Most important changes and translation

Background and translation

At its meeting on 31 August 2022, the Swiss Federal Council adopted the revised Data Protection Ordinance (nDPO), which contains the implementing provisions of the revised Data Protection Act (nDPA). A translated version of the nDPO in English can be found here. The Federal Council confirmed that the nDPA and the nDPO will enter into force as expected on 1 September 2023. Overall, the revised Swiss data protection law is aligned with the European General Data Protection Regulation (GDPR).

The following is an overview of the most important changes triggered by the nDPA and the nDPO:

Most important changes at a glance

1. Overall

The revised Swiss data protection law is a “GDPR-like” legislation.

2. Governance obligations

Like the GDPR, the nDPA and the nDPO now provide further governance obligations:

  1. Larger companies (i.e., those with more than 250 employees) that act as controllers or processors must keep a register of processing activities (comparable to the record of processing activities under the GDPR).
  2. The controller has a duty to report data security breaches to the Federal Data Protection and Information Commissioner, while processors have a duty to inform the controller.
  3. The controller has, under certain circumstances, an obligation to carry out data protection impact assessments.
  4. According to the nDPO (Article 4), the controller and processor have an obligation to keep logs of certain processing operations (Protokollierung) under certain circumstances.
  5. According to the nDPO (Article 5), the controller and processor have an obligation to draw up a processing policy (Bearbeitungsreglement) under certain circumstances.

3. Further similarities to the GDPR

Beyond the governance obligations, the nDPA and the nDPO share further features with the GDPR:

  1. The nDPA now also explicitly provides for an extraterritorial scope.
  2. Foreign companies that process the personal data of data subjects in Switzerland on a large scale must provide a representative in Switzerland (Article 14 of the nDPA).
  3. Under the nDPA, a processor may only transfer personal data to a third party (subcontractor) with the prior consent of the controller. The nDPO clarifies that it is sufficient if the controller has a right to object.
  4. In addition, unlike under the current DPA, data subjects must be informed of any collection of their personal data (general duty to inform), not only when sensitive data is being processed.
  5. The nDPA no longer protects the data of legal persons, but only the data of natural persons. In this respect, there is further alignment with the GDPR, which also only protects the data of natural persons.

4. Amendments compared to the current data protection law

  1. The terminology has changed, and the definition of personal data requiring special protection (sensitive personal data) now explicitly includes genetic and biometric data.
  2. The safeguards to ensure an appropriate level of data protection when personal data is transferred to countries with a lower data protection level than Switzerland have been slightly amended.
  3. The rights of the data subjects are somewhat broader.
  4. The Federal Data Protection and Information Commissioner has extended powers under the nDPA. It can issue processing bans and other rulings and may also conduct investigations.
  5. The professional duty of confidentiality contained in the DPA, which punishes anyone who intentionally discloses secret personal data that they became aware of in the course of their professional duties, has been extended.

Differences to the GDPR

There are still differences to the GDPR:

  1. The basic principles of Swiss data protection will not change: even under the nDPA, the processing of personal data is generally permissible and does not require specific justification. Consent to process personal data is still not required in most cases (unlike under the GDPR, where every processing operation requires a legal basis).
  2. The penalty provisions have been adapted under the nDPA: the maximum fine rises from CHF 10,000 under the current DPA to CHF 250,000. Under the GDPR, the maximum fine is EUR 20 million or, in the case of a company, up to 4% of its total annual worldwide turnover in the preceding business year, whichever is higher. Unlike under the GDPR, fines under the nDPA still target the responsible individuals rather than companies.

What should companies do?

Because of the key points mentioned above, companies need to take action. An analysis should be carried out promptly to determine where action is required. In particular, existing privacy statements and existing standard contractual clauses must be adapted to the new provisions. It is also advisable to train employees in handling personal data.

If you would like to assess whether you already comply with the revised law and identify potential gaps, check out the Swiss Compliance Check, our first tool of DIVA, the Data and Information Virtual Assistant, accessible here.

If you have any questions, please do not hesitate to reach out to any of the contacts from the Baker McKenzie Zurich Data Protection team.

Author

Johanna Moesch is an associate in the Firm’s Intellectual Property Practice Group in Zurich. Prior to joining Baker McKenzie she worked as an associate and senior associate in a major Zurich law firm, and before that as a law clerk in a Swiss district court. She was also a tutor and student research assistant at the University of Basel in the fields of public and private law. Johanna obtained an LL.M. degree from Tsinghua University (Beijing). She is a member of the International Association of Privacy Professionals (IAPP) and has been a Certified Information Privacy Professional/Europe (CIPP/E) since January 2021.

Author

Nadine Charrière is an associate in the Firm’s Intellectual Property and Technology Practice Group in Zurich. Nadine holds a Master’s degree in Law and Economics as well as in International Management. She gained practical experience in both the legal and business fields in Switzerland, Germany, Belgium and Japan before joining the Firm in 2019. She is a member of the International Association of Privacy Professionals (IAPP) and has been a Certified Information Privacy Professional/Europe (CIPP/E) since October 2021.