The ISO 9 001 standard is internationally recognized and the most widely used standard in the field of quality management. It defines the criteria for a quality management system. Its focus is on the efficiency of processes, increasing customer satisfaction, maintaining relationships and continuous improvement.

The certification confirms our efforts to date and provides a guideline for future developments so that we can maintain a stable and healthy company in the long term.

We would like to thank our customers who have placed their trust in us along the way and are certain that our certification will continue to build trust.

What is the added value of ISO 9 001?

ISO certification offers us and our customers several advantages:

1. Quality and reliability: Our customers can trust that, as a certified company, we consistently deliver high-quality products and services.
2. Risk reduction: ISO 9 001 helps our company to identify and manage potential risks in our operating processes. For our customers, this means a higher likelihood that our services will be delivered as expected and that interruptions or problems will be minimized.
3. Commitment to continuous improvement: We are committed to actively improving our services and processes on an ongoing basis. Our customers can be confident that they are working with a successful company for the long term.

In summary, ISO 9 001 certification is a strong signal of our company’s quality, reliability and customer-focused commitment.

What is the ISO 9 001 standard?

The ISO 9 001 norm sets standards in quality management. It places the following priorities:

• Customer orientation: The central focus of quality management is to manage the company in a customer-oriented way. This is because a company can only be successful if it meets or even exceeds the expectations of existing and future customers.
• Exemplary leadership: Managers must lead the company in such a way that employees understand the company’s goals and are willing to accept, support and implement them.
• Employee commitment: The counterpart to exemplary leadership is committed and competent employees. A good team culture, mutual understanding and recognition of achievements are crucial for this.
• External relationship management: The involvement of interested parties (stakeholders) creates synergies through joint developments, mutual coordination, knowledge transfer and optimized supply chains.
• Fact-based decision-making: Decisions should be based on measurable criteria. In conjunction with their experience and intuition, decision-makers must have knowledge of measurable data, causes, effects, risks and key figures and be able to analyze and weigh these competently.
• Process-oriented approach: Processes determine the functioning of day-to-day business, and the efficient planning, coordination and improvement of internal processes play a key role in ensuring predictable quality and efficiency.
• Continuous improvement: The quality management system is designed to continuously and systematically optimize processes, services and products and to minimize risks and weaknesses on an ongoing basis.

Like the ISO 27 001 standard, ISO 9 001 follows a risk-based and goal-oriented approach: improvements should be consistently implemented where actual and urgent risks exist or where current and significant goals can be achieved.

What does certification for ISO 9 001 cost?

The financial outlay for ISO 9 001 certification can vary greatly depending on the size, complexity and structure of a company.

In our Open Startup Report for December, we already briefly announced the costs for our initial certification: CHF 20 820 (including certification for ISO 27 001).

This does not yet include the personnel costs that we have expended for the preparation of the certification and that we will continue to need for the continuous implementation of the required standards.

We will be reporting on this in more detail shortly.

PS: Find an overview of our certifications and awards here.

Der Beitrag Approved quality: Friendly receives ISO 9 001 certification erschien zuerst auf Friendly.

January at Friendly in Numbers

• Software revenue: 18 212 CHF (+1%)
• Consulting revenue: 8 275 CHF (+47%)
• Total revenue: 26 487 CHF (+12%)
• Costs: 27 354 CHF (+17%)
• Profit and loss: -867 CHF (-370%)
• Active customers: 122 (+2%)
• Churn rate (lost customers): 0.8% (-50%)
• New trials: 14 (+27%)
• Website visits: 4 229 (+12%)

These were the key developments in January:

Revenues: Slow growth in software sales, good result in consulting

Our monthly recurring revenue (MRR) from software subscriptions rose by just CHF 190 to CHF 18 212 in January, an increase of 1% on the previous month.

As our software subscriptions form the basis for consulting, they are the decisive growth factor for our company. The figures for the last few months show: We are growing slowly – but steadily.

And that is okay. Our company is growing healthily, we are continuously improving our quality and we are providing everyone in the team with a solid foothold in life. Not only financially, but also through a balanced working environment in which we do well in the long term.

Our customer numbers are also currently very stable. In January, we lost one customer and gained two new ones, so we currently have 122 customers.

This month, consulting turnover rose by a full 47% to CHF 8 275. The largest projects were assignments for an insurance company, a construction machinery dealer, a bank and a non-profit organization. We assisted with the design of newsletters, set up enterprise instances and provided employee training.

Our total revenue in January was a good CHF 26 487, an increase of 12% compared to December.

Costs: Costs explode due to freelancers and high advertising expenses

By contrast, our costs rose massively in January: from CHF 23 338 in the previous month to CHF 27 354.

The main reason for this was a consulting project that we covered with a freelancer. This project resulted in unforeseeable expenses that we were unable to charge directly to the customer and therefore had to bear ourselves.

I see these one-off costs as an investment in the customer relationship with an important customer. And as a lesson learned. I miscalculated and evaluated the mistake so as not to repeat it.

In addition, our advertising costs in search engine advertising also increased. This increase was directly caused by higher demand for our products on Google and Bing, and I am therefore very pleased with it.

Here are all our costs including salaries for January 2024 in detail:

Open Startup: Does it make sense?

We don’t just run from one success to the next. We grow slowly and make mistakes. And we also share these things in our Open Startup Reports. We are regularly asked if this is “necessary”.

I recently shared my motivation on indiehackers.com:

Marketing and visibility
“We benefit by getting attention. Our monthly open startup reports do very well on LinkedIn because being open is still novel in Switzerland, our home market. We are still the first and only “open startup” in Switzerland.”

Trust
“It creates trust because people see that their fees actually are invested into the product; not into the CEO’s Lamborghini.”

Feedback
“We often get valuable feedback. For example, people questioned our hosting costs and pointed us to better options.”

To summarize – we’ve had positive experiences with it. Others see it differently. Read more in the article on indiehackers.com.

Conclusion

The result of the good revenue figures and the high one-off costs on the other side: the new year starts with a narrow loss of CHF -867.

This is uncomfortable after we had already reached the “black figures”* quite reliably last year.

But it’s also manageable because we understand why it happened.

I expect that we will be able to sustainably consolidate our financial situation this year.

* “Black figures” is deliberately put in quotation marks because I have not yet paid myself a salary for my work and, as a sole founder without investors, I have yet to make up for the loss so far.

Der Beitrag We make a mistake and experience a setback: Open Startup Report January 2024 erschien zuerst auf Friendly.

We recently successfully passed the initial certification according to ISO 27 001 : 2022. The certification covers our entire company and therefore applies to all our products.

What is the added value of ISO 27 001?

Our ISO certification offers several advantages for us and our customers:

1. Increased security: We have introduced an information security management system (ISMS) that meets international standards. This ensures that we have a functional, robust, evolving system to protect data.
2. Compliance: Our ISO 27 001 certification provides our customers with proof that we know and implement the applicable legal regulations regarding IT security and data protection. This also supports them in complying with their legal obligations.
3. Reputation and trust: Being certified shows that we are committed to information security. And that also builds trust for our customers’ customers.
4. Sustainable improvement: The ISO 27 001 standard requires continuous monitoring and regular review of the ISMS to ensure that we remain at the cutting edge of security requirements and technologies in the future.

Our software is already being used more and more by companies who highly prioritize information security, such as insurance companies, banks and public institutions.

Last year, we were already awarded the “swiss made software” and “swiss hosting” labels, which recognize Swiss quality and data protection. The ISO 27 001 certification reinforces this promise.

What is the ISO 27 001 standard?

The ISO 27 001 standard takes a risk-based and goal-oriented approach: improvements are consistently implemented where actual and urgent risks exist or where current and significant goals can be achieved.

