Is the privacy policy on the company website sufficient?

In the digital world, we are confronted with privacy policies practically every day. We usually have to accept them in connection with cookies or in some other way. They have therefore become indispensable for online shops and other corporate websites. If a website does not yet have a privacy policy today, it is high time to publish one. But what exactly is a privacy policy? What must or should it contain? And why is it needed at all?

Author: Nina Oehy

12 December 2025


A privacy policy is…

simply put, information regarding everything a company does with personal data.

The Swiss Federal Act on Data Protection (FADP) does not prescribe a specific form for a privacy policy. However, the FADP obliges a company, as the controller, to inform the natural persons concerned that their personal data is being collected and for what purpose. This information must be provided before the data is collected for the first time. For example, if a company has a contact form on its website where a potential client can enter her name and e-mail address, the client must generally be informed about the data processing before the company receives the information, i.e. before she submits the form. The easiest way to do this is via a privacy policy, such as the one also published on this website.

The Swiss Data Protection Act prescribes the following minimum content:

  1. Identity and contact details of the company responsible for the data processing (the controller)
  2. Purpose of processing: Why is the personal data being processed?
  3. The persons or companies (or categories of recipients) to whom the personal data is disclosed
  4. The categories of personal data processed, if the personal data is not collected from the data subject themselves
  5. If the personal data is disclosed abroad: the state concerned and, where applicable, the safeguards that justify the disclosure (e.g. standard contractual clauses) or the exception relied upon

If a company also has to comply with the GDPR (the EU General Data Protection Regulation), further legal requirements apply.

Why does a company need a privacy policy at all?

Well, there are several reasons, depending on the perspective.

From the company’s or the responsible person’s point of view, one reason is certainly the criminal consequences. Anyone who intentionally fails to provide adequate information about how and for what purpose personal data is processed can be fined under the FADP (up to CHF 250,000). Unlike in the EU, where the fine is imposed on the company, in Switzerland it is generally the natural person who was responsible for providing the information about the data processing who is fined; only if identifying that person would require disproportionate effort can the company itself be fined instead.

It is also a question of a professional web presence for a company. Data protection is a hot topic and increasing attention is being paid to how and whether companies address the protection of personal data. A professional privacy policy has therefore effectively become an image factor.

From the perspective of a client or other data subject, the privacy policy is needed so that they know what a company does with the data and to whom the data is disclosed.

A privacy policy is therefore essential for a company.

What does this mean regarding your privacy policy?

The privacy policy constitutes information about data processing. Unlike General Terms and Conditions (GTC), it therefore does not necessarily have to be acknowledged or accepted by the data subject. It is advisable to publish the privacy policy on the company website. It should be easily accessible, i.e. anyone should be able to reach it with at most one or two clicks. Privacy policies should therefore be linked in the footer of the website, for example.

Many corporate websites merely have a note in the legal notice under the heading “Data Protection” stating that they use Google Analytics, perhaps adding that data protection is important to them and that they only use their clients’ data in compliance with a data protection act. This is far from sufficient.

A privacy policy that addresses only website visitors is also insufficient, i.e. one that describes only the processing of personal data collected from visitors to the website, such as IP addresses, cookies, etc., but says nothing about the data of clients, suppliers or other persons the company deals with.

It is not recommended to copy privacy policies from other websites. Data processing in a company can vary greatly, and there are numerous poor and insufficient privacy policies on the Internet which should not be copied.


Therefore, pay attention to the following regarding your privacy policy:

  • The privacy policy must at least name the responsible company and contain a contact e-mail address.
  • Information must be provided on which personal data (e.g. contact details) is collected and processed for which purposes (e.g. marketing). Under the GDPR, the legal basis (e.g. consent, performance of a contract, legitimate interest) must also be stated for each purpose.
  • It must state to whom the personal data is disclosed (e.g. IT service providers). If data is disclosed abroad, the foreign state must also be named, together with the safeguards relied on (e.g. standard contractual clauses) where the state does not provide adequate protection.
  • Ensure that the privacy policy is not only addressed to website visitors, but generally also to your clientele, your business partners and all other persons whose data you process. There should be a separate privacy policy for employees.
  • Under the GDPR, you must also provide information about the rights of data subjects (access, rectification, erasure, objection, etc.) and disclose how long you store the respective data, or the criteria used to determine that period.
  • Information about cookies and tracking should also not be missing.

The privacy policy should also be formulated clearly and understandably, in plain language that the data subjects can actually follow; under the GDPR this is an express requirement (concise, transparent, intelligible and easily accessible form).

Any questions?

Get trustworthy advice.