There is a widespread assumption that this topic is straightforward, but the reality is more complex. Since September 1, 2023, the revised Data Protection Act (revDSG) has been in effect in Switzerland. What does this mean for websites? This article provides a practical overview of the most important obligations.
Disclaimer: This is not legal advice. Consult a lawyer if unsure.
The 5 Mandatory Elements of Every Swiss Website
1. Imprint
What must be included:
- Complete company name
- Legal form
- Commercial register number (if registered)
- UID number (if VAT liable)
- Postal address (no P.O. box)
- Email address
- Authorised representative(s)
Where to place:
- Linked directly in footer (“Imprint”)
- Maximum 2 clicks from any page
- Clearly labeled
If the imprint is missing:
- Fines up to CHF 10,000 possible
- Loss of trust with clients
2. Privacy Policy
Mandatory since revDSG: Every website that processes personal data needs a privacy policy.
Minimum content:
- What data is collected? (name, email, IP address, etc.)
- For what purpose? (contact request, newsletter, analysis)
- Legal basis (consent, legitimate interest, contract)
- To whom is data passed? (e.g., hosting provider, newsletter tool)
- How long is data stored?
- What rights do visitors have? (access, correction, deletion)
- Contact point for privacy questions
Where to place:
- Footer link (“Privacy” or “Data Protection”)
- Before consents (e.g., contact form, newsletter)
Tools for privacy policy:
- Privacy generators (free, basic coverage)
- Lawyer (for complex websites, e-commerce)
3. Cookie Banner / Consent
When necessary: When the website uses cookies or similar technologies that aren’t strictly technically necessary.
Technically necessary:
- Session cookies (login)
- Shopping cart
- Security cookies
Not technically necessary (= consent needed):
- Google Analytics
- Facebook Pixel
- Marketing cookies
- Social media embeds with tracking
What the banner must contain:
- Information about cookie use
- Link to privacy policy
- Ability to reject cookies
- Granular selection (not just “Accept all”)
Important: “Opt-in”, not “opt-out”. Cookies may only be set after consent.
Tools:
- Cookiebot
- Usercentrics
- OneTrust
- Complianz (WordPress plugin)
4. Contact Forms and Newsletter
Obligations:
- Privacy notice directly at the form
- Checkbox for consent (not pre-selected!)
- Double opt-in for newsletter
- Unsubscribe link in every newsletter
Example text:
“I agree that my information will be stored for contact and follow-up questions. [Link to privacy policy]”
5. External Integrations (Google Fonts, YouTube, etc.)
Problem: Many external services transfer data to third countries (e.g., USA) and require consent.
Critical services:
- Google Fonts (when loaded from Google servers)
- Google Maps
- YouTube videos
- Social media embeds
Solutions:
- Host locally: Integrate Google Fonts locally
- 2-click solution: Only load after consent
- Privacy mode: YouTube “youtube-nocookie.com”
- Privacy-friendly alternatives: OpenStreetMap instead of Google Maps
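To find these integrations in your own pages, a small audit script can help. The following is an added example, not part of the original article: it scans markup for resources that the browser loads from the critical services above and names the matching solution. The host and path rules, `example.ch` and the sample markup are assumptions made for illustration.

```javascript
// Added example, not from the article. The host/path rules are an
// illustrative, non-exhaustive assumption; example.ch is a placeholder.
const SERVICES = [
  { name: "Google Fonts", fix: "host the font files locally",
    match: (u) => ["fonts.googleapis.com", "fonts.gstatic.com"].includes(u.hostname) },
  { name: "Google Maps", fix: "2-click solution, or OpenStreetMap",
    match: (u) => u.hostname === "maps.googleapis.com" ||
      (/(^|\.)google\.com$/.test(u.hostname) && u.pathname.startsWith("/maps")) },
  { name: "YouTube", fix: "youtube-nocookie.com, or 2-click solution",
    match: (u) => /(^|\.)youtube\.com$/.test(u.hostname) },
];

// Tags that fetch a resource on page load. <a href> is excluded on purpose:
// a plain link sends nothing to the third party until the visitor clicks it.
const LOADING_TAG = /<(?:link|script|iframe|img)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
// url(...) and @import references inside inline CSS.
const CSS_REF = /(?:@import\s+|url\(\s*)+["']?([^"')\s;]+)/gi;

function auditHtml(html, pageUrl) {
  const ownHost = new URL(pageUrl).hostname;
  const findings = [];
  for (const pattern of [LOADING_TAG, CSS_REF]) {
    for (const [, raw] of html.matchAll(pattern)) {
      let url;
      try { url = new URL(raw, pageUrl); } catch { continue; } // skip malformed
      if (url.hostname === ownHost) continue; // locally hosted: nothing to flag
      const service = SERVICES.find((s) => s.match(url));
      if (service) findings.push({ service: service.name, url: url.href, fix: service.fix });
    }
  }
  return findings;
}

// Constructed sample page (not real markup from any site).
const SAMPLE = `
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/assets/fonts/inter.css">
<style>@font-face { font-family: X; src: url(//fonts.gstatic.com/s/x/v1/x.woff2); }</style>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>
<iframe src="https://www.google.com/maps/embed?pb=PLACEHOLDER"></iframe>
<a href="https://www.youtube.com/watch?v=VIDEO_ID">Watch on YouTube</a>`;

for (const f of auditHtml(SAMPLE, "https://example.ch/")) {
  console.log(`${f.service}: ${f.url} -> ${f.fix}`);
}
```

This is a static check of the delivered HTML: embeds that scripts or a tag manager inject at runtime do not appear in it and have to be checked in the browser's network panel.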
Special Requirements
E-Commerce
Additionally needed:
- Terms and conditions
- Withdrawal policy
- Shipping and payment information
- SSL encryption (mandatory!)
International Audiences
If you have EU customers:
- GDPR requirements in addition to revDSG
- Often higher requirements than revDSG
- Cookie banner even more critical
Data Processing
If you use external services (hosting, newsletter, CRM):
- Data processing agreement (DPA) with service providers
- Ensure service providers are GDPR/revDSG compliant
Typical DPA partners:
- Hosting provider
- Newsletter tool (Mailchimp, Brevo, etc.)
- CRM system
- Analytics tool
Checklist: Is Your Website Compliant?
- Imprint complete and easily findable
- Privacy policy present and current
- Cookie banner (if tracking cookies used)
- SSL certificate active (https://)
- Contact forms with privacy notice
- Newsletter with double opt-in
- External services reviewed (fonts, maps, videos)
- DPA concluded with all service providers
- T&C/withdrawal rights (for e-commerce)
Common Mistakes
Mistake 1: No Imprint
Problem: Many websites (especially small ones) have no complete imprint.
Risk: Fines, loss of trust
Mistake 2: Generic Privacy Policy
Problem: Template copied but not adapted.
Risk: False information, not compliant
Mistake 3: Google Analytics Without Consent
Problem: Analytics runs without cookie banner.
Risk: Unlawful, fines possible
Mistake 4: Google Fonts from Google Servers
Problem: IP address transmitted to Google.
Solution: Host locally
Mistake 5: No DPA with Service Providers
Problem: Host, newsletter tool etc. without contract.
Risk: revDSG violation
What to Do for Violations?
For deficiencies:
- Fix immediately (add imprint, update privacy policy)
- Install cookie banner retrospectively
- Conclude DPA with service providers
For a warning letter:
- Seek legal advice
- Fix deficiency immediately
- Confirm in writing
Costs for Compliance
Typical costs:
- Privacy policy (lawyer): CHF 800–2,000
- Cookie banner tool: CHF 0–50 per month
- SSL certificate: CHF 0–300 per year (often free with host)
- Adjustments by web developer: CHF 500–2,000
This is a one-time investment that’s worthwhile.
Tools and Resources
Privacy generators:
- SwissAnwalt.ch
- Datenschutzpartner.ch
Cookie banners:
- Cookiebot
- Complianz (WordPress)
Compliance check:
- Website check tools (various providers)
Advice:
- Lawyer for data protection/IT law
- Data protection officer (for larger companies)
Expert View
Being legally compliant isn’t optional but mandatory. Requirements are manageable:
- Imprint, complete and visible
- Privacy policy, adapted and current
- Cookie banner, for tracking/marketing cookies
- SSL, standard today
- DPA, with all service providers
The investment (time and money) is small compared to risks (fines, loss of trust, reputational damage).
Have your website reviewed and fix deficiencies. Compliance is a matter of trust.