Swiss nDSG Compliance: Website Checklist 2026


TL;DR: The Swiss nDSG requires every business website to have a complete privacy policy, correct cookie handling, and transparent data processing information. Violations carry fines up to CHF 250,000. This checklist covers all obligations with immediately actionable steps.

On 1 September 2023, Switzerland’s new Federal Act on Data Protection (nDSG) came into force — with no transition period. From that day on, every business operating in Switzerland had to comply with the new rules. Yet many SME websites remain non-compliant to this day. This is rarely due to wilful neglect. More often, it comes down to unclear communication about what the law actually requires and how those requirements translate into technical changes on a website.

This article is for business owners, marketing managers, and IT leads at Swiss SMEs who want to verify that their website meets nDSG requirements. You will find a complete, practical checklist covering every relevant area — from privacy policies and cookies to hosting locations and newsletter compliance. Concrete measures you can implement right away, not legal jargon.

One caveat: this article does not constitute legal advice. For complex scenarios — such as processing sensitive personal data or operating internationally — consult a specialised data protection lawyer.

What Changed with the nDSG?

The old Federal Act on Data Protection (DSG) dated back to 1992. It was written for a world where the internet was in its infancy and cookies were just something you ate. The nDSG brings Swiss data protection law into the digital age, taking strong cues from the EU’s GDPR while charting its own course in several important areas.

Key Changes at a Glance

Protection limited to natural persons: The old DSG protected both natural persons and legal entities. The nDSG limits protection to natural persons only. Personal data of individuals within a company still falls under the law, but company data as such does not.

Extended duty to inform: Under the nDSG, you must inform data subjects whenever you collect their personal data — not just when sensitive data is involved. This applies to every contact form, newsletter sign-up, and order on your website. You must state what data you collect, for what purpose, and whether it is transferred abroad.

Privacy by Design and Privacy by Default (Art. 7 nDSG): Data protection must be built into the technical design from the outset, and the most privacy-friendly setting must be the default. In concrete terms, this means that if your website displays a cookie banner, no non-essential cookie category may be pre-selected.

Stricter breach notification (Art. 24 nDSG): In the event of a data security breach — such as a hack or accidental data leak — you must notify the Federal Data Protection and Information Commissioner (FDPIC) as quickly as possible if there is a high risk to the affected individuals.

Fines target individuals, not companies: This is where the nDSG differs fundamentally from the GDPR. Fines of up to CHF 250,000 are imposed on the responsible natural person — typically the managing director or the person responsible for data protection. This creates significant personal liability.

Data Protection Impact Assessment (Art. 22 nDSG): For processing activities carrying a high risk to data subjects’ rights, a prior impact assessment is required. Not relevant for most SME websites, but it can become necessary if you operate extensive user tracking or AI-powered personalisation.

nDSG vs. GDPR — Key Differences

While the nDSG is heavily inspired by the GDPR, there are differences that matter for Swiss businesses:

  • Who gets fined: The nDSG fines natural persons (up to CHF 250,000). The GDPR fines companies (up to 4% of annual global turnover or EUR 20 million).
  • Consent model: The nDSG does not always require explicit consent. In many cases, it is sufficient that data subjects have been informed and have not objected (opt-out principle). The GDPR generally requires active opt-in consent.
  • Data Protection Officer: The nDSG recommends appointing a data protection advisor but does not make it mandatory for private companies. The GDPR makes it compulsory under certain conditions.
  • Records of processing activities: Under the nDSG, companies with fewer than 250 employees are generally exempt, provided there is no high-risk processing. The GDPR has similar but not identical thresholds.

The Complete Website Checklist

Here is the full checklist for an nDSG-compliant website. Work through each point systematically and document the status of every item.

Privacy Policy

| Item | Requirement | Status |
|---|---|---|
| 1 | Privacy policy exists and is accessible from every page (ideally in the footer) | |
| 2 | Identity and contact details of the data controller are stated | |
| 3 | Purpose of data processing is described | |
| 4 | Recipients or categories of recipients are named | |
| 5 | For cross-border transfers: destination country and safeguards are specified | |
| 6 | Retention period or criteria for determining it are defined | |
| 7 | Rights of data subjects (access, rectification, deletion) are listed | |
| 8 | Automated individual decisions are declared (if applicable) | |
| 9 | Date of last update is shown | |

Cookies and Tracking

| Item | Requirement | Status |
|---|---|---|
| 10 | Cookie banner informs users about cookies used | |
| 11 | Non-essential cookies are only set after consent | |
| 12 | Cookie banner offers a genuine choice (not just "Accept") | |
| 13 | Consent decision can be revoked at any time | |
| 14 | Cookie policy lists all cookies with purpose and lifespan | |
| 15 | Third-party tracking scripts only load after consent | |

Contact Forms

| Item | Requirement | Status |
|---|---|---|
| 16 | Reference to privacy policy near the form | |
| 17 | Only necessary data is collected (data minimisation) | |
| 18 | Form data is transmitted encrypted (HTTPS) | |
| 19 | Retention periods for enquiries are defined | |
| 20 | Form data is not shared with uninvolved third parties | |

Hosting and Data Transfers

| Item | Requirement | Status |
|---|---|---|
| 21 | Hosting location is documented | |
| 22 | For hosting outside Switzerland/EU: safeguards are in place | |
| 23 | SSL/TLS encryption is active (HTTPS) | |
| 24 | Data processing agreement (DPA) with hosting provider exists | |
| 25 | Server log files and their retention period are documented | |

Newsletter

| Item | Requirement | Status |
|---|---|---|
| 26 | Newsletter sign-up uses informed consent | |
| 27 | Double opt-in process is implemented | |
| 28 | Every newsletter contains an unsubscribe link | |
| 29 | Newsletter service is listed in the privacy policy | |
| 30 | For services abroad: safeguards are documented | |

Analytics

| Item | Requirement | Status |
|---|---|---|
| 31 | Analytics tool is named in the privacy policy | |
| 32 | IP anonymisation is enabled (if available) | |
| 33 | Analytics loads only after cookie consent (for tracking-based tools) | |
| 34 | Data processing agreement with analytics provider exists | |
| 35 | Opt-out option is provided | |

Penalties and Consequences

The nDSG imposes serious penalties. And unlike the GDPR, fines are directed at the responsible natural person — not the company. As a managing director or responsible officer, you are personally liable.

| Violation | Maximum Fine | Legal Basis |
|---|---|---|
| Breach of duty to inform | CHF 250,000 | Art. 60 nDSG |
| Breach of due diligence in cross-border transfers | CHF 250,000 | Art. 61 nDSG |
| Breach of duty to provide information | CHF 250,000 | Art. 60 nDSG |
| Breach of duty to cooperate with the FDPIC | CHF 250,000 | Art. 63 nDSG |
| Breach of professional confidentiality | CHF 250,000 | Art. 62 nDSG |
| Inadequate data security | Measures ordered by the FDPIC | Art. 51 nDSG |

Important to know: the criminal provisions of the nDSG generally require intent. Negligent conduct is only punishable in certain cases. However, this is no reason for complacency — in a dispute, the burden of proving due diligence falls on you.

Beyond criminal fines, the FDPIC can order administrative measures: restricting, suspending, or prohibiting data processing entirely. For an SME whose business relies on its website, this can be existentially threatening.

Affected individuals can also pursue civil claims for damages and satisfaction — a financial risk beyond the fines themselves.

Technical Implementation

Theory is one thing, practice another. Here is how you concretely implement the most important technical requirements on your website.

Cookie Banner

A cookie banner is unavoidable for most websites — at least if you use cookies beyond purely technical functionality. And almost every website does: Google Analytics, Facebook Pixel, YouTube embeds, and chat widgets all set cookies.

Here is how to implement it correctly:

1. Categorise your cookies. Distinguish between technically necessary cookies (session cookies, language settings, shopping cart), statistics cookies (analytics), marketing cookies (retargeting, social media), and comfort cookies (personalisation).

2. Block non-essential cookies before consent. This is the critical point that many get wrong. A banner that merely informs but still sets all cookies is not compliant. The scripts that set tracking cookies must not load until the user has actively consented.

3. Offer a genuine choice. The user must be able to reject or accept individual cookie categories. A banner that only offers an “Accept” button is insufficient. You need at least “Accept”, “Reject”, and ideally a detailed view with individual category selection.

4. Store the consent decision. The user’s choice must be documented so that you can prove consent was given if challenged.

5. Enable withdrawal. The user must be able to change their consent at any time — for example via a link in the footer or a re-accessible cookie banner.

Proven consent management solutions for Swiss websites include Cookiebot, Usercentrics, and Klaro. All three support the nDSG and can document consent decisions.
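The five steps above, carried into a small consent module. This is an added example, not code from the article or from Cookiebot, Usercentrics or Klaro; the category names, the CONSENT_VERSION counter, the one-year re-consent period and the `data-cookie-category` / `data-src` tag convention are assumptions chosen for illustration.

```javascript
// Added example, not code from the article or from any named consent tool.
// Category names, CONSENT_VERSION and the one-year re-consent period are
// assumptions chosen for illustration.
const CATEGORIES = ['necessary', 'statistics', 'marketing', 'comfort'];
const CONSENT_VERSION = 3;                     // raise it whenever the cookie list changes
const MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;  // ask again after one year (assumed policy)

// Steps 1 and 2, privacy by default: until the user decides, only technically
// necessary cookies are allowed. decidedAt === null marks "no decision yet".
function defaultConsent() {
  return {
    version: CONSENT_VERSION,
    decidedAt: null,
    categories: { necessary: true, statistics: false, marketing: false, comfort: false },
  };
}

// Steps 3 and 4: record a genuine per-category choice. Unknown categories are
// rejected, "necessary" cannot be switched off, and anything not explicitly
// set to true stays off. Version and timestamp make the decision provable.
function recordConsent(choices, now = Date.now()) {
  for (const name of Object.keys(choices)) {
    if (!CATEGORIES.includes(name)) throw new Error(`unknown cookie category: ${name}`);
  }
  const categories = { necessary: true };
  for (const name of CATEGORIES.slice(1)) categories[name] = choices[name] === true;
  return { version: CONSENT_VERSION, decidedAt: now, categories };
}

// Step 5: withdrawing consent returns to the privacy-by-default state.
function withdrawConsent() { return defaultConsent(); }

// The banner must be shown (again) when there is no decision, when the cookie
// list changed since the decision, or when the decision is older than MAX_AGE_MS.
function needsBanner(record, now = Date.now()) {
  if (!record || record.decidedAt === null) return true;
  if (record.version !== CONSENT_VERSION) return true;
  return now - record.decidedAt > MAX_AGE_MS;
}

// A category is allowed only with a current, valid decision; stale or missing
// consent blocks everything except necessary cookies.
function isAllowed(record, category, now = Date.now()) {
  if (category === 'necessary') return true;
  if (!CATEGORIES.includes(category) || needsBanner(record, now)) return false;
  return record.categories[category] === true;
}

// Step 2 in practice: third-party tags are embedded as inert
// <script type="text/plain" data-cookie-category="statistics" data-src="..."></script>
// so the browser never runs them on its own. Given those tags as
// { category, src } objects, return the sources that may be activated.
function scriptsToActivate(record, scripts, now = Date.now()) {
  return scripts.filter((s) => isAllowed(record, s.category, now)).map((s) => s.src);
}

// Browser glue (assumed DOM usage): persist the record and replace each permitted
// inert tag with a real script element. Does nothing outside a browser.
function applyConsent(record) {
  if (typeof document === 'undefined') return;
  localStorage.setItem('cookie-consent', JSON.stringify(record));
  for (const el of document.querySelectorAll('script[type="text/plain"][data-cookie-category]')) {
    if (!isAllowed(record, el.dataset.cookieCategory)) continue;
    const real = document.createElement('script');
    real.src = el.dataset.src;
    el.replaceWith(real);
  }
}
```

Wire the banner's buttons to `recordConsent` / `withdrawConsent` followed by `applyConsent`, and call `needsBanner` on page load to decide whether to show it.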

Privacy-Friendly Analytics

Google Analytics is the most widely used analytics tool — and the most problematic from a data protection perspective. GA4 transfers user data to the US, sets cookies, and requires informed consent via your cookie banner. Users who reject cookies disappear from your statistics. Depending on your industry, that can be 30 to 50 percent of visitors.

The alternative: privacy-friendly analytics tools that use no cookies and process no personal data.

Plausible Analytics is a European tool (EU-hosted) that works without cookies, stores no personal data, and is fully GDPR and nDSG compliant. No cookie banner needed, yet it delivers meaningful statistics on visitors, page views, session duration, and referrers.

Fathom Analytics follows a similar approach: cookie-free, privacy-compliant, focused on simple reports.

Both cost between USD 9 and USD 19 per month — a small price for legal certainty and complete data capture without consent losses.

Handling Form Data Securely

Contact forms are the most common type of data collection on SME websites. To make them nDSG-compliant, follow these guidelines:

  • HTTPS is mandatory. Form data must be transmitted encrypted. If your website does not yet have an SSL certificate, this is the first measure to take.
  • Data minimisation: Only ask for what you truly need. For a contact enquiry, you need a name, email address, and message — not a date of birth, postal address, and phone number.
  • Purpose limitation: Use the collected data only for the stated purpose. If someone sends you an enquiry, you may not automatically add them to your newsletter.
  • Deletion policy: Define when form data is deleted. A retention period of six to twelve months after the enquiry has been resolved is a sensible guideline.
  • Notice text: Place a brief notice near the form such as: “By submitting this form, you consent to the processing of your data in accordance with our Privacy Policy.”

SSL/TLS Encryption

HTTPS has been the standard for years and most hosting providers offer it free via Let’s Encrypt. Yet some websites still run unencrypted. For nDSG compliance, SSL/TLS encryption is mandatory — it is part of the minimum data security requirements under Art. 8 nDSG.

Also verify that your website redirects HTTP to HTTPS correctly. A common mistake is the HTTP version remaining accessible alongside the HTTPS version.

Hosting Location and Data Transfers

The choice of hosting location is legally relevant because the nDSG sets clear rules for transferring personal data abroad (Art. 16-18 nDSG).

Swiss Hosting — The Safest Option

If your website is hosted with a Swiss provider — such as Infomaniak, Cyon, or Hostpoint — the data stays within Switzerland. This eliminates the additional requirements for cross-border transfers. It is the simplest and safest solution.

EU/EEA Hosting — Straightforward

The EU is considered by the Swiss Federal Council to be a country with an adequate level of data protection. Data transfers to the EU/EEA are permissible without additional measures. Providers like Hetzner (Germany), OVH (France), or Vercel (with EU region) are therefore unproblematic.

US Hosting — Proceed with Caution

Data transfers to the United States are the most complex topic in data protection law. Since the Schrems II ruling by the European Court of Justice (2020), the Privacy Shield has been invalidated. While the new EU-US Data Privacy Framework was introduced in 2023, its long-term validity remains contested.

For Swiss businesses: the Federal Council has published a state list defining which countries provide adequate data protection. The US is listed with restrictions — transfers are only permissible if the US recipient is certified under the Swiss-U.S. Data Privacy Framework.

If you host on AWS, Google Cloud, or Vercel (US region), verify that the provider is certified under the framework and document this in your privacy policy. Alternatively, rely on Standard Contractual Clauses (SCCs).

Our recommendation: For Swiss SME websites, hosting in Switzerland or the EU is the most pragmatic solution. You avoid legal grey areas and can clearly communicate to customers and regulators where the data resides. If you are interested in modern, fast hosting, we are happy to advise you — get in touch.

Do Not Forget Third-Party Services

Hosting is only one piece of the puzzle. Think about all third-party services that process data:

  • Email service (Mailchimp, Brevo, etc.): Where is recipient data stored?
  • CRM system (HubSpot, Salesforce, etc.): Where are the servers located?
  • Cloud storage (Google Drive, Dropbox, etc.): Is customer data stored there?
  • Chat tools (Zendesk, Intercom, etc.): Where are chat histories stored?
  • Payment providers (Stripe, PayPal, etc.): How is payment data processed?

Each of these services must be listed in your privacy policy, including the location of data processing and safeguards in place.

Creating a Proper Privacy Policy

The privacy policy is the centrepiece of your nDSG compliance. It must be transparent, understandable, and complete. Here is the structure that a compliant privacy policy should follow.

Mandatory Content Under the nDSG

1. Identity and contact details of the data controller: Full company name, address, email address, and optionally a phone number. If you have appointed a data protection advisor, include their contact details as well.

2. Purpose of data processing: Describe the purpose clearly for each type of data collection. Examples: “Processing your contact enquiry”, “Sending our newsletter”, “Analysing user behaviour to improve our website”.

3. Categories of personal data processed: List the data you collect — e.g. name, email address, IP address, device information, browser data.

4. Recipients of the data: Name all third parties to whom data is disclosed — hosting providers, analytics services, newsletter tools, payment providers, etc.

5. Retention period: State how long the data is stored, or the criteria used to determine the storage duration.

6. Cross-border data transfers: If data is transferred to countries outside Switzerland, you must state the destination country and the safeguards in place (adequacy decision, SCCs, consent, etc.).

7. Rights of data subjects: Inform about the right of access (Art. 25 nDSG), the right to data portability (Art. 28 nDSG), and the right to rectification, deletion, and objection.

8. Automated individual decisions: If you use automated decision-making processes with legal effect, you must disclose this.

Language and Accessibility

Write the privacy policy in a language your target audience understands. For a German-language website, it should be available in German; for a multilingual website, in all offered languages.

Avoid unnecessary legal jargon. The nDSG requires “appropriate” information — and appropriate also means comprehensible. Structure the text clearly with headings, use short paragraphs, and explain technical terms.

The privacy policy must be accessible from every page of your website — ideally via a link in the footer. The link should be clearly labelled, such as “Privacy” or “Privacy Policy”.

Template vs. Custom Creation

There are numerous privacy policy generators available online. These can be a starting point but are no substitute for individual customisation. Every website is different — the tools used, the type of data collection, the hosting location. A generic template rarely covers all specifics.

When you have your website built by loaded, we create the privacy policy to match the tools and services in use — so it fits your website rather than being an empty shell.

Frequently Asked Questions (FAQ)

Does the nDSG apply to small businesses?

Yes, without exception. The nDSG makes no exemption based on company size. Whether you are a sole proprietorship, LLC, or corporation — if you process personal data, you must comply. The only concession is for records of processing activities: companies with fewer than 250 employees are exempt, provided they do not carry out extensive processing of sensitive data or high-risk profiling. All other obligations — duty to inform, data security, data subject rights — apply to every business regardless of size.

Do I need a Data Protection Officer?

The nDSG refers to a “data protection advisor” (Art. 10 nDSG). For private companies, appointing one is voluntary — unlike the GDPR, which requires a DPO under certain circumstances. However, it is recommended if you regularly process personal data. The advisor serves as the internal contact point for data protection and can help identify risks early. You can register them with the FDPIC — voluntary, but it can bring procedural advantages.

Can I still use Google Analytics?

Yes, but with restrictions. Google Analytics 4 (GA4) sets cookies and transfers data to Google servers, some of which are located in the United States. You must therefore ensure that Google is certified under the Swiss-U.S. Data Privacy Framework (which is currently the case), that IP anonymisation is enabled, that GA4 only loads after informed cookie consent, and that the use of Google Analytics is documented in your privacy policy.

Alternatively, we recommend privacy-friendly tools such as Plausible or Fathom, which operate without cookies and require no consent banner. This delivers more complete data and reduces your legal risk to zero.

What must my privacy policy contain?

At minimum: identity and contact details of the data controller, purpose of processing, categories of data collected, recipients or categories of recipients, cross-border transfer details (destination country and safeguards), retention periods, rights of data subjects, and automated individual decisions (if any). Additionally, list all third-party services individually and explain what data they process. See a detailed example in our Privacy Policy.

Are contact forms nDSG-compliant?

Contact forms are fundamentally permissible but must be implemented correctly. Only collect the data you genuinely need (data minimisation). Transmit the data encrypted (HTTPS). Include a reference to your privacy policy near the form. Store the data only as long as it is needed for the stated purpose. And do not use the data for other purposes — such as newsletter distribution — without separate consent. If you follow these points, contact forms are a privacy-compliant way to communicate with your customers.

Do I need consent for cookies?

The nDSG generally requires informed consent for the processing of personal data when no other justification applies. For technically necessary cookies (session cookies, language settings), you do not need consent, as they are required for the website to function. For all other cookies — particularly tracking and marketing cookies — you must obtain consent before the cookies are set. Important: the Federal Council has clarified that simply continuing to use the website does not constitute consent. A banner stating “By using this website, you agree to…” is not sufficient.

What happens if I violate the nDSG?

For intentional violations of the nDSG, fines of up to CHF 250,000 can be imposed on the responsible natural person. This particularly concerns breaches of the duty to inform, due diligence in cross-border transfers, the duty to provide information, and the duty to cooperate with the FDPIC. Additionally, the FDPIC can order administrative measures — from restricting data processing to a complete ban. Affected individuals can also pursue civil claims for damages and satisfaction. A violation can therefore cost far more than the fine alone.

How does the nDSG differ from the GDPR?

The most important differences: the nDSG fines natural persons up to CHF 250,000, while the GDPR fines companies up to 4% of annual global turnover or EUR 20 million. The nDSG permits an opt-out model in many cases (informing is sufficient), while the GDPR more frequently requires active opt-in consent. A Data Protection Officer is voluntary under the nDSG but mandatory under the GDPR in certain conditions. The nDSG’s scope is limited to natural persons, while the GDPR also protects legal entities. For Swiss businesses that also serve customers in the EU: you must comply with both laws.

Conclusion: Act Now

The nDSG has been in force for over two years. There was never a transition period — and enforcement by the FDPIC is increasing. If your website is not yet compliant, act now. The good news: for most SME websites, the necessary adjustments are manageable. A proper privacy policy, a correctly implemented cookie banner, privacy-friendly analytics, and HTTPS — these are the pillars.

Use this checklist as your starting point and work through the items systematically. If you need help with technical implementation, talk to us. We build websites that are not only fast and beautiful but privacy-compliant from the ground up — by Design and by Default.

Benjamin Wagner

Founder & Lead Developer at loaded. Builds ultrafast, AI-optimized websites for Swiss SMEs since 2024. Creator of OpenHermit.
