Swiss nDSG vs GDPR: Key Differences for Data Engineering Teams

The revised Swiss Federal Act on Data Protection (Datenschutzgesetz, nDSG) came into force on 1 September 2023, replacing the 1992 DSG with a framework that brings Switzerland significantly closer to GDPR while retaining several Swiss-specific characteristics. For organisations handling personal data of Swiss residents — or Swiss-based companies operating under both nDSG and GDPR — the differences matter in concrete operational ways, particularly for classification systems, ROPA documentation, and breach notification workflows.

This article works through the key differences methodically, with a focus on implications for data engineering teams and privacy officers maintaining compliance programmes that span both regimes.

Territorial scope and the marketplace principle

The nDSG applies to the processing of personal data of natural persons in Switzerland, with a marketplace principle closely modelled on GDPR Article 3(2): foreign companies that process Swiss resident data as part of offering goods or services to Switzerland, or of monitoring behaviour in Switzerland, are subject to the nDSG even without a Swiss establishment.

The practical difference from GDPR is that the nDSG scopes to Swiss residents, not EU residents. A Zurich-based data team operating under both GDPR and nDSG needs classification systems that can identify the jurisdiction of data subjects at the record level — because EU residents are GDPR-only, Swiss residents (who are not EU residents) are nDSG-only, and many records will be ambiguous if nationality or residence is not captured in the data.

For Swiss data subjects who are also EU citizens or residents, both regimes apply. In practice, Swiss data engineers often treat GDPR-equivalent controls as meeting nDSG requirements in most cases, and add Swiss-specific provisions on top — but this only works where GDPR and nDSG are genuinely aligned, which is not always the case.

ROPA obligations under nDSG Art. 12

Unlike GDPR Article 30, which requires all controllers (with limited exceptions for organisations under 250 employees) to maintain a ROPA, nDSG Art. 12 limits the processing register requirement to organisations that carry out high-risk processing or employ more than 250 persons. This is a lighter documentation burden for smaller Swiss operations.

However, the definition of “high risk” under nDSG is broad enough to catch many data-intensive operations. Automated decision-making, large-scale processing of sensitive data, and systematic monitoring of publicly accessible areas all fall within the high-risk definition under the nDSG implementing ordinance (DSV). In practice, most Swiss companies with more than 50 employees and any meaningful data infrastructure will meet the threshold.

The substantive content of the nDSG processing register is nearly identical to GDPR Article 30: processing purpose, data categories, recipients, retention periods, cross-border transfers, and security measures. A compliance system that already generates the ROPA from a live classification graph can produce the nDSG register with minor format adaptation.

Breach notification: the “as soon as possible” standard

The nDSG’s breach notification obligation requires notification to the FDPIC “as soon as possible” when a data breach is likely to result in a high risk to the rights and freedoms of data subjects — wording that mirrors GDPR’s risk threshold but omits the specific 72-hour window. The FDPIC has indicated in guidance that “as soon as possible” should generally be interpreted as within 72 hours of becoming aware, aligning the practical expectation with GDPR.

The nDSG does not explicitly require phased notification (unlike GDPR Article 33(4)), but the FDPIC has confirmed in Q&A guidance that organisations may notify with available information and supplement as the investigation progresses. The notification content requirements are substantively similar to Article 33(3): nature of the breach, categories and approximate number of affected persons, likely consequences, and measures taken or planned.

Data subject rights: access, source, and portability

The nDSG provides rights of access, correction, deletion, and data portability that closely mirror GDPR Articles 15–20. One meaningful difference in the access right: nDSG entitles the data subject to information about the source of their data, not just the data itself. For DSAR automation, this means that responses to Swiss data subjects must include source provenance — where did this record originate, which system ingested it first — in addition to the standard data inventory output.

This source provenance requirement makes data lineage a compliance necessity for Swiss DSAR responses, not just an operational nice-to-have. A system that can trace a customer record from its source CRM entry through warehouse transformations to a derived analytics table provides the lineage evidence needed to answer the nDSG access request fully.

Sensitive data categories: nDSG vs. GDPR Article 9

The nDSG’s sensitive data categories largely overlap with GDPR Article 9 but include Swiss-specific additions. GDPR Article 9 covers health, biometric, genetic, racial or ethnic origin, political opinion, religious or philosophical belief, trade union membership, and sex life or sexual orientation. The nDSG additionally covers data on administrative and criminal proceedings and sanctions (not limited to convictions, as GDPR Article 10 is) and data on social assistance measures.

The gaps between the two lists have practical implications for classification systems. A GDPR-calibrated classifier tuned only against Article 9 categories will not flag Swiss administrative proceeding records or social assistance data as sensitive. For organisations operating under both regimes, the sensitive data classifier needs an nDSG-specific category layer added to the standard GDPR Article 9 taxonomy.
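The following example, added here and not taken from the article, encodes the two classification rules discussed above (jurisdiction determined per record from captured residence, as in the territorial scope section, and an nDSG category layer on top of the GDPR Article 9 taxonomy) and reports which records a GDPR-only classifier would leave unflagged. The tag names, the Record structure and the conservative handling of records with no captured residence are this example's own assumptions.

```python
from dataclasses import dataclass
# GDPR Article 9 special categories, as listed in the article.
GDPR_ART9 = frozenset({
    "health", "biometric", "genetic", "racial_ethnic_origin", "political_opinion",
    "religious_philosophical_belief", "trade_union", "sex_life_orientation",
})
# Swiss-specific additions named in the article; the tag names are this example's own.
NDSG_ADDITIONS = frozenset({"administrative_criminal_proceedings", "social_assistance"})
NDSG_SENSITIVE = GDPR_ART9 | NDSG_ADDITIONS
# EU member states plus the EEA/EFTA states (ISO 3166-1 alpha-2 codes).
EU_EEA = frozenset("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL "
                   "PL PT RO SK SI ES SE IS LI NO".split())

@dataclass(frozen=True)
class Record:
    subject_id: str
    residences: frozenset  # countries of residence captured for the subject; empty if unknown
    categories: frozenset  # data-category tags assigned by the classifier

def applicable_regimes(rec: Record) -> frozenset:
    """Regime(s) governing the record, or {'ambiguous'} when residence was never captured."""
    if not rec.residences:
        return frozenset({"ambiguous"})
    regimes = set()
    if "CH" in rec.residences:
        regimes.add("nDSG")
    if rec.residences & EU_EEA:
        regimes.add("GDPR")
    return frozenset(regimes)

def sensitive_categories(rec: Record) -> dict:
    """Map each applicable regime to the record's categories that are sensitive under it.
    Ambiguous records are checked under both regimes (assumed conservative default)."""
    regimes = applicable_regimes(rec)
    if "ambiguous" in regimes:
        regimes = frozenset({"GDPR", "nDSG"})
    taxonomy = {"GDPR": GDPR_ART9, "nDSG": NDSG_SENSITIVE}
    return {r: rec.categories & taxonomy[r] for r in sorted(regimes)}

def gdpr_classifier_misses(rec: Record) -> frozenset:
    """Categories an Article-9-only classifier would not flag but the nDSG treats as sensitive."""
    return sensitive_categories(rec).get("nDSG", frozenset()) - GDPR_ART9

# Constructed sample records (not real data).
SAMPLE = [
    Record("s1", frozenset({"CH"}), frozenset({"social_assistance", "health"})),
    Record("s2", frozenset({"DE"}), frozenset({"social_assistance"})),
    Record("s3", frozenset({"CH", "FR"}), frozenset({"administrative_criminal_proceedings"})),
    Record("s4", frozenset(), frozenset({"trade_union", "social_assistance"})),
]
```

Running `gdpr_classifier_misses` over `SAMPLE` shows that s2 (EU-only) needs no Swiss layer, while s1, s3 and the residence-less s4 each carry a category an Article 9 classifier would silently pass.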

Profiling, automated decisions, and the AI Act interface

The nDSG introduces explicit obligations for profiling with significant effects on data subjects — similar to GDPR Article 22 but with distinct threshold language. The nDSG implementing ordinance (DSV) clarifies that profiling is considered “high risk” when it results in a legal or similarly significant effect on the data subject without opportunity for human review.

For Swiss AI deployments, the nDSG high-risk profiling rules and the EU AI Act’s high-risk AI system requirements (Title III) create overlapping obligations for organisations operating across the border. The documentation and transparency requirements for automated processing under both regimes converge: the data subject must be informed, the processing must be documented, and human review must be available for consequential decisions. A compliance programme covering both will need to map AI system registrations (under the EU AI Act) against nDSG profiling declarations for Swiss deployments.

Cross-border transfers under nDSG

nDSG Art. 16 prohibits transfers of personal data to third countries unless the destination country provides an adequate level of protection (as determined by the FDPIC’s list of adequate countries) or appropriate safeguards are in place. The FDPIC published an updated adequacy list in 2023, which includes all EU/EEA member states and a number of other countries. Transfers to non-adequate countries require SCCs (Swiss Standard Contractual Clauses as adapted by the FDPIC), Binding Corporate Rules, or other approved mechanisms.

An important practical difference: the FDPIC’s adequacy list is not identical to the European Commission’s. The US is not on the FDPIC’s adequate list, and the EU–US Data Privacy Framework does not automatically cover Swiss transfers. Swiss organisations transferring data to US cloud providers need Swiss-specific SCCs or DPA addenda, separate from the EU-facing mechanisms.

Conclusion

Operating under both GDPR and nDSG is the practical reality for most Swiss data teams serving European customers. The two regimes are substantially aligned but not identical, and the gaps — in sensitive data categories, source provenance rights, cross-border transfer mechanisms, and profiling thresholds — are operationally significant for classification systems, ROPA tooling, and breach response workflows. Building for GDPR first and adding Swiss-specific layers on top is the most practical sequencing, but it requires deliberately mapping those layers rather than assuming equivalence.

Source notes

  • Federal Act on Data Protection (nDSG), Systematische Rechtssammlung SR 235.1, in force 1 September 2023 — full text of revised Swiss DPA
  • Datenschutzverordnung (DSV) — nDSG implementing ordinance, with definitions of high-risk processing and profiling thresholds
  • FDPIC, Erklärung zum revidierten Datenschutzgesetz (2023) — FDPIC guidance on nDSG requirements and transition
  • FDPIC, Länderliste mit einem angemessenen Datenschutzniveau (updated 2023) — Swiss adequacy country list and transfer mechanism guidance
  • European Data Protection Board, Annex to the Statement 02/2019 on the interplay between the GDPR and the modernised Convention 108 — EU/Swiss alignment analysis