Buy Qualified LeadsSuisse

Published on February 10, 2026

nLPD & B2B Lead Buying: Switzerland's Legal Framework

Consent, traceability, and the obligations of both buyer and provider: what the nLPD concretely requires from any business that buys leads in Switzerland.

Buying leads inherently involves processing personal data: name, contact details, a description of a need. In Switzerland, this processing is governed by the federal data protection act (nLPD), which came into force in its revised version in September 2023. It isn't designed to prevent lead buying, which remains a perfectly legal commercial practice, but to ensure that the people whose data circulates have given their consent and retain control over how it's used.

This dossier presents the general principles applicable to B2B lead buying in Switzerland. It isn't personalised legal advice: for any question specific to your situation, seeking a legal advisor's opinion remains recommended. The goal here is to give you the reference points needed to have a useful conversation with a provider and assess how seriously they take this issue.

What the nLPD says about an end customer's data

The nLPD governs the processing of any data that can identify a natural person — which includes a name, phone number, e-mail address or postal address, the data typically contained in a lead. The central principle is transparency and purpose limitation: a person must know what their data will be used for at the moment they share it, and that data must only be used for that specific purpose.

Applied to lead buying, this means the customer filling in a request form must be clearly informed that they'll be contacted by one or several professionals in the relevant sector in response to their request. This information must appear visibly at the point of collection, not buried in unreadable terms and conditions or in a separate text you'd have to go looking for.

Consent: what's concretely required

Consent to be contacted must be freely given, specific and informed: the person must understand what they're consenting to, with no pre-checked box or ambiguous wording nudging them into accepting without paying attention. An active checkbox (unchecked by default), paired with clear wording such as "I agree to be contacted by a professional in the sector regarding this request," is a compliant practice widely adopted by serious platforms.

That consent must also be tracked and timestamped by the provider, so its existence can be demonstrated if challenged. A provider unable to prove the origin and timing of consent — or that simply asserts "all data is compliant" without detail — doesn't offer sufficient guarantees for buying leads with peace of mind.

Obligations of the business buying leads

By receiving a customer's contact details through a lead, your business in turn becomes responsible for processing that personal data under the nLPD. Concretely, this involves several obligations: keeping the data only as long as needed to process the request (no indefinite "just in case" retention), not passing it to a third party without a legal basis, and respecting the customer's right to object to further contact if they request it.

It also means checking, at least once, how your provider collects consent — a reliable provider should be able to answer this question directly. If there's any doubt about a provider's compliance, the legal risk remains attached to the business using the data, not only to the one that originally collected it.

Obligations of the lead provider

A serious lead provider must be able to demonstrate the origin of each consent collected (form, timestamp, the exact wording shown to the customer), limit the number of businesses a given piece of data is sent to, to what was disclosed to the customer (a lead marketed as "shared between 3 businesses" shouldn't be resold to ten), and at any time let an end customer exercise their right to access or object regarding their own data.

These obligations aren't mere formalities: they shape the reliability of the lead itself. Poorly collected or poorly tracked consent isn't just a legal risk — it's also often a sign of lower-quality data, collected without real engagement from the customer, and therefore statistically less likely to turn into an appointment.

Compliance best practices before you buy

Before committing to a provider, a few simple checks limit your risk: ask how consent is collected and whether this can be documented on request; check that the provider specifies the disclosed sharing level (exclusive, or shared among how many businesses); and make sure there's a clear procedure if an end customer wants to opt out of further contact.

On your own side, formalise a simple rule for your team: only keep a lead's data for as long as it takes to process the request, and delete contacts that didn't convert after a reasonable period. This discipline remains the best protection, regardless of the provider's own quality, and applies to any customer data you process, not just purchased leads.

Frequently asked questions

Is it legal to buy leads in Switzerland?

Yes. Buying leads is a legal commercial practice, provided each customer whose contact details circulate gave explicit, freely given and tracked consent to be contacted, in line with the nLPD.

Who's responsible if a lead didn't give consent?

Responsibility can fall on the provider that collected the data, but the business using the lead also remains responsible for processing it once received — hence the value of checking a provider's seriousness before buying.

How long can I keep a lead's data?

Only as long as needed to process the request. The nLPD doesn't set a single universal duration, but the proportionality principle requires you not to keep data beyond its original purpose.

Can a customer opt out of being contacted after filling in a form?

Yes, at any time. The nLPD guarantees a right to object and to access personal data; a business receiving that kind of request must respond to it and stop contacting the person.

How do I check that a lead provider complies with the nLPD?

Ask how it collects and tracks consent, how many businesses a given piece of data is sent to, and whether it has a process for handling opt-out requests. A serious provider answers these questions clearly.

Explore our leads by sector

This dossier applies to every sector. Discover our qualified leads offering sector by sector, across Switzerland.

Ready to fill your sales pipeline?

Tell us your sector, area and volume: we connect you with customer requests that are ready to be contacted.

Get qualified leads