A stricter data protection law, the revised Federal Act on Data Protection (revFADP), enters into force in Switzerland in 2023 (the Federal Council has set 1 September 2023). Every website operator should therefore familiarise themselves with the new rules.
Use of data
You should keep an up-to-date list (a record of processing activities) of every place where you store, use, modify, disclose, archive or delete personal data. This covers, for example, a contact form, a newsletter you send out, photos you publish, but also software you use alongside your website to write invoices or record working hours. The Data Protection Authority of Liechtenstein publishes sample records for companies and associations, and the Bavarian State Office for Data Protection Supervision publishes one for online shops and various others.
Third party services
As a website operator, you must have a data processing agreement (DPA) with each external service that processes personal data on your behalf. Depending on the provider, this may already be part of the general terms and conditions (GTC) or has to be concluded explicitly. If the external service also uses the data from your website for its own purposes, as Facebook does, the provider is no longer merely a processor acting on your instructions and additional safeguards are required.
Third-party services of a website include, for example, plugins, hosting, e-mail and newsletter delivery, analytics, performance measurement and video conferencing tools. On the Webbkoll website (webbkoll.dataskydd.net) you can check which external services your website loads (section: Third Party).
Foreign services (data export)
If you use a service based abroad, for example in the USA, so that the data is processed there, this is a data export, and standard contractual clauses (SCCs) are required unless the country offers adequate protection. The SCCs can be part of the DPA or the GTC. The FDPIC publishes a list (in German) of the countries that offer adequate protection of personal data and those that do not.
Privacy statement
The privacy statement can be linked from the footer and must be available in every language of the website. It must state at least:
- Owner and contact details
- Purposes for which data is collected
- Any recipients of the personal data processed
- Protection of data exports through contracts
- Rights that data subjects have in relation to data protection
Response to requests for information from data subjects
If a user of your website contacts you with a data protection request, you must respond within 30 days. Identify the person making the request first, then review the request carefully before disclosing anything.
Data breaches
In the event of a data breach, such as an e-mail sent to the wrong recipient, deleted or lost data, or a ransomware attack, the Federal Data Protection and Information Commissioner (FDPIC) must be notified as soon as possible whenever the breach is likely to result in a high risk to the persons affected; those persons must also be informed where this is necessary for their protection or the FDPIC requires it.
It is a good idea to start by getting an overview of the data you collect. Processing personal data in connection with a website remains permitted in principle, and you almost never need the users' consent, as long as the processing does not violate their personality. There is also no obligation to use cookie banners in Switzerland. However, anyone who wilfully disregards the rules can be fined up to CHF 250,000, and the fine is imposed on the responsible natural person, not on the company.