
GDPR and Swiss nDSG: What Your Website Must Comply With

Data protection law is not optional for websites. Whether you operate under the EU's General Data Protection Regulation (GDPR), Switzerland's revised Federal Act on Data Protection (nDSG/LPD), or both, your website has specific legal obligations. Ignoring them does not just risk fines. It damages trust with your customers and can lead to complaints that regulators take seriously.

This guide covers the practical, technical steps you need to take to bring your website into compliance. No legal jargon walls, no scare tactics. Just clear explanations of what the law requires and how to implement it.

Who Needs to Comply?

Short answer: almost every business with a website.

GDPR Applies If:

  • Your business is established in the EU/EEA
  • You offer goods or services to people in the EU (even if your business is in Switzerland)
  • You monitor the behavior of people in the EU (analytics, tracking, profiling)

Swiss nDSG/LPD Applies If:

  • You process personal data of individuals in Switzerland
  • Your data processing has effects in Switzerland, even if your business is abroad

For most Swiss businesses, both laws apply simultaneously. A company in Lugano selling to customers in Italy and Germany must comply with both the nDSG and the GDPR. The good news: if you comply with the stricter of the two requirements for each area, you cover both.

Cookie Consent Requirements

Cookies are where most websites first run into compliance trouble. The rules differ between the EU and Switzerland, and getting them wrong is one of the most visible violations.

EU/GDPR Cookie Rules

Under the ePrivacy Directive (which works alongside GDPR), the rule is clear: you need prior consent before setting non-essential cookies.

What this means in practice:

  • Strictly necessary cookies (session cookies, shopping cart, authentication) can be set without consent
  • Analytics cookies (Google Analytics, Matomo with cookies) require consent
  • Marketing/advertising cookies (Google Ads, Facebook Pixel, retargeting) require consent
  • Preference cookies (language selection, theme choice stored in cookies) require consent

What Valid Consent Looks Like

Valid cookie consent must be:

  1. Freely given: The user must have a genuine choice. Pre-ticked boxes, "accept all" being more prominent than "reject all," or cookie walls that block content are problematic.
  2. Specific: Users must be able to consent to different categories separately (analytics vs. marketing).
  3. Informed: The banner must explain what cookies are used for, not just say "we use cookies."
  4. Unambiguous: Consent requires a clear affirmative action. Scrolling or continuing to browse is not consent.
  5. Revocable: Users must be able to withdraw consent as easily as they gave it.

Swiss nDSG Cookie Rules

Swiss law takes a slightly different approach. The nDSG does not have a cookie-specific provision like the EU's ePrivacy Directive. Instead, it focuses on the broader principles of data processing:

  • Users must be informed about data collection (transparency principle)
  • Data processing must have a lawful basis (consent, contract, legitimate interest, or legal obligation)
  • The principle of proportionality applies: you should only collect what you genuinely need

In practice, many Swiss data protection experts recommend implementing EU-style cookie consent anyway. If your website is accessible from the EU (which it is, unless you actively geo-block), you are likely subject to GDPR requirements regardless.

Cookie Banner Implementation

A compliant cookie banner should:

  • Load before any non-essential cookies are set
  • Block third-party scripts (Google Analytics, Facebook Pixel, etc.) until consent is given
  • Offer granular choices (not just "accept all" or "reject all")
  • Make rejecting non-essential cookies as easy as accepting them
  • Store the user's consent choice (itself a strictly necessary cookie)
  • Provide a way to change preferences later (usually a link in the footer)
  • Record consent for audit purposes (timestamp, what was consented to, IP address)

Popular consent management platforms (CMPs) like Cookiebot, Usercentrics, or open-source solutions like Klaro can handle much of this. But they need proper configuration. An improperly configured CMP is worse than no CMP at all because it gives a false sense of compliance.
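As an added example (not code from this post or from any of the CMPs named above), here is the gating logic such a banner relies on, written as plain JavaScript with no DOM dependency so it can be read and tested on its own. The script manifest, the cookie name, the policy version and the 12-month consent lifetime are assumptions. In a browser the manifest would be built from `<script type="text/plain" data-consent-category="...">` tags, which are only re-inserted with an executable type once `scriptsToActivate` allows them.

```javascript
// Added example: consent-gating logic behind a cookie banner. Not from the
// original post; the manifest, cookie name and lifetimes are constructed assumptions.

const CATEGORIES = ["necessary", "preferences", "analytics", "marketing"];
const POLICY_VERSION = "2025-01";                 // assumed; bump whenever the cookie policy text changes
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000; // assumed 12-month lifetime, then ask again
const COOKIE_NAME = "cookie_consent";             // the one strictly necessary cookie the banner sets

// Constructed manifest. In a browser these entries come from
// <script type="text/plain" data-consent-category="analytics" src="..."> tags;
// a tag runs only when it is re-inserted with type="text/javascript".
const SCRIPT_MANIFEST = [
  { src: "/js/cart.js", category: "necessary" },
  { src: "/js/theme-switcher.js", category: "preferences" },
  { src: "https://analytics.example/matomo.js", category: "analytics" },
  { src: "https://connect.facebook.net/en_US/fbevents.js", category: "marketing" },
];

// Build a consent decision. Anything not explicitly `true` is treated as denied,
// so a missing, pre-ticked or truthy-but-not-boolean value never grants consent.
function createConsent(choices, now) {
  const granted = { necessary: true };
  for (const category of CATEGORIES) {
    if (category !== "necessary") granted[category] = choices[category] === true;
  }
  return { granted, policyVersion: POLICY_VERSION, timestamp: now.toISOString() };
}

// "Reject all" and "accept all" are the same single call: equal effort for the user.
function rejectAll(now) { return createConsent({}, now); }
function acceptAll(now) {
  return createConsent(Object.fromEntries(CATEGORIES.map((c) => [c, true])), now);
}
// Withdrawal is just a new, all-denied decision recorded at withdrawal time.
function withdrawConsent(now) { return rejectAll(now); }

// A stored decision is valid only for the policy version it was given for and
// for a bounded time; otherwise the banner has to ask again.
function isValid(consent, now) {
  if (!consent || consent.policyVersion !== POLICY_VERSION) return false;
  return now.getTime() - Date.parse(consent.timestamp) < CONSENT_TTL_MS;
}

// Default-deny: with no valid decision, only strictly necessary scripts run.
function scriptsToActivate(manifest, consent, now) {
  if (!isValid(consent, now)) return manifest.filter((s) => s.category === "necessary");
  return manifest.filter((s) => consent.granted[s.category] === true);
}

// Zero the last octet so the audit record holds a prefix, not a full address
// (IPv4 only in this example; anything else is recorded as unknown).
function anonymiseIp(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return "unknown";
  return [...parts.slice(0, 3), "0"].join(".");
}

// Server-side audit entry: what was consented to, when, under which policy
// version, and an anonymised address.
function auditRecord(consent, ip) {
  return { ...consent, ipPrefix: anonymiseIp(ip) };
}

// Cookie the browser keeps so the choice survives page loads. Only the decision
// goes into the cookie; the audit record stays on the server.
function consentCookie(consent) {
  const value = Buffer.from(JSON.stringify(consent)).toString("base64url");
  return `${COOKIE_NAME}=${value}; Max-Age=${CONSENT_TTL_MS / 1000}; Path=/; SameSite=Lax; Secure`;
}

function readConsentCookie(cookieHeader) {
  const match = String(cookieHeader).match(new RegExp(`(?:^|;\\s*)${COOKIE_NAME}=([^;]+)`));
  if (!match) return null;
  try { return JSON.parse(Buffer.from(match[1], "base64url").toString("utf8")); } catch { return null; }
}
```

The two properties worth checking in any CMP configuration are visible here: before a decision exists, `scriptsToActivate` returns only the necessary scripts, and a decision that is older than the configured lifetime or was given under an earlier policy version is treated as no decision at all.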

Privacy Policy Essentials

Every website needs a privacy policy. Under both GDPR and nDSG, you must inform users about how their data is processed. The privacy policy must be easily accessible (typically linked from every page via the footer).

Required Information (GDPR Art. 13/14)

  • Identity and contact details of the data controller
  • Contact details of the Data Protection Officer (if applicable)
  • Purposes of processing and legal basis for each
  • Legitimate interests pursued (if applicable)
  • Recipients or categories of recipients
  • Transfers to third countries and safeguards
  • Retention periods for each category of data
  • Data subject rights (access, rectification, erasure, restriction, portability, objection)
  • Right to withdraw consent
  • Right to lodge a complaint with a supervisory authority
  • Whether providing data is a statutory/contractual requirement
  • Automated decision-making and profiling information

Required Information (Swiss nDSG Art. 19)

  • Identity and contact details of the data controller
  • Processing purpose
  • Recipients or categories of recipients
  • If data is transferred abroad: the country and applicable safeguards

The nDSG requirements are less detailed than GDPR, but best practice is to include all GDPR-required information even in a Swiss-only context. It builds trust and protects you if your reach expands.

Common Privacy Policy Mistakes

  • Copy-pasting a generic template without customizing it to your actual data practices
  • Listing services you do not actually use (or omitting ones you do)
  • Vague language like "we may share data with partners" without identifying who
  • Missing retention periods (saying "as long as necessary" is not specific enough for GDPR)
  • Not updating the policy when you add new services or tools
  • Making the policy hard to find or only accessible in one language when your audience is multilingual

Data Processing Agreements

When you use third-party services that process personal data on your behalf, you need a Data Processing Agreement (DPA) with each provider. Under GDPR Art. 28, this is mandatory. The nDSG has similar requirements under Art. 9.

Common Services Requiring DPAs

  • Web hosting providers
  • Email marketing platforms (Mailchimp, Sendinblue, etc.)
  • CRM systems (HubSpot, Salesforce, etc.)
  • Analytics tools (Google Analytics, Hotjar, etc.)
  • Payment processors
  • Customer support tools (Zendesk, Intercom, etc.)
  • Cloud storage services (AWS, Google Cloud, Azure)

Most major providers offer standard DPAs that you can accept online. The key is to actually execute them and keep them on file. During an audit, regulators will ask for these documents.

Third-Party Services: The Hidden Compliance Problem

Every third-party service your website loads is a potential compliance issue. Many website owners do not realize how much data their site shares with external parties.

Google Analytics

Google Analytics is the most discussed third-party service in data protection circles. The situation:

  • GA4 still transfers data to Google servers (though Google claims data stays in the EU/EEA for EU users)
  • Several EU data protection authorities have ruled specific GA implementations non-compliant
  • Google offers a server-side tagging option that gives more control
  • Consent is required before loading GA scripts

Alternatives to consider:

  • Matomo (self-hosted): Open source, data stays on your server, can be configured to work without cookies (no consent needed for basic analytics)
  • Plausible: Lightweight, privacy-focused, no cookies, EU-hosted
  • Fathom: Similar to Plausible, privacy-first approach

Google Fonts

Loading fonts from Google's CDN (fonts.googleapis.com) transmits the user's IP address to Google. A German court ruled this a GDPR violation in January 2022, and similar cases have followed.

The fix is simple: self-host your fonts. Download the font files and serve them from your own domain. This is also better for performance.

External CDNs and JavaScript Libraries

Loading jQuery from cdnjs.cloudflare.com, Bootstrap from maxcdn.bootstrapcdn.com, or any library from a third-party CDN sends the user's IP address to that CDN provider. Self-host these files when possible.
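A quick way to find out what your pages actually pull from elsewhere is to scan the markup for resource references that resolve to a host other than your own. The scanner below is an added example, not code from this post; the host notes and the sample page are constructed, and the site is assumed to live at `https://www.example.ch`. It flags the Google Fonts, CDN and embed hosts discussed above and reports any other external host for a DPA and consent check.

```javascript
// Added example: scan page markup for resources fetched from third-party hosts.
// Not from the original post; host notes and sample HTML are constructed.

// Hosts the post discusses, with the remedy it recommends for each.
const KNOWN_HOSTS = {
  "fonts.googleapis.com": "Google Fonts stylesheet: sends visitor IP to Google; self-host the fonts",
  "fonts.gstatic.com": "Google Fonts files: self-host the fonts",
  "cdnjs.cloudflare.com": "Third-party CDN: self-host the library",
  "maxcdn.bootstrapcdn.com": "Third-party CDN: self-host the library",
  "www.googletagmanager.com": "Google tag / Analytics: must not load before consent",
  "www.youtube.com": "YouTube embed: use youtube-nocookie.com behind a two-click placeholder",
  "connect.facebook.net": "Facebook Pixel: marketing cookie, must not load before consent",
};

// Matches script/link/img/iframe tags and captures the src or href value.
const RESOURCE_TAG = /<(script|link|img|iframe)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["'][^>]*>/gi;

function findThirdPartyResources(html, ownOrigin) {
  const ownHost = new URL(ownOrigin).host;
  const findings = [];
  for (const match of html.matchAll(RESOURCE_TAG)) {
    const [, tag, ref] = match;
    let url;
    try { url = new URL(ref, ownOrigin); } catch { continue; }          // unparsable reference
    if (url.protocol !== "http:" && url.protocol !== "https:") continue; // data:, mailto:, ...
    if (url.host === ownHost) continue;                                  // first-party, nothing leaves the site
    findings.push({
      tag: tag.toLowerCase(),
      host: url.host,
      url: url.href,
      note: KNOWN_HOSTS[url.host] || "External host: confirm a DPA exists and whether loading can wait for consent",
    });
  }
  return findings;
}

// Distinct external hosts, sorted, for the "external CDN dependencies" checklist item.
function externalHosts(findings) {
  return [...new Set(findings.map((f) => f.host))].sort();
}

// Constructed sample page for a site assumed to live at https://www.example.ch
const SAMPLE_HTML = `
<!doctype html>
<html><head>
  <link rel="preconnect" href="https://fonts.gstatic.com">
  <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
  <link rel="stylesheet" href="/css/site.css">
  <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
  <script src="/js/app.js"></script>
</head><body>
  <img src="data:image/png;base64,iVBORw0KGgo=" alt="">
  <img src="//www.example.ch/img/logo.png" alt="logo">
  <iframe src="https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER"></iframe>
</body></html>`;
```

Run it against the rendered HTML of each page template, not just the source, since tag managers and plugins often inject their own references. A preconnect hint to a third-party host counts as a finding too: the browser opens the connection before any consent decision.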

Embedded Content

YouTube videos, Google Maps, social media widgets, and similar embedded content load external resources and set cookies. Solutions:

  • Use two-click solutions (show a placeholder, load the actual embed only after the user clicks)
  • YouTube: use youtube-nocookie.com embed URLs
  • Google Maps: consider using static map images with a link to the full map
  • Social media: use simple links instead of embedded widgets
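The two-click approach for YouTube, as an added example that is not code from this post. It normalises whatever YouTube URL an editor pastes into the `youtube-nocookie.com` embed form, renders a placeholder that makes no request to Google, and swaps in the iframe only on the user's click. The class names, button text and placeholder wording are constructed; the browser-side handler at the end is included for completeness and is not exercised outside a browser.

```javascript
// Added example: two-click loading for YouTube embeds. Not from the original
// post; class names, button text and placeholder markup are constructed.

// Turn any pasted YouTube video URL into the privacy-enhanced embed URL the
// post recommends. Rejects anything that is not a YouTube video.
function toPrivacyEnhancedEmbed(videoUrl) {
  const url = new URL(videoUrl);
  const host = url.hostname.replace(/^www\./, "");
  let id = null;
  if (host === "youtu.be") {
    id = url.pathname.slice(1);
  } else if (host === "youtube.com" || host === "youtube-nocookie.com") {
    if (url.pathname.startsWith("/embed/")) id = url.pathname.split("/")[2];
    else if (url.pathname === "/watch") id = url.searchParams.get("v");
  }
  // YouTube video IDs are 11 URL-safe characters; enforcing that also keeps the
  // output free of anything that could break out of the attribute it lands in.
  if (!id || !/^[A-Za-z0-9_-]{11}$/.test(id)) {
    throw new Error("not a YouTube video URL: " + videoUrl);
  }
  return "https://www.youtube-nocookie.com/embed/" + id;
}

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// First click target: no iframe, no request to Google, just a notice and a button.
function placeholderMarkup(videoUrl, title) {
  const embedSrc = toPrivacyEnhancedEmbed(videoUrl);
  return (
    `<div class="embed-placeholder" data-embed-src="${escapeHtml(embedSrc)}">` +
    `<p class="embed-title">${escapeHtml(title)}</p>` +
    `<p>Playing this video loads content from YouTube (Google). ` +
    `Your IP address is sent to Google only after you click.</p>` +
    `<button type="button" class="embed-activate">Load video</button></div>`
  );
}

// What the placeholder becomes after the click.
function iframeMarkup(embedSrc, title) {
  return (
    `<iframe src="${escapeHtml(embedSrc)}" title="${escapeHtml(title)}" ` +
    `width="560" height="315" allowfullscreen loading="lazy" ` +
    `referrerpolicy="strict-origin-when-cross-origin"></iframe>`
  );
}

// Browser side (not exercised here): one delegated listener serves every placeholder.
function installTwoClickHandler(rootElement) {
  rootElement.addEventListener("click", (event) => {
    const button = event.target.closest(".embed-activate");
    if (!button) return;
    const box = button.closest(".embed-placeholder");
    const title = box.querySelector(".embed-title").textContent;
    box.outerHTML = iframeMarkup(box.dataset.embedSrc, title);
  });
}
```

Rendering the placeholder server-side means the page passes a network audit with zero requests to Google before interaction, which is the check a regulator or a privacy scanner actually performs.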

Contact Forms and Data Collection

Every form on your website collects personal data. Here is what compliance requires:

Minimum Requirements

  • Collect only the data you actually need (data minimization). If you do not need a phone number, do not ask for it.
  • Link to your privacy policy near the form
  • If you plan to use the data for marketing (newsletter, follow-up emails), get separate, explicit consent via an unchecked checkbox
  • Use HTTPS for form submission (this should go without saying in 2025)
  • Implement spam protection that does not compromise privacy (prefer honeypot fields or server-side validation over Google reCAPTCHA, which sets tracking cookies)

Data Storage and Retention

  • Store form submissions securely (encrypted at rest, access-controlled)
  • Define a retention period (e.g., "contact form submissions are deleted after 12 months if no business relationship is established")
  • Have a process for data deletion requests
  • Do not store data in more places than necessary (form plugin database, email inbox, CRM, spreadsheet... pick one primary system)
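Putting the two lists above together, here is server-side handling of a contact form as an added example (not code from this post): a honeypot field and a minimum fill time instead of a tracking CAPTCHA, a field allowlist that drops anything you did not ask for, a separate opt-in for marketing that only an explicit checkbox value can grant, and a deletion date stamped on every record so the 12-month retention rule can be enforced by a scheduled job. The field names, the honeypot name, the timing threshold and the consent text are constructed assumptions; `renderedAt` would come from a signed timestamp field in a real form.

```javascript
// Added example: server-side handling of a contact-form submission. Not from
// the original post; field names, honeypot name, timing threshold and the
// retention period are constructed assumptions.

const ALLOWED_FIELDS = ["name", "email", "message"]; // no phone field: we do not need it
const HONEYPOT_FIELD = "website";   // hidden via CSS; humans leave it empty, bots fill it in
const MIN_FILL_MS = 3 * 1000;       // submissions faster than this are treated as automated
const RETENTION_DAYS = 365;         // "deleted after 12 months if no business relationship"
const NEWSLETTER_CONSENT_TEXT = "Yes, send me the newsletter. I can unsubscribe at any time.";

// body: parsed form fields (strings). meta: { renderedAt, now } as Date objects.
function processSubmission(body, meta) {
  // Spam checks that need no third-party service and set no cookies.
  if (typeof body[HONEYPOT_FIELD] === "string" && body[HONEYPOT_FIELD].trim() !== "") {
    return { accepted: false, reason: "honeypot_filled" };
  }
  if (meta.now.getTime() - meta.renderedAt.getTime() < MIN_FILL_MS) {
    return { accepted: false, reason: "submitted_too_fast" };
  }

  // Data minimisation: copy only the fields we asked for and report the rest,
  // so an over-eager form plugin cannot quietly widen what gets stored.
  const record = {};
  for (const field of ALLOWED_FIELDS) {
    if (typeof body[field] === "string") record[field] = body[field].trim();
  }
  const ignoredFields = Object.keys(body).filter(
    (k) => !ALLOWED_FIELDS.includes(k) && k !== HONEYPOT_FIELD && k !== "newsletter"
  );

  if (!record.email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(record.email)) {
    return { accepted: false, reason: "invalid_email" };
  }
  if (!record.message) return { accepted: false, reason: "empty_message" };

  // Marketing consent is separate and opt-in: only the explicit checkbox value
  // counts, and we store what the user agreed to and when, for later proof.
  record.marketingConsent = body.newsletter === "yes"
    ? { granted: true, at: meta.now.toISOString(), text: NEWSLETTER_CONSENT_TEXT }
    : null;

  // Retention: every record carries its own deletion date from day one.
  record.receivedAt = meta.now.toISOString();
  record.deleteAfter = new Date(meta.now.getTime() + RETENTION_DAYS * 86400000).toISOString();
  record.businessRelationship = false; // set to true if the contact becomes a customer

  return { accepted: true, record, ignoredFields };
}

// Run from a scheduled job: keep records still within retention or belonging
// to an established business relationship; everything else is deleted.
function purgeExpired(records, now) {
  return records.filter(
    (r) => r.businessRelationship || Date.parse(r.deleteAfter) > now.getTime()
  );
}
```

The `ignoredFields` list is useful in logs: if it is ever non-empty in production, something in the front end is sending data the back end was not designed to hold, which is exactly the "more places than necessary" problem above in miniature.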

Data Subject Rights

Both GDPR and nDSG give individuals rights over their personal data. Your website and business processes must be able to handle these requests.

Key Rights

| Right | GDPR | nDSG | What It Means |
| --- | --- | --- | --- |
| Access | Art. 15 | Art. 25 | Individuals can request a copy of all data you hold about them |
| Rectification | Art. 16 | Art. 32 | Individuals can request correction of inaccurate data |
| Erasure | Art. 17 | Art. 32 | Individuals can request deletion of their data (with exceptions) |
| Restriction | Art. 18 | - | Individuals can request that processing be restricted |
| Portability | Art. 20 | Art. 28 | Individuals can request their data in a machine-readable format |
| Objection | Art. 21 | - | Individuals can object to processing based on legitimate interest |

Practical Implementation

  1. Designate a person or team to handle data subject requests
  2. Publish a contact method for privacy inquiries (email, form, or postal address)
  3. Respond within 30 days under both GDPR and nDSG
  4. Verify the identity of the requester before disclosing data
  5. Have processes in place to search for and export/delete data across all systems
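The five steps above as a small request tracker, added here as an example (not code from this post). Each request gets a due date 30 days from receipt, nothing is disclosed or deleted until identity has been verified, and fulfilment fans out over every registered system. The systems, their contents and the legal-hold reason on the invoicing system are constructed stand-ins; that system illustrates the "with exceptions" note on erasure by exporting data but refusing to delete it.

```javascript
// Added example: a minimal tracker for data subject requests. Not from the
// original post; the systems, their rows and the legal-hold reason are constructed.

const RESPONSE_DAYS = 30; // response window stated above

// A "system" is anything holding personal data keyed by the subject's email.
// A system under legal hold exports data but refuses erasure.
function createSystem(name, rows, legalHold = null) {
  return { name, rows: new Map(Object.entries(rows)), legalHold };
}

const SYSTEMS = [
  createSystem("contact-form-db", { "anna@example.ch": { message: "Hello", receivedAt: "2025-02-01" } }),
  createSystem("crm", { "anna@example.ch": { name: "Anna", segment: "lead" } }),
  createSystem("invoicing", { "anna@example.ch": { invoices: ["INV-0001"] } },
    "invoices are kept for the statutory bookkeeping period"),
];

let nextId = 1;
function openRequest(type, subjectEmail, receivedAt) {
  if (!["access", "erasure"].includes(type)) throw new Error("unsupported request type: " + type);
  return {
    id: nextId++,
    type,
    subjectEmail,
    receivedAt: receivedAt.toISOString(),
    dueAt: new Date(receivedAt.getTime() + RESPONSE_DAYS * 86400000).toISOString(),
    identityVerified: false,
    status: "open",
  };
}

// Step 4: record how and when identity was checked. The check itself (for
// instance a confirmation link sent to the address on file) is outside this example.
function markIdentityVerified(request, method, at) {
  request.identityVerified = true;
  request.verification = { method, at: at.toISOString() };
  return request;
}

function isOverdue(request, now) {
  return request.status === "open" && now.getTime() > Date.parse(request.dueAt);
}

// Step 5: fan out across every registered system and report per system what
// was found, exported, erased or retained (and why).
function fulfil(request, systems, now) {
  if (!request.identityVerified) throw new Error("identity not verified for request " + request.id);
  const result = { requestId: request.id, type: request.type, systems: {} };
  for (const system of systems) {
    const data = system.rows.get(request.subjectEmail);
    if (data === undefined) {
      result.systems[system.name] = { found: false };
    } else if (request.type === "access") {
      result.systems[system.name] = { found: true, data };
    } else if (system.legalHold) {
      result.systems[system.name] = { found: true, erased: false, retainedBecause: system.legalHold };
    } else {
      system.rows.delete(request.subjectEmail);
      result.systems[system.name] = { found: true, erased: true };
    }
  }
  request.status = "fulfilled";
  request.fulfilledAt = now.toISOString();
  return result;
}
```

The per-system result is what you send back to the requester and keep on file: it shows which systems were searched, which held data, and the reason any data was retained, which is the documentation a supervisory authority asks for when a complaint follows.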

Penalties and Enforcement

GDPR Penalties

GDPR fines can reach up to 20 million EUR or 4% of global annual turnover, whichever is higher. In practice, fines for website violations (cookie consent, analytics, insufficient privacy policy) typically range from a few thousand to several hundred thousand euros for SMEs.

Notable website-related fines include:

  • Amazon: 746 million EUR (Luxembourg, 2021) for behavioral advertising without proper consent
  • Google: 150 million EUR (France, 2022) for making cookie rejection harder than acceptance
  • Criteo: 40 million EUR (France, 2023) for tracking without valid consent
  • Numerous smaller fines (1,000-100,000 EUR range) for Google Analytics usage, Google Fonts loading, and insufficient cookie consent

Swiss nDSG Penalties

The nDSG takes a different approach: fines target individuals (responsible persons within the organization), not the company itself. Maximum fine: CHF 250,000. This is deliberate. The idea is that personal liability motivates compliance more effectively than corporate fines.

Criminal prosecution is handled by cantonal authorities. The Federal Data Protection and Information Commissioner (FDPIC) can investigate, issue recommendations, and refer cases for prosecution.

Swiss vs. EU: Key Differences

| Aspect | GDPR | Swiss nDSG |
| --- | --- | --- |
| Scope | Any data relating to an identified or identifiable natural person | Same; the revision removed the former protection of legal-entity data, so only natural persons are covered |
| Legal basis for processing | 6 legal bases (consent, contract, legal obligation, vital interests, public task, legitimate interest) | No explicit list; processing is lawful unless it violates personality rights |
| DPO requirement | Mandatory for certain organizations | Optional (but recommended) |
| Data breach notification | 72 hours to supervisory authority | "As soon as possible" to FDPIC |
| DPIA | Required for high-risk processing | Required (called "data protection impact assessment") |
| Fines | Up to 20M EUR / 4% of turnover (against company) | Up to CHF 250,000 (against individuals) |
| Representative requirement | Non-EU controllers need an EU representative | Non-Swiss controllers may need a Swiss representative |

Practical Compliance Checklist

Use this checklist to evaluate your website's compliance status. Each item should be verified and documented.

Cookie Consent

  • Cookie banner loads before non-essential cookies are set
  • Non-essential scripts are blocked until consent is given
  • Users can reject non-essential cookies with one click
  • Consent choices are granular (analytics, marketing, preferences)
  • Users can change their preferences at any time
  • Consent is recorded with timestamp for audit purposes
  • No pre-ticked boxes or dark patterns

Privacy Policy

  • Accessible from every page (footer link)
  • Available in all languages your website offers
  • Lists all third-party services with their purposes
  • Includes specific retention periods
  • Explains data subject rights and how to exercise them
  • Identifies the data controller with contact information
  • Updated whenever services change

Third-Party Services

  • DPAs in place for all data processors
  • Google Fonts self-hosted (not loaded from Google CDN)
  • Analytics configured with consent requirement or replaced with privacy-friendly alternative
  • Embedded content (YouTube, Maps) uses two-click solution or privacy-enhanced mode
  • External CDN dependencies minimized

Forms and Data Collection

  • Only necessary fields collected (data minimization)
  • Privacy policy linked near each form
  • Marketing consent collected separately (unchecked checkbox)
  • Form submissions transmitted over HTTPS
  • Spam protection implemented without tracking (prefer honeypot over reCAPTCHA)
  • Data retention periods defined and enforced

Technical Measures

  • HTTPS enforced on all pages
  • Security headers configured (see our security audit checklist)
  • Access to personal data restricted and logged
  • Backups encrypted
  • Incident response plan in place for data breaches

Next Steps

Website compliance is not a one-time project. It requires ongoing attention as you add new features, integrate new services, and as regulations evolve. Start with the checklist above, address the most critical gaps first, and build compliance into your development process.

If you need help evaluating your website's compliance status or implementing the technical measures described here, get in touch with our team. We work with businesses across Switzerland to bring their web presence in line with both GDPR and nDSG requirements.
