Privacy Policy Switzerland (Datenschutzerklärung)
PRIVACY POLICY
pursuant to the Federal Act on Data Protection (nDSG)
1. CONTROLLER
The controller responsible for the processing of personal data within the meaning of the nDSG is:
[Controller Name]
[Controller Address]
Email: [Controller Email]
Phone: [Controller Phone]
UID: [Controller UID]
Data protection advisor: [DPO Name] ([DPO Email])
2. SCOPE
This privacy policy applies to the processing of personal data of natural persons by [Controller Name] in the course of its business activities, its website and its contractual relationships. In accordance with Art. 19 nDSG, it informs data subjects about the nature, scope and purpose of the data processing and about their rights.
3. PERSONAL DATA COLLECTED
We process the following categories of personal data:
[Data Categories]
4. PURPOSE OF DATA PROCESSING
We process personal data for the following purposes:
[Processing Purposes]
Processing is carried out in compliance with the principles of proportionality, purpose limitation and transparency under Art. 6 nDSG.
5. RECIPIENTS AND PROCESSORS
We disclose personal data to the following categories of recipients:
[Recipient Categories]
Processors (Art. 9 nDSG):
[Processors]
We have concluded data processing agreements (Auftragsbearbeitungsverträge, AVV) under Art. 9 nDSG with all processors; these agreements ensure the protection of personal data.
6. RETENTION PERIOD
[Retention Policy]
Personal data is deleted or anonymised as soon as the purpose of processing ceases to apply and no statutory retention obligation exists.
7. RIGHTS OF DATA SUBJECTS
Under the nDSG, you have the following rights:
- Right of access (Art. 25 nDSG): You may request information on whether we process personal data about you and, if so, which data.
- Right to data disclosure or transfer (Art. 28 nDSG): You may request that your personal data be handed over in a commonly used electronic format.
- Right to rectification: You may request the correction of inaccurate personal data.
- Right to erasure: You may request the deletion of your personal data, provided no statutory retention obligation exists.
To exercise your rights, please contact: [Controller Email]
You also have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (EDÖB): www.edoeb.admin.ch
8. DATA SECURITY
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, misuse or destruction in accordance with Art. 8 nDSG and the DSV. These measures include, in particular, encryption, access restrictions, regular security reviews and staff training.
9. CHANGES
We reserve the right to amend this privacy policy at any time. The current version applies from the published date.
Valid from: [Effective Date]
Version: [Policy Version]
Verantwortlicher (Data Controller)
________________
Signature
What Is a Privacy Policy Switzerland (Datenschutzerklärung)?
A Privacy Policy Switzerland (Datenschutzerklärung) is a legally required document through which a data controller (Verantwortlicher) informs individuals (betroffene Personen) about the collection, processing, storage, and disclosure of their personal data (Personendaten), governed by the revised Federal Act on Data Protection (neues Datenschutzgesetz, nDSG) effective 1 September 2023 and the implementing Datenschutzverordnung (DSV) adopted by the Bundesrat. The nDSG replaced the original 1992 Datenschutzgesetz (DSG) with a modernised framework aligned with European data protection standards, particularly the EU General Data Protection Regulation (GDPR).
Article 19 nDSG establishes the Informationspflicht (duty to inform) — the cornerstone obligation requiring the Verantwortlicher to inform betroffene Personen at the time of data collection about: the identity and contact details of the Verantwortlicher, the purpose of data processing (Bearbeitungszweck), the categories of data recipients (Empfänger oder Kategorien von Empfängern), and, if personal data is transferred abroad (Bekanntgabe ins Ausland), the destination country and applicable safeguards. The Datenschutzerklärung is the primary instrument for fulfilling this Informationspflicht.
The nDSG applies to the processing of personal data of natural persons (natürliche Personen) by private persons (private Personen — individuals and legal entities) and federal bodies (Bundesorgane). Unlike the old DSG, the nDSG no longer protects the data of legal entities (juristische Personen). The law applies to data processing that has effects in Switzerland, regardless of where the processing occurs — the Auswirkungsprinzip (effects principle) under Article 3 paragraph 1 nDSG establishes extraterritorial jurisdiction similar to the GDPR.
