DSG/FADP Compliance Guide for Swiss Companies
A Comprehensive Reference by Mont Virtua
March 2026 Edition
This guide is published by Mont Virtua GmbH as an educational resource. It does not constitute legal advice. Organizations should consult qualified legal counsel for specific compliance questions. All article references are to the Federal Act on Data Protection (DSG/FADP, SR 235.1) and its Ordinance (DSV/DPV, SR 235.11) unless otherwise noted.
Table of Contents
- Introduction: Why DSG Compliance Matters Now
- Scope: Who Is Covered
- Key Definitions
- The Seven Principles of Data Processing
- Information Obligations (Art. 19-21)
- Data Subject Rights (Art. 25-29)
- Data Security (Art. 8)
- Privacy by Design and Default (Art. 7)
- Data Processing Agreements (Art. 9)
- Cross-Border Data Transfers (Art. 16-17)
- Record of Processing Activities (Art. 12)
- Data Protection Impact Assessments (Art. 22)
- Data Breach Notification (Art. 24)
- The Data Protection Advisor (Art. 10)
- Automated Individual Decisions (Art. 21)
- Criminal Penalties (Art. 60-66)
- DSG vs. GDPR: Key Differences
- Industry-Specific Considerations
- Compliance Checklist
- How Mont Virtua Can Help
1. Introduction: Why DSG Compliance Matters Now
The revised Swiss Federal Act on Data Protection (nDSG/revDSG, SR 235.1) entered into force on September 1, 2023. It replaced the 1992 data protection law and aligned Swiss data protection standards closer to the EU’s GDPR while retaining distinctly Swiss characteristics.
Two and a half years after implementation, enforcement is maturing. The Federal Data Protection and Information Commissioner (FDPIC/EDOB) has increased supervisory activity. Several companies have received formal recommendations. The first criminal complaints under the new penalty provisions have been filed.
Key facts for 2026:
- The FDPIC opened 43% more formal inquiries in 2025 than in 2024 (FDPIC Annual Report 2025).
- Criminal penalties apply to individuals, not companies. Maximum: CHF 250,000 (Art. 60-66).
- The EU adequacy decision for Switzerland (essential for cross-border data flows) depends on continued DSG enforcement alignment with GDPR standards.
- Companies using AI systems face additional obligations under Art. 21 (automated individual decisions) and Art. 22 (data protection impact assessments for high-risk processing).
This guide covers every obligation a Swiss company must understand.
2. Scope: Who Is Covered
2.1 Material Scope (Art. 2)
The DSG applies to the processing of personal data by:
- Private persons (individuals and legal entities, including GmbHs, AGs, associations)
- Federal bodies (federal government agencies)
The DSG does NOT apply to:
- Processing of personal data by a natural person exclusively for personal use (Art. 2(2)(a))
- Processing by the Federal Assembly and parliamentary committees (Art. 2(2)(b))
- Processing by the recipient of diplomatic protection (Art. 2(2)(c))
2.2 Territorial Scope (Art. 3(1))
The DSG applies to facts that produce effects in Switzerland, even if they occur abroad. A foreign company processing data about persons in Switzerland falls within scope if the processing produces effects in Switzerland.
2.3 Practical Application
Every Swiss company that processes personal data (employee data, customer data, website visitor data, supplier data) is covered. There are no size thresholds or exemptions for SMEs.
3. Key Definitions (Art. 5)
| Term | DSG Definition | Practical Meaning |
|---|---|---|
| Personal data | All information relating to an identified or identifiable natural person | Name, email, IP address, customer number, health data, behavioral data |
| Sensitive personal data | Data on religious/philosophical/political/trade union views; health data; genetic/biometric data; data on administrative/criminal proceedings; social assistance data | Requires enhanced protection. Explicit consent or legal basis needed for processing. |
| Processing | Any operation with personal data, regardless of means: collecting, storing, using, modifying, disclosing, archiving, destroying | Virtually everything a company does with personal data |
| Controller | The person who alone or jointly determines the purposes and means of processing | The company that decides WHY and HOW data is processed |
| Processor | The person who processes personal data on behalf of the controller | Cloud providers, SaaS vendors, outsourced payroll, etc. |
| Profiling | Any form of automated processing of personal data consisting of using personal data to evaluate certain personal aspects | AI-driven customer scoring, automated risk assessment, behavioral analysis |
| Profiling with high risk | Profiling that leads to a profile that allows assessment of essential aspects of a person’s personality | Comprehensive behavioral profiling, credit scoring, health risk assessment |
4. The Seven Principles of Data Processing (Art. 6)
Every processing activity must comply with ALL seven principles:
Principle 1: Lawfulness (Art. 6(1))
Personal data must be processed lawfully. Processing is unlawful if it violates a legal prohibition, if it constitutes a breach of personality rights, or if it is conducted without a valid justification ground.
Justification grounds (Art. 31):
- Consent of the data subject
- Overriding private or public interest
- Legal obligation
- Performance of a contract
Principle 2: Good Faith (Art. 6(2))
Processing must be carried out in good faith. This means: no deceptive practices, no hidden data collection, no exploitation of trust relationships. The data subject’s reasonable expectations matter.
Principle 3: Proportionality (Art. 6(2))
Data processing must be proportionate to its purpose. Collect only what is necessary. Process only what is needed. Retain only as long as required.
Practical test: For each data field you collect, ask: “What happens if we remove this field?” If the answer is “nothing changes,” you are collecting disproportionately.
Principle 4: Purpose Limitation (Art. 6(3))
Personal data may only be collected for specific purposes apparent to the data subject and may only be processed in a manner compatible with those purposes.
Example: Email addresses collected for newsletter delivery cannot be shared with a marketing partner for advertising without additional consent.
Principle 5: Accuracy (Art. 6(5))
Anyone processing personal data must ensure that the data is accurate. They must take all reasonable measures to ensure that data that is inaccurate or incomplete in view of the purpose of processing is corrected or deleted.
Principle 6: Storage Limitation (Art. 6(4))
Personal data must be destroyed or anonymized as soon as it is no longer needed for the purpose of processing. Retention beyond necessity requires justification.
Practical implication: Every company needs a data retention schedule mapping data categories to retention periods with legal justification.
Principle 7: Data Security (Art. 8)
The controller and processor must ensure appropriate data security through technical and organizational measures. See Section 7 for detail.
5. Information Obligations (Art. 19-21)
5.1 What Must Be Disclosed (Art. 19)
When collecting personal data, the controller must inform the data subject of:
| Disclosure | Article | Example |
|---|---|---|
| Identity and contact details of the controller | Art. 19(2)(a) | “Mont Virtua GmbH, Bahnhofstrasse 20, 6300 Zug” |
| Processing purpose | Art. 19(2)(b) | “To provide you with our legal research service” |
| Recipients or categories of recipients | Art. 19(2)(c) | “Your data is shared with Supabase (database hosting) and Exoscale (infrastructure)” |
| Countries of data transfer + safeguards | Art. 19(2)(d) | “Data is stored in Switzerland. No international transfers.” |
| If data not collected from the subject: the source | Art. 19(3) | “We obtained your contact information from the Swiss commercial register (SHAB)” |
| Existence of automated individual decisions | Art. 21(1) | “Our platform uses AI to generate search results. No automated decisions affecting your rights are made.” |
| Right of access exists | Art. 19(2)(e) (implied) | “You have the right to request access to your data” |
5.2 When Must It Be Disclosed
- Data collected from the subject: At the time of collection (Art. 19(1))
- Data obtained from third parties: Within one month of obtaining the data, or at the latest when the data is first disclosed to a third party (Art. 19(4))
5.3 Exceptions (Art. 20)
Information obligations do not apply when:
- The data subject already has the information (Art. 20(1)(a))
- Processing is prescribed by law (Art. 20(1)(b))
- Providing information is impossible or requires disproportionate effort (Art. 20(1)(c))
- Collection is prescribed by law and the controller is subject to professional secrecy (Art. 20(2))
5.4 Privacy Policy Requirements
A compliant privacy policy must include all Art. 19 disclosures. For websites, this means:
- Accessible from every page (footer link)
- Available in the language of the website
- Covers all data processing activities (cookies, forms, analytics, third-party integrations)
- Names all processors and their countries
- States retention periods per data category
- Describes data subject rights and how to exercise them
- Names the FDPIC as the supervisory authority
- Dated (last update visible)
6. Data Subject Rights (Art. 25-29)
6.1 Right of Access (Art. 25-27)
Every person can request from any controller:
- Whether personal data about them is being processed (Art. 25(2)(a))
- All information necessary to assert their rights under the DSG (Art. 25(2)(b))
Specifically, the controller must disclose:
- The identity of the controller
- The personal data processed
- The processing purpose
- The retention period
- The origin of data (if not collected from the subject)
- Automated individual decisions (logic involved)
- Recipients or categories of recipients
Response deadline: 30 days from receipt of the request (Art. 25(6)). Cost: Free of charge in principle. Reasonable contribution may be charged for manifestly unfounded or excessive requests (Art. 25(7)).
6.2 Right to Data Portability (Art. 28)
The data subject can request that their personal data be provided in a commonly used electronic format, or that it be transferred to another controller, provided:
- The controller processes the data automatically
- The data was provided by the data subject (directly or through use of a service)
6.3 Right to Rectification, Deletion, and Objection
| Right | Article | What It Means |
|---|---|---|
| Rectification | Art. 32(1) | Request correction of inaccurate data |
| Deletion | Art. 32(2)(c) | Request destruction of data no longer needed |
| Objection to processing | Art. 30(2)(b) | Object to processing based on overriding interest |
7. Data Security (Art. 8)
7.1 Legal Requirement
The controller and processor must ensure appropriate data security through technical and organizational measures appropriate to the risk (Art. 8(1)).
The DSV (Ordinance, Art. 1-5) specifies that measures must protect against:
- Unauthorized or accidental destruction
- Accidental loss
- Technical faults
- Falsification, theft, or unlawful use
- Unauthorized alteration, copying, access, or other unauthorized processing
7.2 Technical Measures
| Measure | Minimum Standard | Best Practice |
|---|---|---|
| Encryption in transit | TLS 1.2+ for all connections | TLS 1.3, HSTS, certificate pinning |
| Encryption at rest | AES-256 for databases and backups | Full-disk encryption, key management |
| Access control | Role-based access, unique credentials | MFA, principle of least privilege, JIT access |
| Logging | Access logs retained 1 year | SIEM, anomaly detection |
| Backup | Regular backups, tested restoration | Immutable backups, geographic redundancy |
| Vulnerability management | Regular patching | Continuous scanning, penetration testing |
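The "encryption in transit" row above is the one that is easiest to verify in code. The following is an added example (not from the guide, and not Mont Virtua's tooling): a Python client TLS context that meets the stated minimum (TLS 1.2 or newer, with certificates verified) next to a deliberately weakened one, and an audit function that reports which of those settings a given context lacks. It uses only the standard library `ssl` module; the finding strings and function names are this example's own.

```python
"""TLS client configuration audit (added example, not part of the guide)."""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Context meeting the 'encryption in transit' minimum standard."""
    ctx = ssl.create_default_context()            # CA-verified, hostname-checked
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 and 1.1 explicitly
    ctx.options |= ssl.OP_NO_COMPRESSION          # no TLS-level compression
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Context with settings an audit should reject (for comparison only)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE               # accepts any certificate at all
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever OpenSSL allows
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the list of findings; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS compression not disabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(name, audit_context(ctx) or "passes")
```

The same four checks can be applied to any context an application builds for outbound connections (database drivers, webhooks, SaaS APIs), which is a cheap way to turn the table's "minimum standard" into a unit test rather than a policy statement.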
7.3 Organizational Measures
| Measure | Description |
|---|---|
| Data protection policy | Internal policy document, approved by management |
| Employee training | Annual training on data protection obligations |
| Incident response plan | Documented procedure for data breaches |
| Vendor management | DPA with every processor, annual review |
| Data classification | Categories with handling rules per sensitivity level |
| Clean desk / clear screen | Physical and digital workspace policies |
8. Privacy by Design and Default (Art. 7)
8.1 Privacy by Design (Art. 7(1))
The controller must design the processing from the outset so that data protection principles and processing rules are complied with. This means considering data protection in every system design, process design, and procurement decision.
8.2 Privacy by Default (Art. 7(2))
The controller must ensure, by way of appropriate default settings, that the processing of personal data is limited to the minimum required for the intended purpose, unless the data subject provides otherwise.
Practical implications:
- Cookie consent banners must default to “reject all” or “only necessary” (not pre-checked marketing cookies)
- Social media sharing buttons must not load tracking scripts until explicitly activated
- Analytics tools must anonymize IP addresses by default
- Registration forms must not pre-check optional consent boxes
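The four implications above share one mechanism: nothing optional happens until the data subject opts in, and whatever does happen is minimised. The following is an added example, not from the guide and not Mont Virtua's code, of how a website backend can enforce that in Python: a consent record is evaluated server-side, an absent or malformed record yields the "necessary only" state, only an explicit boolean opt-in unlocks a script category, and client IPs are truncated before they reach analytics storage. The category names, the /24 and /48 truncation policy, and the sample consent strings are constructed assumptions.

```python
"""Privacy-by-default consent gate and IP truncation (added example, not part of the guide)."""
import ipaddress
import json
from typing import Optional

NECESSARY = "necessary"
# Constructed category names; a real site would map these to its script tags.
OPTIONAL_CATEGORIES = frozenset({"analytics", "marketing", "social_embeds"})


def allowed_categories(consent_cookie: Optional[str]) -> frozenset:
    """Return the script categories the page may load for this visitor.

    Only 'necessary' is ever granted without an explicit, well-formed opt-in:
    the Art. 7(2) default, with nothing pre-checked on the visitor's behalf.
    """
    granted = {NECESSARY}
    if not consent_cookie:
        return frozenset(granted)            # no banner interaction yet: reject all
    try:
        record = json.loads(consent_cookie)
    except ValueError:
        return frozenset(granted)            # malformed consent counts as no consent
    if not isinstance(record, dict):
        return frozenset(granted)
    for category, choice in record.items():
        # Only a literal JSON true counts; "1", "yes" or a missing key do not.
        if category in OPTIONAL_CATEGORIES and choice is True:
            granted.add(category)
    return frozenset(granted)


def anonymize_ip(raw_ip: str) -> str:
    """Truncate an address before it is stored: IPv4 keeps /24, IPv6 keeps /48 (assumed policy)."""
    addr = ipaddress.ip_address(raw_ip.strip())
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def analytics_event(consent_cookie: Optional[str], client_ip: str, path: str) -> Optional[dict]:
    """Build the analytics record, or None when analytics was not opted into.

    Even with consent, the IP is truncated: the minimum needed for site statistics
    is the network, not the individual address.
    """
    if "analytics" not in allowed_categories(consent_cookie):
        return None
    return {"path": path, "client": anonymize_ip(client_ip)}


if __name__ == "__main__":
    # Constructed sample inputs.
    print(allowed_categories(None))
    print(allowed_categories('{"analytics": true, "marketing": "yes"}'))
    print(analytics_event('{"analytics": true}', "203.0.113.77", "/pricing"))
```

Evaluating consent on the server rather than in the banner script is what keeps the default honest: a tracking tag that is only conditionally rendered into the HTML cannot load before activation, whereas a tag that is always present and merely told to wait can still fire on a scripting error.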
9. Data Processing Agreements (Art. 9)
9.1 When Required
Whenever a controller engages a processor (a third party that processes personal data on the controller’s behalf), a data processing agreement (DPA) is required (Art. 9(1)).
9.2 Required Content
The DPA must ensure that the processor:
- Processes data only as instructed by the controller (Art. 9(1)(a))
- Ensures data security (Art. 9(2))
- Does not engage sub-processors without prior approval (Art. 9(3))
- Assists the controller with data subject rights and breach notification
9.3 Sub-Processor Requirements
If the processor engages sub-processors, it must:
- Obtain prior specific or general authorization from the controller (Art. 9(3))
- Ensure the sub-processor is bound by equivalent obligations
- Notify the controller of changes to sub-processors (in case of general authorization)
10. Cross-Border Data Transfers (Art. 16-17)
10.1 General Rule
Personal data may be disclosed abroad if the Federal Council has determined that the legislation of the destination country ensures adequate protection (Art. 16(1)).
Countries with adequate protection: Listed on the FDPIC website. Currently includes EU/EEA member states, UK, Canada, Israel, Japan, New Zealand, Uruguay, and others.
10.2 Transfers Without Adequacy
If the destination country does not have an adequacy decision, the transfer requires safeguards (Art. 16(2)):
| Safeguard | Article | Common Use |
|---|---|---|
| International treaty or agreement | Art. 16(2)(a) | Government-to-government |
| Standard data protection clauses (SCCs) | Art. 16(2)(d) | Most common for commercial transfers |
| Binding corporate rules (BCRs) | Art. 16(2)(c) | Intra-group transfers |
| Specific contractual clauses | Art. 16(2)(b) | Bespoke arrangements |
| Consent | Art. 17(1)(a) | As last resort |
10.3 The US Problem
The United States does not have an adequacy decision from Switzerland. Transfers to US companies require:
- SCCs or equivalent contractual safeguards
- Assessment of the effectiveness of those safeguards in light of US surveillance law
- Supplementary measures where needed (encryption, pseudonymization)
The CLOUD Act complicates this further: US companies can be compelled by US government to disclose data regardless of where it is stored. Contractual safeguards cannot override federal law.
Practical advice: Minimize data transfers to the US. Where unavoidable, implement SCCs + supplementary measures. Document the risk assessment. For sensitive data in regulated industries, use Swiss or EU-hosted alternatives.
11. Record of Processing Activities (Art. 12)
11.1 Who Must Maintain One
The controller and processor must each maintain a record of processing activities (Art. 12(1)).
Exemption (Art. 12(5)): Companies with fewer than 250 employees are exempt UNLESS their processing involves sensitive personal data on a large scale or constitutes high-risk profiling. In practice, most companies that handle employee health data or customer financial data should maintain a record regardless of size.
11.2 Required Content (Controller)
| Field | Description |
|---|---|
| Controller identity | Name and contact details of the controller and of the Data Protection Advisor |
| Processing purposes | Each purpose separately identified |
| Categories of data subjects | Employees, customers, website visitors, etc. |
| Categories of personal data | Contact data, financial data, health data, etc. |
| Categories of recipients | Internal departments, processors, authorities |
| Retention periods | Per data category, with justification |
| Security measures | General description of the technical and organizational measures (TOM) |
| Cross-border transfers | Countries, safeguards |
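The "Retention periods" row of this record, and the retention schedule Principle 6 calls for in Section 4, are only useful if something actually acts on them. The following is an added example, not from the guide and not Mont Virtua's tooling, of a Python retention-schedule evaluator: each data category maps to a retention period with a written legal basis, each record carries the date its processing purpose ended, and the evaluator reports which records are due for destruction or anonymization. It also models the conflict described for Treuhänder in Section 18: a statutory retention duty recorded on the record keeps the data beyond the schedule, with that basis documented in the output. All categories, periods, legal bases and sample records are constructed placeholders, not figures the guide states.

```python
"""Retention schedule evaluator (added example, not part of the guide)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Action(Enum):
    RETAIN = "retain"
    DESTROY = "destroy"        # Art. 6(4): destroy ...
    ANONYMIZE = "anonymize"    # ... or anonymize once no longer needed


@dataclass(frozen=True)
class RetentionRule:
    retention_days: int   # how long the data is still needed after the purpose ends
    legal_basis: str      # written justification, so the schedule is auditable
    end_action: Action    # what happens when the period expires


# Constructed sample schedule; periods and bases are hypothetical placeholders.
SCHEDULE = {
    "newsletter_subscriber": RetentionRule(0, "consent; removed on withdrawal", Action.DESTROY),
    "customer_contract": RetentionRule(10 * 365, "statutory bookkeeping retention (placeholder)", Action.DESTROY),
    "support_ticket": RetentionRule(365, "contract performance; one year for follow-ups (placeholder)", Action.DESTROY),
    "web_analytics": RetentionRule(90, "overriding interest in site statistics (placeholder)", Action.ANONYMIZE),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    purpose_ended_on: date                    # contract end, unsubscribe date, last visit, ...
    legal_hold_until: Optional[date] = None   # statutory duty (e.g. GwG) that outlasts the schedule


def decide(record: Record, today: date) -> tuple:
    """Return (Action, reason) for one record as of `today`."""
    rule = SCHEDULE.get(record.category)
    if rule is None:
        # An unmapped category is itself a gap: Art. 6(4) cannot be applied
        # without a documented retention period for that category.
        raise KeyError(f"no retention rule for category {record.category!r}")
    due = record.purpose_ended_on + timedelta(days=rule.retention_days)
    if today < due:
        return Action.RETAIN, f"needed until {due.isoformat()}: {rule.legal_basis}"
    if record.legal_hold_until is not None and today <= record.legal_hold_until:
        # Statutory retention overrides the schedule; the basis is recorded here.
        return Action.RETAIN, f"statutory retention until {record.legal_hold_until.isoformat()}"
    return rule.end_action, f"retention period ended {due.isoformat()}: {rule.legal_basis}"


def due_actions(records: list, today: date) -> list:
    """List (record_id, Action, reason) for records on which an end-of-life action is due."""
    result = []
    for record in records:
        action, reason = decide(record, today)
        if action is not Action.RETAIN:
            result.append((record.record_id, action, reason))
    return result


# Constructed sample records and review date.
SAMPLE_RECORDS = [
    Record("n-1", "newsletter_subscriber", date(2026, 2, 1)),
    Record("c-7", "customer_contract", date(2020, 1, 1)),
    Record("t-3", "support_ticket", date(2024, 6, 1), legal_hold_until=date(2027, 1, 1)),
    Record("a-9", "web_analytics", date(2025, 11, 1)),
]
AS_OF = date(2026, 3, 1)


def sample_review() -> list:
    """Run the evaluator over the constructed sample as of the constructed review date."""
    return due_actions(SAMPLE_RECORDS, AS_OF)


if __name__ == "__main__":
    for record_id, action, reason in sample_review():
        print(record_id, action.value, reason)
```

Running the review on a schedule (nightly, for instance) and keeping its output is what turns the retention periods in the record of processing activities into evidence: each destruction or anonymization is traceable to a category, a period and the legal basis written next to it.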
12. Data Protection Impact Assessment (Art. 22)
12.1 When Required
A DPIA is required when the planned processing is likely to result in a high risk to the personality or fundamental rights of the data subjects (Art. 22(1)).
High-risk indicators:
- Systematic and extensive evaluation of personal aspects (profiling)
- Large-scale processing of sensitive personal data
- Systematic monitoring of publicly accessible areas
- Use of new technologies (including AI)
- Processing that prevents data subjects from exercising their rights
12.2 DPIA Content
| Element | Description |
|---|---|
| Description of processing | Detailed description of operations, purpose, scope |
| Necessity and proportionality assessment | Why this processing is needed, why less intrusive alternatives are insufficient |
| Risk assessment | Identification of risks to data subjects’ rights |
| Mitigation measures | Technical and organizational measures to address risks |
| Residual risk assessment | Remaining risks after mitigation |
| Monitoring plan | How risks will be monitored over time |
12.3 Consultation
If the DPIA shows high residual risk that cannot be mitigated, the controller must consult the FDPIC before proceeding (Art. 23).
13. Data Breach Notification (Art. 24)
13.1 Notification to FDPIC
The controller must notify the FDPIC as soon as possible of any security breach that is likely to result in a high risk to the personality or fundamental rights of the data subjects (Art. 24(1)).
“As soon as possible” is interpreted as within 72 hours, aligned with GDPR practice. The DSG does not specify a fixed deadline, but the FDPIC has indicated that delays beyond 72 hours require justification.
13.2 Notification Content
| Element | Required |
|---|---|
| Nature of the breach | Type (unauthorized access, loss, destruction) |
| Categories of data affected | Personal data, sensitive data, types |
| Number of data subjects affected | Approximate, if exact not yet known |
| Likely consequences | Assessment of impact on data subjects |
| Measures taken or proposed | Technical and organizational response |
| Contact point | Person within the organization |
13.3 Notification to Data Subjects
If the breach is likely to result in a high risk to individual data subjects, those individuals must also be informed (Art. 24(4)). Exceptions exist when disproportionate effort is required (in which case, public communication may substitute).
14. The Data Protection Advisor (Art. 10)
14.1 Voluntary for Private Companies
Unlike the GDPR’s DPO requirement for certain entities, the DSG makes the Data Protection Advisor (DPA) voluntary for private companies (Art. 10(1)).
However, appointing a DPA has a concrete benefit: if a DPIA reveals high residual risk, the controller may consult their DPA instead of the FDPIC (Art. 23(4)). This avoids FDPIC involvement in sensitive processing decisions.
14.2 DPA Requirements
If appointed, the DPA must:
- Be independent in the exercise of their function (Art. 10(3))
- Not receive instructions regarding the exercise of their function
- Have adequate resources (training, time, tools)
- Have access to all processing activities
15. Automated Individual Decisions (Art. 21)
15.1 What Counts
An automated individual decision is a decision based solely on automated processing (including profiling) that produces legal effects for the data subject or similarly significantly affects them (Art. 21(1)).
Examples: Automated credit scoring, algorithmic hiring decisions, automated insurance pricing, AI-driven claims rejection.
15.2 Obligations
The controller must:
- Inform the data subject that a decision is being made solely by automated means (Art. 21(1))
- Give the data subject the opportunity to express their views (Art. 21(2))
- On request, have the automated decision reviewed by a natural person (Art. 21(2))
15.3 Relevance for AI
Any company deploying AI that makes or significantly influences decisions about individuals must comply with Art. 21. This includes:
- AI-powered customer service that routes or rejects claims
- AI scoring systems for credit, insurance, or employment
- AI recommendation systems that determine access to services
16. Criminal Penalties (Art. 60-66)
The DSG is unusual in imposing criminal penalties on individuals, not fines on companies.
| Violation | Article | Maximum Penalty |
|---|---|---|
| Willful breach of information obligations | Art. 60(1)(a) | CHF 250,000 |
| Willful breach of data subject access rights | Art. 60(1)(b) | CHF 250,000 |
| Willful breach of cross-border transfer rules | Art. 61 | CHF 250,000 |
| Willful breach of processor obligations | Art. 61 | CHF 250,000 |
| Willful breach of minimum security requirements | Art. 61 | CHF 250,000 |
| Willful breach of DPA professional secrecy | Art. 62 | CHF 250,000 |
| Failure to comply with FDPIC order | Art. 63 | CHF 250,000 |
| False information to FDPIC | Art. 64 | CHF 250,000 |
Key distinction from GDPR: Penalties target the responsible individual (typically the person who made the decision), not the company. This means C-level executives and data protection officers face personal criminal liability. The criminal standard of “willful” breach provides some protection, but negligence in the face of clear obligations may be construed as willful.
17. DSG vs. GDPR: Key Differences
| Aspect | DSG (Switzerland) | GDPR (EU) |
|---|---|---|
| Penalties | Criminal, max CHF 250K per individual | Administrative fines, max EUR 20M or 4% turnover |
| DPO/DPA | Voluntary | Mandatory for certain entities |
| Legal basis for processing | Consent, legitimate interest, law | Six legal bases (Art. 6 GDPR) |
| Consent requirements | Less strict (implied consent possible in some contexts) | Explicit consent required for sensitive data |
| Breach notification deadline | “As soon as possible” (interpreted as ~72h) | 72 hours (explicit) |
| Record of processing activities | Companies with 250+ employees (with exceptions) | Companies with 250+ employees (with exceptions) |
| Representative requirement | None | Art. 27 GDPR (for non-EU controllers) |
| Profiling | “Profiling with high risk” defined and regulated | “Profiling” broadly defined and regulated |
| Extraterritorial scope | Yes (effects in Switzerland) | Yes (targeting/monitoring EU residents) |
18. Industry-Specific Considerations
18.1 Financial Services (FINMA-supervised)
FINMA Guidance 08/2024 adds AI governance requirements on top of DSG obligations. FINMA-supervised institutions must:
- Maintain an inventory of all AI systems
- Risk-classify each system
- Document governance frameworks
- Report material AI incidents
18.2 Healthcare
Health data is classified as sensitive personal data (Art. 5(c)). Processing requires explicit consent or a legal basis. Cantonal health data laws may impose additional requirements.
18.3 Treuhänder / Fiduciaries
Treuhänder process sensitive financial data. Obligations under the GwG (Anti-Money Laundering Act) interact with the DSG’s retention rules: the GwG requires retention, while the DSG limits it. The resolution is to retain for the period the GwG requires and to document that legal obligation as the basis for doing so.
19. Compliance Checklist
| # | Requirement | Article | Status |
|---|---|---|---|
| 1 | Privacy policy published and complete | Art. 19 | [ ] |
| 2 | Information provided at data collection | Art. 19 | [ ] |
| 3 | Consent mechanisms operational (cookies, forms) | Art. 6, 31 | [ ] |
| 4 | Data subject access process defined | Art. 25 | [ ] |
| 5 | Record of processing activities maintained | Art. 12 | [ ] |
| 6 | DPAs signed with all processors | Art. 9 | [ ] |
| 7 | Cross-border transfers documented with safeguards | Art. 16-17 | [ ] |
| 8 | Data breach notification process defined | Art. 24 | [ ] |
| 9 | DPIA conducted for high-risk processing | Art. 22 | [ ] |
| 10 | Technical security measures implemented | Art. 8 | [ ] |
| 11 | Organizational security measures implemented | Art. 8 | [ ] |
| 12 | Data retention schedule documented | Art. 6(4) | [ ] |
| 13 | Automated decision-making disclosed (if applicable) | Art. 21 | [ ] |
| 14 | Employee training conducted | Best practice | [ ] |
| 15 | Data Protection Advisor appointed (recommended) | Art. 10 | [ ] |
20. How Mont Virtua Can Help
Mont Virtua provides technical compliance analysis for Swiss data protection obligations. Our services include:
Compliance Analysis: Structured assessment of your website, data practices, and regulatory posture against DSG, GDPR, and sector-specific requirements. Scored findings with legal references and remediation roadmap. CHF 1,990 (SME) / CHF 2,490 (enterprise).
Enclava Platform: AI-powered access to Swiss data protection law, FDPIC guidance, relevant court decisions, and cantonal data protection regulations. Source-verified. Swiss-hosted.
Compliance Monitoring: Ongoing monitoring of regulatory changes affecting your data protection obligations. Quarterly re-assessment. CHF 490/month.
Contact: [email protected] | montvirtua.com
This guide is updated quarterly. Current version: March 2026.
Mont Virtua GmbH | CHE-451.311.553 | Bahnhofstrasse 20, 6300 Zug
This document does not constitute legal advice.