Business site and data protection
An e-commerce website must process the data collected about its customers transparently and securely.
Federal Data Protection Law
Swiss companies that process personal data are subject to the new Federal Data Protection Law. This law will come into force on September 1, 2023.
With this in mind, SMEs should check whether the data protection declarations on their e-commerce site comply with the new legal requirements. They must take into account a number of new features, such as the introduction of "Privacy by Design" and "Privacy by Default", or the obligation to inform users in advance of the collection of any personal data (no longer only of so-called sensitive data).
A checklist is available on the SME Portal, and further material is provided on the website of the Federal Data Protection and Information Commissioner (FDPIC).
Data protection recommendations
As far as data protection is concerned, traders are strongly recommended to adopt the following practices:
- Provide a data protection declaration on the e-commerce website (see below).
- Implement user authentication techniques (e.g. SuisseID) and data encryption in transit (a secure connection over HTTPS).
- Only ask customers for essential information. Irrelevant questions generate mistrust.
- Clearly indicate the personal data used and the purpose.
- Give the user the right to limit the use made of their data and with whom it is shared (consumer profile, advertising).
The remit of the Federal Data Protection and Information Commissioner (FDPIC) is to explain the Data Protection Law and offer its recommendations in this area.
Data protection declaration on an e-commerce site
On an e-commerce website, a data protection declaration is used to communicate the measures put in place to protect user privacy. To win customer confidence, traders are advised to publish such a document and display it in an easily accessible part of the website.
The data protection declaration must contain the following points as a minimum:
- To which legal provisions is the service-provider’s practice subject in terms of data processing?
- Which personal data is collected and for what purpose?
- Which personal data is communicated to third parties and for what purpose?
- What choices is the user offered in terms of the processing of their data?
- What rights (particularly right of access and right of correction) do users have?
- Which department is responsible for answering questions about data processing?
- Which security measures are applied to protect personal data?