The Eidgenössische Datenschutz- und Öffentlichkeitsbeauftragte (EDÖB — Federal Data Protection and Information Commissioner) is the independent supervisory authority for data protection in Switzerland, established under Article 43 nDSG. The EDÖB investigates data protection violations, issues recommendations, and may initiate administrative proceedings. Under the nDSG, the EDÖB received strengthened enforcement powers compared to the old DSG — including the authority to issue Verfügungen (binding orders) requiring the Verantwortlicher to cease or modify data processing operations. Criminal sanctions under Article 60 nDSG provide for fines of up to CHF 250,000 against responsible natural persons (not the company) for intentional violations of key obligations including the Informationspflicht, Auskunftsrecht, and duties regarding data transfers abroad.
The nDSG introduces several concepts previously absent from Swiss law. The Datenschutz-Folgenabschätzung (DSFA — data protection impact assessment) under Article 22 nDSG requires the Verantwortlicher to conduct an assessment before processing that poses a hohes Risiko (high risk) to the personality or fundamental rights of betroffene Personen — similar to the DPIA under GDPR Article 35. The Verzeichnis der Bearbeitungstätigkeiten (record of processing activities) under Article 12 nDSG must be maintained by every Verantwortlicher and Auftragsbearbeiter (data processor), with exemptions for enterprises with fewer than 250 employees whose data processing poses no high risk.
Data transfers abroad (Bekanntgabe von Personendaten ins Ausland) are regulated by Article 16 nDSG. Personal data may be transferred to countries whose legislation provides adequate data protection — the Bundesrat publishes the Staatenliste (list of countries with adequate protection) in Annex 1 of the DSV. For transfers to countries without adequate protection, the Verantwortlicher must implement geeignete Garantien (appropriate safeguards) — typically Standarddatenschutzklauseln (standard contractual clauses) published by the EDÖB or recognised by the Bundesrat, binding corporate rules (verbindliche unternehmensinterne Datenschutzvorschriften), or explicit consent (ausdrückliche Einwilligung) of the betroffene Person.
When Do You Need a Privacy Policy Switzerland (Datenschutzerklärung)?
A Privacy Policy Switzerland is required whenever a Verantwortlicher (data controller) — whether a company, association, sole proprietor, or other private person — collects or processes personal data (Personendaten) of natural persons (natürliche Personen). Article 19 nDSG mandates the Informationspflicht (duty to inform) for every data collection event, and the Datenschutzerklärung is the standard instrument for fulfilling this obligation.
A Datenschutzerklärung is needed when a company operates a website or mobile application that collects user data — through contact forms, registration processes, newsletter subscriptions, web analytics (Google Analytics, Matomo, Adobe Analytics), cookies, or social media integrations. The Datenschutzerklärung must be prominently accessible on the website, typically through a permanent footer link.
The policy is required when an employer (Arbeitgeber) collects and processes employee data — payroll data (Lohndaten), AHV-Nr., health data for Krankentaggeldversicherung, performance evaluations (Mitarbeiterbeurteilungen), and video surveillance (Videoüberwachung) of the workplace. The employer's Datenschutzerklärung for employees must comply with both the nDSG and the specific provisions of Article 328b OR on data processing in the employment context.
A Datenschutzerklärung is needed when a company shares personal data with third parties — service providers (Auftragsbearbeiter such as cloud hosting providers, payroll processors, IT support companies), group companies (Konzerngesellschaften), authorities (Behörden), or commercial partners. The Datenschutzerklärung must disclose the categories of recipients under Article 19 paragraph 2 lit. c nDSG.
The policy is required when personal data is transferred abroad (Bekanntgabe ins Ausland) — the Datenschutzerklärung must disclose the destination country and the applicable Garantien (safeguards) under Article 19 paragraph 4 nDSG.
Under the nDSG, the DSV, and applicable EDÖB guidance, every organisation processing personal data in Switzerland must maintain an up-to-date Datenschutzerklärung that transparently communicates its data processing practices to betroffene Personen.
