Legal

Data Protection and nDSG for the Self-Employed: What You Need to Know

The revised Data Protection Act (nDSG) has been in force since 1.9.2023. What sole proprietorships need to be aware of: information obligation, privacy policy, processing register and penalties.

einzly Redaktion
Tax & Finance Editorial
8 min read
2 Mar 2026

01 The Revised Data Protection Act (nDSG) at a Glance

On 1 September 2023, the fully revised Federal Act on Data Protection (DSG, often called nDSG) came into force. It replaces the previous Data Protection Act of 1992 and aligns Swiss data protection with the European General Data Protection Regulation (GDPR) -- without copying it one-to-one.

For self-employed persons and sole proprietorship owners, this is relevant because the nDSG applies to everyone who processes personal data -- regardless of company size. Whether you manage client data in an Excel spreadsheet as a freelancer or store addresses on your phone as a tradesperson: the nDSG applies to you.

The most important changes at a glance:

  • Only data of natural persons is protected (legal entities no longer)
  • Extended information obligation for every data collection (Art. 19 DSG)
  • Obligation to conduct a data protection impact assessment in case of high risk (Art. 22 DSG)
  • Obligation to report data security breaches to the FDPIC (Art. 24 DSG)
  • Penalties of up to CHF 250'000 for natural persons for intentional violations (Art. 60 ff. DSG)
  • Profiling with high risk requires explicit consent (Art. 6 Para. 7 DSG)
  • Privacy by Design and Privacy by Default enshrined as principles (Art. 7 DSG)

No transition period: The nDSG has been in force since 1 September 2023 without a transition period. Anyone who has not yet adapted their data protection practices is already at risk of sanctions. This also applies to sole proprietorships.


02 Processing Principles: The Rules in Daily Practice

The nDSG defines in Art. 6 the principles according to which personal data must be processed. These principles apply to every processing activity -- whether you capture client data, send newsletters or store job applications.

Principle and what it means for self-employed persons:

  • Lawfulness (Art. 6 Para. 1): Personal data may only be processed lawfully. Processing is permitted if there is a justification ground (consent, contract, overriding interest or legal obligation).
  • Good faith (Art. 6 Para. 2): Processing must be comprehensible and fair. No hidden data collection.
  • Proportionality (Art. 6 Para. 2): Only collect data that is actually necessary for the purpose. Do not collect data 'in reserve'.
  • Purpose limitation (Art. 6 Para. 3): Only use data for the purpose for which it was collected. You may not simply use client addresses collected for invoices for marketing purposes.
  • Accuracy (Art. 6 Para. 5): You must ensure that the data is correct and rectified when necessary.
  • Storage limitation (Art. 6 Para. 4): Delete data once the purpose is fulfilled -- unless there is a statutory retention obligation (e.g. 10 years for accounting records per OR Art. 958f).

Practical example: You are a graphic designer and store client data (name, address, email, phone) for order processing. This is justified by the contractual purpose. However, you may not simply pass this data to a photographer or use it for your own newsletter without first informing the clients and offering them an opt-out.


03 Information Obligation and Privacy Policy

One of the most important changes in the nDSG is the extended information obligation (Art. 19--21 DSG). For every collection of personal data, you must inform the data subject -- not only for particularly sensitive data, as was previously the case.

What you must communicate (Art. 19 Para. 2 DSG):

  • Identity and contact details of the controller (i.e. your firm and address)
  • Processing purpose: What you use the data for
  • Recipients or categories of recipients: To whom you disclose data (e.g. fiduciary, hosting provider)
  • For cross-border transfers: To which country the data goes and what protective measures apply
  • Rights of the data subject: Right of access, rectification and deletion

In practice, the easiest way to fulfil this obligation is with a privacy policy on your website -- alongside your terms and conditions, one of the most important legal documents. Even if you do not have a website, you must be able to inform clients upon request.

Your privacy policy should cover the following points:

  1. Name and contact details of your firm
  2. What data you collect (e.g. name, email, phone, payment data)
  3. Purpose of data processing (order processing, accounting, newsletter)
  4. Legal basis (contract, consent, legitimate interest)
  5. Recipients of the data (hosting provider, accounting software, authorities)
  6. Storage duration and deletion deadlines
  7. Rights of the data subject (access, rectification, deletion, objection)
  8. Use of cookies and tracking tools (if applicable)
  9. Contact option for data protection enquiries

No cookie banner as in the EU: In Switzerland, there is (as yet) no general cookie consent requirement as under the GDPR/ePrivacy Directive. Technically necessary cookies are permitted. For tracking cookies (e.g. Google Analytics), however, the FDPIC recommends consent -- especially if you also have EU visitors.


04 Register of Processing Activities

The nDSG introduces the obligation to maintain a register of processing activities (Art. 12 DSG). This register documents which personal data you process, for what purpose and how it is protected.

The good news for self-employed persons: There is an SME exemption. Companies with fewer than 250 employees only need to maintain the register if they process particularly sensitive personal data on a large scale or carry out high-risk profiling (Art. 12 Para. 5 DSG).

For most sole proprietorships, this means: You are exempt from the obligation. Nevertheless, it is advisable to maintain a simple register -- it helps you keep an overview and fulfil your information obligation.

A minimal register contains:

Field and example entry:

  • Processing activity: Client address management
  • Purpose: Order processing and invoicing
  • Categories of data subjects: Clients, prospects
  • Categories of personal data: Name, address, email, phone
  • Recipients: Accounting software (einzly), hosting (Vercel)
  • Retention period: 10 years (statutory retention obligation)
  • Technical protective measures: Encryption, password protection, backups

Despite the exemption, a register is recommended: Even if you as a sole proprietorship with fewer than 250 employees are exempt from the obligation, a simple register in an Excel spreadsheet costs you 30 minutes and helps you provide immediate information in response to an enquiry from the FDPIC or a client.


05 Commissioned Processing and Third-Party Providers

When you have personal data processed by third parties -- for example through cloud accounting software, a newsletter service or a hosting provider -- this is known as commissioned processing (Art. 9 DSG). You remain responsible for data protection as the controller.

The most important obligations in commissioned processing:

  • You may only delegate processing to third parties that ensure an adequate level of data protection
  • The processing must not be contractually or legally prohibited
  • You must verify that the commissioned processor can ensure data security
  • The commissioned processor may only process the data as you yourself would be permitted to
  • Further delegation to sub-processors requires your approval

In practice, you conclude a data processing agreement (DPA) with the respective provider. Most reputable cloud services offer a DPA as standard.

Data abroad? If your cloud provider stores data outside of Switzerland (e.g. in the EU or the USA), additional rules apply. Data may only be transferred to countries with an adequate level of data protection. The Federal Council maintains a list of recognised countries. For the USA, the Swiss-U.S. Data Privacy Framework (valid since 15.9.2024) provides an adequate level for certified companies.


06 Penalties for Violations: Up to CHF 250'000

A key difference from the GDPR: Under the Swiss nDSG, it is not companies that are fined, but natural persons -- i.e. you as the owner of the sole proprietorship personally. Fines can be as high as CHF 250'000 (Art. 60--63 DSG).

The following intentional violations are punishable:

Violation (article) and maximum fine:

  • Breach of information obligation (Art. 60 Para. 1 lit. a DSG): CHF 250'000
  • Breach of right of access obligation (Art. 60 Para. 1 lit. a DSG): CHF 250'000
  • Breach of due diligence in cross-border transfers (Art. 61 DSG): CHF 250'000
  • Breach of obligations in commissioned processing (Art. 61 DSG): CHF 250'000
  • Breach of data security (minimum requirements) (Art. 61 DSG): CHF 250'000
  • Non-compliance with orders of the FDPIC (Art. 63 DSG): CHF 250'000
  • Breach of professional secrecy (Art. 62 DSG): CHF 250'000

Personal liability: The fine applies to you as a natural person -- not your company. As a sole proprietorship owner, you are the responsible person in any case. The fine of up to CHF 250'000 is only imposed for intentional violations. Negligence is generally not punishable, but can have civil law consequences.

Important: The FDPIC (Federal Data Protection and Information Commissioner) can initiate investigations, issue recommendations and make orders. Criminal prosecution is the responsibility of the cantonal criminal authorities.



07 Practical Checklist: nDSG for Your Sole Proprietorship

Data protection does not have to be complicated. The following checklist helps you meet the most important requirements of the nDSG -- without a law degree.

  1. Create or update privacy policy: Create a privacy policy for your website (if applicable) and keep it readily available for client enquiries. It must contain the identity of the controller, processing purposes, recipients and rights of data subjects.

  2. Set up a processing register (recommended): Even though you as an SME with fewer than 250 employees are exempt, document in a simple spreadsheet which data you process for which purpose. This helps with access requests.

  3. Review data processing agreements: Check with all cloud services (accounting, email, hosting, CRM) whether a DPA is in place. Reputable providers like einzly provide these as standard.

  4. Ensure data security: Implement basic technical measures: strong passwords, two-factor authentication (2FA), encrypted data transmission (HTTPS), regular backups, up-to-date software.

  5. Define a deletion concept: Determine when you delete which data. Client data after end of contract? Job applications after 3 months? Accounting records after 10 years? Document the deadlines.

  6. Establish a process for data subject requests: Clients have the right to access, rectification and deletion. Set up a simple process: Who answers requests, within what deadline (statutory: 30 days), in what form?

  7. Prepare a breach notification process: If data is stolen or accidentally published, you must inform the FDPIC as quickly as possible (Art. 24 DSG). Keep the FDPIC's contact details ready and think in advance about who you would contact in an emergency.
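Steps 5 and 6 of the checklist are the two places where a sole proprietorship needs actual deadline arithmetic: a retention schedule that says when each category of record is due for deletion, and a 30-day clock for data subject requests. The following Python script is an added example written for this article; it is not code from einzly or from the article itself. The retention periods are the figures the article gives (3 months for job applications, 10 years for accounting records, 30 days for access requests); the category names, the "delete client contact data when the contract ends" rule, the statutory-hold flag and all sample records are constructed assumptions for illustration.

```python
"""Deletion concept and request-deadline tracker (added example, constructed data)."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta


def add_months(d: date, months: int) -> date:
    """Add calendar months to a date, clamping the day to the target month's length
    (so 30 Nov + 3 months gives 28 Feb, not an invalid date)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))


# Retention schedule: months to keep a record after its purpose has ended.
# Category names and the client_contact rule are assumptions, not from the article.
RETENTION_MONTHS = {
    "client_contact": 0,           # assumed policy: delete once the contract has ended
    "job_application": 3,          # article: job applications after 3 months
    "accounting_record": 10 * 12,  # OR Art. 958f: 10-year retention obligation
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    purpose_ended: date        # end of contract, end of hiring process, booking date
    statutory_hold: bool = False  # assumed flag: data still needed for a retained invoice


def deletion_deadline(rec: Record) -> date:
    """Earliest date on which the record may (and should) be deleted."""
    if rec.category not in RETENTION_MONTHS:
        # Unknown categories must not silently fall through: the register
        # should list every category before data is collected.
        raise ValueError(f"no retention rule for category {rec.category!r}")
    return add_months(rec.purpose_ended, RETENTION_MONTHS[rec.category])


def due_for_deletion(records, today: date) -> list[str]:
    """IDs whose retention period has expired and that are not under a statutory hold."""
    return sorted(
        r.record_id
        for r in records
        if not r.statutory_hold and deletion_deadline(r) <= today
    )


# Data subject requests: the article cites a statutory 30-day answer deadline.
ACCESS_REQUEST_DAYS = 30


def access_request_deadline(received: date) -> date:
    return received + timedelta(days=ACCESS_REQUEST_DAYS)


def overdue_requests(requests: dict[str, date], today: date) -> list[str]:
    """Request IDs whose 30-day deadline has already passed."""
    return sorted(
        req_id for req_id, received in requests.items()
        if access_request_deadline(received) < today
    )


# Constructed sample data: a small CRM/accounting export as of the article's date.
SAMPLE_RECORDS = [
    Record("c1", "client_contact", date(2025, 12, 31)),
    Record("c2", "client_contact", date(2025, 12, 31), statutory_hold=True),
    Record("a1", "job_application", date(2025, 11, 15)),
    Record("a2", "job_application", date(2025, 12, 15)),
    Record("b1", "accounting_record", date(2016, 1, 31)),
    Record("b2", "accounting_record", date(2016, 3, 31)),
]
SAMPLE_REQUESTS = {"req-1": date(2026, 1, 15), "req-2": date(2026, 2, 20)}
TODAY = date(2026, 3, 2)

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec.record_id}: delete on {deletion_deadline(rec)}"
              f"{' (on hold)' if rec.statutory_hold else ''}")
    print("due for deletion today:", due_for_deletion(SAMPLE_RECORDS, TODAY))
    print("overdue access requests:", overdue_requests(SAMPLE_REQUESTS, TODAY))
```

Run it monthly (or from a scheduled job) against an export of your client, applicant and accounting data; the printed list is the deletion worklist, and anything on the overdue list is an access request the 30-day deadline has already been missed on. The statutory-hold flag is what keeps contact data that still appears on a retained invoice from being deleted early.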

einzly takes data protection work off your hands: einzly stores your client data encrypted in Switzerland (Supabase/Vercel), offers two-factor authentication and provides a data processing agreement. This way you automatically meet the nDSG requirements for your accounting data -- without additional effort.


08 Frequently Asked Questions about Data Protection for the Self-Employed

Yes. The nDSG applies to all natural and legal persons who process personal data -- regardless of company size. If you store client addresses, emails or phone numbers, you are processing personal data and are subject to the nDSG.

No. The appointment of a data protection advisor (analogous to the DPO under the GDPR) is voluntary under the nDSG (Art. 10 DSG). For sole proprietorships with manageable data processing, this is generally not necessary. However, if you process particularly sensitive data (e.g. health data as a therapist), professional advice can be worthwhile.

Only if your data processing entails a high risk to the personality or fundamental rights of the data subject (Art. 22 DSG). For most sole proprietorships (client management, invoicing, simple website), this is not the case. Examples of high risk: systematic monitoring of public areas, large-scale processing of health data.

A laptop theft with unencrypted client data constitutes a data security breach. You must inform the FDPIC as quickly as possible if there is a high risk to the affected persons (Art. 24 DSG). You must also inform the affected persons if this is necessary for their protection. Preventively: activate hard drive encryption (FileVault on Mac, BitLocker on Windows).

Only with the consent of the clients. Email advertising to natural persons without their consent is unfair under UWG Art. 3 Para. 1 lit. o. You need an opt-in (ideally double opt-in) and must offer an unsubscribe option in every newsletter. Exception: You obtained the email address in the context of a sale and the client has not objected (soft opt-in for similar products).