This ensures that the available resources can be used to deliver the most effective results.

The standard requires the introduction of an information security management system (ISMS) that addresses measures in the following areas:

• Compliance with applicable laws and regulations, for us in particular the Swiss nFADP and the European GDPR
• Security in using software and hardware, code reviews, regular updates, patches and backups
• Regular external penetration tests to uncover vulnerabilities and close security gaps before hackers can exploit them
• Internal guidelines and policies for information security, continuous training for all employees and consulting for our customers
• Clear management of information security incidents with ongoing evaluation and improvement
• Classification of information and assets according to confidentiality levels (asset management) and identification of appropriate protective measures
• Protection of infrastructure against intruders, fires, water damage and power outages
• Protection against unauthorized access to data through access rights and access controls, need-to-know principle and continuous monitoring of networks and systems
• Use of encryption for the transmission of sensitive information, guidelines for the secure use of communication channels
• Security in supplier and service relationships through audits, contracts and regular reviews of suppliers
• Developing and continuously updating plans for system maintenance or recovery in emergencies and crises (business continuity management)

The management system thus enables a continuous improvement process in all areas of information security.

What does certification for ISO 27 001 cost?

The financial outlay for ISO 27 001 certification can vary greatly depending on the size, complexity and structure of a company.

In our Open Startup Report for December, we already briefly announced the costs for our initial certification: CHF 20 820 (including certification for ISO 9 001).

This does not yet include the personnel costs that we have expended for the preparation of the certification and that we will continue to need for the continuous implementation of the required standards.

We will be reporting on this in more detail shortly.

PS: Find an overview of our certifications and awards here.

Der Beitrag Acclaimed information security: Friendly receives ISO certification 27 001 erschien zuerst auf Friendly.

We reach the black figures

2023 is the year in which we reached the “black figures” with Friendly. Although total revenue increased reliably in the first few financial years, so too did costs. It was not until 2023 that we succeeded in significantly increasing total revenue with only slight cost increases.

In 2023, our annual recurring revenue (ARR) from software subscriptions was CHF 188 691, while consulting revenue amounted to CHF 90 313. This brought our total revenue to CHF 279 004, an increase of 60% compared to the previous year.

Meanwhile, our costs rose by only 29% to CHF 266 038. After the previous annual losses, we thus achieved a small profit of CHF 12 966 at the end of the year for the first time.

The balance for the entire business time still shows a loss of CHF 59 554, which Stefan, as the sole founder without investors, paid out of his own pocket and which the company still has to make up.

And we missed our repeatedly communicated target of being able to pay Stefan a salary within 2023.

That is why we continue to write “black figures” in quotation marks. But we have come one step closer to real profitability.

Open Startup – what’s the point? Stefan shares his motivations on indiehackers.com.

We establish consulting as a key business area

After initially maintaining our strategy of generating most of our revenue through software subscriptions, we started offering consulting as a service in March 2022.

At first, our monthly consulting turnover was only just in the four-digit range, but since shortly before the turn of 2022/23, we have been achieving a significant turnover.

In 2023, consulting has established itself as one of our core business areas. To be sure, in the Open Startup Reports we have repeatedly described the rollercoaster ride that our consulting turnover represents month after month.

However, a quarterly comparison and the annual overview show that we can count on solid consulting income.

Over the whole of 2023, we earned an average of CHF 7 526 per month through consulting, or a total of CHF 90 313, which accounts for 32% of our annual turnover.

We support innovative projects

Our customers implemented some impressive projects with Friendly Automate and Friendly Analytics in 2023, some of which we would like to highlight:

• Knies Kinderzoo and Knies Zauberhut simplified their marketing activities and event management with Friendly Automate (see the case study here).
• For the Swiss branch of the French pharmaceutical company Pierre Fabre, we used Friendly Automate to develop individual applications such as a sales portal, an intranet and an event management platform (case study to follow shortly).
• A Swiss bank integrated Friendly Analytics into its e-banking system.
• Bofrost Switzerland, the Bürgenstock Collection, wemakeit, Switch and other companies and organizations implemented high-quality tracking projects with Friendly Analytics.

We strengthen our position in data protection

Since our company was founded in 2020, we have been focusing on data protection and information security with Friendly.

In 2023, we were able to significantly strengthen our position in data protection even further, as the introduction of the revised Swiss Federal Act on Data Protection in September 2023 sensitized many Swiss companies and institutions to the issue.

We set high data protection standards for our software, are visible with a detailed blog post and at events (link in german language) and now also offer data protection training courses on request.

Read more: The new Swiss Federal Act on Data Protection will be introduced on September 1: The comprehensive guide (+ checklists and templates)

We obtain important industry certifications

With “swiss made software” and “swiss hosting”, we received our first official labels last year. These labels confirm that we are a Swiss company that generates most of its added value in Switzerland and that the data we host remains entirely in Switzerland.

Then shortly before the end of 2023, we successfully passed the initial certification for ISO standards 27 001 & 9 001.

Both standards are recognized worldwide and are among the leading standards in their respective fields. ISO 27 001 certifies that we have implemented an information security management system (ISMS) and ISO 9 001 that we have introduced a quality management system (QMS).

We are proud of these awards and are certain that they will strengthen our value proposition and our customers’ trust in us.

We build our team culture

At Friendly, we place a high value on team culture. This includes mutual appreciation, which we would like to express to all our team members for their achievements in 2023.

József “Joey” Keller, our CTO and first employee of Friendly, continued to work with great dedication in 2023 to maintain and further develop our infrastructure, and competently answered numerous support requests for Friendly Automate with his technical knowledge.

At the same time, Joey continued to be a key member of the Mautic open source team in 2023, on which our Friendly Automate software is based. He was the third most active individual member of the Mautic community and even brought Friendly to the 2nd place of the most active companies. We are proud to have Joey on our team.

Most active members at Mautic 2023	Contributions
1   Ruth Cheesley	5390
2   Jan Linhart	1700
3    Joey Keller	1505
4   Mohammed Abu Musa	1358
5   Matthias Michaux	995

Most active companies at Mautic 2023	Contributions
1   Acquia	1926
2    Friendly	1511
3   Dropsolid	1425
4   Steer Campaign	1359
5   Leuchtfeuer	1064

Lukas Sigel, our CCO, has managed demanding customer projects in 2023 and thus significantly developed and expanded the consulting sector at Friendly.

Our customers appreciate Luke’s professional approach, his accessibility, the creative design of templates for Friendly Automate and his innovative solution finding. Luke’s contribution is extremely valuable to Friendly.

Peter Boehlke, our independent analytics consultant, worked numerous freelance hours for us again in 2023 and advised our customers on Friendly Analytics. Peter is part of the core team at Matomo, the open source software behind Friendly Analytics, and his expertise is a great asset to us and our customers.

Matic Zagmajster has been supporting us as a developer with a small part-time job since August 2023. Thanks to Matic, we have already been able to improve the important link between Friendly Automate and the Microsoft Dynamics CRM and fix several software bugs.

Dr. Kathrin Schmid, our CMO & CISO, has expanded the marketing and data protection area at Friendly over the past year.

With her contributions on our website and at events, she increases our visibility in the public eye, and her achievements for ISO certification and data protection strengthen public trust in us. Both are very important to Friendly.

Stefan Vetter, our founder and CEO, has continued to shape Friendly in 2023 with his forward-thinking management style.

His focus on team culture, appreciative working conditions, personal responsibility, sustainability and friendliness creates a company that the team is very happy to work for.