What to Include in Your Privacy Policy Switzerland (Datenschutzerklärung)
A valid Privacy Policy Switzerland under the revised Federal Act on Data Protection (nDSG) effective 1 September 2023, the Datenschutzverordnung (DSV), and EDÖB guidance must contain the following essential elements to satisfy the Informationspflicht under Article 19 nDSG.
Identity of the Data Controller (Verantwortlicher): The full legal name, business address, and contact details (email, phone) of the Verantwortlicher — the natural or legal person who determines the purposes and means of data processing. If the Verantwortlicher has appointed a Datenschutzberater/in (data protection advisor — the Swiss equivalent of a DPO under Article 10 nDSG), their contact details should be stated. For companies with no establishment in Switzerland but processing data with effects in Switzerland, a Vertretung in der Schweiz (Swiss representative) must be designated under Article 14 nDSG.
Purposes of Processing (Bearbeitungszwecke): A clear and specific description of each purpose for which personal data is processed — contract performance (Vertragserfüllung), pre-contractual measures (vorvertragliche Massnahmen), legitimate interests (überwiegende Interessen), legal obligations (gesetzliche Pflichten), consent (Einwilligung), and protection of vital interests. The nDSG does not use the GDPR's concept of Rechtsgrundlage (legal basis) in the same structured way — instead, Article 6 paragraph 2 nDSG establishes that data processing must comply with the Grundsätze (principles) of proportionality (Verhältnismässigkeit), purpose limitation (Zweckbindung), and transparency (Transparenz).
Categories of Personal Data: Description of the types of personal data collected — Personenstammdaten (master data — name, address, date of birth), Kontaktdaten (contact data — email, phone), Vertragsdaten (contract data), Finanzdaten (financial data — bank details, payment history), Nutzungsdaten (usage data — IP address, browser type, access logs), and any besonders schützenswerte Personendaten (sensitive personal data — health data, religious beliefs, ethnic origin, biometric data, criminal records) as defined in Article 5 lit. c nDSG.
Data Recipients (Empfänger): Categories of third parties who receive personal data — Auftragsbearbeiter (data processors — cloud hosting providers such as Microsoft Azure, Amazon Web Services, Google Cloud), Konzerngesellschaften (group companies), Behörden (public authorities — AHV-Ausgleichskasse, Steuerbehörden, FINMA), Banken und Versicherungen, and other contractual partners.
International Data Transfers (Bekanntgabe ins Ausland): Disclosure of destination countries, adequacy status per Bundesrat Staatenliste (DSV Annex 1), and applicable safeguards for non-adequate countries — Standarddatenschutzklauseln, verbindliche unternehmensinterne Datenschutzvorschriften, or consent of the betroffene Person under Article 17 paragraph 1 nDSG.
Data Retention (Aufbewahrungsdauer): The criteria for determining how long personal data is retained — typically linked to contractual necessity, statutory retention obligations (handelsrechtliche Aufbewahrungspflicht of 10 years under OR Article 958f for business records, steuerrechtliche Aufbewahrungspflicht under the DBG), and the purposes of processing.
Rights of Data Subjects (Betroffenenrechte): Under the nDSG, betroffene Personen have: Auskunftsrecht (right of access under Article 25 nDSG), Recht auf Datenherausgabe oder -übertragung (right to data portability under Article 28 nDSG), Recht auf Berichtigung (right to rectification), and the right to object to processing. The Datenschutzerklärung must explain how betroffene Personen can exercise these rights and inform them of the right to lodge a complaint with the EDÖB.
Cookies and Web Analytics: For website operators, specific disclosure of cookies and tracking technologies used — session cookies (Sitzungscookies), persistent cookies (dauerhafte Cookies), third-party cookies (Drittanbieter-Cookies), and web analytics tools. Under the nDSG and the Fernmeldegesetz (FMG) Article 45c, the use of cookies that are not strictly necessary requires transparent information.
Forms-legal.com provides this Privacy Policy Switzerland template as a practical starting point. The nDSG interacts with sector-specific regulations including the Fernmeldegesetz (FMG), the Arbeitsrecht (OR Article 328b), and potentially the EU GDPR for cross-border processing — every Verantwortlicher should consult a licensed Datenschutzanwalt or Datenschutzberater and review current EDÖB guidance before publishing a Datenschutzerklärung.
