FREE QUOTE
FREE QUOTE

DSG Explained

Data Protection & Compliance • Switzerland • Updated: February 22, 2026

DSG Explained

A practical guide to DSG Switzerland (the Swiss Data Protection Act): what it is, who it applies to, key obligations, and how to build a realistic compliance program.

Reading time: 11 min Difficulty: Intermediate Audience: SMEs, legal/compliance, IT & security, product teams
Book a consultation Explore consulting services

Key takeaways

  • DSG = Switzerland’s data protection law: the revised act (often called nFADP/revDSG) has applied since 1 September 2023.
  • Focus on transparency + risk: inform people, document processing, and treat high-risk processing with extra rigor (e.g., DPIAs).
  • Security incidents matter: certain breaches must be reported to the FDPIC when they’re likely to cause high risk.
  • Personal liability exists: fines can apply to responsible individuals for intentional violations.
In practice: “We have a privacy policy” is not compliance. DSG is about lifecycle controls: purpose, access, retention, security, and evidence.

What DSG is (and how it’s referenced)

The DSG is the German abbreviation for Switzerland’s data protection law. In English contexts, you’ll often see it referenced as the Swiss Data Protection Act or the Federal Act on Data Protection (FADP). The current, fully revised act entered into force on 1 September 2023 together with implementing ordinances.

The purpose of the DSG is to protect the personality and fundamental rights of natural persons whose personal data is processed. Compared with older Swiss law, the revised DSG strengthens transparency, modernizes key definitions, and adds clearer obligations for businesses.

Common terms you’ll see

  • Controller: decides why and how personal data is processed.
  • Processor: processes data on behalf of the controller (e.g., SaaS vendor).
  • Sensitive personal data: includes categories like genetic/biometric data (and other high-sensitivity categories) with stronger safeguards.
  • Profiling / high-risk profiling: automated processing that evaluates personal aspects; “high-risk” triggers stronger requirements.

Scope: who must comply

DSG applies broadly to the processing of personal data of natural persons by private organizations and federal bodies. In practice, any business operating in Switzerland—or serving Swiss customers—should treat DSG as a baseline requirement.

Typical scenarios

  • Swiss company processing customer, employee, or supplier data
  • Foreign company offering services to Switzerland and processing Swiss personal data (often requiring local representation depending on the setup)
  • Organizations using third-party processors (cloud, CRM, analytics, payroll)
Rule of thumb: If you collect emails, run a CRM, use tracking, or process employee records—you’re in scope.

Core obligations under the DSG

DSG compliance is a set of operational controls. The strongest approach is to map obligations to your data lifecycle: collect → use → share → store → secure → delete.

1) Transparency and information duties

People must be informed about key elements of processing (what you collect, why, who receives it, and cross-border transfers). Practically, this means a clear privacy notice, plus contextual notices where data is collected.

2) Records of processing activities (RoPA)

Maintain an internal inventory of processing: purposes, categories, recipients, retention logic, and security measures. For some SMEs, there can be exemptions if processing presents limited risk—but relying on exemptions without a documented assessment is risky.

3) Privacy by design and by default

Build privacy into systems: minimize data, restrict access, set secure defaults, and avoid collecting “just in case.” This is especially important for product teams and anyone shipping features that collect data.

4) Data security and breach handling

Implement appropriate technical and organizational measures (TOMs). If a data security breach is likely to result in a high risk to individuals, the controller must notify the FDPIC promptly. In certain cases, affected individuals must also be informed.

5) Data subject rights

Expect requests like access, correction/deletion, and (in certain cases) data portability. You need intake channels, identity checks, response workflows, and evidence trails.

6) Cross-border data transfers

When data is disclosed abroad, ensure an adequate level of protection or use appropriate safeguards and contractual measures. Vendor governance matters: you need to know where data flows and under what controls.

7) Sanctions and accountability

DSG includes criminal provisions with potential fines (notably targeting responsible individuals in cases of intentional violations). Regardless of penalties, the operational risk is clear: incidents, loss of trust, and contractual exposure.

How to implement DSG compliance (step-by-step)

Keep it simple: inventory first, then risk, then controls. Most organizations can build a solid baseline in 2–6 weeks.

Step 1: Build your data inventory (what exists)

  1. List systems (CRM, HR, cloud storage, analytics, support desk).
  2. Map categories of personal data and purposes.
  3. Document recipients/processors and cross-border transfers.

Step 2: Define lawful purpose and retention

  • Write purpose statements you can defend (“why we need this data”).
  • Set retention rules (and deletion triggers) per dataset.
  • Align with legal obligations (employment, tax, contractual retention).

Step 3: Vendor and processor governance

  • Ensure contracts cover processor obligations, security, and support for requests/incidents.
  • Check sub-processors and data locations.
  • Define how access is granted and revoked (least privilege).