We are focused on a sustainable future

Like the reflections on the company’s two-year and three-year anniversaries, we conclude this review with a reminder of the future:

We don’t see the journey with Friendly as a sprint, but as a marathon. We have an exist strategy, not an exit strategy. We’ll see whether we’re successful after 10 years. Not before. And we very much want to go down this path. If possible, for much longer than 10 years.

Der Beitrag Our year in numbers and events: Open Startup Annual Review 2023 erschien zuerst auf Friendly.

November at Friendly in numbers

• Software revenue: 17 726 CHF (+5%)
• Consulting revenue: 11 310 CHF (+87%)
• Total revenue: 29 036 CHF (+27%)
• Costs: 23 139 CHF (-2%)
• Profit and loss: +5 897 CHF (-947%)
• Active customers: 120 (+4%)
• Churn rate (lost customers): 4.3% (+59%)
• New trials: 10 (-41%)
• Website visits: 3 934 (-10%)

These were the key developments in November:

Revenues: Record software revenue for five months in a row, new record for new and active customers

Our monthly recurring revenue (MRR) from software subscriptions continues to rise slowly but reliably. We have now recorded revenue growth for the fifth month in a row, with an increase of 5% to CHF 17 726 in November. This means that we have now set a new record for our most important KPI for the fifth month in a row.

In November, we also achieved a small record with new customers: we were able to conclude 10 new software subscriptions. Among our existing customers, however, we recorded a slightly higher churn rate of 4.3% with 5 terminations compared to an average of around 2% in the previous months. Overall, our customer base has thus increased by 5 to 120 customers. This is also a record.

In Consulting, the rollercoaster continued – this time upwards again. At CHF 11 310, we recorded the second-highest consulting turnover in our company’s history; the only time this turnover was higher was in September 2023. We advised more than 15 clients, including customers from the financial sector, insurance and trade unions.

Despite the major fluctuations in consulting, we were able to count on an income of around CHF 7 000 per month on average last year. In absolute terms, the figure has never been below CHF 4 000 in the last 12 months, so we can also rely on this income with some certainty.

As a result, we also recorded the second-highest figure in our history for total revenue at CHF 29 036, having already reached a one-time figure of CHF 33 215 in September. Compared to the previous month, our revenue rose by an impressive +27%. Looking back a year, our total revenue has almost doubled compared to the same month last year: in November 2022, it was still at CHF 15 625 and has increased relatively steadily since then.

Costs: Wage cuts finally lifted, costs still down slightly due to further savings on freelancers

A year ago, our balance sheet did not look good: Our MRR was declining and we were only reaching a few new customers. As a self-financed start-up, we were forced to cut our costs. The result was self-imposed wage cuts.

We are proud that these measures and constant hard work have enabled us to overcome the crisis by our own efforts and that we have now been able to fully reverse the wage cuts. Lastly, we raised Joey’s salary by EUR 500 back to the original EUR 5 500.

This increase in costs was offset by further savings on freelancers, meaning that our costs fell by a total of -2% to CHF 23 139 last month.

Here are all our costs including wages for November 2023 in detail:

Is this all going too slowly?

One criticism we received in response to our last Open Startup Report was that Friendly should finally be profitable. According to them, there was not enough healthy pressure to drive us forward.

This is true. We have less pressure than some others.

I still earn my income from my second company Wortspiel. This means I can afford to work for Friendly for free.

If this were not the case, we would indeed have to invest more in short-term successes such as outbound sales.

However, this does not mean that we are not “putting our foot down” and working less hard.

On the contrary, we can afford to invest in things that will take us forward in the long term:

• Building our brand
• Enhancing safety and quality with certifications in ISO 27 001 and ISO 9 001 (to be completed shortly)
• Strengthening our team culture

This does not bring high short-term profits, but I am convinced that it will pay off and is currently the right use of our resources. And I am glad to have this freedom.

Conclusion

Thanks to strong revenue in Software and Consulting and stable costs, we achieved a “plus”* of CHF +5 897 in November.

This is the second-highest “profit”* in our history. The only time we did better was two months ago in September 2023.

Looking back on the current year, we are very satisfied with what we have achieved. Overall, we were in the black* in 5 out of 11 months in 2023.

This is a clearly positive trend, after we only just managed one “profitable”* month each in 2021 and 2022. Over the whole of 2023 so far, we have even achieved a “plus” of CHF 12 645.

I am particularly pleased that we were also able to completely reverse last year’s pay cuts in November.

In addition to a salary for me, my main goal for 2024 is to build up financial reserves at Friendly.

* “Profit”, “plus” and “in the black” are deliberately put in quotation marks because I have not yet paid myself a salary for my work and, as a sole founder without investors, I have yet to make up for the loss so far.

Der Beitrag The second best month in our history: Open Startup Report November 2023 erschien zuerst auf Friendly.

As a self-funded startup, we watch our budget, so our third team retreat took us to Budapest in early August 2023, where we were able to spend a long weekend with our CTO Joey Keller and his family. After our arrival on Thursday, it did take a while until we could switch off from our tasks…

… but that changed at the latest when we had a barbecue in the evening in the Kellers’ family garden and then immersed ourselves in the fascinating atmosphere of Szimpla Kert. More and more colorful ruin pubs have been reviving formerly abandoned and dilapidated buildings for the past 20 years and have become an integral part of Budapest’s nightlife. We drifted in the colorful lights, fancy decor and a drink or two, celebrating our time together.

On Friday, after a hearty breakfast of Ieva’s scrambled eggs à la carte, we visited one of Keller’s Stenders stores. Joey’s wife Ieva runs a cosmetics franchise and we took the opportunity to store for some of the handmade soaps as souvenirs.

Then we set off for Lake Balaton (Plattensee), which is about a two-hour drive west of Budapest. We enjoyed a relaxing day in the picturesque surroundings with delicious lunch at Cheche Burger, swimming in Lake Balaton, coffee and nice conversations.

The lake made a strong impression on Luke:

“I was really impressed by Lake Balaton. It is 79 km long and almost 8 km wide, one of the largest lakes in Europe. From the Tihany peninsula we had a breathtaking panoramic view of the lake. The lake bottom conjures different colors on the surface, so the lake looks like a work of art. I like to think back to this moment.”

Lukas Sigel, our CCO

Back in Budapest, an authentic goulash soup from Joey’s mother awaited us. We still had no idea of the violent thunderstorm that would hit the residential area during the night.

Saturday morning: fallen trees, crushed cars and missing pets all over the area. Keller’s dog also ran away and did not return for weeks.

We found a passable way through the neighborhood streets and drove to the city center to play an Escape Room. We couldn’t pass this up – Budapest was the first city to bring Live Escape Games to Europe in 2011. The concept originated in video games and was first popular in Japan before it was also discovered in Hungary (supposedly independently) and quickly spread worldwide. We played “Metro” by Locked Room Budapest.

The game director’s explanation of the waiver we had to sign was particularly entertaining: “It’s about you doing your best not to break the room and us doing our best not to break you.” Makes sense!

After 52 intense minutes, we had defused the bomb in the subway and were very proud of ourselves. It was an exciting experience for Joey:

“I really enjoyed the Escape Room. We had to work together as a team in a locked room to disarm a bomb. It made us realize how different mindsets and backgrounds can help us succeed faster.”

Joey Keller, our CTO

And we didn’t break anything.

We spent the rest of the day at ease. The afternoon was free and in the evening we took a boat trip to see the sights of Budapest from the Danube. A Prosecco boat trip. An Unlimited prosecco boat trip. But we don’t want to go into details.

For Sunday we had saved some highlights for ourselves. We visited the Párisi Passage Café, a beautiful coffee house in the “Párisi Udvar”. The richly decorated building was built in the 19th century as a luxurious department store. It is a monument to Hungary’s fascinating past with its Arabic, Moorish and Gothic style elements and was recently renovated.