How to Fill Out Your Privacy Policy Switzerland (Datenschutzerklärung)
To complete the Privacy Policy Switzerland template, work through each section systematically. In the data controller section, enter the exact legal name and UID number. For GDPR-overlapping situations, check if an EU representative is also required. For data categories, be specific — list all actual data types collected. For international transfers, verify each recipient's country against the DSV Annex 1 Staatenliste; for non-listed countries (e.g., USA), specify the applicable safeguard (usually EU Standard Contractual Clauses with Swiss amendments). For retention periods, check the 10-year commercial records rule under OR Art. 958f. Update the effective date whenever the policy is revised.
Legal Requirements for Privacy Policy Switzerland (Datenschutzerklärung)
The Swiss Datenschutzerklärung is governed by the nDSG (SR 235.1) effective 1 September 2023, the DSV, and EDÖB guidance. Key requirements: Informationspflicht (Art. 19 nDSG) at time of data collection; Bearbeitungsgrundsätze (Art. 6 nDSG — proportionality, purpose limitation, transparency); criminal fines up to CHF 250,000 against responsible natural persons for intentional violations (Art. 60 nDSG); DSFA required for high-risk processing (Art. 22 nDSG); records of processing activities required (Art. 12 nDSG); international transfer rules (Art. 16-17 nDSG); EDÖB supervisory authority (Art. 43 nDSG). Companies also subject to GDPR for EU/EEA data subjects must comply with both frameworks simultaneously.
Common Mistakes to Avoid in Your Privacy Policy Switzerland (Datenschutzerklärung)
Common mistakes in Swiss Privacy Policies: failing to update the policy after the nDSG came into force on 1 September 2023; omitting the EDÖB complaint right; not listing all third-party data processors (Auftragsbearbeiter); missing Bearbeitungsverzeichnis (record of processing activities) under Art. 12 nDSG; using overly vague purpose descriptions that do not meet the specificity requirement of Art. 19 nDSG; forgetting to specify safeguards for transfers to non-Staatenliste countries; not addressing cookie consent in line with the Fernmeldegesetz (FMG) Art. 45c.
Sources & Citations
Statutory citations link to official government sources.
- GDPR Article 35 (EU – GDPR)
- OR Art. 958f (CH official)
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Privacy Policy Switzerland (Datenschutzerklärung) (Switzerland) [Legal document template]. Forms Legal. https://forms-legal.com/switzerland/business/policies/privacy-policy-switzerland
"Privacy Policy Switzerland (Datenschutzerklärung) (Switzerland)." Forms Legal, 2026, https://forms-legal.com/switzerland/business/policies/privacy-policy-switzerland.
@misc{formslegal-privacy-policy-switzerland,
author = {{Forms Legal}},
title = {Privacy Policy Switzerland (Datenschutzerklärung) (Switzerland)},
year = {2026},
howpublished = {\url{https://forms-legal.com/switzerland/business/policies/privacy-policy-switzerland}},
note = {Free legal document template}
}
Frequently Asked Questions
The revised Federal Act on Data Protection (nDSG) introduces criminal sanctions under Articles 60-66 nDSG that differ significantly from the GDPR's administrative fine model. Under the nDSG, fines of up to CHF 250,000 are imposed on responsible natural persons (natürliche Personen) — not on the company itself — for intentional (vorsätzliche) violations of key obligations. Punishable violations include: breach of the Informationspflicht (duty to inform under Article 19 nDSG), failure to comply with the Auskunftsrecht (right of access under Article 25 nDSG), violation of duties regarding data transfers abroad, failure to comply with EDÖB orders (Verfügungen), and breach of professional secrecy obligations (berufliche Schweigepflicht under Article 62 nDSG). The prosecution of criminal violations falls under cantonal jurisdiction — the competent authority is the cantonal Staatsanwaltschaft. Negligent violations are generally not punishable under the nDSG.
