Law & Data

nDSG vs GDPR: What Every Swiss Entrepreneur Must Know

7 April 2026 · 8 min read | AI Swiss Group

A practical comparison of the Swiss nDSG and EU GDPR data protection laws. What applies to your business, what are the penalties, and how to stay compliant.

Since September 1, 2023, the new Swiss Federal Act on Data Protection (nDSG) has been in effect. If your company operates in Switzerland or serves Swiss customers, you need to understand how it differs from the EU's GDPR — and what it means for your website, apps, and data processing.

Key Differences at a Glance

While the nDSG was largely modeled after the GDPR, there are several critical differences that Swiss businesses must understand. The nDSG focuses specifically on natural persons (the GDPR also covers legal entities in some cases), has different penalty structures, and takes a unique approach to consent requirements.

1. Scope and Applicability

The GDPR applies to any company processing data of EU residents, regardless of where the company is based. The nDSG applies to data processing that has effects in Switzerland, even if the processing occurs abroad. For Swiss companies doing business across Europe, both regulations typically apply simultaneously.

2. Consent Requirements

Under the GDPR, explicit consent is required for most data processing. The nDSG is more permissive: processing personal data is generally allowed unless the data subject has explicitly objected. However, for sensitive personal data (health, biometric data, political opinions), the nDSG also requires explicit consent.

If your website uses cookies for analytics or marketing, you likely need a cookie banner for both GDPR and nDSG compliance — but the technical requirements differ.

3. Penalties

Here's where it gets interesting. The GDPR can fine companies up to €20 million or 4% of global annual turnover. The nDSG takes a different approach: fines up to CHF 250,000, but they target responsible individuals, not the company. This means a CEO or CTO can be held personally liable.

Personal liability under the nDSG means that decision-makers should take data protection seriously — it's not just a corporate risk anymore.

4. Data Protection Impact Assessment (DPIA)

Both regulations require DPIAs for high-risk processing. Under the GDPR, you must consult the supervisory authority if risks cannot be mitigated. Under the nDSG, you can skip the FDPIC consultation if you have an internal data protection advisor — a practical advantage for larger companies.

What This Means for Your Digital Products

  • Your privacy policy must address both nDSG and GDPR if you serve EU customers
  • Cookie consent mechanisms need to satisfy the stricter of the two requirements
  • Data hosting in Switzerland is preferred but not legally required — adequate protection level is key
  • Breach notification deadlines differ: GDPR requires 72 hours, nDSG says "as soon as possible"
  • International data transfers need appropriate safeguards under both laws

Our Recommendation

For most Swiss businesses with a European customer base, the safest approach is to comply with both regulations simultaneously. Design your data processing for GDPR compliance (the stricter standard), ensure your privacy policy addresses nDSG-specific requirements, and host your data with Swiss or EU-based providers.

At AI Swiss Group, we build all our web and mobile solutions with privacy-by-design principles. Our infrastructure is hosted in Switzerland, and we use privacy-friendly analytics (Umami) that don't require cookie consent. If you need help auditing your digital presence for compliance, get in touch for a free consultation.

Tags: nDSG, GDPR, compliance, Switzerland, data-protection