From there, we walked across Budapest’s oldest Danube bridge, then through the Buda Castle District, and had an impressive view of the river and the city from the Fishermen’s Bastion. We snacked on lángos along the way, a Hungarian specialty that Kathrin describes as a combination of pizza and churros (a more qualified explanation can be found here).

As another highlight and almost conclusion of our retreat, we then visited the Széchenyi Thermal Bath, which is one of the largest spas in Europe with its 15 indoor pools and the impressive 3 large outdoor pools.

On Monday we happily made our way back home. We laughed, ate, talked, played and worked together and are already looking forward to the next retreat.

Kathrin’s conclusion of the trip:

“I value our retreats because they give me the opportunity to really get to know my colleagues personally and understand what is important to them and what makes them ‘tick’. This helps me to deal well with each other in everyday work.”

Kathrin Schmid, our CMO and CISO

Fun Facts

1 – Joey has official tour guide qualifications, which he eloquently convinced us of as we toured the city.

2 – Stefan had a theory that the rain was following him as a “rain maker”, which we were beginning to be firmly convinced of by the thunderstorms and unexpected showers every night.

3 – Last evening we played “The Crew”, a cooperative card game that is addictive, which you can see for yourself here.

The retreat in numbers

As an Open Startup, we also disclose our numbers to you here: This is what our retreat cost. Friendly generally covers all expenses for our employees on retreats. On this retreat, the Keller family hosted and cooked for us in their house for free. A big thank you for that! And of course we also bought each other a drink or two.

Der Beitrag Visiting our CTO Joey in Hungary: Our Friendly Team Retreat No. 3 in Budapest erschien zuerst auf Friendly.

We are not lawyers. Our recommendations are therefore based, but not limited to, opinions from the most renowned Swiss data protection attorneys. Our goal was to gather all the relevant information for companies in one place and make it as easy as possible to implement by means of checklists and templates.

Introduction

The current Swiss Federal Act on Data Protection (FADP) has become outdated. At its core, it dates back to 1992, when the web was three years old, Mark Zuckerberg was only eight and the technical possibilities for collecting and processing data were not comparable with today.

So firstly, it needs to be adapted to the current circumstances. Secondly, the new Data Protection Act (nFADP) also has a political dimension. Namely, the EU has recognized data protection in Switzerland as equivalent to that in the EU through a so-called “adequacy decision”. This enables companies in the EU and Switzerland to exchange and process data between them in a legally secure manner.

However, since the EU significantly increased privacy requirements with the General Data Protection Regulation (GDPR), data protection in Switzerland has lagged behind. So the country had to react and brought the Swiss level of protection in line with the EU standard. However, Switzerland would not be Switzerland if it did not go its own way to some extent after all. The nFADP gives more flexibility and fewer specific minimum requirements than the GDPR. It is somewhat stricter in the area of data transfers to foreign countries.

Overall, the nFADP gives individuals more control over their personal data, more rights in terms of transparent information and more protection against unwanted data use. At the same time, this means more obligations for companies to provide data security and data subjects’ rights.

Project planning

It’s important to be aware from the outset that implementing the new privacy rules will likely take several months and can’t be done on the fly.

A reasonable amount of time as well as human and financial resources are required to ensure that at least the essential measures can be implemented as soon as possible. (By now we have some experience in this and can offer support as external consultants).

Therefore, the first step of the process is project planning. This includes at least the following tasks:

• Get well informed about the new data protection law (you’re already doing that by reading this blog post )
• Define clear responsibilities and roles for the planning and execution of the project
• Allocate the necessary financial and human resources
• Identify the areas in your company that are relevant for data protection, i.e. the areas where personal data is processed
• Identify the necessary technical and organizational measures to achieve compliance with the nFADP
• Clarify the project process and plan the individual steps
• Set a realistic time schedule

By carefully preparing the project, your company will lay the foundation for a successful implementation of the new data protection rules, which we will explain to you below.

Processing directory

The Swiss Federal Act on Data Protection now requires companies to create a processing directory in which all processing activities of personal data are recorded. The processing directory is thus an inventory of all privacy-relevant processing steps of a company.

Such an inventory is also required by the European GDPR. If your company already has to comply with the GDPR, it is very likely that you already have an appropriate directory. Since the minimum contents for the processing inventory required in Switzerland are also included in the requirements of the GDPR, an inventory created for the EU can be adopted 1:1.

In Switzerland, the creation of a processing directory is generally only mandatory for companies with 250 or more employees. Smaller companies only need a processing directory if they process highly sensitive personal data on a large scale or if they carry out profiling with a high risk to personal privacy.

However, the creation of a processing directory is almost indispensable even if your company is not legally obligated to do so according to the Swiss nFADP. This is because a processing directory provides a comprehensive overview of all data processing within the company. That is why this point is listed here first. The processing directory provides a solid basis on which all subsequent measures can be reliably planned and implemented. It ensures that nothing is overlooked.

In any case, the processing directory is for internal use only and must be made available to the supervisory authorities only upon request. The exact format for the processing directory is not prescribed; we recommend an Excel spreadsheet.

The processing directory must first contain all the necessary information on the identity of the person responsible, i.e. details of the company with address and contact details. It makes sense to keep the actual inventory in tabular form and group it by departments. The table must contain at least the following mandatory fields:

• Description of the processing activity
• Purpose of processing
• Description of the category(ies) of data subjects
• Description of the categories of the personal data being processed
• Categories of recipients of personal data (internal and external)
• Data transfer to third countries with information on security
• Retention periods and deletion policy
• Description of technical and organizational measures to ensure data security

We have created an Excel template for you to use as a processing directory. It is based on a sample template created by the legal service of SWICO. You can download it for free (in German):

This is how you can approach the task of creating the processing directory:

• Create an appropriate file or download our template and check whether the mandatory fields are sufficient for your company or need to be expanded
• Identify the departments where personal data is collected
• Train your staff on how to fill out the Excel spreadsheet correctly and what information needs to be collected
• Have the departments record all processing activities
• Review the collected inventories to ensure accuracy and completeness
• Compile the results into a single spreadsheet: Collect all the information from the different departments and merge it into one central spreadsheet
• Implement a process for updates: determine at what intervals the spreadsheet will be updated to ensure that changes in data processing are incorporated on a regular basis. This must be done at least annually

Creating a processing directory allows you to identify what content your privacy policy must contain, with which data processors you must sign contracts, which cross-border transfers need to be secured, which data individuals can ask for in an access request, which data processing activities individuals must be informed about in advance, and where additional technical and organizational measures are required to adequately protect personal data – in short, the processing directory is the basis for the entire transition to the new data protection law.

Privacy Policy

The privacy policy is the shop window of your company’s data protection measures. As such, its purpose is not only to comply with legal requirements, but also to build trust with your customers and visitors. Therefore, try not to simply compile the mandatory content, but to design it in a good and appealing way. It is worth investing in this point in particular.

To revise your privacy policy, you need an overview of all processing activities of your company – i.e. a processing directory. The privacy policy is basically a much simplified version of this directory, bundled by category. It should primarily aim to be written in a comprehensible way and be clearly structured.

If you already have a GDPR-compliant privacy policy, you can adopt it almost 1:1, as the Swiss Federal Act on Data Protection specifies less mandatory content. The only important adjustment is that the nFADP requires the mention of all countries to which data is exported.

In general, you do not need a data protection officer under the nFADP, as required by the GDPR. However, you can optionally appoint an (internal or external) data protection advisor for your company. This person is the contact point for data subjects as well as for the Federal Data Protection and Information Commissioner (FDPIC). He or she trains and advises the company on data protection issues and assists in the application of data protection regulations.

