With the revDSG , key changes in data protection law have come into force in Switzerland since September 2023 , which have significant consequences for digital marketing. In our article, you will learn which specific requirements have applied since the introduction of the revDSG and how you can make your marketing activities legally compliant.
Key facts at a glance
-
The revised Data Protection Act (revDSG) increases data protection in the online context from September 1, 2023 and affects all companies operating in Switzerland; it requires, among other things, clearly defined consent procedures and adapted email marketing practices.
-
The revDSG introduces new obligations for companies, such as extended information obligations and new rights for data subjects, including the rights to information, access and deletion of their data as well as the principles of 'privacy by design' and 'privacy by default'.
-
Companies must review and adapt their marketing strategies in accordance with the revised GDPR requirements and are obliged to train their employees on the new data protection regulations in order to ensure legal compliance and strengthen customer trust.
The revDSG and its significance for marketing
The revised Swiss Data Protection Act (revDSG) was introduced to ensure compatibility with EU law and to enable the free flow of data between Switzerland and the European Union. Since the entry into force of this law on September 1, 2023, the protection of the personal and fundamental rights of natural persons , in particular in the online context and when conducting business over the Internet, has been significantly strengthened. The revDSG significantly expands the territorial applicability of the Swiss data protection regime, inspired by the GDPR, to ensure the accountability of globally active companies for the protection of personal data of Swiss citizens . This means that even non-Swiss-based companies that operate in Switzerland or whose data processing impacts Switzerland must comply with these new rules.
The revised Data Protection Act affects all companies based in Switzerland as well as foreign companies that operate in Switzerland or whose data processing affects Switzerland . Small and medium-sized companies with up to 250 employees will be particularly affected by the changes in the Data Protection Act and will have to adapt accordingly.
Adjustments in email marketing
E-mail marketing is an essential part of most marketing strategies. However, the revised GDPR requires some significant adjustments in this area. For example, the double opt-in process in e-mail marketing, also known as e-mail advertising, requires clear consent and confirmation by clicking or clicking on a confirmation link, accompanied by secure data processing. In addition, only those e-mail addresses that are actually needed and whose use has been clearly defined beforehand should be transmitted in e-mail marketing.
When using tracking pixels in email campaigns, the user's consent must also be obtained beforehand. Another key aspect of the email marketing adjustments under the revised GDPR concerns the right of objection. It is essential that companies ensure that the right of objection is obtained in a timely manner, is verifiable and can be implemented effectively.
Online marketing under the new data protection regime
Online marketing includes a variety of marketing activities, from social media campaigns to pay-per-click advertising. Since the revDSG came into force, cookie banners in Switzerland must be designed in accordance with the new legal requirements.
This means that visitors to websites must be informed about data processing without coercion and misleading texts.
Impact on the use of analytics tools
Analytics tools such as Google Analytics remain indispensable for many companies to understand the behavior of their customers. However, since the revised Data Protection Act came into force, important adjustments have become necessary.
On the one hand, a correctly set up cookie banner is becoming significantly more important. It must provide clear information about how and which data is processed by analysis tools. In addition, under the new law, people have the right to be informed about data processing and to have access to their data.
This means that companies must increase the transparency of their data processing in order to do justice to the rights of users and to make the use of analytics tools compliant with the revDSG.
New requirements for personal data in marketing
The revised Data Protection Act brings new rights for data subjects and new obligations for companies when handling personal data in marketing. The revised Data Protection Act grants data subjects new rights and imposes new obligations on companies in order to meet these. Extended information obligations and the obligation to maintain a register of processing activities are part of the changes introduced by the revised Data Protection Act.
Since the revDSG came into force on September 1, 2023, important new concepts such as 'privacy by design' and 'privacy by default' have been in effect, and the protection of genetic and biometric data has been given special priority. Organizations that process data of individuals in Switzerland must therefore carefully review the revDSG and adapt their processes accordingly to ensure compliance.
Consent and transparency
A central aspect of the revised GDPR is the emphasis on consent and transparency in the processing of personal data. Companies are now obliged to inform individuals in a precise, transparent, understandable and easily accessible manner about the collection of their personal data, including the purpose and processing of the data. This also applies to automated individual decisions, where data subjects must be actively informed about decisions made by computer programs or algorithms.
Transparency in communication, both in data and over the phone, and a clear privacy policy are essential so that customers can understand how their data is used, which in turn increases trust in the company. Companies are obliged to disclose when data is shared with foreign service providers and which country may have access to the personal data.
Data subjects also have the right to request and receive information about the processing of their data and the right to request the deletion of their data.
Data security and protection measures
Another important aspect of the revDSG concerns data security and the protective measures that companies must take. Compliance with the principles of 'privacy by design' and 'privacy by default' is required by law to ensure data protection from the development stage of software and hardware and to protect users through data protection-friendly default settings. Furthermore, companies must ensure protection against manipulation, loss, unauthorized access by third parties and other threats to their data through technical and organizational measures. Large organizations face considerable challenges in the subsequent creation of a register of all data processing activities (ROPA) , which requires comprehensive data mapping and close coordination between legal, IT and data protection teams due to the volume and complexity of data processing activities.
