nDSG Compliance
Configure your forms for Switzerland's revised Federal Act on Data Protection.
What is the nDSG?
The neues Datenschutzgesetz (nDSG) — officially the revised Federal Act on Data Protection — is Switzerland's modern data protection law. It entered into force on September 1, 2023, replacing the original 1992 Data Protection Act (DSG) that had become outdated in the face of large-scale digital data processing.
The nDSG was designed to bring Swiss data protection law in line with the EU's GDPR, ensuring that Switzerland maintains its adequacy status with the European Union. Enforcement is carried out by the Federal Data Protection and Information Commissioner (FDPIC), an independent federal authority.
The law applies to the processing of personal data of natural persons by:
- Private persons — individuals, companies, and organizations processing personal data.
- Federal bodies — Swiss government agencies and public institutions.
The nDSG has extraterritorial reach: under Article 3 it applies to matters that have an effect in Switzerland, even if they are initiated abroad. If your web form collects data from people in Switzerland, the nDSG may apply to you even if your business is based outside the country. Controllers domiciled outside Switzerland must designate a representative in Switzerland under the conditions of Article 14 (regular, large-scale processing of data of persons in Switzerland that carries a high risk).
Key differences from GDPR
While the nDSG is closely modeled on the GDPR, several important differences set it apart. Understanding these is essential for organizations already familiar with EU data protection law.
- Natural persons only. The nDSG protects only natural persons. The old DSG also protected legal entities (companies), but the revised law dropped this. The GDPR likewise covers only natural persons, so this change aligns the two frameworks.
- No mandatory DPO. Unlike the GDPR, the nDSG does not require organizations to appoint a Data Protection Officer. However, appointing a data protection advisor (Datenschutzberater) is recommended and carries a concrete benefit: if you have consulted your advisor, you are exempt from the duty to consult the FDPIC when a data protection impact assessment shows that the planned processing still carries a high risk (Article 23).
- Simplified records of processing. Businesses with fewer than 250 employees are generally exempt from maintaining records of processing activities, unless they process sensitive personal data on a large scale or carry out high-risk profiling. The GDPR's Article 30(5) exemption uses the same 250-employee threshold but is narrower, since it also falls away whenever processing is more than occasional.
- Higher breach notification threshold. You must notify the FDPIC only for breaches that are likely to result in a high risk to the affected individuals. The GDPR requires notification for any breach likely to result in a risk (not necessarily high risk) to individuals. This means fewer breaches trigger a mandatory report under Swiss law.
- Criminal penalties on individuals. This is the most distinctive feature. Fines under the nDSG target responsible individuals (managers, employees, decision-makers), not the organization itself, apart from the narrow exception described under Penalties below. This is the opposite of the GDPR, where administrative fines are levied against the controller or processor as an undertaking.
- No one-stop-shop mechanism. There is no equivalent of the GDPR's lead supervisory authority system. The FDPIC is the sole supervisory authority for Swiss federal data protection law; criminal fines are prosecuted separately by the cantonal authorities.
What the nDSG preset configures
| Setting | Value | Why |
|---|---|---|
| Consent checkbox | Required | Consent is not a general precondition for processing under the nDSG (it is one of several possible justifications), but the law does require transparency about data processing. A consent checkbox with a clear description records that the data subject was informed and agreed at the moment of submission. |
| IP anonymization | Yes | IP addresses are personal data under the nDSG. Anonymizing them (zeroing the last octet) follows the data minimization principle and reduces your compliance burden. Note that a /24 prefix still identifies a small network, so treat the stored value as pseudonymized rather than fully anonymous where that distinction matters. |
| User-agent storage | Enabled | Browser information aids troubleshooting and is proportionate to the purpose of operating a form service. Retained alongside other submission metadata and purged with it when the retention period expires. |
| Data retention | 365 days | The nDSG requires that personal data be deleted or anonymized once it is no longer needed for its stated purpose. One year is a reasonable default; adjust to match your actual processing purpose. |
| Privacy policy URL | Required | The nDSG mandates that data subjects be informed about the identity of the controller, the purpose of processing, and any recipients. A linked privacy policy satisfies the information duty. |
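The two settings in the table that are mechanical transformations, IP anonymization and the retention purge, are worth seeing as code so you can verify what actually ends up in storage. The following is an added example, not FormBlade's own implementation: it zeroes the last IPv4 octet as the preset describes, and as assumptions not taken from the page it truncates IPv6 addresses to a /48 (the subnet and interface-identifier bits are dropped, following common practice) and unwraps IPv4-mapped IPv6 addresses so that the same client is anonymized the same way regardless of how a proxy forwarded it. The submission record layout (`ip`, `received_at`) is also an assumption.

```python
"""Added example: server-side enforcement of two nDSG-preset settings.

Not FormBlade's own code. Shows (1) IP anonymization by prefix truncation and
(2) deletion of submissions older than the retention period.
Assumptions not from the page: IPv6 is truncated to /48, IPv4-mapped IPv6
addresses are treated as IPv4, and records carry "ip" and "received_at" keys.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta, timezone

# Prefix lengths kept after anonymization. /24 is the preset's "zero the
# last octet"; /48 for IPv6 is an assumption following common practice.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def anonymize_ip(addr: str) -> str:
    """Return addr with the host-identifying bits zeroed.

    Raises ValueError for anything that is not an IP address, so a malformed
    or spoofed header value never reaches storage unmodified.
    """
    ip = ipaddress.ip_address(addr.strip())
    # "::ffff:203.0.113.9" is an IPv4 address carried inside IPv6; anonymize
    # it as IPv4 so the result does not depend on the proxy's address family.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    network = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(network.network_address)


def anonymize_submission(submission: dict) -> dict:
    """Return a copy of a submission record with its client IP anonymized.

    Apply this before the record is written, not afterwards: the raw address
    should never be persisted if the preset promises anonymization.
    """
    out = dict(submission)
    if out.get("ip"):
        out["ip"] = anonymize_ip(out["ip"])
    return out


def purge_expired(submissions: list[dict], retention_days: int,
                  now: datetime | None = None) -> tuple[list[dict], int]:
    """Drop submissions whose "received_at" is older than retention_days.

    Returns (kept, purged_count). Timestamps must be timezone-aware; a naive
    timestamp is rejected rather than silently assumed to be UTC, because an
    off-by-timezone cutoff means data is retained longer than promised.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for s in submissions:
        ts = s["received_at"]
        if ts.tzinfo is None:
            raise ValueError("received_at must be timezone-aware")
        if ts >= cutoff:
            kept.append(s)
    return kept, len(submissions) - len(kept)


if __name__ == "__main__":
    # Constructed sample records for the example, not real submissions.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    sample = [
        {"id": 1, "ip": "203.0.113.77", "received_at": now - timedelta(days=10)},
        {"id": 2, "ip": "2001:db8:1234:5678::abcd", "received_at": now - timedelta(days=400)},
        {"id": 3, "ip": "::ffff:198.51.100.200", "received_at": now - timedelta(days=364)},
    ]
    stored = [anonymize_submission(s) for s in sample]
    for s in stored:
        print(s["id"], s["ip"])
    kept, purged = purge_expired(stored, retention_days=365, now=now)
    print(f"kept {len(kept)}, purged {purged}")
```

Two design points carry over to any real implementation: anonymize on the write path rather than in a later cleanup job, so the raw address is never at rest, and compare timestamps in one timezone so the 365-day cutoff is exactly what the preset states.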
Set up the nDSG preset
Account level
- Go to Account Settings in the sidebar.
- Scroll to Compliance.
- Select nDSG (Switzerland) from the dropdown.
- Click Save.
Per form
- Open the form in your dashboard.
- Go to the Compliance tab.
- Select nDSG (Switzerland) from the preset buttons or region dropdown.
- Click Save.
Transparency and information duty
The nDSG’s information duty (Articles 19–21) is similar to the GDPR’s Articles 13–14. When you collect personal data, you must proactively inform the data subject about:
- Identity and contact details of the controller (your organization).
- Purpose of processing — why you are collecting the data through this form.
- Recipients or categories of recipients — who will receive or have access to the data (e.g., your support team, third-party integrations).
- Cross-border transfers — if data will be transferred outside Switzerland, which countries and what safeguards are in place.
The simplest way to fulfill this duty for web forms is to link your privacy policy directly from the form. The nDSG preset requires a privacy policy URL for this reason. Your privacy policy should be specific enough to cover the form’s data collection — a generic corporate privacy policy that does not mention form submissions may not be sufficient.
Cross-border data transfers
The nDSG follows an adequacy-based framework for cross-border transfers, similar to the GDPR. The Swiss Federal Council maintains a list of countries that provide adequate data protection.
Key points for form operators:
- The EU is considered adequate by Switzerland. Data can flow freely between Switzerland and EU/EEA member states without additional safeguards. Since FormBlade servers are located in the EU, processing Swiss users’ data is permitted without extra mechanisms.
- Switzerland’s adequacy list largely overlaps with the EU’s. Most countries recognized as adequate by the EU are also recognized by Switzerland, though the lists are maintained independently.
- Transfers to non-adequate countries require additional safeguards under Article 16 of the nDSG (Standard Contractual Clauses, binding corporate rules, or another recognized mechanism), or must fall under one of the exceptions in Article 17, such as the explicit consent of the data subject in the individual case.
- The Swiss-U.S. Data Privacy Framework provides a mechanism for transfers to certified U.S. companies, similar to the EU-U.S. arrangement.
Data breach notification
The nDSG requires controllers to notify the FDPIC of data security breaches, but the threshold is higher than the GDPR’s:
- Notification trigger: You must report a breach only if it poses a high risk to the personality or fundamental rights of affected individuals. Under the GDPR, any breach posing a risk (not necessarily high) must be reported.
- Timing: Notification must happen “as soon as possible.” Unlike the GDPR’s explicit 72-hour deadline, the nDSG does not set a fixed timeframe. However, the FDPIC interprets “as soon as possible” strictly — delays must be justified.
- Content of notification: You must describe the nature of the breach, its likely consequences, and the measures taken or proposed to address it.
- Notification to data subjects: You must also inform the affected individuals where this is necessary for their protection or where the FDPIC requests it (Article 24). You may restrict, delay, or waive that information if it is impossible or would require disproportionate effort, or if a statutory secrecy obligation or an overriding third-party interest prevents it.
As a form operator, the most likely breach scenario involves unauthorized access to submission data. FormBlade encrypts data in transit (TLS) and provides access controls through its dashboard, but you should also enforce strong passwords and enable two-factor authentication on your account.
Penalties
The nDSG’s penalty regime is unique among data protection laws worldwide. It differs fundamentally from the GDPR in both its targets and its nature.
- Maximum fine: CHF 250,000 per violation.
- Criminal, not administrative: Penalties under the nDSG are criminal fines, not administrative penalties. They are imposed through criminal proceedings conducted by the cantonal prosecution authorities, not by the FDPIC directly; the FDPIC can file a complaint and order a controller to stop or adjust processing, but it cannot fine.
- Personal liability: Fines are imposed on the responsible individual — the person who made the decision or failed to act. This could be a CEO, a department head, a project manager, or any employee with decision-making authority over data processing. The company itself is fined only if identifying the responsible individual would require disproportionate investigative effort and the fine does not exceed CHF 50,000.
- Intentional violations only: The nDSG penalizes only intentional breaches of its provisions. Negligent violations are not subject to criminal fines. This is a significantly higher bar than the GDPR, which penalizes both intentional and negligent non-compliance.
The personal nature of penalties is the most important practical distinction. Unlike the GDPR, where a company pays the fine and moves on, an nDSG violation results in a criminal conviction of an individual. This creates a strong personal incentive for managers and data protection decision-makers to ensure compliance.
Practical recommendations
- Apply the nDSG preset. The consent, IP anonymization, and retention settings align with the law’s data minimization and transparency requirements. This is the fastest path to baseline compliance for your forms.
- Leverage Swiss-EU adequacy. Since Switzerland recognizes the EU as adequate, and FormBlade servers are in the EU, you do not need additional transfer safeguards. If you use third-party integrations (webhooks, Google Sheets, Slack), verify where those services store data and whether that destination is on Switzerland’s adequacy list.
- Set a retention period that matches your purpose. The nDSG requires deletion once the purpose is fulfilled. If you only need form data for 90 days to handle inquiries, set 90 days — not the 365-day default. FormBlade’s automatic retention purge handles the deletion for you.
- Write a specific privacy policy. Generic privacy policies often fail the nDSG’s transparency test. Your policy should explicitly mention form data collection, the purposes for which submissions are used, how long they are retained, and who has access.
- Be aware of personal liability. If you are the person configuring forms and deciding how data is handled, nDSG penalties fall primarily on you personally rather than on your employer; the company itself is fined only in the narrow case described under Penalties. Take compliance seriously at an individual level.
- Monitor the FDPIC. The FDPIC publishes guidance and enforcement decisions at edoeb.admin.ch. As the nDSG is still relatively new, interpretive guidance will continue to develop.