The EU General Data Protection Regulation (GDPR) and the Swiss Data Protection Act (nDSG/nFADP) require companies that process personal data to implement appropriate technical and organizational safeguards. The principle is clear: data protection without IT security is not possible. If you process personal data, you must also protect it technically.
Does GDPR apply to you?
As a Swiss company, you are subject to GDPR if you:
- Process personal data of individuals located in the EU
- Offer goods or services to individuals in the EU
- Monitor the behavior of individuals in the EU (e.g., website tracking, profiling)
Since September 2023, the revised Swiss Data Protection Act (nDSG/nFADP) has been in force. It imposes comparable requirements for the protection of personal data and applies to all data processing activities with an effect in Switzerland. Companies with EU business must comply with both frameworks.
Technical Requirements
Both GDPR (Art. 32) and the nDSG (Art. 8) require “appropriate technical and organizational measures” to protect personal data. In practice, this means:
- Regular security assessments – Systems that process personal data must be periodically tested for vulnerabilities
- Vulnerability and patch management – Known vulnerabilities must be identified and remediated in a timely manner
- Access controls and encryption – Only authorized individuals may access personal data, and data must be encrypted in transit and at rest
- Breach notification obligations – GDPR requires notification to the supervisory authority within 72 hours; the nDSG requires reporting “as quickly as possible” to the FDPIC
- Data Protection Impact Assessment (DPIA) – Processing activities that pose a high risk to individuals require a prior risk analysis
How Zerberos helps
We help you demonstrably meet the technical requirements of GDPR and the nDSG:
- Penetration Testing – We identify vulnerabilities in your systems before attackers do. The results simultaneously document your compliance with testing obligations.
- Vulnerability Scanning – Regular automated scans with expert interpretation and prioritization of findings.
- Security Audits – Comprehensive review of your infrastructure, processes, and configurations.
- Compliance Consulting – Gap analysis of your technical measures against GDPR and nDSG requirements.
- Incident Response – Support when a data breach has occurred and rapid action is required.
Our focus is on the technical side of compliance. For legal and organizational matters — such as creating records of processing activities, privacy policies, or appointing a Data Protection Officer — we work with experienced partners and are happy to facilitate introductions.
Fines and Consequences
The financial and reputational risks of non-compliance are significant:
- GDPR – Fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher
- nDSG – Fines of up to CHF 250,000, imposed as personal liability on the responsible individuals — not the company
- Reputational damage – Data breaches become public, mandatory notifications ensure transparency, and customers lose trust
- Business disruption – Supervisory authorities can prohibit processing activities until deficiencies are resolved
The investment in appropriate security measures is negligible compared to the potential consequences of non-compliance.
Contact us for a no-obligation consultation. We will show you where you stand and which measures make sense for your organization.