Step 4: Security controls + incident playbook

  • Access control, encryption, logging, backups, and secure configuration baselines.
  • Incident triage: severity, “high risk” assessment, notification decision, and evidence retention.

Step 5: Rights handling workflows

  • Set intake channels (email/form) and an identity verification method.
  • Create a repeatable process: search → export → redact third-party data → respond.
  • Track cases and response times with an audit trail.
Swiss execution tip: Keep compliance “close to delivery.” If product releases can change data collection, make privacy review part of the release checklist.

Helpful tools (optional)

If you need secure workflows, auditability, and traceable approvals for compliance operations, these tools can support implementation:

SignNTrack – secure e-signatures & tracking Business & IT Consulting

Disclaimer: Links are for convenience; choose tools based on your requirements and compliance needs.

DSG vs GDPR (practical view)

DSG is often described as “GDPR-aligned” in spirit, but it’s not identical. If you already run a mature GDPR program, your DSG gap is usually around documentation specifics, Swiss expectations for breach thresholds, and how responsibilities are assigned internally.

Topic DSG (Switzerland) GDPR (EU)
Breach notification Notify the FDPIC when the breach is likely to cause high risk; timing is prompt (risk-based). Notify the DPA within 72 hours (with certain conditions).
Sanctions model Criminal provisions; fines can target responsible individuals for intentional violations. Administrative fines against organizations (turnover-based caps).
Operational approach Transparency, RoPA, privacy-by-design/default, vendor governance, risk handling. Similar foundation; more prescriptive in some areas.
Bottom line: Build one integrated program. The best “DSG compliance” is a good privacy + security operating system.

DSG compliance checklist (copy/paste)

Use this checklist to assess whether your DSG baseline is operational (not just documented).

  • We maintain a data inventory (systems, purposes, categories, recipients, cross-border transfers).
  • We have an up-to-date privacy notice and contextual notices where data is collected.
  • We defined retention rules and deletion triggers for key datasets.
  • We have processor/vendor contracts with security and incident obligations.
  • We apply privacy by design/default in product and system changes (secure defaults, minimization).
  • We run an incident playbook with a “high risk” assessment and notification decision path.
  • We can handle access/correction/deletion/portability requests with an auditable workflow.
  • We restrict access via least privilege and keep logs for sensitive processing.
  • We periodically review and update our records (quarterly or after major changes).
Quick win: Create a one-page “processing register lite” for SMEs: system → purpose → data → recipient → retention → owner. It catches 80% of gaps quickly.

FAQ

What does DSG stand for in Switzerland?
DSG is the German abbreviation for Switzerland’s data protection law (Datenschutzgesetz), commonly referred to in English as the Federal Act on Data Protection (FADP).
When did the revised DSG come into force?
The fully revised Swiss Data Protection Act has applied since 1 September 2023 (together with implementing ordinances).
Do SMEs need a full DSG program?
SMEs should build a proportional program: inventory + transparency + security + vendor controls + request handling. You can keep documentation lightweight, but the operational controls still need to exist.
Is DSG the same as GDPR?
They are similar in many principles (transparency, rights, security), but they differ in details—especially how breach notification thresholds and sanctions are structured.

About the author

Leutrim Miftaraj

Leutrim Miftaraj — Founder, Innopulse.io

Leutrim is an IT project leader and innovation management professional (BSc/MSc) focused on governance, secure delivery, and compliance-friendly execution for organizations in Switzerland.

Data Protection (DSG) Governance Security-by-design Swiss compliance focus

Reviewed by: Innopulse Editorial Team (Quality & Compliance) • Review date: February 22, 2026

This content is for informational purposes and does not constitute legal advice. For case-specific guidance, consult qualified counsel.

Sources & further reading

Use authoritative sources and keep them updated. Replace or extend this list based on your industry and risk profile.

  1. FDPIC / EDÖB — Swiss Federal Data Protection and Information Commissioner
  2. SECO SME Portal — New Federal Act on Data Protection (overview)
  3. Fedlex — Ordinance on Data Protection (DPO)
  4. ISO/IEC 27001 — Information Security Management
  5. NIST Cybersecurity Framework

Last updated: February 22, 2026 • Version: 1.0

Want help building DSG compliance that actually works?

Innopulse supports organizations with practical data protection programs—data mapping, governance, security controls, vendor management, and implementation planning—so compliance becomes operational and auditable.

Book a consultation Back to Data Protection & Compliance pillar Business & IT Consulting

Driving innovation.

Quick Links

Get in touch

Newsletter

© 2026 Innopulse Consulting. All Rights Reserved.

Imprint | Privacy PolicyTerm of Use Cookies