To ensure that your privacy policy complies with the legal requirements of the nFADP, the following information should be included:

• Identity and contact details of the data controller: Provide your company name and, if applicable, the data protection advisor
• Information on how to exercise data subject rights: provide contact information by which data subjects can submit access requests
• Categories of collected data: such as address data, website usage data, cookies, and interests. Also explain the data sources
• Purposes of collecting personal data: such as the sale of products, entering into contracts, development of the website, marketing, logistics and financial accounting. If applicable, mention the software (category) used and the purpose of the processing with the respective software
• Third parties or categories of third parties with whom the data is shared: such as suppliers, government agencies, software and hosting providers. It is particularly important to name the countries to which data is exported
• Data retention policies: Explain how long the data collected will be retained and the criteria for deleting it
• If relevant: Information on carrying out automated individual decisions

You can find an excellent example (in german) of a transparent and trust-building privacy policy at the Nidwaldner Kantonalbank (not only because we are featured ). And the law firm Wicki Partners also provides text modules for the privacy policy among other helpful resources on the nFADP.

The following steps can help you revise your privacy policy:

• Collect and document all processing activities in your company
• Group processing activities by data category, processing purpose, processor, and retention criteria
• Revise your privacy policy. You can also include the affected departments
• Place references to your privacy policy on your website, in e-mails, and in apps
• Implement a process for updates. Determine at what intervals your privacy policy will be updated to ensure that changes are incorporated regularly. At least annual updates are recommended

If you have little capacity, it is also possible to use a service such as the privacy policy generator from Datenschutzpartner.ch (this one is only available in german). The generator creates a legally compliant privacy policy and takes into account the nFADP and the DSGVO. Among the more than 300 third-party services included you will also find Friendly Automate and Friendly Analytics. Note, however, that there too you must know and carefully enter all your processing activities. The time-consuming process of collecting and documenting all processing activities is therefore indispensable.

Last but not least, make sure you communicate your privacy policy. Be generous and place notices on your website, in the footer of your e-mails, in apps and wherever data processing takes place. Only when your customers and visitors are aware of the privacy policy, the effort has been worthwhile.

Data processing by third parties

If you as a company pass on personal data to external service providers, you are legally obliged under the nFADP to ensure comparable data security standards. You achieve this by concluding data processing agreements (DPAs).

It is important to note that you, as the data controller, are always liable for the security of the data you pass on. The conclusion of the DPAs is also your responsibility as controller, not the responsibility of the data processor. The data processor only acts on your behalf and is obliged to ensure an equivalent level of data protection.

If you are already subject to the GDPR and have concluded corresponding DPAs with your data processors, you only need to adapt them slightly: You only need to refer to the Swiss FADP in addition to the GDPR.

The nFADP does not prescribe any minimum content for the data processing agreement. It is recommended to follow the requirements of the GDPR. Based on this, we recommend the following content:

• Identification of the parties: Information about the contracting parties and their roles as data controller and data processor.
• Purpose of the data transfer/data processing: The purpose and type of data processing should be defined
• Obligation of the third party to follow instructions: the data processor acts exclusively in accordance with your instructions
• Confidentiality: Rules on the non-disclosure of the transferred data.
• Data security: Measures and standards for securing the data against unauthorized access, loss or theft
• Sub-processing: If the data processor wishes to pass on the data to third parties, your express consent is required to do so
• Breach notification requirements: Establish procedures and deadlines for reporting data breaches
• Support obligations: Regulations of responsibilities in the event of data security breaches or access requests
• Audit rights: agree on possible implementation of data protection audits
• Return/deletion of data: Regulations on how to deal with the data after the end of order processing

Here’s how to legally secure your third-party processing activities:

• Get an overview of all data processors with whom you share personal data
• Use sample contracts and adapt them according to your needs, or ask the processors whether they offer their own sample contract (here is our own DPA).
• Negotiate the exact contract content with each data processor individually.
• Conclude the contracts and keep them: After all the details are settled, sign the DPAs and keep them safe to prove your legal compliance.

Note that these regulations only apply to processors in Switzerland or in safe third countries. For transfers abroad, special precautions are necessary, which we explain in the next chapter.

Cross-border data transfers

When it comes to transferring personal data to foreign data processors, you must exercise particular caution. As a data exporter, it is your responsibility to ensure that the data importer abroad complies with security standards comparable to those required in Switzerland.

Right from the start: Data transfer to insecure third countries is possible under the nFADP under certain conditions, but always involves additional effort and risks. Consider therefore that there are alternatives, namely not sending the data abroad, but rather switching to Swiss or European providers.

The data transfer is unproblematic if it goes to a safe third country. Switzerland has defined a list of safe third countries, which mainly includes the countries of the EU.

Unsafe third countries include the USA, which can make cooperation with companies based there problematic. However, the European Commission recently recognized a new EU-US data protection framework that introduces new binding data protection safeguards. As a result, EU companies are now allowed to work with U.S. data processors without further safeguards.

Switzerland is also in discussions with the U.S. to establish a similar framework. So far, however, the list of safe third countries remains unchanged. So for data transfers to the U.S. (and other insecure third countries), you need to take special precautions.

What this means is that you have to sign a contract with the data processor that contains special data protection clauses. It is possible to draft these yourself, but this is not recommended, as you will then be subject to a special obligation to notify the Swiss data protection authority.

Instead, it is safer to use the so-called standard contractual clauses (SCC) developed by the EU and recognized by Switzerland. Note, however, that even these do not imply unrestricted clearance. The SCC require that you, as the data controller, perform your own risk analysis to check whether the legal situation in the third country makes access to the data by authorities possible and likely. If this is the case, the SCCs alone are not sufficient; the transmitted data must then be additionally secured, for example through encryption.

The Swiss data protection authority has published instructions for conducting such a risk analysis.

If your risk analysis concludes that the legal situation in the third country does not make adequate data protection impossible, you can use the standard contractual clauses by the EU. You do this by creating an agreement in which you incorporate the text of the SCC, taking it verbatim. However, there are some places where contextual adjustments can and must be made. These are marked accordingly.

If you use the SCC from Switzerland, you must supplement them according to the requirements of the FDPIC with an annex. In this annex, it must be made clear that the term “Member State” must be extended so that data subjects in Switzerland can also assert their rights under clause 18c. Furthermore, it must be clarified that references to the GDPR are to be understood as references to the nFADP wherever data transfers are subject to the nFADP.

In summary – here’s how you should go about securing your cross-border transfers:

• Make an overview of all your data processors abroad.
• Create an agreement with each data processor and include the SCC.
• Read the SCC carefully and adapt them to your context only where explicitly necessary.
• Finalize the contracts and keep them to prove your legal compliance.

Finally, you must inform the data subjects about the cross-border data transfer. Your revised privacy policy must contain this information. If data subjects submit an access request to you, you must also inform them about the countries to which you have transferred their data and how you have secured these data transfers.

Even if it is possible to transfer personal data abroad in this way, you should ask yourself whether it still makes sense in each particular case. Not only does it mean extra work and legal uncertainty, but your customers and visitors may not appreciate sharing their data with US corporations.

It’s safer and strengthens the Swissness of your business if you switch to Swiss providers instead. In most cases, there are suitable alternatives from Switzerland or Europe.

With Friendly we offer two software alternatives: Friendly Automate for Marketing Automation and Friendly Analytics for Web Analytics, both fully hosted in Switzerland (or Germany upon request).

