Data protection for startups: Key rules and best practices

Startups often treat data protection as something to figure out later. However, with the revised Federal Act on Data Protection (FADP) now in force, waiting is no longer an option. If you are storing names, sending emails, using cookies, or tracking users, this law applies to you.

In a recent SSA webinar, Helen Reinhardt from Schellenberg Wittmer shared a clear, founder-friendly breakdown of what the FADP means in practice. Her message was simple – data protection is not just a legal box to tick. It is a core part of building a scalable and trustworthy business.

It starts with personal data

If you collect any information that identifies a person, or could identify them when combined with other data, you are processing personal data. That includes names, emails, IP addresses, or behavioral data from tools like Google Analytics.

The law also defines a second category: sensitive personal data. This includes health data, biometrics, religious beliefs, or anything that could put someone at risk if misused. If you are working with this kind of data, the expectations are much higher.

FADP is not GDPR, but it is close

The FADP is Switzerland’s own data protection law, but it shares a lot of common ground with the European General Data Protection Regulation (GDPR). Both apply internationally. That means even foreign companies must comply if they serve Swiss users, and Swiss companies must follow GDPR if they handle data from EU citizens.

The biggest difference is around consent. In Switzerland, data processing is allowed by default unless it clearly violates someone’s privacy. In the EU, you always need a legal basis like consent or a contract.

Do startups need a data register?

In most cases, no. If you have fewer than 250 employees and are not working with sensitive data or doing large-scale profiling, you are not required to maintain a full record of processing activities.

That said, Helen recommended keeping a basic internal overview of what data you collect, where it is stored, and why you need it. An Excel sheet is enough. It helps if questions ever come up and keeps your team aligned.

Transparency is not optional

The law says people must be informed before their data is processed. That means you need a privacy notice. This applies even if you are just collecting emails for a newsletter or using cookies for site analytics.

At a minimum, your privacy notice should include:

  • Who you are
  • What data you collect
  • Why you collect it
  • Who you share it with
  • Where the data goes, especially if stored abroad

Third-party tools count as data processors

If you use cloud tools or newsletter providers, you are still responsible for what happens to that data. You need a written agreement with each processor. This is called a Data Processing Agreement.

If the provider is outside Switzerland or the EU, you also need standard contractual clauses that are adapted to Swiss law.

Security is a legal requirement

Every company that handles personal data must ensure it is kept secure. The FADP does not list specific tools or technologies. Instead, it expects you to take reasonable steps based on the risks involved.

This includes access control, encryption, backups, and clear internal policies. The more sensitive the data, the more careful you need to be.

People have rights. You must support them

Under FADP, individuals have the right to:

  • Access their data
  • Correct or delete it
  • Object to processing
  • Receive their data in a usable format

You must respond to these requests within 30 days, and in some cases, you may need to redact information about others if data is shared.

What if you get it wrong?

The revised law includes criminal penalties. That means individuals at a company, not just the company itself, can be fined if they intentionally violate data protection rules.

The risks are higher for startups that handle sensitive data without proper transparency, or for those using AI tools without clear oversight.

What about newsletters and cookies?

For newsletters, double opt-in is required. The confirmation email must not include any promotional content. It should only contain the activation link and the details from the registration form.
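One way to implement the double opt-in flow just described, as an added example in Python that is not part of the webinar or this article: a registration is held as pending, the confirmation mail carries only the activation link and the details from the registration form, and the address is recorded as subscribed only when a signed, unexpired link is opened. The signing secret, the 48-hour validity period and the confirmation URL are assumptions for the example.

```python
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder: in production load a random secret from a vault or env var.
SECRET_KEY = b"constructed-example-secret-do-not-use"
TOKEN_TTL_SECONDS = 48 * 3600  # assumption: activation links are valid for 48 hours
CONFIRM_URL = "https://example.com/newsletter/confirm"  # hypothetical endpoint


@dataclass
class Registration:
    email: str
    first_name: str
    issued_at: int
    confirmed: bool = False


class DoubleOptIn:
    """Minimal double opt-in: register -> mail with signed link -> confirm."""

    def __init__(self, secret: bytes = SECRET_KEY, ttl: int = TOKEN_TTL_SECONDS):
        self._secret = secret
        self._ttl = ttl
        self._pending: dict[str, Registration] = {}    # awaiting confirmation
        self._confirmed: dict[str, Registration] = {}  # the actual mailing list

    def _sign(self, payload: str) -> str:
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def _decode(self, token: str):
        """Return (email, issued_at, signature) or None for a malformed token."""
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()
            email, issued, sig = raw.split("|")
            return email, int(issued), sig
        except (ValueError, UnicodeDecodeError):
            return None

    def register(self, email: str, first_name: str, now: Optional[int] = None) -> str:
        """Store the registration as pending only; nothing is on the list yet."""
        now = int(time.time()) if now is None else now
        email = email.strip().lower()
        self._pending[email] = Registration(email, first_name, now)
        payload = f"{email}|{now}"
        raw = f"{payload}|{self._sign(payload)}".encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")

    def build_confirmation_email(self, token: str) -> dict:
        """The confirmation mail: activation link and registration details, nothing else."""
        decoded = self._decode(token)
        if decoded is None or decoded[0] not in self._pending:
            raise ValueError("unknown token")
        reg = self._pending[decoded[0]]
        body = (
            f"Hello {reg.first_name},\n\n"
            "You registered for our newsletter with these details:\n"
            f"  Name:  {reg.first_name}\n"
            f"  Email: {reg.email}\n\n"
            "To activate the subscription, open this link:\n"
            f"  {CONFIRM_URL}?token={token}\n\n"
            "If you did not register, ignore this message; the request expires unconfirmed.\n"
        )
        return {"to": reg.email, "subject": "Please confirm your subscription", "body": body}

    def confirm(self, token: str, now: Optional[int] = None) -> bool:
        """Move a pending registration to the list if the link is genuine, fresh and unused."""
        now = int(time.time()) if now is None else now
        decoded = self._decode(token)
        if decoded is None:
            return False
        email, issued, sig = decoded
        if not hmac.compare_digest(sig, self._sign(f"{email}|{issued}")):
            return False  # forged or altered link
        if issued > now or now - issued > self._ttl:
            return False  # link expired; registration stays pending until purged
        reg = self._pending.pop(email, None)
        if reg is None or reg.issued_at != issued:
            return False  # already used, or superseded by a newer registration
        reg.confirmed = True
        self._confirmed[email] = reg
        return True

    def purge_expired(self, now: Optional[int] = None) -> int:
        """Drop unconfirmed registrations past their validity; returns how many were removed."""
        now = int(time.time()) if now is None else now
        stale = [e for e, r in self._pending.items() if now - r.issued_at > self._ttl]
        for email in stale:
            del self._pending[email]
        return len(stale)

    def is_subscribed(self, email: str) -> bool:
        return email.strip().lower() in self._confirmed
```

The token is an HMAC over the address and the issue time, so the link cannot be forged or reused after confirmation, and `purge_expired` keeps unconfirmed addresses from lingering indefinitely, which is the data-minimisation side of the same rule.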

For cookies, users must be informed about their use and the purpose. A banner is helpful but not legally required in Switzerland. However, your privacy notice must explain clearly what cookies are being used and how users can object.

Final thought

Data protection is not just legal compliance. It is part of your product. It affects user trust, international growth, and your ability to scale without running into problems later.

Helen advises not to wait for legal problems to arise, but start building transparency into your processes now. Use the FADP as a foundation. It is much easier to start simple than to clean up later.

Catch the Full Webinar Replay! Visit our Education Session Library to watch the full session and download the slides – free for all Swiss Startup Association members.
