Since the revised Swiss Federal Act on Data Protection (nLPD) came into force on 1 September 2023, many Swiss businesses assume that, because they operate only in Switzerland, only the nLPD concerns them. The reality is more nuanced: depending on where contacts originate and which markets you target, the European Union's General Data Protection Regulation (GDPR) can also apply to leads handled from Switzerland. For a business buying or reselling customer requests, knowing which law governs the data received is not an abstract legal formality: it determines how consent must be collected, how data may circulate, and who bears responsibility if something goes wrong.
This dossier compares the two frameworks specifically from the angle of buying qualified leads, without needless jargon. It doesn't replace a lawyer's advice on your particular situation, but it gives you the reference points to ask a provider the right questions and to check that the data chain reaching you is compliant. It complements our dedicated dossier on the nLPD and B2B lead buying, as well as our dossiers on lead quality and on choosing a provider, where the contractual side is covered in more detail.
Why both laws can apply to your business
The first mistake is to reason by the nationality of the business rather than by the processing situation. The nLPD applies to data processing that produces effects in Switzerland, regardless of where the processing physically takes place. The GDPR, for its part, has extraterritorial reach: it applies as soon as a business, even one established outside the Union, offers goods or services to people located in the EU or monitors their behaviour. In practice, a Swiss business buying leads that correspond exclusively to Swiss residents remains primarily under the nLPD; but as soon as a lead concerns a person residing in the EU, or your activity targets cross-border customers, the GDPR comes into play in parallel.
For a lead buyer, this has a practical consequence: you need to know where the contacts you receive come from. A provider collecting requests through forms accessible from neighbouring France or aimed at cross-border workers is potentially handling data covered by the GDPR. This is not an obstacle in itself — the two regimes are largely compatible — but it means checking that the provider applies the stricter of the two standards, rather than assuming that "since we are in Switzerland, the nLPD is enough." When in doubt, it is safer to treat all leads according to the strictest standard.
The common ground shared by both regimes
Despite their differences, the nLPD and the GDPR rest on the same broad principles, and that is good news for anyone buying leads: complying seriously with one gets you most of the way to the other. Both texts require transparency (the person must know who is collecting their data and for what purpose), purpose limitation (data collected for a matchmaking service cannot be diverted to an unrelated use), minimisation (collect only what is necessary), data security, and respect for individuals' rights: access, rectification, erasure and objection.
For the receiving business, these principles translate into concrete obligations. You must be able to tell a customer, if asked, where their request came from and why you are contacting them. You must be able to delete their data if they object or if you no longer have a legitimate reason to keep it. You must protect the file of received leads like any other personal data. These requirements are identical or very close under both regimes; the real differences, the ones that matter when choosing a provider or drafting a contract, lie elsewhere.
What really changes: legal basis, consent and penalties
The most structural difference concerns the legal basis for processing. The GDPR requires, for every processing operation, an explicit legal basis from a closed list: consent, performance of a contract, legal obligation, legitimate interest, and so on. The nLPD reasons differently: for a private business, processing non-sensitive data is in principle lawful as long as it does not unlawfully breach the personality of the person concerned. Consent is not systematically required; it becomes necessary in particular to lift a breach, for sensitive data, or for certain communications. In practice, the nLPD leaves slightly more room when processing professional contacts, but that flexibility never removes the duty to inform people or to respect their right to object.
The second major difference lies in the penalties and whom they target. The GDPR provides for administrative fines directed at the responsible business, calculated in proportion to its worldwide turnover. The nLPD, by contrast, provides for criminal penalties that primarily target the responsible natural person within the business (for example a manager who breached certain obligations), rather than the entity itself. This very different logic explains why nLPD compliance depends heavily on clearly assigned internal responsibilities. Other gaps exist — the deadline for notifying a data breach, exemption thresholds for the processing register of SMEs, the appointment of a representative in Switzerland for controllers established abroad — but legal basis and the penalty regime are the two points every lead buyer must keep in mind.
Consent, prospecting and the role of the UCA
For leads, the question of consent comes with a rule that is often forgotten: in Switzerland, mass commercial prospecting is governed not by the nLPD alone but also by the Unfair Competition Act (UCA / LCD). It subjects the sending of mass advertising by electronic means (e-mail, SMS) to an opt-in regime: in principle it requires the recipient's prior consent, correct identification of the sender, and a simple way to refuse. This rule targets the business exploiting the lead, not only the one that collected it. In other words, buying a lead does not exempt you from checking on what basis you are allowed to contact it, and through which channel.
The reassuring point for the buyer is that a properly qualified lead resolves most of the problem: the person filled in a form explicitly asking to be contacted by a professional in your sector. That consent, provided it is documented and traceable, forms a solid basis under both the nLPD and the GDPR, and covers the initial contact contemplated by the UCA. This is precisely why consent traceability — timestamp, the exact wording of the form, IP address where relevant — is the most important criterion to require from a provider. A lead with no proof of consent is a legal risk disguised as a commercial opportunity, whatever the applicable regime.
What the lead buyer should check in practice
When choosing a provider, a few simple checks secure the whole chain. First ask for proof of consent: the provider must be able to show you, for a given lead, what the person consented to, when and how. Then make sure the contract binding you specifies each party's role in data protection terms — who decides the purposes, who processes on whose behalf — because it is this document that will determine your liability in the event of an audit or a complaint. Check how leads are transmitted and stored, and how long the provider keeps the data after transferring it to you.
Two points deserve particular attention if a European dimension exists. First, data transfers: Switzerland has its own regime for cross-border flows, and the EU recognises Switzerland as offering adequate protection, which smooths exchanges — but a provider hosting or subcontracting outside this area must be able to justify it. Second, the existence of a clear point of contact for requests from data subjects (access, deletion), which you will need to be able to honour. Once these elements are in place, your legal exposure becomes manageable: you are working from consented requests, within a clear contractual framework, with a provider able to document the compliance of its collection. It is this upfront rigour, far more than the choice between nLPD and GDPR, that durably protects the receiving business.