While the nDSG was modernised to align with European data protection standards, several key differences distinguish it from the GDPR. First, the nDSG's criminal sanctions target responsible natural persons with fines up to CHF 250,000 for intentional violations — the GDPR imposes administrative fines on companies of up to EUR 20 million or 4% of global turnover. Second, the nDSG does not require a formal Rechtsgrundlage (legal basis) for each processing activity in the GDPR sense. Third, the nDSG does not generally require Einwilligung (consent) as a prerequisite for processing. Fourth, the nDSG applies only to data of natural persons — the old DSG also protected data of legal entities. Fifth, the appointment of a Datenschutzberater (data protection advisor) under Article 10 nDSG is voluntary — unlike the GDPR's mandatory DPO appointment in certain cases. Sixth, the EDÖB's enforcement powers, while strengthened, remain less extensive than EU supervisory authorities.
Under Article 10 nDSG, the appointment of a Datenschutzberater/in (data protection advisor) is voluntary (freiwillig) for private Verantwortliche — unlike the GDPR, which mandates a DPO in certain circumstances. However, the nDSG creates a strong incentive for voluntary appointment: under Article 23 paragraph 4 nDSG, a Verantwortlicher who has appointed a Datenschutzberater and published their contact details may be exempt from the obligation to consult the EDÖB when a DSFA reveals a residual high risk — the Verantwortlicher may instead consult the internal Datenschutzberater. The DSV (Articles 23-25) specifies the Datenschutzberater's duties: advising the Verantwortlicher on data protection matters, training employees, participating in DSFAs, and serving as the contact point for betroffene Personen and the EDÖB. For federal bodies (Bundesorgane), the appointment of a Datenschutzberater is mandatory under Article 10 paragraph 2 nDSG.
The nDSG grants betroffene Personen (data subjects) several fundamental rights. The Auskunftsrecht (right of access) under Article 25 nDSG entitles every person to request and receive information about whether their personal data is being processed, and if so, all information necessary to assert their data protection rights — including the identity of the Verantwortlicher, processing purposes, categories of data, recipients, and retention periods. The Verantwortlicher must respond within 30 days and generally free of charge. The Recht auf Datenherausgabe oder -übertragung (right to data portability) under Article 28 nDSG entitles the betroffene Person to receive their personal data in a commonly used electronic format. The Recht auf Berichtigung allows correction of inaccurate data. While the nDSG does not include an explicit Recht auf Löschung equivalent to GDPR Article 17, the general principles of proportionality and purpose limitation under Article 6 nDSG require deletion when data is no longer necessary.
Article 22 nDSG requires the Verantwortlicher to conduct a Datenschutz-Folgenabschätzung (DSFA) before commencing data processing that is likely to result in a hohes Risiko (high risk) to the Persönlichkeit (personality) or Grundrechte (fundamental rights) of betroffene Personen. High risk may arise from: systematic and extensive evaluation of personal aspects (Profiling with hohes Risiko), large-scale processing of sensitive personal data (health data, biometric data, criminal records), systematic monitoring of publicly accessible areas (Videoüberwachung), or use of new technologies whose impact on personality rights is not yet fully understood. If the DSFA reveals that the planned processing still poses a hohes Risiko despite mitigation measures, the Verantwortlicher must consult the EDÖB under Article 23 nDSG — unless a Datenschutzberater has been appointed, in which case the internal Datenschutzberater may be consulted instead.
Cross-border data transfers (Bekanntgabe von Personendaten ins Ausland) are regulated by Articles 16 and 17 nDSG. Personal data may be transferred freely to countries that the Bundesrat has determined provide adequate data protection — the Staatenliste is published in Annex 1 of the Datenschutzverordnung (DSV) and includes all EU/EEA member states, the United Kingdom, Canada, Argentina, Israel, Japan, New Zealand, South Korea, and Uruguay among others. For transfers to countries not on the Staatenliste — notably the United States — the Verantwortlicher must implement geeignete Garantien (appropriate safeguards) under Article 16 paragraph 2 nDSG. Acceptable safeguards include: Standarddatenschutzklauseln (the EDÖB has recognised the EU Standard Contractual Clauses with Swiss-specific amendments as an adequate safeguard), verbindliche unternehmensinterne Datenschutzvorschriften (binding corporate rules approved by the EDÖB), or ausdrückliche Einwilligung (explicit consent) of the betroffene Person. The Datenschutzerklärung must disclose all international transfers, destination countries, and applicable safeguards.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.