Privacy statements on the internet


Privacy statements on the internet

Swiss companies must have a transparent data processing policy by writing a privacy statement that is comprehensible to users and displaying it on their website.

What is the purpose of privacy statements?

Privacy statements should inform the users of a website about the personal data that are collected and purposes for which the data are processed. In addition, it should be clear whether and which data is passed on to third parties. The privacy statement specifies the duties of the data controllers to provide information in accordance with Article 19 FADP. Users must thus be informed adequately and comprehensibly in order to be able to decide freely whether and how they want their data to be processed. In addition, users must have the information that they need to assert their rights. The statement must therefore be drafted with the necessary care and accuracy and be worded in a way that the target group can understand. If a company's website is provided in several languages, the privacy statement must also be provided in these languages. Transparent information about the company's data processing policy is also essential in order to gain the trust of the users.

What should be considered when drafting a privacy statement?

Before starting to draft a privacy statement, the company's data needs must be ascertained, the current data processing operations analysed and clear guidelines issued on the handling of personal data. The privacy statement should then be written based on this information. The statement must take into account the provisions of the Data Protection Act and be consistent with the company's current data processing policy. General formulations such as 'under certain circumstances we may process your data in such or such a way' should be avoided.

We recommend that you do not start writing the privacy statement until at least the following questions have been answered:

  • What personal data are collected?
  • What personal data are required for the provision of the service?
  • How and from where (internal or external sources) are personal data obtained?
  • For what purposes are personal data used?
  • Who is responsible for controlling the personal data collected?
  • Who has access to the data?
  • How, where and for how long are personal data stored?
  • Will data be transferred abroad?
  • Will personal data be disclosed to third parties and for what purpose?
  • Are third party services or products integrated into the website that transmit data to these third parties (analysis tools, social plugins, maps, weather information, stock market prices, etc.)? 

For further information on the use of web analysis tools, such as tracking using cookies or the integration of social plugins, please see our web page on tracking.

  • Are there internal policies or regulations governing the collection, processing and disclosure of these data?
  • Who can the data subjects contact to request the opportunity to inspect, delete or correct the data or to object to data processing, and how should they go about such a request?

What must a privacy statement look like?

The statement should provide the following information to the users:

  • Who is responsible for data processing
  • What personal data are collected
  • The reason for processing the collected personal data
  • How long the collected personal data are kept 
  • What choices users have about the processing of their data
  • What data are passed on to third parties and for what purposes
  • Which services or products, especially from third parties, are integrated and how users can object to the associated data transfer
  • Which contact address can be used to ask questions about data processing or where data protection rights (e.g. information, correction, deletion, objection, portability) can be asserted
  • What legislation forms the basis for the provider's data processing practices

The privacy statement should be written for the target audience. We recommend using several levels. The initial level accessed should provide concise and easy-to-understand information, e.g. key words, and provide an overview of the essential aspects of the data processing so that users can easily and quickly understand what data relating to them are being collected and how the data are used. Users should then be given a link to access the detailed privacy statement. You can also link the keywords in the overview directly to the relevant passages in the detailed privacy statement. If necessary, more in-depth and detailed information for experts could then be offered at a third level. 

If a website targets an international audience, you must also check whether international regulations require further information.

Finally, the statement must be placed on the website in such a way that it is easily accessible to users from any page.

Cross-border transfer of personal data

The cross-border transfer of personal data is subject to special rules. The following must be considered before data is transferred to other countries.

Advertising & marketing

Mail, e-mail, telephone: Depending on the type of contact, different rules apply for data protection-compliant advertising.

Credit and collection

Credit reporting agencies, debt collection agencies and other bodies process and share data about your payment history – when this is allowed.


Tracking is the use of technologies to record and evaluate the behaviour of people in an online environment or a physical space.

Questions on data protection

Take a look at our FAQ or call our hotline.

The main provisions

Here you can find out more about changes to the Data Protection Act, which came into force on 1 September 2023.

Last modification 11.05.2023

Top of page