nDSG and GDPR: What Swiss Businesses Must Know About CRM Data
Data protection law tends to get treated as someone else's problem: something for large corporations with legal teams and compliance officers. If you're a consultant, insurance broker, accountant, or agency owner managing a few hundred client records in a CRM, it can feel like it doesn't apply to you.
It does. And since September 2023, Switzerland's revised Federal Act on Data Protection (the nDSG) has been in force, with requirements that affect every business processing personal data, regardless of size.
Here's what you actually need to understand, without the legal jargon.
What Is the nDSG?
The nDSG (Neues Datenschutzgesetz) is Switzerland's updated federal data protection law. It replaces the previous 1992 law, which was largely outdated in the context of modern digital data processing.
The revision was driven partly by the need to align Swiss law with European standards, specifically the EU's General Data Protection Regulation (GDPR), so that Switzerland could maintain its "adequacy" status with the EU, allowing data to flow freely between Switzerland and EU member states without additional transfer mechanisms.
In practical terms, the nDSG and GDPR share the same core principles: data minimization, purpose limitation, transparency, and individual rights. But there are differences that matter for Swiss businesses.
How nDSG Differs from GDPR
Territorial scope. GDPR applies to any organization processing data of EU residents, regardless of where the organization is based. nDSG applies to the processing of data about individuals in Switzerland. If you have clients in both Switzerland and the EU, you may need to satisfy both frameworks.
No data protection officer requirement (for most SMEs). GDPR requires a Data Protection Officer for certain organizations. nDSG does not mandate a DPO, though larger businesses processing sensitive data at scale may still benefit from appointing one.
Privacy by design is mandatory. The nDSG explicitly requires that data protection be built into systems and processes from the start, not added as an afterthought. For a service professional choosing a CRM, this means the tool itself should support data protection practices, not just allow them.
Breach notification timelines. Under nDSG, data breaches that pose a high risk to individuals must be reported to the Federal Data Protection and Information Commissioner (FDPIC) "as soon as possible." GDPR requires notification within 72 hours. Swiss law doesn't specify a hard deadline but expects prompt action.
Data subject rights. Both laws give individuals the right to access their data, request corrections, and in certain circumstances, request deletion. In a CRM context, this means you need to be able to extract or delete a specific client's data if they ask: not "we'll get to it eventually" but within a reasonable, documented timeframe.
What "Swiss Hosted" Means for CRM Data
Many CRM platforms are US-headquartered and store data on servers in the US or globally distributed cloud infrastructure. This creates a compliance concern under both nDSG and GDPR.
Data transfers outside Switzerland to countries without an adequate level of data protection require additional safeguards, typically standard contractual clauses (SCCs) or binding corporate rules. While these exist and are widely used, they add administrative overhead and legal complexity that many small service businesses aren't equipped to manage.
A CRM that stores data in Switzerland or within the EU/EEA removes this complexity. Your client data stays in a jurisdiction where data protection standards are established and recognized, and you're not responsible for managing cross-border transfer documentation.
When evaluating any CRM, ask directly: where is data stored, and what transfer mechanisms are in place?
Consent and Purpose Limitation in a CRM Context
Two nDSG principles are particularly relevant to how you use a CRM day-to-day.
Purpose limitation means you can only use client data for the purpose it was collected. If a client gives you their contact details to receive a proposal, you can't automatically add them to a marketing newsletter list without separate consent. In a CRM, this means your data categories should reflect why you have each piece of information.
Transparency means clients should generally know what data you hold about them and why. You don't need to send everyone a 20-page privacy notice, but you should have a clear, accessible privacy policy that covers how you collect and use client data.
Practically, this means:
- Don't add contacts to your CRM without a legitimate basis (contract, consent, or legitimate interest)
- Keep your CRM data current and accurate; storing outdated or incorrect information is itself a compliance issue
- Be able to respond to a data access request within a reasonable timeframe (a CRM should make this straightforward: you should be able to export a client's full record on request)
Data Subject Rights: What You Need to Be Ready For
Under nDSG, individuals can request:
- Access to what data you hold about them
- Correction of inaccurate data
- Deletion of data in certain circumstances (when the purpose for processing no longer applies)
- Restriction of processing in some cases
- Portability (in limited circumstances)
For most service professionals, the most common request will be access or deletion: a former client asking what information you still hold about them. Your CRM should make it straightforward to pull a complete record and, if needed, delete it cleanly without leaving orphaned data in other tables.
This is a genuine operational consideration when choosing a CRM. A tool that stores data in disconnected tables with no export function creates real compliance risk.
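The export-and-erase behaviour described above, as an added example that is not MenteIQ's code or that of any particular CRM: a small SQLite schema in which notes and consent records reference the contact row, a function that gathers the complete record for an access request, and an erasure that relies on ON DELETE CASCADE so that no orphaned rows remain. The table names, columns and sample contacts are constructed for illustration; the `enforce_fk=False` path shows what happens when the related tables are not actually linked, which is the "disconnected tables" risk the text mentions.

```python
"""Added example (not MenteIQ's or any vendor's code): a minimal CRM schema in
SQLite showing a complete-record export for an access request and a clean
erasure that leaves no orphaned rows. Table names, columns and sample data are
constructed for illustration."""
import json
import sqlite3
from typing import Optional

SCHEMA = """
CREATE TABLE contacts (
    id          INTEGER PRIMARY KEY,
    name        TEXT NOT NULL,
    email       TEXT NOT NULL UNIQUE,
    legal_basis TEXT NOT NULL CHECK (legal_basis IN ('contract', 'consent', 'legitimate_interest')),
    purpose     TEXT NOT NULL,
    created_on  TEXT NOT NULL
);
-- Related tables point back to the contact; ON DELETE CASCADE removes them
-- together with the contact row when foreign keys are enforced.
CREATE TABLE notes (
    id         INTEGER PRIMARY KEY,
    contact_id INTEGER NOT NULL REFERENCES contacts(id) ON DELETE CASCADE,
    body       TEXT NOT NULL
);
CREATE TABLE consents (
    id         INTEGER PRIMARY KEY,
    contact_id INTEGER NOT NULL REFERENCES contacts(id) ON DELETE CASCADE,
    channel    TEXT NOT NULL,
    given_on   TEXT NOT NULL
);
"""

# Constructed sample data: two contacts; the first has notes and a newsletter consent.
CONTACTS = [
    ("Anna Example", "anna@example.ch", "contract", "proposal and engagement", "2024-02-01"),
    ("Beat Example", "beat@example.ch", "consent", "newsletter", "2024-03-15"),
]
NOTES = [(1, "Kick-off call, scope agreed"), (1, "Invoice sent")]
CONSENTS = [(1, "newsletter", "2024-02-10")]


def open_crm(enforce_fk: bool = True) -> sqlite3.Connection:
    """Create an in-memory CRM. SQLite only honours foreign keys (and therefore
    ON DELETE CASCADE) when the pragma is switched on for the connection."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    if enforce_fk:
        conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO contacts (name, email, legal_basis, purpose, created_on) VALUES (?, ?, ?, ?, ?)",
        CONTACTS,
    )
    conn.executemany("INSERT INTO notes (contact_id, body) VALUES (?, ?)", NOTES)
    conn.executemany("INSERT INTO consents (contact_id, channel, given_on) VALUES (?, ?, ?)", CONSENTS)
    conn.commit()
    return conn


def export_record(conn: sqlite3.Connection, email: str) -> Optional[dict]:
    """Everything held about one person, gathered from every table that references them."""
    contact = conn.execute("SELECT * FROM contacts WHERE email = ?", (email,)).fetchone()
    if contact is None:
        return None
    cid = contact["id"]
    return {
        "contact": dict(contact),
        "notes": [dict(r) for r in conn.execute("SELECT id, body FROM notes WHERE contact_id = ?", (cid,))],
        "consents": [dict(r) for r in conn.execute(
            "SELECT channel, given_on FROM consents WHERE contact_id = ?", (cid,))],
    }


def export_json(conn: sqlite3.Connection, email: str) -> str:
    """Readable format for handing the record to the requester."""
    return json.dumps(export_record(conn, email), indent=2)


def erase_record(conn: sqlite3.Connection, email: str) -> bool:
    """Delete the contact; related rows go with it only if foreign keys are enforced."""
    cur = conn.execute("DELETE FROM contacts WHERE email = ?", (email,))
    conn.commit()
    return cur.rowcount == 1


def count_orphans(conn: sqlite3.Connection) -> int:
    """Rows in related tables whose contact no longer exists; should be zero after any erasure."""
    sql = """
        SELECT (SELECT COUNT(*) FROM notes n
                 WHERE NOT EXISTS (SELECT 1 FROM contacts c WHERE c.id = n.contact_id))
             + (SELECT COUNT(*) FROM consents s
                 WHERE NOT EXISTS (SELECT 1 FROM contacts c WHERE c.id = s.contact_id))
    """
    return conn.execute(sql).fetchone()[0]


if __name__ == "__main__":
    crm = open_crm()
    print(export_json(crm, "anna@example.ch"))
    erase_record(crm, "anna@example.ch")
    print("orphans after erasure:", count_orphans(crm))
```

The point of `count_orphans` is that it is a check you can run after every erasure, whatever CRM you use: if related records survive the deletion of the contact, the erasure was not clean and the request has not actually been fulfilled.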
What to Look for in a Compliant CRM
When evaluating a CRM for your Swiss service business, ask these questions:
- Where is data hosted? Switzerland, EU/EEA, or elsewhere?
- Is there a Data Processing Agreement (DPA) available? If the CRM provider processes personal data on your behalf, you need a DPA in place.
- Can you export a complete client record? For data access requests.
- Can you delete a client record entirely? For right-to-erasure requests.
- Does the tool support per-contact consent tracking? So you can document why you hold each person's data.
- What are the breach notification procedures? What does the vendor do if their systems are compromised?
MenteIQ is built for Swiss service professionals with these requirements in mind: data residency, compliant defaults, and the ability to meet data subject rights requests without custom workarounds.
Practical Steps to Take Now
If you haven't reviewed your CRM setup through a compliance lens, here's where to start:
- Audit what you're storing. Open your CRM and look at the fields you're using. Do you know why you have each piece of data? Is it still relevant?
- Check your legal basis. For each category of contact (leads, active clients, former clients), what's your legal basis for processing? Contract, consent, or legitimate interest?
- Update your privacy policy. If you mention specific tools by name (e.g., "we use X to manage client data"), verify those tools meet the standards you're claiming.
- Test a data export. Can you actually export a complete client record in a readable format? Do it now, before you need to do it under pressure.
- Review your data retention. How long do you keep former client data? Do you have a policy? The nDSG doesn't mandate specific retention periods for most categories of business data, but holding data indefinitely without purpose is a compliance risk.
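The audit, legal-basis and retention steps above, as an added example that is not part of the original article or of MenteIQ's product: a Python check that runs over a list of contacts and flags records with no documented legal basis or purpose, and records whose last activity lies past a retention limit for their category. The contact fields, the categories and the retention periods are constructed assumptions standing in for a business's own written policy; as the article says, the nDSG does not prescribe these periods.

```python
"""Added example (not the article's or MenteIQ's code): a compliance audit over
CRM contacts. Field names, categories and retention periods are constructed
assumptions standing in for a business's own written policy."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

LEGAL_BASES = {"contract", "consent", "legitimate_interest"}

# Retention limit in days since last activity, per contact category.
# None means "kept while the relationship is active". Example values only;
# the nDSG does not set these periods, the business's own policy does.
RETENTION_DAYS: Dict[str, Optional[int]] = {
    "lead": 365,
    "active_client": None,
    "former_client": 3650,
}


@dataclass
class Contact:
    email: str
    category: str
    legal_basis: Optional[str]   # why you hold the data
    purpose: str                 # what you use it for
    last_activity: date


def audit_contact(c: Contact, today: date) -> List[str]:
    """Return the findings for one record; an empty list means nothing to fix."""
    findings = []
    if c.legal_basis not in LEGAL_BASES:
        findings.append("no documented legal basis")
    if not c.purpose.strip():
        findings.append("no recorded purpose")
    if c.category not in RETENTION_DAYS:
        findings.append(f"unknown category '{c.category}', no retention rule applies")
    else:
        limit = RETENTION_DAYS[c.category]
        age = (today - c.last_activity).days
        if limit is not None and age > limit:
            findings.append(f"{age} days since last activity exceeds {limit}-day limit for '{c.category}'")
    return findings


def audit(contacts: List[Contact], today: date) -> Dict[str, List[str]]:
    """Map each problematic contact's email to its findings."""
    report: Dict[str, List[str]] = {}
    for c in contacts:
        f = audit_contact(c, today)
        if f:
            report[c.email] = f
    return report


# Constructed sample records and the audit date used in the demo.
SAMPLE = [
    Contact("anna@example.ch", "active_client", "contract", "engagement", date(2021, 6, 1)),
    Contact("beat@example.ch", "lead", None, "received proposal", date(2023, 1, 10)),
    Contact("cara@example.ch", "former_client", "contract", "", date(2013, 5, 20)),
    Contact("dan@example.ch", "lead", "consent", "newsletter", date(2024, 9, 1)),
]
TODAY = date(2025, 1, 15)

if __name__ == "__main__":
    for email, findings in audit(SAMPLE, TODAY).items():
        print(email)
        for line in findings:
            print("  -", line)
```

Run against a real export of your contacts, the report is the list of records that either need a legal basis recorded or should be reviewed for deletion; an active client with a contract and no retention limit produces no finding at all.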
Data protection compliance isn't a one-time task; it's an ongoing practice. But for most service businesses, the foundation is straightforward: know what data you hold, why you hold it, and how to respond when someone asks.
Ready to cut your admin time?
MenteIQ is the AI-native CRM built for European service professionals.