Data subject rights

When you process personal data, data subjects have various rights. Generally, data subjects are entitled to all the information they need to assert their rights and ensure transparent data processing. Specifically, they have the right to:

• Information about any data processing
• Information about cross-border data transfer
• Access to their stored data
• data portability
• Correction and deletion of data
• Revocation of consent
• Complaints to the supervisory authority (FDPIC)

These rights can be divided into two groups:

• The first two rights are for information before any data processing happens and are already covered by the privacy policy. Data subjects have a right to transparent information about what personal data is collected and processed and when. This means that you must refer to the privacy policy every time you collect data.
• All further rights – the rights to request access, data portability, correction and deletion, revocation and the right of complaint – are rights that data subjects must exercise themselves. The right to complain only has something to do with you if a complaint about your company is received by the FDPIC. Hopefully, this will not be the case if you comply with the data protection obligations to the best of your knowledge. You should actively prepare for the other rights mentioned by implementing internal processes for inquiries.

In particular, you need to prepare for the rights of access and data portability, as some specific rules apply here.

The new Swiss data protection law states that data subjects have a right to know what personal data is stored in your company. When a person requests access to their data, you must first verify their identity, for example, through an ID, a known e-mail address, or a user account. This is because data subjects are only allowed to know what data is stored about them personally. If data contains information about other persons, it may not be disclosed.

The information must be provided in writing or electronically within 30 days. You must provide the information free of charge, unless the effort is disproportionately high or a request is made more than once a year.

In a few cases, you have the right to refuse to provide the information. This is the case if the disclosure violates professional confidentiality, if there are significant interests of third parties, or if the persons concerned pursue abusive purposes.

It is always the data controller who must provide the information, not other data processors. However, you can ensure the support of your data processors in providing information via the data processing agreement (DPA).

This is the required minimum content of the response to an access request:

• Identity and contact details of the data controller
• The personal data collected, e.g. name, address, e-mail address, date of birth, etc.
• Purposes of processing
• Criteria for storage and deletion of the data
• Information on the origin of those personal data that were not given by the person themselves
• Where applicable: third parties or categories of third parties with whom the data has been shared
• Where applicable: transfer of personal data to foreign countries, including the security measures taken

In addition to the right to access, data subjects also have the right to data portability. This means that, upon request, they can have their data handed over to them in a standard electronic format, for example in order to hand it over to another data controller. This type of request differs from pure information in that you are not allowed to transmit the data as a print letter or PDF document; instead, you must choose a data format that allows electronic, structured, automatic reading. The format depends on the data set and can be, for example, a CSV or XML file.

In this request, you must provide only certain data: on one hand, data that the data subject has voluntarily given to your company, and on the other hand, data that has been directly observed through the behavior of the person (for example, data from a fitness tracker or purchases in an online store). Information derived through data analysis and data from third-party sources do not have to be disclosed. Apart from that, the rules and restrictions are the same as for the right to access, such as that you have to hand over the data free of charge, or that you can refuse the request if there are relevant reasons.

Data subjects also have the right to have their data corrected and deleted, and the right to revoke any given consent. These two rights require little preparation. You just need to make sure that, in both cases, internal policies are in place to manage consents and delete or correct records.

Here’s how you can proceed to prepare for data subject requests:

• Identify all locations in the company where personal data is stored. This should be evident from the processing directory, if you have created one
• Make sure there is a way to export this data in a structured way
• Develop and implement internal processes to handle requests (a separate process for requests for access, data transfer, correction or deletion of data, and revocation of consent)
• Create sample letters for the various requests
• Define the responsibilities for responding to requests and train the employees involved

Data security through TOMs

The new Swiss Data Protection Act also contains regulations on data security. Your company must ensure that the processed data is protected as best as possible against unwanted access and that privacy is guaranteed in the most suitable way.

One challenge in the legislation is that the specific measures required to achieve this can change rapidly with technological developments and become outdated. Therefore, the law first establishes two general principles, Privacy by Design and Privacy by Default, and indicates that these must be implemented with appropriate up-to-date technical and organizational measures (TOMs). The law then leaves open what these measures might be.

In addition to the new Data Protection Act, however, the Swiss Data Protection Ordinance (DSV, not available in English) was also issued. It contains important detailed guidelines on the nFADP, especially on data security. They are intended mainly as a guide, and it is still unclear whether non-compliance with these regulations can be subject to criminal sanctions. But you can face complaints and conditions from the supervisory authority if you don’t make sufficient efforts to ensure data security.

The first principle for data security is Privacy by Design. This means that data protection must be ensured in the best possible way by the technology used. The measures must be proportionate to the state of the art. So you need to consider what has been proven effective in practice and incorporate these standards into your technical setup. This may include encryption, anonymization and access restrictions.

The second principle is Privacy by Default. This means that default settings for data processing must always be set in such a way that only data that is absolutely necessary for the intended purpose is processed, and that data is only passed on to third parties where absolutely necessary. No hidden default settings may be made to which users must give their tacit consent. The persons concerned must consciously and actively authorize further processing.

The guidelines for implementing these principles in the DSV first state that absolute security is not required. It is to be accepted that a residual risk remains and may even materialize in a data protection breach at some point. What is important is that a reasonable range of measures is taken at all.

What is considered appropriate depends on the degree of protection required for the personal data in question, the risk to the data subjects, the state of the art, and the financial and time resources required for implementation. In order to know what is appropriate, one can explicitly also be guided by the requirements of the European GDPR. Although Switzerland does not specify any concrete minimum requirements, companies should be able to assume that they are also adequately protected in Switzerland if they comply with the requirements of the GDPR in this regard.

In the assessment of the necessary measures, one can also be guided by the protection goals. The processed data should:

• be treated confidentially, i.e. only be accessible to authorized persons
• be available when it is needed
• protected from unauthorized or unintentional modification, and
• be processed in a traceable manner.

From this a list of control measures is derived, that the DSV intends to serve as a didactic aid. With this list, you can pragmatically assess and improve the level of protection in your company. It is important to mention that the measures mentioned here are not absolute requirements, but the effort of implementation may be considered and assessed in its relation to the risk. This means that data processing that entails a high risk for the personality or the fundamental rights of the data subjects requires a high level of data security, while personal data with a low risk also requires less protection.

Measures for confidentiality:

• Access control 1: authorized persons should have access only to those personal data that are necessary for the performance of their duties.
• Access control 2: Only authorized persons should have access to premises or facilities where personal data are processed.
• User control: Users of processing systems should be required to identify themselves and use by unauthorized persons should be prevented.

Measures for availability and integrity:

• Data carrier control: data carriers must be protected against unauthorized reading, editing, copying, deletion, and destruction.
• Memory control: Personal data in memory must be protected against unauthorized reading, modification, storage, deletion or destruction.
• Transport Control: Personal data must be protected from unauthorized reading, modification, storage, deletion, or destruction during transfer or transport.
• Recovery: The availability of personal data must be quickly restored in the event of an incident.
• Availability, reliability, and data integrity: personal data must always be available, system malfunctions must be reported immediately, and personal data must not be corrupted by system malfunctions.
• System security: Operating systems and software must always be kept up to the latest security standards and known critical gaps must be closed.

Measures for traceability:

• Input control: It should be made possible to check which person has entered or changed personal data at which point in time.
• Disclosure control: It should be possible to check which personal data is shared with which recipients.
• Detection and elimination of data security breaches: Data security breaches should be detected quickly and measures to mitigate or eliminate the consequences should be taken quickly.

As mentioned, the measures should be kept in reasonable proportion to the risk. In particular, traceability measures, i.e., the accurate tracking of data entries and the handling of data security breaches, are only relevant for your company if errors or losses in the data records can have potentially serious consequences for the data subjects. Therefore, perform a risk analysis and find out what level of protection is generally considered appropriate for this type of data processing.