In the case of data breaches that could pose a high risk to the data subject, these must be reported to the Federal Data Protection and Information Commissioner (FDPIC), although the law does not define what constitutes a 'high risk'. Data processors are obliged to inform the data controller of data breaches as soon as possible.
In the event of requests from data subjects or authorities, website operators must respond promptly, but no later than within 30 days, and carefully examine their concerns. In the event of a data breach, website operators must respond quickly and carefully, investigate the incident and, if necessary, report it to the FDPIC and the data subjects depending on the risk.
Strategies for implementing the revDSG requirements in marketing
To remain compliant with the requirements of the revDSG, companies have had to carefully review and adapt their marketing strategies and processes . For companies that have already taken steps to comply with the GDPR, the revDSG will in most cases mean only minor adjustments. There was no legally mandated transition period for the revDSG, giving companies an informal transition period until September 1, 2023 to adopt the changes and requirements of the revDSG. This provides companies with additional time to make the necessary adjustments and ensure they comply with the new requirements.
By implementing data protection-compliant marketing measures and taking data protection into account in marketing, companies can not only comply with legal requirements, but also promote customer trust and thus strengthen customer loyalty.
Review and adaptation of existing processes
A first step to adapt to the requirements of the revDSG was to review existing processes. Swiss companies had to take the following measures to comply with the revDSG, which came into force on September 1, 2023:
-
Take stock of the processing of personal data
-
Enter into contracts with third parties
-
Provide mandatory information about the responsible person and contact details
-
Conduct data protection impact assessments (DPIAs) before processing high-risk data
-
Record the DPIAs for at least two years after the termination of the processing activity.
Companies must design their data processing technically and organizationally in such a way that it complies with data protection regulations and that the data is used for clearly defined purposes. The revised Data Protection Act introduces the principles of 'Privacy by Design' and 'Privacy by Default' and thus obliges companies to design their services in a data protection-friendly manner, which requires an adaptation of marketing processes.
Training and awareness raising in the team
In addition to adapting processes, training and raising awareness among employees also plays an important role in complying with data protection regulations. A data protection seminar is essential to ensure that marketing activities comply with data protection regulations. Seminars in Switzerland aim to provide a thorough understanding of data protection regulations and develop the necessary skills to apply them.
There are also e-learning offerings that are tailored to individual needs and enable a flexible and interactive learning experience for teams. Companies can book individual in-house training courses to train their teams in dealing with data protection issues. Another important tool is the data protection check, which is used to determine the level of data protection.
The ePrivacy Regulation and its relationship to the revDSG
In Switzerland, the legal requirements for websites and marketing activities are determined by both the new Swiss Data Protection Act (revDSG) and relevant EU laws such as the ePrivacy Regulation. The revDSG, which comes into force in September 2023, has both similarities and differences with the EU General Data Protection Regulation (GDPR) and also refers to other laws such as the Unfair Competition Act and the Telecommunications Act.
Although Switzerland is not a member of the EU, Swiss companies must comply with the EU ePrivacy Directive and the GDPR in certain circumstances, such as offering goods or services to EU citizens or when receiving website traffic from the EU.
Data protection in digital change: trends and developments
The revised GDPR brings changes that are significant for marketing, including stricter rules for user consent and increased transparency requirements. The changes in the new data protection law will encourage marketers to make their privacy policies clearer and ensure that consent for marketing activities is specific and informed.
The use of online marketing tools such as personalized advertising, retargeting and analytics will be significantly impacted by the new data protection law, as these require stricter data processing regulations. In order to meet the requirements of the new data protection law, companies must rethink their marketing approaches and strategies and, if necessary, adapt them in order to remain data protection compliant.
Legal questions and court rulings in the context of the revDSG
In addition to the operational requirements and the impact on marketing activities, there are also some legal questions and court rulings that are relevant in the context of the revDSG. Violations of the new data protection law can be punished with fines of up to CHF 250,000.
It is therefore crucial for companies to be aware of the exact requirements of the revDSG and to ensure that their marketing practices comply with these requirements. It is also important to always follow the latest court rulings and legal developments in order to stay up to date and minimise potential legal risks.
Summary
In this post, we looked at the revised Swiss Data Protection Act (revDSG) and its impact on marketing. It is clear that the revDSG brings significant changes to marketing, especially in areas such as email marketing, online marketing and the use of analytics tools.
It remains essential that companies continuously understand and apply the changes introduced by the revised Data Protection Act. This includes regular review and adjustment of processes, ongoing training and employee awareness, and the constant implementation of 'privacy by design' and 'privacy by default'. It should not be forgotten that data protection is not a one-off task, but an ongoing process that requires regular reviews and adjustments.