Data protection law: it’s time to get to grips with it
The revised Data Protection Act comes into force on September 1, 2023. It brings with it a whole series of innovations that will require a great deal of effort to implement, from small businesses to large companies. Those who deal with it in good time will be on the safe side.

Everyone is talking about data protection, not least because the theft of sensitive electronic data has become a criminal business model. But the costly and indispensable protection of one’s own data is not an issue in the revised data protection law. Sensitive data, however, is very much at issue. It is the handling of consumers’ personal data that is regulated by this law in order to protect it from misuse. The initiative to adapt the regulations came from the Council of Europe and the European Union. Switzerland therefore felt compelled to follow suit with the revision of the Data Protection Act of 1992 in order to meet international requirements, on the one hand the corresponding Council of Europe Convention of 2016, and on the other hand the European Union’s General Data Protection Regulation of 2018. The latter also regulates the geographical scope of application. According to this, it applies to any person resident in the EU, regardless of whether the processor of the data is located in the EU or not. This means that EU data protection law also applies to any Swiss company doing business in the EU. It is not even necessary to conclude a business transaction. It is sufficient if goods are offered in euros.
During the parliamentary debates on the new data protection law, representatives of the business community succeeded in most cases in preventing the “Swiss Finish,” which would have been even more restrictive. This was particularly true of restrictions that would have affected credit checks.
The following are the most important changes for creditors
The Data Protection Act regulates the processing of personal data. It applies not only to private individuals but also to sole proprietorships and partnerships.
Personal data deemed to be “particularly worthy of protection” may not be used to assess creditworthiness. This includes data on religious, political, ideological or trade union views or activities, on health, privacy or ethnic affiliation, genetic data and data on administrative and criminal rulings or sanctions and on social assistance measures.
The term “profiling” is new in the law. This refers to the automated processing of personal data. The legislator distinguishes between “profiling” and “high-risk profiling”. The latter always applies if this makes it possible to assess essential aspects of the personality of a natural person. In such cases, the consent of the data subject is mandatory. The use of such profiling is prohibited for the assessment of creditworthiness. The data of minors may generally not be used for this purpose.
Any person who processes personal data is considered “responsible” within the meaning of the law and is obliged to provide information and disclosure to the people whose data is at issue, even if the data is obtained from third parties. It is therefore advisable to include a corresponding provision in contracts or the ordering process. There is one exception: when personal data is procured for the purpose of assessing creditworthiness, the duty to provide information does not apply.
It is highly recommended, if necessary also together with experts, to adapt the use of personal data and the corresponding documents to the new legal situation in good time. This applies, for example, to the general terms and conditions, but also to the processes in online trading.
Here are some links that can help:
Helpful documents and tools can be found at:
Gewerbeverband: Merkblätter und Musterdokumente
KMU-Portal des Staatssekretariats für Wirtschaft
RA Dr. David Vasella: Checklisten für Unternehmen
RA David Rosenthal: Diverse hilfreiche Publikationen
Source: Creditreform