New data protection law in the context of immigration law.
Last reviewed: 03.06.2026
Statute as of: 01.09.2023
As of: 01.06.2026 · Snapshot
Data protection at SwissImmigrationPro — Federal Act on Data Protection (nDSG)
Effective date: 01.09.2023 — Status of the revised nDSG at the time of initial drafting.
Status: AI draft, pending review by the supervising lawyer of record and by the data protection officer (DPO).
The following data are stored in ZEMIS (Central Migration Information System): personal details, permit history, employment status, marital status, registration/deregistration data, procedural decisions, criminal record entries relevant to migration. Cantonal migration offices maintain their own records with detailed supporting documents (rental agreement, pay slips, correspondence).
Purpose of this file
SwissImmigrationPro (SIP) stores and processes migration data which, under federal law, belongs to the category of particularly sensitive personal data (Art. 5 lit. c nDSG). This file describes the applicable data protection regime under Swiss federal law, identifies the operational consequences for SIP users, and sets out the relevant provisions verbatim. It is the authoritative source for any question of consent, any access request, and any data-deletion request.
The file does not answer what SIP specifically stores (that is the role of the Tier-2 Layered Privacy Policy under ADR-018 D7). It answers which law applies in the first place and which obligations and rights follow from it for the operator and the data subject.
1. The revised Data Protection Act (nDSG) — Overview
The Federal Act on Data Protection (DSG, SR 235.1) entered into force in its revised version on 1 September 2023. It replaces the aDSG of 1992. The revision was motivated in particular by the alignment with Art. 8 ECHR, with the EU GDPR (for the purpose of an adequacy decision) and with the modernised Convention SEV 108+ of the Council of Europe.
Scope of application (Art. 2 nDSG). The Act applies to the processing of personal data of natural persons by:
private persons (Art. 2 para. 1 lit. a) — this includes SIP as a legal entity under private law;
federal bodies (Art. 2 para. 1 lit. b) — State Secretariat for Migration (SEM), Federal Administrative Court (BVGer), Federal Tax Administration (ESTV), etc.
It does not apply to processing by:
cantonal and municipal bodies (these are subject to cantonal data protection laws — see section 15);
personal data of legal persons (Art. 2 para. 2 lit. b — a significant change compared to the aDSG, which also protected legal persons);
personal data for exclusively personal use (Art. 2 para. 2 lit. a).
Supervisory authority. The supervisory authority is the Federal Data Protection and Information Commissioner (EDÖB; internationally FDPIC), based in Bern, with national jurisdiction. The Commissioner is appointed by the Federal Council (Art. 43 nDSG) and is independent of instructions in the performance of their duties (Art. 43 para. 4 nDSG).
Relationship to the EU GDPR. On 15 January 2024 the European Commission recognised the nDSG as adequate within the meaning of Art. 45 GDPR. Data transfers from the EEA to Switzerland therefore do not require any additional safeguards. The nDSG is, however, self-standing and not identical to the GDPR (key differences: no self-standing right to erasure, no fines of up to 4% of annual turnover, no explicit protection against profiling at GDPR level).
2. Particularly sensitive personal data — Art. 5 lit. c nDSG
Under Swiss federal law, migration data is particularly sensitive. The exhaustive list in Art. 5 lit. c nDSG reads verbatim:
Art. 5 Definitions
In this Act, the following terms mean:
c. particularly sensitive personal data: data:
concerning religious, ideological, political or trade-union views or activities,
concerning health, the intimate sphere or affiliation to a race or ethnicity,
genetic data,
biometric data that uniquely identifies a natural person,
data on administrative and criminal proceedings or sanctions,
data on social-assistance measures.
Operational consequence for SIP. Migration data — in particular asylum, sans-papiers, S-permit and F-permit data — typically triggers at least four of the six sub-categories simultaneously:
Asylum data (Art. 5 lit. c no. 1, 2, 4, 5):
religious or political grounds for persecution (no. 1 — religion, politics);
health data in the hearing (no. 2 — health);
ethnicity and region of origin (no. 2 — race/ethnicity);
Sans-papiers data (Art. 5 lit. c no. 5): the mere fact of presence without a residence status is an administrative status carrying a sanction risk under Art. 115 AIG (criminal provision for unlawful stay).
S-permit data Ukraine (Art. 5 lit. c no. 1, 2, 5): origin from an active war zone implies, with high probability, political and health-related information; the S-status is a protection category granted by administrative decision.
F-permit data (provisional admission) (Art. 5 lit. c no. 5): ongoing enforcement of a removal order with deferred execution.
Family-reunification and marriage data (Art. 5 lit. c no. 2): relationship details fall within the intimate sphere.
Legal consequence. For particularly sensitive personal data, the nDSG tightens:
the DSFA obligations (Art. 22 — data protection impact assessment for extensive processing);
disclosure to third parties (Art. 30 para. 2 lit. c — even a simple disclosure can constitute an infringement of personality rights);
the penalty provisions (Art. 60 ff. — punishable only in the case of particularly sensitive data or profiling, not generally).
3. Consent — Art. 6 para. 6 and 7 nDSG
The consent requirements read verbatim:
Art. 6 Principles
6 Where the consent of the data subject is required, such consent is valid only if it is given voluntarily for one or more specific processing operations after appropriate information.
7 Consent must be given expressly for:
a. the processing of particularly sensitive personal data;
b. high-risk profiling by a private person; or
c. profiling by a federal body.
Operational consequences for SIP.
A general terms-and-conditions clause is not sufficient. A blanket consent in the terms of use — for example, "By clicking 'Create account' you consent to all data processing" — is not valid for particularly sensitive personal data. The requirement of express consent under Art. 6 para. 7 nDSG excludes implicit or bundled consent. Every processing of particularly sensitive data — in particular the recording of permit status or the clarification of a hardship case — requires a separate consent, granted and logged before the processing.
Granularity. Art. 6 para. 6 nDSG requires consent "for one or more specific processing operations". A blanket consent "for all future processing operations" is not purpose-specific and is therefore invalid. SIP consents must name each purpose category individually (account management; permit tracking; crisis card; client mandate; marketing — each a separate opt-in).
Voluntariness. Consent is not voluntary if refusing it prevents access to an essential service or causes significant disadvantages. SIP must not make account access dependent on consent to non-essential processing (e.g. marketing) (prohibition of tying, cf. EDÖB explanatory note 2022).
Revocability. Consent may be revoked at any time (cf. Art. 30 para. 2 lit. b nDSG — right to object). The revocation takes effect ex nunc (for the future); processing carried out before the revocation remains lawful if it was covered by valid consent at the time.
Burden of proof. In the event of a dispute, SIP, as controller, bears the burden of proving that valid consent was given. SIP therefore logs every consent with a timestamp, IP hash, the wording of the consent declaration and a versioned UI form.
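The consent rules in this section (one opt-in per named purpose, consent logged before processing, revocation ex nunc, evidence for the burden of proof) can be modelled as an append-only ledger. This is an added example, not SIP's code: the purpose identifiers, the class and function names and the keyed HMAC used for the IP hash are assumptions, and the sample data is constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Purpose categories listed on the page; the identifiers are assumptions.
PURPOSES = frozenset({"account_management", "permit_tracking", "crisis_card",
                      "client_mandate", "marketing"})


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    action: str        # "grant" or "revoke"
    at: datetime       # when the user clicked, in UTC
    ip_hash: str       # keyed hash, never the raw address
    wording: str       # exact declaration shown to the user
    form_version: str  # version of the UI form that displayed it


class ConsentLedger:
    """Append-only log: events are added, never edited or removed."""

    def __init__(self, ip_key: bytes):
        self._ip_key = ip_key
        self._events = []

    def hash_ip(self, ip: str) -> str:
        # Assumption: HMAC-SHA256 with a server-side key. A plain SHA-256 of
        # an IPv4 address can be reversed by enumerating the address space.
        return hmac.new(self._ip_key, ip.encode(), hashlib.sha256).hexdigest()

    def record(self, user_id, purpose, action, at, ip, wording, form_version):
        if purpose not in PURPOSES:
            # Rejects blanket declarations such as "all future processing".
            raise ValueError(f"not a specific purpose: {purpose!r}")
        if action not in ("grant", "revoke"):
            raise ValueError(f"unknown action: {action!r}")
        if not wording.strip():
            raise ValueError("the declaration wording must be stored")
        if self._events and at < self._events[-1].at:
            raise ValueError("events must be appended in time order")
        event = ConsentEvent(user_id, purpose, action, at,
                             self.hash_ip(ip), wording, form_version)
        self._events.append(event)
        return event

    def covered(self, user_id, purpose, when) -> bool:
        """True if processing for `purpose` at `when` rests on logged consent."""
        state = False
        for ev in self._events:  # time-ordered, so the last match wins
            if (ev.user_id, ev.purpose) == (user_id, purpose) and ev.at <= when:
                state = ev.action == "grant"
        return state

    def evidence(self, user_id, purpose):
        """All logged events for one purpose, for use in a dispute."""
        return [ev for ev in self._events
                if (ev.user_id, ev.purpose) == (user_id, purpose)]


def demo_ledger():
    """Constructed sample: one user, two separate grants, one revocation."""
    t0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger(ip_key=b"constructed-demo-key")
    ip = "192.0.2.10"  # documentation address range
    ledger.record("u-1001", "permit_tracking", "grant", t0, ip,
                  "I consent to SIP storing my permit status.", "ui-3.2")
    ledger.record("u-1001", "marketing", "grant", t0, ip,
                  "I consent to receiving product news by email.", "ui-3.2")
    ledger.record("u-1001", "marketing", "revoke", t0 + timedelta(days=30), ip,
                  "I withdraw my consent to product news.", "ui-3.2")
    return ledger, t0


if __name__ == "__main__":
    ledger, t0 = demo_ledger()
    for days in (10, 31):
        when = t0 + timedelta(days=days)
        print(days, ledger.covered("u-1001", "marketing", when))
```

Because `covered` is evaluated against the processing time, a job that ran on day 10 stays lawful after the revocation on day 30, while the same job on day 31 is refused.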
4. Information obligation of the controller — Art. 19 nDSG
When collecting personal data, SIP must actively inform the data subject. Art. 19 nDSG reads, in part, verbatim:
Art. 19 Information obligation when collecting personal data
1 The controller informs the data subject appropriately about the collection of personal data; this information obligation applies also where the data is not collected from the data subject.
2 At the time of collection, the controller provides the data subject with the information necessary for them to assert their rights under this Act and to ensure transparent data processing; it provides them with at least:
a. the identity and contact details of the controller;
b. the purpose of the processing;
c. where applicable, the recipients or categories of recipients to whom personal data is disclosed.
3 Where the data is not collected from the data subject, the controller also informs them of the categories of the personal data processed.
4 Where the personal data is disclosed abroad, the controller also informs the data subject of the state or international body and, where applicable, of the safeguards under Article 16 paragraph 2 or of the application of an exception under Article 17.
Operational consequence for SIP. The Layered Privacy Policy under ADR-018 D7 must, when each data point is collected, make the following points transparent proactively (not only on request):
Identity of the controller: SwissImmigrationPro AG, registered office, contact email of the DPO;
Purpose of the processing: permit tracking; crisis card; client-mandate referral; AHV/tax reminders — each purpose category separately;
Recipients or categories: cantonal migration office (only upon an explicit send action by the user); lawyer of record (only in the case of a mandate); processors (Stripe SPEL, Infomaniak, Vault, Anthropic — see section 13);
Disclosure abroad: Anthropic (USA) for Clara LLM inference — see section 12.
Timing. The information must be provided at the time of collection, not afterwards. Specifically: the Privacy Notice Layer 1 must be visible before the click on "Create account", not only after the data has been entered.
5. Right to access — Art. 25 nDSG
The right to access is the central data-subject right. Art. 25 nDSG reads, in part, verbatim:
Art. 25 Right to access
1 Any person may request information from the controller as to whether personal data concerning them is being processed.
2 The data subject receives the information necessary for them to assert their rights under this Act and to ensure transparent data processing. In any event they receive the following information:
a. the identity and contact details of the controller;
b. the personal data processed as such;
c. the purpose of the processing;
d. the retention period of the personal data or, if this is not possible, the criteria for determining that period;
e. the available information on the origin of the personal data, insofar as it was not collected from the data subject;
f. where applicable, the existence of an automated individual decision as well as the logic on which the decision is based;
g. where applicable, the recipients or categories of recipients to whom personal data is disclosed, as well as the information under Article 19 paragraph 4.
7 As a rule, the information is provided free of charge within 30 days.
Operational consequence for SIP. Access requests are to be answered free of charge within 30 days — as the standard deadline. For this purpose, SIP maintains a self-service access button in the account dashboard, which generates a complete data-export package, as well as an access email to dpo@swissimmigrationpro.ch for complex requests.
Minimum content of the response. The information covers not only the "data" but the complete catalogue under para. 2 lit. a–g: retention period, origin, any automated individual decisions, recipients. A mere PDF collection of the entered data without metadata is not sufficient.
EDÖB practice 2025. In a recommendation published in August 2025 against a large Swiss bank, the EDÖB found that a blanket justification for delay ("too many requests", "internal compliance review") does not legitimately extend the 30-day deadline. Extensions are permissible only in the case of demonstrated complexity of the individual request and must be communicated with reasons.
Refusal. Access may be refused, restricted or deferred where the conditions under Art. 26 nDSG are met — in particular within the scope of attorney-client privilege (see section 6).
Attorney-client privilege is an explicit limit on the right to access. Art. 26 para. 1 lit. a nDSG reads verbatim:
Art. 26 Restrictions on the right to access
1 The controller may refuse, restrict or defer the provision of information if:
a. a law in the formal sense provides for this, in particular to protect a professional secret;
b. this is necessary because of overriding interests of third parties; or
c. the access request is manifestly unfounded, in particular if it pursues a purpose contrary to data protection law or is manifestly vexatious.
2 The controller may also refuse, restrict or defer the provision of information if:
a. it is a private person and the following conditions are met:
overriding interests of the controller require the measure,
the controller does not disclose the personal data to third parties;
b. it is a federal body and the following conditions are met:
overriding public interests, in particular the internal or external security of Switzerland, require the measure,
the disclosure of the information could jeopardise an inquiry, a criminal investigation or other investigative proceedings.
Operational consequence for SIP mandates. As soon as a mandate exists between the user and the lawyer of record, the mandate-specific file management falls under Art. 13 BGFA (attorney-client privilege). Data and correspondence in the client portal are then exempt from the right to access insofar as they fall under professional secrecy (Art. 26 para. 1 lit. a nDSG in conjunction with Art. 13 BGFA).
What this means in practice.
The user still has full access to their own mandate file (the BGFA professional secrecy protects the lawyer–client relationship, not the other way around).
Third parties — such as the Swiss authorities, an employer, another family member — cannot use the nDSG right to access to obtain access to the mandate file.
In the case of an access request by a person whose data appears in the file of another client (e.g. family-reunification proceedings), SIP may refuse access under Art. 26 para. 1 lit. a nDSG insofar as the disclosure would violate the professional secrecy of the main client.
Duty to give reasons. A refusal of access must be reasoned (Art. 26 para. 4 nDSG in conjunction with EDÖB practice). Merely citing "professional secrecy" is not sufficient; SIP names the specific legal basis and the category of the withheld data.
7. No self-standing right to erasure in the nDSG
Important clarification — diverging from the EU GDPR. The nDSG contains no self-standing, formulated "right to erasure" (no "right to be forgotten"). The EU GDPR regulates this in Art. 17 GDPR; the Swiss counterpart is explicitly absent.
This doctrine goes back to David Rosenthal (Rosenthal/Jöhri, Handkommentar zum Datenschutzgesetz, Schulthess 2008, N 137 on Art. 5; confirmed in Rosenthal's nDSG commentary 2022). Under the nDSG, erasure is achieved indirectly via two mechanisms:
Mechanism 1 — Right to object (Art. 30 para. 2 lit. b nDSG). Verbatim:
Art. 30 Infringements of personality rights
1 The controller must not unlawfully infringe the personality rights of the data subject.
2 An infringement of personality rights exists in particular if:
a. personal data is processed contrary to the principles set out in Articles 6 and 8;
b. personal data is processed contrary to the express declaration of intent of the data subject;
c. particularly sensitive personal data is disclosed to third parties.
An express declaration of intent against further processing (= revocation of consent + objection to the processing) renders any subsequent processing an infringement of personality rights.
Mechanism 2 — Claim for rectification and injunction under Art. 28 ZGB. Based on Art. 32 para. 2 nDSG in conjunction with Art. 28 ff. ZGB, the data subject may bring an action for erasure before the civil court. Art. 32 para. 2 lit. c nDSG verbatim:
Art. 32 Claims and procedure
2 The claimant may request:
c. that the personal data be rectified, destroyed or not disclosed to third parties.
Operational consequence for SIP. A user's deletion request is not handled under an nDSG label "Right to Erasure", but rather:
SIP first checks whether consent has been revoked — if so, any subsequent processing infringes personality rights (Art. 30 para. 2 lit. b);
SIP checks whether a legal basis still exists for retention (contractual obligation, accounting obligation Art. 958 OR, lawyer's file-keeping obligation Art. 12 BGFA, tax retention obligation);
Where no legal basis exists, SIP deletes immediately; where a legal basis exists, SIP blocks the data and automatically deletes it once the legal basis has expired.
Clarity for users. The SIP Privacy Policy does not state "You have a right to erasure" (which would be doctrinally imprecise), but rather: "You can revoke your consent at any time. Data whose retention has no other legal basis will be deleted. Data that fulfils legal retention obligations will be blocked and automatically deleted once the obligation has expired."
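The handling of a deletion request described in this section (no remaining legal basis: delete immediately; legal basis: block, then delete automatically at expiry) as an added example, not SIP's code. The record model, function names, the start dates of the retention periods and the rule that blocked data may be read only for the duty that still retains it are assumptions; the ten-year periods are the ones cited on this page, and the sample records are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


def add_years(d: date, years: int) -> date:
    """Same calendar day `years` later; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class RetentionBasis:
    label: str    # statutory duty that forces retention
    starts: date  # assumed input: day the retention period starts to run
    years: int

    @property
    def expires(self) -> date:
        return add_years(self.starts, self.years)


@dataclass
class Record:
    record_id: str
    bases: list = field(default_factory=list)
    state: str = "active"            # active -> blocked -> deleted
    delete_on: Optional[date] = None


def handle_deletion_request(records, today):
    """Treat the request as an express declaration against further processing,
    then delete what has no legal basis and block the rest until expiry."""
    for rec in records:
        if rec.state == "deleted":
            continue
        live = [b for b in rec.bases if b.expires > today]
        if not live:
            rec.state, rec.delete_on = "deleted", today
        else:
            # Several duties can overlap; the record goes when the last one ends.
            rec.state, rec.delete_on = "blocked", max(b.expires for b in live)
    return {rec.record_id: rec.state for rec in records}


def sweep(records, today):
    """Scheduled job: delete blocked records whose last legal basis has expired."""
    purged = []
    for rec in records:
        if rec.state == "blocked" and rec.delete_on <= today:
            rec.state = "deleted"
            purged.append(rec.record_id)
    return purged


def may_process(rec, reason, today):
    """Access gate: blocked data is available only to a duty that is still running."""
    if rec.state == "deleted":
        return False
    if rec.state == "blocked":
        return any(b.label == reason and b.expires > today for b in rec.bases)
    return True  # active records are governed by consent, outside this example


ACCOUNTING = "accounting (Art. 958f OR)"
MANDATE = "mandate file (Art. 12 BGFA)"


def sample_records():
    """Constructed records for one user; identifiers and dates are made up."""
    return [
        Record("marketing-prefs"),
        Record("invoice-2024-017",
               [RetentionBasis(ACCOUNTING, date(2024, 12, 31), 10)]),
        Record("mandate-file-42",
               [RetentionBasis(ACCOUNTING, date(2023, 12, 31), 10),
                RetentionBasis(MANDATE, date(2024, 2, 29), 10)]),
    ]


if __name__ == "__main__":
    records = sample_records()
    print(handle_deletion_request(records, date(2026, 6, 1)))
    for rec in records:
        print(rec.record_id, rec.state, rec.delete_on)
```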
8. Exclusion of rectification where there is a legal retention obligation — Art. 32 para. 1 lit. a nDSG
Art. 32 para. 1 nDSG governs the right to rectification and its limits. Verbatim:
Art. 32 Claims and procedure
1 The data subject may in particular request that:
a. incorrect personal data be rectified, unless a statutory provision prohibits the amendment;
b. the processing not take place or take place only in a restricted manner;
c. the personal data be destroyed.
Operational consequence for SIP. The clause "unless a statutory provision prohibits the amendment" is the central limit for SIP rectification requests relating to a lawyer's mandate file.
Lawyer's file-keeping as a limit on rectification. Under Art. 12 lit. j BGFA, a lawyer entered in the register of lawyers must retain the mandate files for at least ten years from the end of the mandate. This is a federal statutory provision within the meaning of Art. 32 para. 1 lit. a nDSG.
It follows that: data in an ongoing or concluded mandate cannot be rectified or deleted in the original file during the ten-year retention period. Where a correction is necessary (e.g. an error in a date of birth identified during the proceedings), the error is documented by a dated addendum; the original file entry remains unchanged. This is established legal practice and is expressly supported by Art. 32 para. 1 lit. a nDSG.
Further limits on rectification.
accounting retention obligation under Art. 958f OR (10 years — business books, accounting vouchers);
retention obligations in the AHV area (Art. 209 AHVV, 5–10 years depending on the voucher category);
money-laundering-related retention obligations under Art. 7 para. 3 GwG (10 years — where applicable).
9. Data protection impact assessment (DSFA) — Art. 22 nDSG
For extensive processing of particularly sensitive personal data, a data protection impact assessment is mandatory. Art. 22 nDSG verbatim:
Art. 22 Data protection impact assessment
1 The controller draws up a data protection impact assessment in advance if a processing operation may entail a high risk to the personality or the fundamental rights of the data subject. Where several similar processing operations are planned, a joint data protection impact assessment may be drawn up.
2 The high risk arises, in particular where new technologies are used, from the nature, scope, circumstances and purpose of the processing. It exists in particular if:
a. particularly sensitive personal data is processed extensively;
b. public areas are systematically monitored on a large scale.
3 The data protection impact assessment contains a description of the planned processing, an assessment of the risks to the personality or the fundamental rights of the data subject, and the measures to protect the personality and the fundamental rights.
Operational consequence for SIP. SIP carries out a DSFA per permit class and per new feature involving data. The DSFA is documented internally (/compliance/dsfa/), dated, signed by the DPO and — for significant changes, typically every 12 months or for feature releases involving new data collection — updated.
Content of the SIP DSFA. Description of the data flow (collection → storage → processing → disclosure → deletion); risk assessment (infringement of personality rights, discrimination, identity misuse, spillover to authorities); protective measures (encryption, access logs, data minimisation, IP hashing, restrictive processor contract).
No right to be handed a copy. The DSFA itself need not be made public; the EDÖB may, however, inspect it in the course of an investigation (Art. 49 nDSG).
10. Consultation of the EDÖB where residual risk remains — Art. 23 nDSG
If a high risk remains after the protective measures, the EDÖB must be consulted. Art. 23 nDSG verbatim:
Art. 23 Consultation of the EDÖB
1 The controller consults the EDÖB in advance if the data protection impact assessment shows that the planned processing, despite the measures envisaged by the controller, still entails a high risk to the personality or the fundamental rights of the data subject.
2 The EDÖB communicates its objections to the planned processing to the controller within three months. This period may be extended by one month in complex cases.
3 If the EDÖB has objections to the planned processing, it proposes suitable measures to the controller.
Operational consequence for SIP. The EDÖB consultation is an emergency brake, not a routine procedure. SIP would typically trigger it in the case of:
the first-time introduction of high-risk profiling (e.g. permit success forecasting — this would be an anti-scope violation and is therefore not implemented);
substantial disclosure abroad to a third country without adequacy;
introduction of biometric identification (not envisaged at SIP).
Duration of the procedure. Three months as the standard deadline, four months in complex cases (Art. 23 para. 2). During this period the processing may not be commenced.
11. Obligation to report data security breaches — Art. 24 nDSG
In the case of data breaches there is an obligation to report to the EDÖB and, where there is a high risk, to the data subjects. Art. 24 nDSG verbatim:
Art. 24 Reporting of breaches of data security
1 The controller reports to the EDÖB as quickly as possible a breach of data security that is likely to result in a high risk to the personality or the fundamental rights of the data subject.
2 In the report it states at least the nature of the breach, its consequences and the measures taken or envisaged.
3 The processor reports a breach of data security to the controller as quickly as possible.
4 The controller informs the data subject if this is necessary for their protection or if the EDÖB so requires.
5 It may restrict, defer or dispense with the information to the data subject if:
a. a ground under Article 26 paragraph 1 letter b or paragraph 2 exists or a statutory duty of confidentiality prohibits this;
b. the information is impossible or requires disproportionate effort;
c. the information to the data subject is ensured in a comparable manner by a public announcement.
6 A report made on the basis of this article may be used in criminal proceedings against the person obliged to report only with that person's consent.
Operational consequence for SIP.
The "high risk" threshold. Not every data incident is reportable. Criteria: sensitivity of the data (particularly sensitive = lower threshold for high risk); scope (number of data subjects); likelihood of the consequences (identity misuse, discrimination, official measures). Since SIP, as a matter of principle, processes particularly sensitive data, the threshold is in practice almost always exceeded.
"As quickly as possible". The federal act does not set a rigid deadline (unlike the EU GDPR with its 72-hour rule). In its 2023 explanatory note, the EDÖB clarified that the report must be made within a few days; delays beyond a week without a substantive reason are classified as a breach of the reporting obligation. SIP-internal SLA: report to the EDÖB within 72 hours of becoming aware.
Precedent "Xplain" 2023. In June 2023, the IT service provider Xplain fell victim to a ransomware attack. Police and Fedpol data, among other things, was leaked. The EDÖB investigation concluded in 2024 that the delayed and incomplete report to the affected authorities constituted a self-standing breach of the nDSG. This case substantially shaped the practice on the reporting deadline and the depth of reporting.
Information to data subjects. Where there is a high risk, the data subjects must be informed directly in addition to the EDÖB report (Art. 24 para. 4). For this, SIP sends an email to the address stored in the account and blocks the account until confirmation, insofar as this serves their protection.
Protection against self-incrimination in criminal law. Art. 24 para. 6 is a central protective clause: the report may not be used in criminal proceedings against SIP. This lowers the inhibition threshold to report in case of doubt.
12. Cross-border disclosure of data — Art. 16–18 nDSG
Personal data may be disclosed abroad only under certain conditions. Art. 16 nDSG (extract) verbatim:
Art. 16 Principles
1 Personal data may be disclosed abroad if the Federal Council has determined that the legislation of the state concerned or the international body ensures adequate protection.
2 Where there is no decision of the Federal Council under paragraph 1, personal data may be disclosed abroad if appropriate data protection is ensured by:
a. an international treaty;
b. data protection clauses in a contract between the controller or the processor and its contractual partner, which were communicated to the EDÖB in advance;
c. specific safeguards which the competent federal body has drawn up and communicated to the EDÖB in advance;
d. standard data protection clauses which the EDÖB has approved, issued or recognised in advance;
e. binding corporate data protection rules which have been approved in advance by the EDÖB or by a data protection authority of a state that ensures adequate protection.
EDÖB adequacy list — as at 1.9.2023. Adequate third countries (extract, non-exhaustive): EU/EEA states, the United Kingdom, Andorra, Argentina, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, Canada (private sector), New Zealand, Uruguay, Japan, South Korea.
Not adequate — relevant for SIP: United States of America (USA). A "Swiss-US Data Privacy Framework" (the counterpart to the EU-US DPF) has been in force since September 2024, but only for those US recipients who have self-certified. As at May 2026, Anthropic PBC is not on the Swiss-US DPF self-certification list of the U.S. Department of Commerce.
Operational consequence for SIP. For disclosures to Anthropic (USA) — the LLM inference for Clara — EDÖB-approved standard data protection clauses ("Swiss SCCs") in the contract between SIP and Anthropic are required under Art. 16 para. 2 lit. d nDSG. These must be:
concluded before the first data transfer;
communicated to the EDÖB in the context of a DSFA, where the DSFA indicates high residual risk;
reviewed regularly.
Stripe special case. Stripe Payments Europe Limited (Ireland) is the contractual partner for Swiss payment processing. Stripe Switzerland Payments Limited (Stripe SPEL) was registered in 2024 as a Swiss data controller. For SIP payment data, there is therefore no longer any cross-border transfer scenario; Stripe SPEL is a processor under Swiss law and under the Stripe group's internal processor clauses.
Infomaniak. Swiss hosting provider located in Switzerland; no cross-border transfer.
Vault. HashiCorp Vault as a secrets store runs self-hosted at Infomaniak; no third-country transfer.
13. Processor contract — Art. 9 nDSG
Where SIP delegates data processing to third parties, the requirements of Art. 9 nDSG apply. Verbatim:
Art. 9 Processing by processors
1 The processing of personal data may be assigned to a processor by contract or by legislation if:
a. the data is processed only in the manner in which the controller itself would be permitted to process it; and
b. no statutory or contractual duty of confidentiality prohibits the assignment.
2 The controller must in particular satisfy itself that the processor is able to ensure data security.
3 The processor may assign the processing to a third party only with the prior approval of the controller.
4 It may assert the same grounds of justification as the controller.
SIP processor chain.
| Processor | Registered office | Purpose | Data category | Transfer scenario |
| --- | --- | --- | --- | --- |
| Infomaniak Network SA | Switzerland (Geneva) | Hosting, storage | All SIP data | None (domestic) |
| Stripe Switzerland Payments Ltd (SPEL) | Switzerland (Zurich) | Payment processing | Payment data | None (domestic) |
| HashiCorp Vault (self-hosted at Infomaniak) | Switzerland | Secrets store | Keys, tokens | None (domestic) |
| Anthropic PBC | USA | | | |
Each processor is subject to a written data processing agreement (DPA) with the following minimum contents:
subject matter, duration, purpose of the processing;
categories of data subjects and data;
obligation of confidentiality;
technical and organisational measures (TOM);
sub-processing permission or prohibition;
return or deletion at the end of the contract;
audit right in favour of SIP.
For Anthropic, additionally EDÖB standard contractual clauses (see section 12).
14. EDÖB supervisory powers — Art. 49–51 nDSG
The EDÖB is a supervisory authority with limited — but, compared to the aDSG, expanded — powers of intervention. Extract from Art. 49 nDSG verbatim:
Art. 49 Investigations
1 The EDÖB opens an investigation against a federal body or a private person, ex officio or upon a complaint, if there are sufficient indications that a data processing operation could be in breach of the data protection provisions.
2 It may refrain from opening an investigation if the breach of the data protection provisions is of minor significance.
Art. 51 nDSG (measures) verbatim, in part:
Art. 51 Administrative measures
1 If there is a breach of data protection provisions, the EDÖB may order that the processing be adapted, suspended or terminated in whole or in part and that the personal data be deleted or destroyed in whole or in part.
Penalty provisions (Art. 60 ff. nDSG). In contrast to the EU GDPR, the nDSG provides for criminal fines directed at natural persons (typically the responsible managing directors), not primarily at the legal entity. Maximum amount: CHF 250,000 per breach. Punishable in particular are:
intentional breach of the information, access and cooperation obligations (Art. 60);
intentional breach of the duties of care regarding disclosure abroad (Art. 61 lit. a);
intentional breach of the minimum data security requirements (Art. 61 lit. c);
breach of the duty of confidentiality (Art. 62).
Significant. These are personal penalties against the natural persons responsible, not "corporate fines" as under the EU GDPR. The threshold of intent is, however, high; negligence is punishable only in narrowly defined offences.
15. Cantonal data protection laws — what they govern and what they do not
Cantonal relationship. The nDSG does not apply to processing by cantonal bodies (Art. 2 nDSG, a contrario). For cantonal migration offices, cantonal tax administrations, cantonal police, cantonal social services etc., the respective cantonal data protection laws apply. These exist in each of the 26 cantons in their own form; they are similar to the nDSG at their core, but differ in details (e.g. access deadline, structure of the supervisory authority).
Examples of cantonal data protection laws.
Zurich: Gesetz über die Information und den Datenschutz (IDG, LS 170.4); supervision: Data Protection Commissioner of the Canton of Zurich.
Bern: Datenschutzgesetz (KDSG, BSG 152.04); supervision: Data Protection Supervisory Authority of the Canton of Bern.
Geneva: Loi sur l'information du public, l'accès aux documents et la protection des données personnelles (LIPAD, A 2 08); supervision: Préposé(e) cantonal(e).
Vaud: Loi sur la protection des données personnelles (LPrD, BLV 172.65); supervision: Préposé(e) cantonal(e).
Ticino: Legge sulla protezione dei dati personali (LPDP); supervision: Incaricato cantonale per la protezione dei dati.
Operational consequence for SIP. SIP, as a private-law company, is in principle subject to federal law (nDSG), not to the cantonal laws. However, as soon as SIP users send data to cantonal migration offices — e.g. by directly submitting a completed family-reunification application — the respective cantonal law applies to the official further processing.
Clarity for users. The information from section 4 (Art. 19 nDSG) must make clear that SIP is responsible only for its own processing; what the cantonal migration office does with the data transmitted to it falls under cantonal law and is not subject to SIP's data protection practice.
Summary — the nDSG framework from SIP's perspective
| Provision | Content | Operational consequence |
| --- | --- | --- |
| Art. 5 lit. c | Definition of particularly sensitive data | Migration data fulfils ≥4 of 6 sub-categories |
| Art. 6 para. 6+7 | Express consent required | A terms-and-conditions clause alone is not sufficient; separate opt-ins per purpose |
| Art. 19 | Information obligation at collection | Layered Privacy Notice before entry |
| Art. 22 | DSFA obligation | DSFA per permit class and major release |
| Art. 23 | EDÖB consultation | Where high residual risk; 3–4 month procedure |
| Art. 24 | | |
Cross-references
anti-scope/fw_anti_scope_boundaries.md — what SIP expressly does not provide (in particular §5: no server-side form storage);
framework/fw_aig_vzae_glossary.md — AIG/VZAE terms to which migration-relevant data categories refer;
framework/fw_asylg_glossary.md — AsylG terms, in particular on N, F and S status;
framework/fw_sem_directives_index.md — SEM directives on data processing in the procedure.
Versioning note
This file is reviewed for currency quarterly (every 90 days). Triggers for an extraordinary revision:
a new EDÖB recommendation with precedential effect;
a Federal Council decision on the adequacy of a further third country (e.g. extension of the USA-Swiss DPF);
entry into force of the DSV revision (ordinance to the nDSG);
a significant change of processor at SIP;
a Federal Supreme Court ruling (BGE) or Federal Administrative Court ruling (BVGE) affecting the interpretation of the nDSG.
Last review: 2026-05-18. Next regular review due: 2026-08-18.
Reflects the cited law as of the snapshot — not a check of current force.