Switzerland's revised Federal Act on Data Protection (nDSG) entered into force in September 2023. Yet practical compliance, as opposed to paper compliance, remains elusive for a significant portion of Swiss organisations. This article examines the most common gaps identified in recent compliance assessments and offers a framework for addressing them.
The Records of Processing Activities Gap
Article 12 of the nDSG requires organisations to maintain records of their data processing activities. In practice, many companies have created a static document that was accurate at the time of drafting but has not kept pace with the introduction of new SaaS tools, vendor relationships, or internal processes. A record that is six months out of date is worse than no record: it creates a false sense of compliance.
Third-Country Transfers: The Persistent Blind Spot
Every time a Swiss company sends personal data to a jurisdiction that Switzerland has not recognised as offering adequate protection (which includes most of the world outside the EU/EEA and a short list of approved countries), an appropriate safeguard must be in place. Standard contractual clauses (SCCs), binding corporate rules, or specific FDPIC-approved mechanisms are required.
Data Protection Impact Assessments
The nDSG introduces a mandatory Data Protection Impact Assessment (DPIA) obligation for high-risk processing activities. Many organisations are unaware of what constitutes high risk under Swiss law, or have conducted assessments that are superficial and would not withstand scrutiny.
◆ Key Takeaway
Compliance with the nDSG is not a one-time project. It requires ongoing governance, designated accountability, and integration into your organisation's change management processes.