New data protection act: What you need to know for your website

Data protection - a topic that repeatedly leads to uncertainty. After all, anyone who does not store or process data correctly risks damage to their image and legal consequences. In Switzerland, the Federal Act on Data Protection and the Data Protection Ordinance regulate the processing of personal data. On September 1, 2023, the totally revised Federal Act on Data Protection (FADP) will come into force.

But don't worry: If you are already working in compliance with the previous Act on Data Protection, the effort required by the new regulations will be manageable for you. Read below what you need to consider with regard to your website:

Privacy policy

A privacy policy is mandatory for your website. In it, you show how and for what purpose you process the data and mention the services used on your website, such as analytics tools, tracking pixels and cookies. Likewise, explain how you handle newsletter tools and social media.

You should place the link to your data protection page on your website in a simple way and also in a way that can be found from every subpage, for example at the bottom of every website in the footer.

Imprint

Like the detailed privacy page, the imprint must be clearly visible on every sub-page of your website - preferably at the bottom. In it, you communicate who operates the website and publish your contact details.

Technical requirements

In any case, make sure that all your subpages have https encryption. You can see this in the URL by the "https" (instead of "http") and the lock symbol that appears.

Forms

Do you collect data via contact forms? Here, too, make sure that they are https-encrypted. Either integrate a checkbox with which your users confirm that they have read the privacy policy and agree to the use of data or refer to the privacy policy below the form.

Analytics Tools

If you use analytics tools, make sure that IP addresses are anonymized. Tools such as Matomo or Jentis are exciting alternatives to U.S.-based providers such as Google Analytics, especially with regard to data protection law. This is because they allow you to fully control data processing and nevertheless use comprehensive evaluation options. As you install these tools on your own server, all collected data remains in your care.

Cookies

I'm sure you know it: When you visit a website for the first time, an on-screen display informs you about cookies and asks for your consent. In the EU, a so-called cookie consent is required: cookies that are not technically necessary may only be used with your explicit consent.

Switzerland is not yet subject to the GDPR and the regulations are not quite as strict as in the EU, for example. However, particularly sensitive data, such as health data, is also subject to strict regulations in Switzerland. But be careful: If users from the EU area visit your website, then the legislation of the EU area may apply and the data protection is subject to the GDPR. With a plugin you can provide your website with a cookie bar.

Hosting Services

Your Internet presence is based on web hosting. Make sure that your hoster operates in compliance with the Data Protection Act. Since it processes data for you, conclude a Data Processing Agreement (DPA) with it. This agreement refers to the Federal Act on Data Protection and is mandatory from September 2023. Green customers receive their DPA agreement directly in the Green customer portal.

Data security

The personal data of your website visitors should be safe. Therefore, choose a hosting provider that is concerned about the security of your data. A good hoster keeps your data in accordance with the latest technical knowledge and protects it from access through a firewall, for example.

Third-party services

You probably use 3rd party services for your website. These include mailing providers or CRM tools. Here, too, it is important that these services operate in compliance with data protection regulations. Conclude an order processing contract with them – analogous to your web hosting provider.

Exciting to know: Currently, there is the so-called Schrems II problem. The main issue here is that personal data may not be transferred to the USA. According to the European Court of Justice, data protection there is not guaranteed to the prescribed extent. Consequently, the transfer of data to the USA is currently associated with great legal uncertainty. This also affects many services used in this country, such as clouds or analytics tools. The EU is working on an agreement with the USA - which will hopefully soon allow data to be exported efficiently and securely. To avoid this problem, it is advisable to use Swiss providers wherever possible.

Google Fonts

If you use such fonts, your website loads them from the Google server by default. With the new data protection law, you should embed the fonts locally. To do this, store them directly on the server on which your website is based.

Important:

As you can see, the revised legislation affects many areas of your website. Because as a website operator, you are responsible for ensuring that your website is privacy compliant and secure. We have listed some important points for you in this blog. To ensure that you are legally protected, it is advisable to consult a data protection lawyer.

Further information on the revised Data Protection Act, such as the directory of processing activities, can be found at the following link:
Federal information on the revised Data Protection Act