These steps can then help you implement the appropriate TOMs:

• Identify a person in your company to coordinate the process of implementing the measures. This can be your data protection advisor, if your company has appointed one.
• Based on the list of measures, identify potential vulnerabilities and risks related to data processing in your company. Also check whether the principle of privacy by default is adhered to.
• Clarify with the relevant departments and IT specialists what measures can be taken to increase data security. On the technical side, these can include improved access controls, encryption, backups, data deletion and system updates; on the organizational side, processing regulations, training, emergency plans and documentation.
• Create a priority list and monitor implementation.
• Implement a process to regularly review and update TOMs to ensure they remain relevant to current threats and requirements.

In conclusion, it can be said that the implementation of the appropriate TOMs is always about improvement, not about absolutely achieving perfect protection. A residual risk, including the risk of a complaint, will always remain. As stated, to the best of our knowledge, it is still unclear whether and how you can be criminally sanctioned if you have not ensured adequate protection of data. In case of a complaint, you have the opportunity to comply with the demands within a set period of time. However, you should be able to prove that you have studied the guidelines and are continuously working on improving data security.

Extra: E-mails

With Friendly Automate we offer a Swiss software for marketing automation and newsletter sending. Therefore, we would also like to inform you about the requirements you need to be aware of when sending e-mails. The information in this chapter refers in part to other applicable Swiss laws, such as the competition law, in addition to the nFADP. To the best of our knowledge, they reflect the current legal status in Switzerland.

What has remained the same: You may always send transactional e-mails. These are e-mails (also automated ones) that refer to a specific correspondence or a specific request from your customers or leads.

According to the Swiss law against unfair competition (UWG Art. 3), you may send marketing e-mails without separate consent if a contractual relationship already exists – for example, through a purchase that has already been made – but only for similar offers.

Beyond that, you may only send marketing messages to recipients with explicit consent and clear information. This means that you cannot tacitly imply to your leads and customers that you will send them additional marketing messages when they enter data. Instead, the option to receive advertising messages must be actively selected by the recipients. The consent must also not be linked to other (possibly necessary) consents.

To ensure that a person has truly personally entered their own email address and actively consented to receive messages, double opt-in (DOI) has become the standard. When you use the double opt-in process, the interested person receives a confirmation email after entering their email address, which they must click on to confirm their subscription. This prevents a person from entering email addresses that are not their own. A weaker version is the Confirmed Opt-In (COI), in which a confirmation email is sent without a link. However, neither DOI nor COI are required by law in Switzerland, and Swiss courts recognize single opt-in (SOI) as sufficient evidence of consent. It is therefore up to you to decide whether you want to add an extra safeguard or whether higher registration rates through the simpler SOI are more important to you.

Prior to each data collection, you have to provide a reference to the privacy policy, e.g. if you use an online form for newsletter registration or participation in a raffle. The privacy policy is not a contract, but rather an information, and therefore consent is not required. The link to the privacy policy must be placed prominently when data is collected so that it is realistically possible for data subjects to learn about the company’s privacy policy before submitting data. Make sure the privacy policy addresses the sending of promotional messages as a processing purpose.

When sending e-mails, the majority opinion among legal experts is that the use of a sender address that cannot be contacted is not permissible. Instead, an actively attended e-mail address should be used. For this purpose, advertising messages must also contain complete and correct information about the sender and the contact options. It is also important that the possibility of a simple and free unsubscribe is offered in every newsletter.

If you use third-party services (such as Friendly Automate) to send marketing messages, you must ensure that they adhere to the same data protection rules as your company. In any case, you are responsible for the data you share with third parties. Therefore, conclude data processing agreements with these service providers as described above.

In summary, you can implement these steps to make your e-mailing privacy compliant:

• Make sure your CRM includes the ability to record consent for marketing messages.
• Add a consent option for receiving marketing messages to your data forms where necessary.
• Set up the double opt-in process for all e-mail sign-ups.
• Ensure that the privacy policy is referenced each time data is collected.
• Make sure your e-mails are sent from a sender address that can be written to, and that all promotional messages include sender and contact details and an unsubscribe option.
• Enter into a data processing agreement with your e-mail service provider.

Conclusion

The new Federal Data Protection Act is an important milestone for the protection of people in Switzerland, because data protection is ultimately the protection of individuals. You should keep this in mind, even if the implementation of the measures means a lot of work for your company. Despite the alignment with the GDPR, the nFADP leaves more room for maneuver, so you can proceed with moderation and common sense.

Lastly… after the game is before the game. Once you’ve completed the initial implementation of the nFADP in your company, it’s time to train your employees so that everyone involved has the necessary knowledge and skills to ensure data protection in practice. And keep the ball rolling: Schedule regular reviews and updates regarding your data protection compliance to ensure that you can respond to changes in both your company and in technological developments in a timely manner.

Checklist

We have compiled all the steps in this overview as a comprehensive checklist. Download it here:

FAQs (Cookie banner, differences to GDPR, Liechtenstein…)

How does the nFADP differ from the GDPR?

The nFADP is very similar to the GDPR, but there are some differences:

• Sanctions: The nFADP fines individuals with up to CHF 250,000; the GDPR fines companies with up to EUR 20 million or 4% of the company’s total annual global turnover.
• Information vs. consent: Under the nFADP, the information principle applies with respect to data collections: individuals must be informed about planned data collections and their purposes. Under the GDPR, individuals must actively consent to any data processing.
• Data protection officer: under the nFADP, the appointment of a data protection advisor is only recommended; under the GDPR, a data protection officer is mandatory.
• Minimum requirements: The nFADP specifies fewer minimum requirements, such as for the mandatory content of the privacy policy, data processing agreements (DPAs) and technical and organizational measures (TOMs) for data security. As a result, the Swiss law is more accommodating and open to future developments than the GDPR.
• Cross-border transfers: Here, the nFADP is stricter than the GDPR. When personal data is transmitted abroad, the specific countries must be specified in the privacy policy and in access requests.

Do Swiss companies also have to comply with the GDPR?

Yes, under certain conditions, Swiss companies must comply with the GDPR. These include:

• processing the personal data of individuals in the EU (and Liechtenstein)
• offering goods or services to individuals in the EU (and Liechtenstein)
• monitoring the behavior of individuals in the EU (and Liechtenstein)

Do you need a cookie banner in Switzerland?

Yes and no.

Under the nFADP, you don’t need the consent of data subjects to track them with cookies or process their personal data. However, you must inform them when you do so.

Unfortunately, it has not yet been clarified by the high courts how this information has to be provided in practice.

If the data processing is extensive and significant, then the requirements for information are high. In this case, you should make the information visible directly on the screen when the website is visited, for example by means of a banner that provides information and a link to the privacy policy. Unlike the cookie banner in the EU, however, this banner in Switzerland does not have to contain any options for consent or objection. It can be hidden either automatically after a certain time or by clicking on an OK button.

If the data processing is less extensive and impactful, some lawyers suggest that it is sufficient to provide the information via a link to the privacy policy, for example in the footer of the page, rather than “bothering visitors with a cookie banner”.

Of course, a specialist lawyer can best answer the question of where exactly the boundary lies between the two scenarios. When in doubt, provide your visitors with a cookie banner that is immediately visible.

Even if a cookie banner is not absolutely necessary in Switzerland – don’t you have to display a banner anyway if you are also targeting a European audience?

