Has your rent been raised? Find out more about your rights

Swiss Data Protection Act: What companies need to know

Swiss SMEs should implement these 12 measures to adapt to the revised Data Protection Act (nFADP), which will enter into force on September 1, 2023.

The answer in detail

As a self-employed person or SME in Switzerland, you must implement the following 12 measures to meet the requirements of the revised Data Protection Act (nFADP), which enters into force on September 1, 2023. 

Here is an overview of the 12 most important points:

  1. Check your privacy policy and expand if necessary
  2. Create guidelines for data processing within the company (or amend them)
  3. Create a data processing directory 
  4. Draw up a process for a quick response to queries from affected persons – for example requests for information or the deletion of data
  5. Introduce a reporting process for breaches of data security 
  6. Define a process for data protection impact assessments for when the data processing entails a high risk for the affected persons 
  7. Analyze contracts with subcontractors regarding data security and add corresponding clauses – so-called data processing agreements – (especially with regard to reporting any breaches of the Data Protection Act) 
  8. Ensure that all personal data is deleted or anonymized as soon as it is no longer needed
  9. Find out which countries data is transmitted to
  10. Guarantee data security through appropriate technical and organizational measures
  11. Ensure data portability and the transfer of the data in a standard electronic format 
  12. Review whether you need a data protection advisor


Further legal tips on the subject of data protection or data processing: