Data Protection Act (DSG) and Data Protection Ordinance (DSV): Key Points for Switzerland at a Glance
DSG and DSGVO / GDPR
On August 31, 2022, the Federal Council decided that the completely revised Data Protection Act (DSG) and the new Data Protection Ordinance (DSV) will come into force on September 1, 2023, in Switzerland. Additionally, the General Data Protection Regulation (GDPR) has been in effect in all EU member states since May 25, 2018.
CMS Systems like WordPress or Drupal
The CMS itself is generally not a data-protection problem; the integrations around it are. The following points should be noted:
- Comment functions can violate the DSV / GDPR (they store commenters' names, e-mail addresses and IP addresses)
- Always serve the site over HTTPS
- Load Google Fonts from your own server rather than from Google's servers, so that visitors' IP addresses are not transmitted to Google on every page view
Privacy Policy
Privacy policies must be included on the website. These must cover the main services. Services can include (list not exhaustive):
- Analytics tools
- Embeds of videos like YouTube or Vimeo
- Tracking pixels, cookies for advertising services like Google Adsense, Facebook, LinkedIn, Pinterest, Instagram, etc.
- Use of newsletter tools like Mailchimp, Campaign Monitor, etc.
- Google reCAPTCHA
- Integration of social media
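Before a privacy policy can cover "the main services", someone has to find out which third parties the site actually contacts. The following is an added example (not code from the original page) that inventories third-party hosts referenced in a page's HTML and maps them to the services listed above; the service table and the sample page are constructed for this example and are not exhaustive.

```javascript
'use strict';
// Added example, not code from the original page: inventory the third-party
// hosts an HTML page references, so the privacy policy (and the consent
// banner) can be checked against what the site actually loads. Runs offline
// on an HTML string; KNOWN_SERVICES and SAMPLE_HTML are constructed here.

// Host (optionally with a path prefix) -> service name. Not exhaustive.
const KNOWN_SERVICES = [
  ['google-analytics.com', 'Google Analytics'],
  ['googletagmanager.com', 'Google Tag Manager'],
  ['fonts.googleapis.com', 'Google Fonts (CSS)'],
  ['fonts.gstatic.com', 'Google Fonts (font files)'],
  ['google.com/recaptcha', 'Google reCAPTCHA'],
  ['youtube.com', 'YouTube embed'],
  ['youtube-nocookie.com', 'YouTube embed (privacy-enhanced mode)'],
  ['vimeo.com', 'Vimeo embed'],
  ['connect.facebook.net', 'Facebook SDK'],
  ['facebook.com', 'Facebook'],
  ['licdn.com', 'LinkedIn Insight Tag'],
  ['list-manage.com', 'Mailchimp'],
];

const ATTR_URL_RE = /\b(?:src|href|action|data-src)\s*=\s*["']([^"']+)["']/gi;
const BARE_URL_RE = /https?:\/\/[^\s"'<>()]+/g;   // URLs inside inline scripts/styles

// Collect every http(s) URL in the markup, resolving relative and
// protocol-relative references against the site's own origin.
function extractUrls(html, ownOrigin) {
  const raw = new Set();
  for (const m of html.matchAll(ATTR_URL_RE)) raw.add(m[1]);
  for (const m of html.matchAll(BARE_URL_RE)) raw.add(m[0]);
  const urls = [];
  for (const value of raw) {
    let u;
    try { u = new URL(value, ownOrigin); } catch { continue; }       // malformed value
    if (u.protocol !== 'https:' && u.protocol !== 'http:') continue; // mailto:, data:, ...
    urls.push(u);
  }
  return urls;
}

// Map a URL to a known service: hosts match exactly or as a subdomain,
// an optional path prefix narrows the match (e.g. google.com/recaptcha).
function classify(u) {
  for (const [pattern, service] of KNOWN_SERVICES) {
    const slash = pattern.indexOf('/');
    const hostPart = slash === -1 ? pattern : pattern.slice(0, slash);
    const pathPart = slash === -1 ? '' : pattern.slice(slash);
    const hostOk = u.hostname === hostPart || u.hostname.endsWith('.' + hostPart);
    if (hostOk && u.pathname.startsWith(pathPart)) return service;
  }
  return 'unknown third party';   // still has to be reviewed, not ignored
}

// One row per third-party host; first-party references are dropped.
function inventory(html, ownOrigin) {
  const ownHost = new URL(ownOrigin).hostname;
  const rows = new Map();
  for (const u of extractUrls(html, ownOrigin)) {
    if (u.hostname === ownHost) continue;
    if (!rows.has(u.hostname)) {
      rows.set(u.hostname, { host: u.hostname, service: classify(u), example: u.href });
    }
  }
  return [...rows.values()].sort((a, b) => a.host.localeCompare(b.host));
}

// Constructed sample page: analytics tag, Google Fonts, reCAPTCHA, a video
// embed and a CDN-hosted image, plus first-party links that must not be listed.
const SAMPLE_HTML = `<!doctype html><html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<link rel="stylesheet" href="/assets/site.css">
</head><body>
<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>
<a href="https://example.com/contact">Contact</a>
<img src="//cdn.example-cdn.net/img/logo.png" alt="">
</body></html>`;

for (const row of inventory(SAMPLE_HTML, 'https://example.com')) {
  console.log(`${row.host.padEnd(30)} ${row.service}`);
}
```

Run it against the rendered HTML of each page template (not just the home page); every row that is not in the privacy policy is a gap, and every "unknown third party" row needs a manual look.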
Imprint
The website must include an imprint that states who operates the website.
Contact Forms
It is not clear whether a checkbox ("I have read the privacy policy and agree to the use of my data…") must be included when submitting contact forms. What is certain is that the transmission must be encrypted (HTTPS). It is also advisable to delete stored form submissions regularly.
Analytics
It is unclear whether the use of Google Analytics is permissible (see also the Schrems II problem below). When using GA3 (Universal Analytics), make sure IP addresses are anonymized and data retention is kept short. Particularly risk-averse operators can use tools like Matomo or server-side tools like Jentis.
Social Media Sharing Buttons
Using social media sharing buttons is unproblematic as long as no data is sent to the network before the visitor clicks. Be cautious with the FB Like button and other snippets provided by the social networks: these load the network's script at page load and transmit the visit even if nobody clicks.
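The harmless variant described above is a plain link per network. The following is an added example (not code from the original page): it builds such links with proper encoding and renders them as static markup, so no request reaches a social network until the visitor clicks. The share endpoint URLs are the networks' public ones at the time of writing; verify them against each network's documentation.

```javascript
'use strict';
// Added example, not code from the original page: share "buttons" built as plain
// links, so no request reaches any social network until the visitor clicks.
// The official Like/Share snippets instead load the network's SDK on page load
// and report the visit regardless of clicks. Endpoint URLs are the public ones
// at the time of writing; check them against each network's documentation.

const SHARE_ENDPOINTS = {
  facebook: (u) => `https://www.facebook.com/sharer/sharer.php?u=${u}`,
  twitter: (u, t) => `https://twitter.com/intent/tweet?url=${u}&text=${t}`,
  linkedin: (u) => `https://www.linkedin.com/sharing/share-offsite/?url=${u}`,
  email: (u, t) => `mailto:?subject=${t}&body=${u}`,
};

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}

// Build the share targets for one page. Only http(s) page URLs are accepted,
// so a javascript: or data: value can never end up inside an href.
function buildShareLinks(pageUrl, title, networks = Object.keys(SHARE_ENDPOINTS)) {
  const parsed = new URL(pageUrl);
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    throw new Error(`refusing to share non-http(s) URL: ${parsed.protocol}`);
  }
  const u = encodeURIComponent(parsed.href);
  const t = encodeURIComponent(title);
  return networks.map(network => ({ network, href: SHARE_ENDPOINTS[network](u, t) }));
}

// Static markup: no script, no iframe, no third-party request before the click.
// rel="noopener noreferrer" keeps the opened page away from window.opener and
// keeps the Referer header out of the request.
function renderShareLinks(links) {
  return links
    .map(l => `<a href="${escapeHtml(l.href)}" rel="noopener noreferrer" target="_blank">` +
              `Share on ${escapeHtml(l.network)}</a>`)
    .join('\n');
}

// Constructed sample input.
console.log(renderShareLinks(buildShareLinks('https://example.com/blog/post?id=7', 'Hi & bye')));
```

The markup can be generated server-side (e.g. in the CMS template) or by this script at load time; either way the only outbound request happens on the click, which is the user's own action.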
Cookies
To be safe, we recommend using a proper cookie-consent solution such as CookiePro.
For the EU, genuine cookie consent is required, i.e., a cookie banner with "hard opt-in": cookies that are not technically necessary are only set after the user's explicit consent. Our tool: CookiePro by OneTrust.
In Switzerland, tracking can generally occur without the consent of the affected users, as long as it does not involve particularly sensitive data such as health information. However, since websites are also visited by users from the EU, the website must have a cookie banner.
So far, there have been no warning letters. And of course, there is the option of waiting until the first warning letters appear before reacting.
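What "hard opt-in" means mechanically is that a third-party tag must not even be loaded until a stored, explicit consent exists for its category. The following is an added example, not CookiePro/OneTrust code and not code from the original page: it ships tags inert in the markup, records the user's choices in a first-party cookie, and activates only the consented categories. The cookie name, lifetime, version field and the `data-consent` markup convention are assumptions of this example.

```javascript
'use strict';
// Added example, not CookiePro/OneTrust code or code from the original page.
// Mechanics of a "hard opt-in": third-party tags ship inert in the markup and
// are activated only after an explicit, stored consent decision. No stored
// decision means no tag runs. Storage key, cookie lifetime, version field and
// the data-consent markup convention are assumptions of this example.

const CATEGORIES = ['necessary', 'analytics', 'marketing'];
const CONSENT_KEY = 'site_consent';        // first-party cookie name (assumed)
const CONSENT_VERSION = 1;                 // bump when the policy changes to re-ask everyone
const CONSENT_MAX_AGE = 180 * 24 * 3600;   // seconds; re-ask after 6 months (assumed)

// Turn the banner's checkbox state into a record. 'necessary' is always on;
// everything else is false unless explicitly ticked (opt-in, never opt-out).
function makeConsent(choices) {
  const cats = {};
  for (const c of CATEGORIES) cats[c] = c === 'necessary' ? true : choices[c] === true;
  return { v: CONSENT_VERSION, ts: Date.now(), cats };
}

function serializeConsent(record) {
  return JSON.stringify(record);
}

// Parse a stored record defensively: garbage, old version or wrong shape -> null,
// which the caller treats as "no consent given, show the banner".
function parseConsent(raw) {
  if (typeof raw !== 'string' || raw === '') return null;
  let obj;
  try { obj = JSON.parse(raw); } catch { return null; }
  if (!obj || obj.v !== CONSENT_VERSION || typeof obj.cats !== 'object' || obj.cats === null) return null;
  return obj;
}

// Default deny: only an explicit true for that category allows it.
function isAllowed(consent, category) {
  if (category === 'necessary') return true;
  return !!(consent && consent.cats && consent.cats[category] === true);
}

// Minimal cookie-string parser (document.cookie has the same "a=1; b=2" shape).
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) return decodeURIComponent(part.slice(eq + 1).trim());
  }
  return null;
}

function consentCookieValue(record) {
  return `${CONSENT_KEY}=${encodeURIComponent(serializeConsent(record))}` +
         `; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Given the inert tags found in the page ({category, src, ...}), keep the ones consent permits.
function selectActivatable(entries, consent) {
  return entries.filter(e => isAllowed(consent, e.category));
}

// Browser side. Markup convention assumed by this example:
//   <script type="text/plain" data-consent="analytics" data-src="https://..."></script>
// Browsers do not execute type="text/plain", so nothing loads until the element
// is swapped for a real script element here.
function activateConsentedScripts(doc, consent) {
  const inert = [...doc.querySelectorAll('script[type="text/plain"][data-consent]')];
  const entries = inert.map(el => ({
    category: el.getAttribute('data-consent'), src: el.getAttribute('data-src'), el,
  }));
  for (const e of selectActivatable(entries, consent)) {
    const live = doc.createElement('script');
    if (e.src) live.src = e.src; else live.textContent = e.el.textContent;
    e.el.replaceWith(live);
  }
}

if (typeof document !== 'undefined') {
  // Page load: activate only what was consented to earlier; otherwise show the banner.
  const stored = parseConsent(readCookie(document.cookie, CONSENT_KEY));
  if (stored) activateConsentedScripts(document, stored);
  // Banner "Save" handler (wiring to the actual checkboxes omitted):
  //   const record = makeConsent({ analytics: analyticsBox.checked, marketing: marketingBox.checked });
  //   document.cookie = consentCookieValue(record);
  //   activateConsentedScripts(document, record);
}
```

The two checks worth carrying over to any consent tool, bought or built: a missing or unparseable consent record must behave exactly like a refusal, and the tag's script element must not exist in executable form before that record says yes. Converting a tag to `type="text/plain"` is the usual way to retrofit this into a CMS template without rewriting the vendor snippet.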
3rd Party Services (Hosting, Mailing Tools,…)
3rd-party services are services (mostly SaaS) from other companies: mailing tools, CRM systems, CDNs like Cloudflare or Fastly, and also hosting companies.
If such a service is GDPR-compliant and a data processing agreement (DPA) is in place, we assume its use is OK. For all services from the USA (and there are many…), the Schrems II problem described below applies. We assume that the use of Microsoft Cloud Services and Azure is OK, or at least not prohibited. The Swiss Federal Data Protection and Information Commissioner (FDPIC) has provided similar advice for SUVA. See more details on SUVA here.
Schrems II Problem
The European Court of Justice clarified in its Schrems II ruling of July 16, 2020, that personal data of EU citizens may only be transferred to a third country if it enjoys a level of protection there that is essentially equivalent to the one in the EU. For the USA, it denied such an adequate level of protection and invalidated the EU-US Privacy Shield. In the context of Dream Production: Romania, as an EU member state, is a country with an adequate level of protection, so data transfer to Romania is not a data protection issue (link to PDF with country list Switzerland).
Today, securing the use of US companies' services under the GDPR with standard contractual clauses (SCCs) is complex and legally uncertain. In many cases a Transfer Impact Assessment (TIA) has to be prepared before the data export, and additional protective measures are required. Small and medium-sized enterprises often have no choice but to risk exporting data without sufficient safeguards.
With the EU and the USA having agreed on a new Trans-Atlantic Data Privacy Framework, which is currently under discussion, there is hope that data export from Europe to the USA can soon be secured efficiently and with a certain degree of legal certainty.
Switzerland took note of the Trans-Atlantic Data Privacy Framework on October 22, 2022, and is examining it. No decisions have been made yet. (Link)