There is a widespread assumption that this topic is straightforward, but the reality is more complex. The revised Swiss Data Protection Act (revDSG) has been in force since 1 September 2023. It introduces concrete obligations for Swiss companies regarding their website design. This checklist helps you implement the key requirements.

Note: This checklist does not replace legal advice. For your specific situation, consult a lawyer specialising in data protection law.

Privacy Policy

The privacy policy is the central document for transparency about your data processing.

  • Privacy policy is available on the website and easy to find
  • Identity and contact details of the data controller are stated
  • Processing purposes are clearly described
  • Recipients or categories of recipients are named
  • For data exports abroad: target country and safeguards are stated
  • Retention periods or criteria are specified
  • Rights of data subjects (access, deletion, rectification) are described
  • Contact option for data protection enquiries is available
  • Privacy policy is available in the website’s language(s)

The revDSG does not require explicit cookie consent like the GDPR, but:

  • Information obligation about cookies used is fulfilled
  • Third-party tracking cookies are listed in the privacy policy
  • For users from the EU/EEA: GDPR-compliant consent obtained (if relevant)
  • Cookie banner at least informs about the use of cookies
  • Non-essential cookies can be declined

Recommendation

Even though the revDSG is less strict than the GDPR: implement a cookie consent banner that gives users a real choice. This protects you with EU users and strengthens trust.

Contact Forms and Data Collection

  • Only necessary data is collected (data minimisation)
  • Purpose of data collection is clear at the form
  • Reference to privacy policy is present at the form
  • Data is transmitted encrypted (HTTPS)
  • Automatic deletion after the retention period is configured

Newsletter and Email Marketing

  • Registration uses a double opt-in process
  • Unsubscribe option is available in every email
  • Purpose and frequency are transparent at registration
  • Consents are documented and stored verifiably
  • Newsletter tool is privacy-compliant (check server location)

Web Analytics and Tracking

  • Web analytics tools are listed in the privacy policy
  • IP anonymisation is enabled (where available)
  • Data sharing with third parties is documented
  • Server location of the analytics tool is known and documented
  • Data processing agreement with the analytics provider is in place

Recommendation on Tool Choice

Privacy-friendly alternatives for Swiss companies:

  • Plausible Analytics: No cookies, EU servers
  • Matomo (self-hosted): Full data control
  • Simple Analytics: No personal data

Technical Security Measures

  • Website runs on HTTPS (SSL/TLS certificate)
  • Form data is transmitted encrypted
  • CMS and plugins are up to date
  • Backend access credentials are secure (strong passwords, MFA)
  • Regular backups of website data

Data Processing Agreements (with Third Parties)

When using service providers that process personal data:

  • Data processing agreements (DPA) with all relevant providers are in place
  • Hosting provider: DPA and location check
  • Email marketing tool: DPA and data export check
  • CRM system: DPA and location check
  • Cloud services: DPA and appropriate safeguards for cross-border transfers

Processing Register

The revDSG requires a register of processing activities for companies with more than 250 employees or for high-risk processing:

  • Register is created and documented
  • Processing purposes are recorded per activity
  • Categories of affected persons and data are documented
  • Retention periods are defined
  • Technical and organisational measures are described

Data Breach Notification

  • Process for reporting data breaches is defined
  • Notification to the FDPIC within 72 hours is organisationally ensured
  • Responsible person for data protection incidents is designated
  • Communication plan for affected persons is in place

Next Steps

  1. Go through this checklist point by point
  2. Mark open items
  3. Prioritise: privacy policy and cookie consent first
  4. Engage a data protection lawyer for your specific situation if needed
  5. Schedule an annual review

Disclaimer

This guide is for general information and does not replace legal advice. The content has been carefully researched, but no guarantee of completeness or currency can be given. For legally binding information, consult a specialised lawyer.