ZUG BUSINESS
The Vanderbilt Terminal for Zug Business Intelligence
INDEPENDENT INTELLIGENCE FOR SWISS COMPANY FORMATION AND OPERATIONS
AG Min Capital CHF 100K| GmbH Min Capital CHF 20K| Zug Corp Tax 11.9%| Formation Time 5–10 days| Work Permit (EU) Free movement| CV Labs Desk CHF 500/mo

Swiss Data Protection Law (nDSG): The 2023 Overhaul and What It Means for Businesses in Zug

On 1 September 2023, Switzerland's completely revised Federal Act on Data Protection (nDSG) entered into force, replacing the 1992 original. The new law aligns Swiss data protection with GDPR standards while keeping distinctly Swiss features, including criminal fines imposed on the individuals responsible for a violation rather than on the company. Every company operating in Zug must understand its requirements.

The complete revision of Switzerland’s Federal Act on Data Protection — the neue Datenschutzgesetz (nDSG), or in French the nouvelle Loi fédérale sur la protection des données (nLPD) — entered into force on 1 September 2023. It replaced the original 1992 Federal Data Protection Act (aDSG), a law that predated the commercial internet, the smartphone, cloud computing, blockchain technology, and the entire data economy.

The new law is not a minor update. It is a comprehensive modernisation that brings Swiss data protection law into alignment with the EU’s General Data Protection Regulation (GDPR), ensuring the continuation of Switzerland’s adequacy status under EU law and creating a regulatory framework fit for the data-intensive operations of Crypto Valley companies.

For businesses operating in Zug — where data processing is integral to blockchain operations, fintech services, and technology development — the nDSG creates both compliance obligations and competitive opportunities. Understanding its requirements is not optional.

Why the Revision Matters: EU Adequacy and Market Access

Switzerland’s adequacy status under EU data protection law is the essential prerequisite for frictionless data flows between Switzerland and the EU/EEA. Without adequacy, every transfer of personal data from the EU to Switzerland would require specific safeguards — Standard Contractual Clauses, Binding Corporate Rules, or other mechanisms — creating significant administrative burden for Swiss companies serving EU clients.

The European Commission’s adequacy decision for Switzerland was based on the original 1992 Act. As the GDPR raised the EU’s data protection standards in 2018, the adequacy of the 1992 Swiss law came under increasing scrutiny. The revision of the DSG was therefore not merely a domestic policy choice — it was a strategic necessity to preserve Switzerland’s position as a trusted data processing jurisdiction.

In its January 2024 review of the existing adequacy decisions, the European Commission examined Switzerland's framework in light of the nDSG and confirmed that the adequacy decision continues to apply, validating the new law's alignment with GDPR standards.

Scope and Application

Material Scope (Art. 2 nDSG)

The nDSG applies to the processing of personal data of natural persons by private persons (including companies) and federal bodies. Key scoping provisions:

  • Personal data is defined as all information relating to an identified or identifiable natural person (Art. 5 lit. a nDSG). This includes names, addresses, email addresses, IP addresses, device identifiers, and — critically for blockchain companies — wallet addresses to the extent they can be linked to an identified individual.

  • Sensitive personal data (Art. 5 lit. c nDSG) includes data on religious, philosophical, political, or trade union views; data on health, the intimate sphere, or racial or ethnic origin; genetic data and biometric data that uniquely identifies a person; data on administrative or criminal proceedings and sanctions; and data on social assistance measures. This category receives heightened protection under the nDSG: where consent is relied on it must be explicit (Art. 6 para. 7), and disclosing sensitive data to third parties is in itself a personality violation unless justified (Art. 30 para. 2 lit. c).

  • The nDSG does not apply to data processing by natural persons exclusively for personal use, or to data processing by the Federal Assembly and parliamentary committees in the context of deliberations.

  • Legal persons are no longer covered by the nDSG. The 1992 Act unusually extended data protection to legal persons — the revised law follows the GDPR model and protects only natural persons.

Territorial Scope (Art. 3 nDSG)

The nDSG applies to circumstances that produce effects in Switzerland, even if they are initiated abroad. This extraterritorial reach means that foreign companies processing personal data of individuals in Switzerland may be subject to the nDSG. Foreign controllers must designate a representative in Switzerland under certain conditions (Art. 14 nDSG).

Core Principles

The nDSG establishes data processing principles that are substantially aligned with GDPR principles (Art. 6 nDSG):

Lawfulness (Art. 6 para. 1)

Personal data must be processed lawfully. Unlike the GDPR, the nDSG does not require a specific legal basis (such as consent, contract performance, or legitimate interest) for every processing activity. Instead, Swiss data protection law operates on a permission principle: processing is lawful unless it violates the personality rights of the data subject (Art. 30-31 nDSG). Justification grounds include the data subject’s consent, an overriding private or public interest, or a legal basis.

This is a significant structural difference from the GDPR. Under the GDPR, processing is prohibited unless one of six enumerated legal bases applies. Under the nDSG, processing is permitted unless it violates the data subject’s personality rights — a more permissive baseline, though the practical difference is narrower than it appears.

Purpose Limitation (Art. 6 para. 3)

Personal data may only be collected for a specific purpose that is apparent to the data subject. Data must not be further processed in a manner incompatible with that purpose.

Proportionality (Art. 6 para. 2 and 4)

Data processing must be carried out in good faith and must be proportionate to its purpose (para. 2). Para. 4 makes the storage-limitation side of this explicit: personal data must be destroyed or anonymised as soon as it is no longer required for the purpose of processing. Together these provisions cover what the GDPR calls data minimisation and storage limitation.

Accuracy (Art. 6 para. 5)

The controller must ensure that personal data is accurate and take all reasonable measures to ensure that inaccurate data is corrected or deleted.

Data Security (Art. 8 nDSG)

The controller and the processor must ensure, through appropriate technical and organisational measures, a level of data security appropriate to the risk (Art. 8 para. 1). What is appropriate depends on the state of the art, the nature, scope and purposes of the processing, and the likelihood and severity of the risks to the data subjects, and the measures have to be revisited as those factors change. Art. 8 para. 3 empowers the Federal Council to set minimum requirements; failing to meet those minimums is what the criminal provision in Art. 61 lit. c punishes.

The implementing ordinance (Datenschutzverordnung, DSV) sets those minimums in Art. 1-6. It frames them as protection goals (confidentiality, availability, integrity and traceability) and names concrete measures such as access and storage controls, pseudonymisation and encryption. Art. 4 DSV additionally requires logging of automated processing where sensitive personal data is processed on a large scale or high-risk profiling is carried out: the log must record at least storage, modification, reading, disclosure, deletion and destruction, with the identity of the person, the nature, date and time of the operation, and it must be retained for at least one year, stored separately from the system that produced it, and accessible only to the bodies that check data protection compliance.

Key Obligations for Companies in Zug

Information Duty (Art. 19-21 nDSG)

The controller must inform data subjects when personal data is collected. The minimum information includes:

  • The identity and contact details of the controller
  • The purpose of processing
  • Recipients or categories of recipients to whom personal data is disclosed
  • If personal data is transferred abroad: the destination country and the safeguards ensuring an adequate level of data protection
  • If personal data is not collected directly from the data subject: the categories of personal data processed

This information duty applies regardless of whether the data is collected directly from the data subject or from third-party sources. The information must be provided in a precise, transparent, comprehensible, and easily accessible form.

For blockchain companies, this creates specific challenges: on-chain data processing, decentralised identity systems, and token-based interactions may involve personal data processing where the traditional privacy notice model is difficult to implement.

Record of Processing Activities (Art. 12 nDSG)

Controllers and processors must each maintain a record of their processing activities (Art. 12 para. 1 nDSG). Art. 12 para. 5 instructs the Federal Council to exempt companies whose processing involves low risk, which it has done in Art. 24 DSV: companies and other private-law organisations with fewer than 250 employees at the start of the year are exempt, unless they process sensitive personal data on a large scale or carry out high-risk profiling.

For most Zug-based tech companies with fewer than 250 employees, the record-keeping obligation therefore applies only if they process sensitive personal data on a large scale or conduct high-risk profiling. In practice, maintaining a processing record is advisable for all companies as a matter of good data governance, regardless of the formal threshold: it is also the starting point for the data mapping, DSFA and breach-response work described below.

Data Protection Impact Assessment (Art. 22 nDSG)

A Data Protection Impact Assessment (Datenschutz-Folgenabschätzung, DSFA) is required when processing is likely to result in a high risk to the personality or fundamental rights of data subjects. High-risk processing includes:

  • Large-scale processing of sensitive personal data
  • Systematic monitoring of large areas of public space
  • Profiling with a high risk to the personality of the data subject (hochrisiko-Profiling)

The DSFA must describe the planned processing, assess the risks to the personality or fundamental rights of the data subjects, and identify the measures to mitigate those risks (Art. 22 para. 3). If the DSFA shows that the processing would still result in a high risk despite the planned measures, the controller must obtain the opinion of the FDPIC (see below) before proceeding (Art. 23 para. 1). A private controller that has appointed a data protection advisor meeting the conditions of Art. 10 may forgo this consultation (Art. 23 para. 4).

Processor Obligations (Art. 9 nDSG)

When a controller engages a processor (Auftragsbearbeiter) to process personal data on its behalf, the processing must be governed by a contract or by law (Art. 9 para. 1 nDSG). Art. 9 itself sets three conditions:

  • The processor may process the data only in the way the controller itself would be permitted to (para. 1 lit. a)
  • No statutory or contractual duty of confidentiality may prohibit the outsourcing (para. 1 lit. b)
  • The controller must satisfy itself that the processor is able to guarantee data security (para. 2), and the processor may engage a sub-processor only with the controller's prior authorisation (para. 3)

Art. 9 does not spell out the contract contents the way GDPR Art. 28 does, but a compliant arrangement in practice looks like a GDPR-style Data Processing Agreement (DPA): processing only on documented instructions, defined security measures, sub-processor approval, assistance with data subject requests, and deletion or return of the data when the relationship ends. Companies outsourcing data processing, including cloud infrastructure, analytics, customer support, or development services, must have such DPAs in place; entrusting a processor with data without meeting the Art. 9 conditions is a criminal offence under Art. 61 lit. b.

Data Breach Notification (Art. 24 nDSG)

The controller must notify the FDPIC as quickly as possible of any data security breach (Verletzung der Datensicherheit) that is likely to result in a high risk to the personality or fundamental rights of the data subjects (Art. 24 para. 1). A breach in this sense is any breach of security that leads to personal data being lost, deleted, destroyed, altered, disclosed or made accessible to unauthorised persons, whether accidentally or unlawfully (Art. 5 lit. h). Under Art. 15 DSV the notification must state at a minimum:

  • The nature of the breach
  • Its consequences, including the risks for the data subjects
  • The measures taken or planned to mitigate the breach

and, as far as possible, the time and duration of the breach, the categories and approximate number of data subjects and of records affected, and a contact point. A processor must report breaches to the controller as quickly as possible (Art. 24 para. 3), so the DPA should say how and within what time.

The controller must also inform the affected data subjects where this is necessary for their protection or where the FDPIC requests it (Art. 24 para. 4). That information may be restricted, deferred or omitted on the grounds listed in Art. 24 para. 5 (for instance a statutory duty of secrecy, overriding third-party interests, or where informing individuals is impossible or would require disproportionate effort), and a public communication may be substituted where it protects the data subjects equally well.

There is no fixed notification deadline (unlike the GDPR's 72-hour window), but "as quickly as possible" is a strict standard; the 72-hour benchmark is widely used for planning purposes, and a notification delayed beyond what the facts justify will be hard to defend. A notification to the FDPIC may be used in criminal proceedings against the notifying person only with that person's consent (Art. 24 para. 6), which removes one disincentive to prompt reporting.

Cross-Border Data Transfers (Art. 16-17 nDSG)

Personal data may be disclosed abroad only if the Federal Council has determined that the legislation of the destination state, or the international body concerned, guarantees adequate protection (Art. 16 para. 1). The list of adequate states is Annex 1 DSV. It includes the EU/EEA member states, the United Kingdom, Canada, Israel, New Zealand, Argentina, Uruguay and a number of smaller European jurisdictions, and, since 15 September 2024, the United States for organisations certified under the Swiss-U.S. Data Privacy Framework. Check the current annex rather than a memorised list: the Federal Council amends it.

For transfers to countries without adequate protection, the controller must ensure appropriate safeguards (Art. 16 para. 2):

  • An international treaty
  • Data protection clauses in a contract between the parties, communicated to the FDPIC in advance
  • Specific guarantees drawn up by a competent federal body and communicated to the FDPIC in advance
  • Standard data protection clauses approved, issued or recognised by the FDPIC; the FDPIC has recognised the EU's 2021 Standard Contractual Clauses as such, subject to Swiss-specific amendments
  • Binding Corporate Rules approved in advance by the FDPIC or by a competent authority of an adequate state

Absent a safeguard, a transfer may still rely on one of the exceptions in Art. 17, notably the data subject's express consent in the individual case after being informed of the risks, performance of a contract with or in the interest of the data subject, an overriding public interest, the establishment or defence of legal claims, protection of life or physical integrity, or data the data subject has made generally accessible. These are exceptions for specific cases, not a routine transfer mechanism.

For blockchain companies operating globally, cross-border transfer rules affect cloud infrastructure choices, international development team coordination, and the geographic distribution of data processing activities.

The FDPIC: Enforcement Authority

The Federal Data Protection and Information Commissioner (Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter, EDÖB/FDPIC) is the supervisory authority for data protection under the nDSG. The FDPIC’s powers were significantly strengthened by the revision:

Investigation Powers (Art. 49-50 nDSG)

The FDPIC may open an investigation on its own initiative or upon notification. During an investigation, the FDPIC can:

  • Require the production of documents and information
  • Access business premises
  • Inspect data processing systems and data

Administrative Measures (Art. 51 nDSG)

Following an investigation, the FDPIC can issue administrative orders:

  • Ordering the controller to modify, suspend, or cease data processing
  • Ordering the deletion of personal data
  • Ordering the provision of information to data subjects
  • Ordering compliance with specific data protection requirements

No Administrative Fines

Unlike the GDPR, the nDSG does not allow the FDPIC to impose administrative fines. The penalty mechanism is criminal, not administrative: the FDPIC can file a complaint and exercise the rights of a party, but prosecution and sentencing lie with the cantonal criminal authorities (Art. 65 nDSG). This is a distinctly Swiss approach with significant implications for compliance officers and company directors.

Criminal Penalties: Personal Liability Up to CHF 250,000

The nDSG’s penalty regime is its most distinctive and — for many company directors — most alarming feature. Unlike the GDPR’s administrative fines (which are imposed on the organisation), the nDSG’s penalties are criminal sanctions imposed on the responsible natural person (Art. 60-66 nDSG).

Punishable Conduct

All of the following require wilful conduct (Vorsatz); negligent violations are not punishable. The offences in Art. 60-62 are prosecuted only upon complaint (Antragsdelikt), while non-compliance with an FDPIC order (Art. 63) is prosecuted ex officio.

  • Violation of the information, access and cooperation duties (Art. 60 nDSG): failing to provide the information required by Art. 19 and 21 or the access required by Art. 25-26, providing false or incomplete information to data subjects, or giving false information to the FDPIC or refusing to cooperate in an investigation. Fine up to CHF 250,000.

  • Violation of the duties of care (Art. 61 nDSG), which covers three things: disclosing personal data abroad without meeting the conditions of Art. 16-17 (lit. a); entrusting a processor with data without meeting the conditions of Art. 9 (lit. b); and failing to meet the minimum data security requirements issued by the Federal Council under Art. 8 para. 3, i.e. Art. 1-6 DSV (lit. c). Fine up to CHF 250,000.

  • Violation of professional secrecy (Art. 62 nDSG): wilful disclosure of secret personal data that came to the person's knowledge in the course of a profession that requires knowledge of such data, or while working for a person bound by such secrecy. Fine up to CHF 250,000.

  • Violation of FDPIC orders (Art. 63 nDSG): wilfully failing to comply with an FDPIC order, or with an appellate decision, issued with reference to the criminal sanction in this article. Fine up to CHF 250,000.

Note what is not on this list: failing to keep a processing record (Art. 12), to conduct a DSFA (Art. 22), or to notify a breach (Art. 24) is not itself a criminal offence, although the FDPIC can order remediation under Art. 51 and non-compliance with that order is.

Personal, Not Corporate

The critical distinction from the GDPR: these fines are imposed on natural persons, not on companies. Liability attaches to the individual who wilfully committed the violation, typically a managing director, board member or senior manager with the authority to decide how data is processed. Holding the title of data protection advisor (Datenschutzberater, Art. 10) does not by itself make someone liable; what matters is who made, or wilfully failed to make, the decision.

Art. 64 nDSG applies the rules of the Federal Act on Administrative Criminal Law to offences committed within a business: if identifying the responsible individual would require investigative effort disproportionate to the penalty, and the fine in question would not exceed CHF 50,000, the authorities may refrain from prosecuting individuals and fine the company instead. For anything above that level, the responsible individual has to be identified and prosecuted.

This personal liability creates a fundamentally different compliance dynamic than the GDPR. Under the GDPR, data protection failures are a corporate risk — potentially expensive, but borne by the organisation. Under the nDSG, data protection failures are a personal criminal risk for the individuals responsible — with consequences for criminal records, professional reputation, and personal finances.

Practical Implications

For Zug-based companies, the personal penalty regime means:

  1. Clear internal allocation of responsibility. Companies must clearly designate who is responsible for data protection compliance — and those individuals must have the authority, resources, and knowledge to fulfil that responsibility.

  2. D&O insurance review. Directors’ and officers’ insurance policies should be reviewed to confirm coverage for nDSG criminal proceedings and fines. Many standard D&O policies exclude criminal fines.

  3. Compliance programme investment. The personal criminal risk creates a strong incentive for responsible individuals to insist on adequate compliance programmes, data protection training, and external advisory support.

  4. Board-level attention. Data protection compliance is no longer a back-office function — it is a board-level risk that requires regular reporting and oversight.

Data Protection and Blockchain: Specific Challenges

The intersection of data protection law and blockchain technology creates unique compliance challenges that are particularly relevant for Zug-based companies.

On-Chain Personal Data

Blockchain transactions that include personal data — wallet addresses linked to identified individuals, transaction amounts, timestamps, smart contract interaction data — raise fundamental questions under the nDSG:

Controller identification. In a decentralised network, identifying the controller of on-chain personal data is conceptually difficult. The nDSG defines the controller as the person who determines the purposes and means of processing. For public blockchains, no single entity determines the purposes and means of the network’s data processing. However, companies that collect wallet addresses and link them to customer identities (e.g., for KYC purposes) are controllers of that linked data.

Right to erasure. Data subjects can request the deletion or destruction of their personal data (Art. 32 para. 2 lit. c nDSG), and Art. 6 para. 4 independently requires destruction or anonymisation once data is no longer needed. On a public, append-only blockchain, deleting or rewriting on-chain data is not feasible. The workable design is therefore to keep personal data off-chain, to publish on-chain only pseudonyms or commitments that cannot be attributed without off-chain information, and to make sure that off-chain linkage (including any keys used to derive the pseudonyms) can be deleted on request, so that what remains on-chain is no longer attributable to the individual.

Purpose limitation. Public blockchain data is accessible to anyone. A company that collects personal data for one purpose (e.g., customer onboarding) cannot prevent that data — once published on-chain — from being accessed and used for other purposes by third parties.

Pseudonymisation and Anonymisation

The nDSG distinguishes between pseudonymised and anonymous data:

  • Pseudonymised data — data processed in such a way that it can no longer be attributed to a specific person without the use of additional information — remains personal data and is subject to the nDSG.

  • Anonymous data — data that has been irreversibly de-identified so that no re-identification is possible — is not personal data and falls outside the nDSG’s scope.

For blockchain companies, the question is whether wallet addresses constitute pseudonymised or anonymous data. The prevailing view — consistent with GDPR guidance from the EDPB — is that wallet addresses are pseudonymised data if they can be linked to identified individuals through any reasonably available means. Given the existence of blockchain analytics tools that can link wallet addresses to exchanges and KYC-verified accounts, most wallet addresses should be treated as pseudonymised personal data.
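The data security principle (Art. 8 nDSG and Art. 1-6 DSV), the off-chain linkage approach to on-chain data described above, and the pseudonymised/anonymous distinction in this section all come down to one design question: where does the "additional information" that re-identifies a person live, who can read it, and can it be deleted? The following Python script is an added example, not code from this article or from any Crypto Valley project, and its customer records, wallet addresses and in-memory ledger are constructed stand-ins. It shows why an unkeyed hash of a public wallet address is not anonymisation (anyone holding the public address list can recompute it), how a per-customer keyed pseudonym keeps the linkage off-chain, how access to that linkage is logged in the spirit of Art. 4 DSV, and how deleting the key and index entry honours an erasure request while the on-chain entry stays put but can no longer be attributed.

```python
"""Added example (not from the original article): off-chain, erasable
pseudonymisation of the wallet-address <-> identity linkage.
All names, addresses and the in-memory ledger are constructed stand-ins."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

# Constructed KYC records. This is the data that must never go on-chain.
CUSTOMERS: Dict[str, Dict[str, str]] = {
    "cust-001": {"name": "Anna Muster", "email": "anna@example.com",
                 "wallet": "0x1111111111111111111111111111111111111111"},
    "cust-002": {"name": "Ben Beispiel", "email": "ben@example.com",
                 "wallet": "0x2222222222222222222222222222222222222222"},
}


def naive_pseudonym(wallet: str) -> str:
    """Unkeyed SHA-256 of a public identifier. This is NOT anonymisation."""
    return hashlib.sha256(wallet.lower().encode()).hexdigest()


def re_identify_unkeyed(pseudonym: str, candidate_wallets: List[str]) -> Optional[str]:
    """What any third party can do against an unkeyed hash: walk the public
    address list and recompute until a candidate matches."""
    for wallet in candidate_wallets:
        if naive_pseudonym(wallet) == pseudonym:
            return wallet
    return None


def keyed_pseudonym(key: bytes, wallet: str) -> str:
    """HMAC-SHA256 under a per-customer secret. The secret is the 'additional
    information' that makes this pseudonymised, not anonymous, data."""
    return hmac.new(key, wallet.lower().encode(), hashlib.sha256).hexdigest()


class LinkageVault:
    """Off-chain store holding the only means of attributing on-chain records."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}   # customer_id -> per-customer key
        self._index: Dict[str, str] = {}    # pseudonym -> customer_id
        self.audit_log: List[dict] = []     # append-only access log

    def onboard(self, customer_id: str) -> str:
        """Derive the pseudonym that will represent this customer on-chain."""
        key = secrets.token_bytes(32)
        self._keys[customer_id] = key
        pseudonym = keyed_pseudonym(key, CUSTOMERS[customer_id]["wallet"])
        self._index[pseudonym] = customer_id
        return pseudonym

    def resolve(self, pseudonym: str, actor: str) -> Optional[str]:
        """Attribute a pseudonym to a customer. Every lookup is logged with
        who asked, when, and whether it succeeded (cf. Art. 4 DSV)."""
        customer_id = self._index.get(pseudonym)
        self.audit_log.append({"ts": time.time(), "actor": actor, "action": "resolve",
                               "pseudonym": pseudonym, "hit": customer_id is not None})
        return customer_id

    def erase(self, customer_id: str, actor: str) -> int:
        """Honour a deletion request: drop the key and every index entry.
        On-chain entries remain, but nothing can attribute them any more."""
        self._keys.pop(customer_id, None)
        orphaned = [p for p, c in self._index.items() if c == customer_id]
        for pseudonym in orphaned:
            del self._index[pseudonym]
        self.audit_log.append({"ts": time.time(), "actor": actor, "action": "erase",
                               "customer_id": customer_id, "links_removed": len(orphaned)})
        return len(orphaned)


class Ledger:
    """Stand-in for a public, append-only chain: entries are never removed."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, pseudonym: str, amount: int) -> int:
        self.entries.append({"pseudonym": pseudonym, "amount": amount})
        return len(self.entries) - 1


def run_scenario() -> dict:
    """Onboard, transact, resolve, erase, then try to re-identify both ways."""
    vault, ledger = LinkageVault(), Ledger()
    wallets = [c["wallet"] for c in CUSTOMERS.values()]
    pseudonym = vault.onboard("cust-001")
    ledger.append(pseudonym, 100)                   # on-chain: pseudonym only
    before = vault.resolve(pseudonym, "compliance-officer")
    vault.erase("cust-001", "compliance-officer")   # deletion request, handled off-chain
    after = vault.resolve(pseudonym, "compliance-officer")
    return {
        "resolved_before_erase": before,
        "resolved_after_erase": after,
        "ledger_entries": len(ledger.entries),      # unchanged: the chain is append-only
        "unkeyed_reidentified": re_identify_unkeyed(naive_pseudonym(wallets[0]), wallets),
        "keyed_reidentified": re_identify_unkeyed(pseudonym, wallets),
        "audit_entries": len(vault.audit_log),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Run it directly to see the scenario play out. In a real deployment the vault's keys would sit in an HSM or KMS with access restricted to the roles that genuinely need to resolve pseudonyms, and the audit log would go to a separate, append-only store rather than a Python list, which is what the one-year, separately stored retention in Art. 4 DSV is asking for.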

Smart Contract Processing

Smart contracts that process personal data (or data that can be linked to personal data) raise controller and processor questions. If a company deploys a smart contract that processes user data, the company is likely the controller for that processing. The immutable, autonomous nature of smart contract execution does not relieve the deploying company of its data protection obligations.

Compliance Roadmap for Zug Companies

Step 1: Data Mapping

Identify all personal data processing activities, including:

  • Customer and user data
  • Employee data (governed by both the nDSG and employment law)
  • Supplier and business partner data
  • On-chain data linked to identified individuals
  • Data processed by third-party processors

Step 2: Privacy Notices

Review and update all privacy notices to comply with the information duty under Art. 19-21 nDSG. Ensure that privacy notices are provided in the languages relevant to your data subjects (German, English, and potentially French and Italian for Swiss users).

Step 3: Processor Agreements

Review all data processing relationships and ensure compliant DPAs are in place under Art. 9 nDSG. Prioritise cloud infrastructure providers, analytics services, customer support platforms, and any other third parties processing personal data on your behalf.

Step 4: Cross-Border Transfer Assessment

Map all cross-border data transfers and ensure appropriate safeguards are in place. Review the Federal Council’s adequacy list and implement SCCs or other safeguards for transfers to non-adequate countries.

Step 5: Data Breach Response Plan

Establish a data breach response plan that includes procedures for:

  • Detection and assessment of breaches
  • Notification to the FDPIC
  • Notification to affected data subjects
  • Documentation and lessons learned

Step 6: DPIA Framework

Implement a framework for identifying and conducting Data Protection Impact Assessments for high-risk processing activities.

Step 7: Internal Governance

Assign clear data protection responsibilities, provide training to relevant staff, and establish board-level reporting on data protection compliance. Consider appointing a data protection advisor (Datenschutzberater, Art. 10 nDSG): the appointment is voluntary for private companies, but an advisor who is independent, has no conflicting duties and has the necessary expertise, and whose contact details are published and communicated to the FDPIC, allows the company to forgo consulting the FDPIC after a DSFA that still shows a high residual risk (Art. 23 para. 4).

The nDSG in the Swiss Regulatory Landscape

The nDSG does not operate in isolation. Companies in Zug must also comply with:

  • Cantonal data protection law for data processing by cantonal and communal bodies (not applicable to private companies, but relevant for interactions with cantonal authorities)
  • FINMA regulations on data protection and information security for regulated financial institutions
  • Swiss banking secrecy (Art. 47 Banking Act) for companies with banking relationships
  • The Code of Obligations (Art. 958f CO) and the Business Records Ordinance (GeBüV), which govern the ten-year retention period and the integrity of accounting records and business correspondence, including the personal data they contain
  • Sector-specific regulations (telecommunications, health, etc.) that may impose additional data protection requirements

The nDSG provides the baseline. Companies must map their specific regulatory landscape and ensure compliance with all applicable data protection requirements — a task that, in the converging regulatory environment of Crypto Valley, demands specialised legal and compliance expertise.

The nDSG represents Switzerland’s commitment to maintaining its position as a jurisdiction where innovation and data protection coexist. For companies in Zug, compliance is not merely a legal obligation — it is a competitive advantage in a global market where data protection credibility is increasingly a prerequisite for customer trust, business partnerships, and market access.


About the Author
Donovan Vanderbilt
Founder of The Vanderbilt Portfolio AG, Zurich. Institutional analyst covering Swiss company formation, corporate governance, banking infrastructure, employment law, and operational frameworks for businesses establishing in Zug and Switzerland.