Who are affected by the changes in the law?
Private companies, federal bodies, but also associations and private blog or newsletter operators. In other words, anyone who obtains/processes personal data (e.g. via contact form, comment function, chat, order lists).
 
The concrete changes in the revDSG are
1. directory obligation of data processing activities: A directory of all data processing activities must be kept and kept up to date. Exceptions for SMEs with up to 250 employees are possible.

2. data protection declaration for more transparency is mandatory: the persons responsible for websites/blogs etc. must create a data protection declaration for each procurement of personal data (only natural persons). This info is mandatory: purpose of processing; identity and contact details of the responsible entity or person; any third-party recipients of the personal data and any countries if the data is exported abroad.

3. contract processing agreement is mandatory: the client may transfer the data processing to third parties (outsourcing), but must conclude a contract and remains responsible for data security. If the contractor involves another party, this is only permitted with the prior approval of the client.
 
4. Data Breach Notification: If a data breach occurs, which leads to a high risk for the personality or fundamental rights of the data subjects, this must be reported to the FDPIC.

5. Specific rights: Every person has the right to obtain information about the data stored about him or her. They can have this corrected or deleted.
 
6. higher fines: Anyone who violates the duties of disclosure, information or cooperation can be fined up to CHF 250,000.
 
What do I have to do now?
All Swiss companies must adapt their existing policies and data protection statements by September 1, 2023.