection Impact Assessment completed for high-risk processing
- Technical and organizational measures (TOMs) documented
- Data breach notification process defined
- Employees trained on revDPA
- Internal data protection policy adopted
🚨 Warning: Many companies forget that the duty to inform also applies when data is collected over the phone, at the counter, or when a contract is signed, not just on the website. Keep a record of how and when such notices are given (script, form, contract clause) so that you can demonstrate it if the FDPIC asks.
Conclusion – Act now, don't wait
The revDPA is not a toothless bureaucratic law. The FDPIC has announced investigations, and personal liability of executives is real. The good news: With a structured approach, you can become compliant as an SME in a few weeks – without hiring large consulting firms.
The first step is an honest assessment of your data flows. The second: the right technical support.
On IT-Provider.ch, you'll find over 200 verified Swiss IT providers who can help you implement the revDPA – from data protection consulting to secure cloud solutions to technical data protection measures.
Frequently Asked Questions about the revDPA for SMEs
Does the revDPA apply to micro-enterprises and sole traders?
Yes. The revDPA applies to all natural and legal persons processing personal data. Only purely private data processing is excluded. Even a hair salon with customer data is affected.
What are the concrete consequences of non-compliance with the revDPA?
For intentional violations of specific information, disclosure, cooperation, and duty-of-care obligations (e.g., transfers abroad without safeguards, missing processor contracts, ignoring the minimum data security requirements), fines of up to CHF 250,000 can be imposed. Negligence alone is not fined. Important: The fine is imposed on the responsible natural person; the company itself can only be fined up to CHF 50,000 when that person cannot be identified without disproportionate effort.
Do I need an external data protection officer?
No, the revDPA does not mandate a data protection officer; the Act calls the voluntary role a "data protection advisor" (Art. 10). Appointing one brings a concrete benefit: after a DPIA that shows high residual risk, you may consult your advisor instead of the FDPIC. It is particularly worthwhile if you regularly process large volumes of personal data. An external advisor can be a cost-effective solution; if you appoint one, publish the contact details and notify the FDPIC.
Do data breaches need to be reported?
Yes – if a data breach is likely to pose a high risk to data subjects, the FDPIC must be informed as soon as possible. Affected individuals must also be notified if it serves to protect them.
What happens with data transferred to the EU or USA?
Data transfers abroad are only permitted if the Federal Council has recognized the recipient country as providing adequate protection (all EU/EEA states are on that list) or if appropriate safeguards exist, typically standard contractual clauses recognized by the FDPIC, together with a transfer impact assessment of the destination country's law (Art. 16 and 17 revDPA). For the USA, transfers to companies certified under the Swiss-U.S. Data Privacy Framework count as adequate since 15 September 2024; for all other US recipients you still need standard contractual clauses. Always check the current FDPIC adequacy list and recommendations, and record the transfer mechanism for each provider in your register.