The revised Swiss Data Protection Act (revDSG) has been in effect since September 2023 and imposes significant obligations on online retailers. It is aligned with the EU GDPR but contains its own rules specific to the Swiss market. The Federal Data Protection and Information Commissioner (FDPIC/EDÖB) oversees compliance and can open investigations into suspected violations.
Core Obligations
Online retailers must provide a transparent privacy policy that informs users about the type, scope and purpose of data processing. A data protection impact assessment (DPIA) is required for high-risk processing activities. Data breaches must be reported to the FDPIC as quickly as possible. Every online shop also needs a cookie banner that informs users about the use of tracking technologies.
Information Duty on Data Collection
Whenever personal data is collected, the affected person must be informed. For e-commerce this means that during checkout, newsletter signup, contact forms and account creation it must be clearly communicated which data is collected and for what purpose. The privacy policy should be available in at least German and French to cover the Swiss language regions.
Record of Processing Activities
Companies with more than 250 employees must maintain a record of their data processing activities. Smaller companies are exempt unless they process particularly sensitive data on a large scale or engage in high-risk profiling. For e-commerce businesses, maintaining such a record is still recommended since customer data, payment information and order histories are systematically processed.
International Data Transfer
When transmitting personal data abroad, an adequate level of data protection must be ensured. The Federal Council publishes a list of countries with adequate protection levels. For other countries, standard contractual clauses or binding corporate rules are required for lawful transfer. Businesses using cloud services like AWS, Google Cloud or Azure must ensure that data processing meets Swiss requirements.
Differences from EU GDPR
Unlike the GDPR, the Swiss DSG does not require consent for all cookies; only non-essential tracking cookies require user consent. There is also no mandatory requirement to appoint a data protection officer, though doing so is recommended. The territorial scope differs as well: the DSG applies to data processing that has effects in Switzerland.
Penalties and Enforcement
Unlike the GDPR, the Swiss DSG fines natural persons (the responsible employees), with penalties of up to CHF 250,000. There is no turnover-based fine model as in the EU. The FDPIC can open investigations and issue orders. Zunapro supports online retailers with complete DSG compliance, from privacy policy drafting through cookie management to implementing technical and organizational measures.