Yes, you must obtain consent from visitors from the EU via a cookie banner if you set cookies or track personal data. It is possible to use geolocalization to display such a banner only for visits from the EU. Depending on the use case, a reference to the privacy policy or a simple info banner without the option of consent is then sufficient for visits from Switzerland. However, you are of course free to go beyond the minimum requirements and always display a GDPR-compliant cookie banner.

What fines do you face under the nFADP?

The nFADP imposes fines of up to CHF 250,000. In contrast to the EU, in Switzerland the responsible natural person is fined, not the company. The company is also not allowed to pay the fine on behalf of the employee. This applies to the person in charge, not the person who merely carries out the work. However, it remains to be seen which organizational level will actually be targeted in practice.

There is one exception: if the fine is less than CHF 50,000 and the investigative effort to identify the responsible person seems disproportionate, the company can be fined instead. In the opinion of wickipartners.ch, this case could often be applied, especially in larger companies.

However, only intentional violations are fined. Negligent behavior is not fined. However, failure to take measures against one’s better knowledge is also an intentional act. It is important to note that prosecution will only be carried out if affected persons file a complaint.

The fines focus on intentional violations of the obligations concerning information, disclosure, cooperation and due diligence (nFADP Articles 60 and 61).

Examples include:

• intentionally false or withheld information in response to an access request
• intentionally false or withheld information about the processing of personal data in the privacy policy, in particular about cross-border data transfers
• Cross-border data transfers without adequate safety measures
• Transfer of personal data to processors without a data processing agreement (DPA)

What special measures must be taken in the case of high-risk data processing?

If the data processing carried out in your company may involve a high risk to the personality or fundamental rights of the data subjects, then you must implement special regulations, which we have not dealt with in detail in this article. This is the case when you process highly sensitive personal data on a large scale, when you carry out high-risk profiling, and when you systematically monitor public areas on a large scale. If this applies to your company, educate yourself on the additional measures you need to take. These include, as briefly mentioned in part above:

• compiling a processing directory despite a company size of less than 250 employees
• creating data protection impact assessments
• the obligation to report data security breaches
• the obligation to log all data processing activities, and
• the creation of a processing policy.

Does the nFADP also apply to associations and private persons?

Yes, the Swiss Federal Act on Data Protection applies to all persons and bodies that process personal data. It therefore applies equally to companies, federal bodies, associations and private individuals who operate a website, for example.

And what about Liechtenstein?

Liechtenstein has aligned itself with Switzerland in many areas of the law. However, unlike Switzerland, Liechtenstein is a member of the EEA – and is therefore subject to the GDPR. You should therefore regard visitors from Liechtenstein in the same way as those from the EU in terms of data protection.

Der Beitrag The new Swiss Federal Act on Data Protection will be introduced on September 1: The comprehensive guide (+ checklists and templates) erschien zuerst auf Friendly.

At Friendly, we work completely location-independently and otherwise only meet in our virtual daily team meetings. This has many advantages for us: We can work where we feel happy and enhance our team with good people from all over the world. Joint coffee breaks are usually out of the question.

The moment when four of us stood at the jetty was therefore a special one. Kathrin welcomed the team with goodie bags and 1st class upgrades for the MS Diamant, so we could cruise with the best view over Lake Lucerne.

Thereby we enjoyed coffee and croissants in typical Swiss fashion and joked about the fact that Joey, who works from Hungary, really exists. After all, we knew him (except for Stefan, who met Joey last year for Friendly Retreat No. 1) only from television.

We took the Hinterbergen cable car up to the Rigi, still known locally as the “Queen of the Mountains”. With the first cog railroad in Europe, the Rigi was the most popular mountain in Europe 200 years ago. One of the first famous tourists there was the young poet Johann Wolfgang Goethe in 1775. He noted in his diary: “And all around the glory of the world.”

We could convince ourselves of the breathtaking view on the hike “path of natural treasures”. Almost kitschy, luckily the clouds were still there.

After a steep climb, on which we were preoccupied with the question of why the alpine cows do not fall from the slopes, we treated ourselves to a lunch break: with cervelats from the grill, Swiss cheese and chocolate bananas, which warmly reminded Lukas of his childhood.

After another hour on the panoramic hiking trail, we reached the Mineral Bath & Spa Rigi Kaltbad, built by the Swiss star architect Mario Botta. We spent two hours carefree relaxing in the water…

drank a “Herrgöttli” (merci Lukas for this delightful term )…

… before we took the cable car back down to the lake, accompanied by good humor and Stefan’s background music, and let the evening come to a culinary end in the garden restaurant of the Seehotel Gotthard.

The personal exchange did us all good, and that’s why our retreats are an integral part of our company culture.

The bill, please!

In the spirit of our open startup philosophy, we would like to show last but not least what we have let the day together cost us. All expenses for the team retreats are covered by Friendly for our employees.

Der Beitrag Friendly on the “Queen of the Mountains”: Our Team Retreat No. 2 in Switzerland erschien zuerst auf Friendly.

Thanks to lead scoring, you can see in real time which are your most valuable leads. This gives your sales department the opportunity to focus on the contacts that have the highest probability of closing a deal. Or you can make special offers to your VIP contacts – fully automated.

Introduction

What is lead scoring? Simply put, you give your contacts points when they interact with your offering, and subtract points when they stop interacting for an extended period of time. The latter is also important and often neglected.

You’ll find a lot of articles online about the importance of developing a custom lead scoring model tailored to your marketing strategy.

You are advised to define

• what factors turn your visitors into potential customers
• what process your specific leads will take in their customer journey
• how many points you want to give them for each action along the way
• at which score threshold your lead should be considered a qualified sales-ready lead
• and in turn, for what behaviors you want to deduct points.

This advice is really good and you should definitely keep it in mind.

The problem is that with this general advice, it’s really hard to get started with actual lead scoring.

So we’re going to present you with a simple model that you can use to get started right away. It is based on the helpful suggestions of a market companion and gives you all the numbers you need to get started. From here, you can gradually adapt the model to the needs of your company.

Step 1: Set a threshold for sales-ready leads

Your leads will accumulate points until they reach a certain point value. At a certain threshold, they’re considered sales-ready leads: they have interacted with your brand enough that they’re likely to make a purchase soon. These are the leads your sales team should focus on.

For the simple lead scoring model that we are recommending for you to start with, we will set a threshold of 100 points.

Step 2: Award points for specific actions

Now you can assign points for specific interactions. There are actions that can give points to each contact only once, and actions that can give points to the contact any number of times. For example, a one-time action can be a newsletter subscription, a repeatable action can be a visit to the website.

Of course, it’s up to you to decide which actions give your contacts one-time points and which ones are repeatable, and also how much the different activities of your contacts are worth to you.

This simple model can help you rank the point value of your custom actions. Think about how many points you want to assign to each action so that 100 points reliably reflects a sales-ready lead.

Based on this simple model, you can probably think of other actions that are important for your specific business and that you want to award points to your leads for.

Step 3: Deduct points for inactivity and negative actions

For certain actions you can also deduct points from your contacts, in other words, give them negative points. For example, you should deduct points from your leads if they unsubscribe from your newsletter, if they haven’t interacted for a long time, or perhaps if they have looked at your jobs page (implying that they are interested in your company as an employee, not as a customer).

The period of inactivity from which you start deducting points should reflect the length of your sales cycle. If your sales cycle usually lasts 6 months, you should start deducting points only after 6 months.

Step 4: Put your lead scoring model into practice

Of course, the implementation of the scoring depends on the software you use for marketing automation.

In Friendly Automate, you have two ways to assign points to your contacts.

On the one hand, you can assign general points, that is, whenever a contact does a certain action. To set up these point actions, click on “Points” on the left side in Friendly Automate, then “Manage actions”, and then click on “New” in the upper right corner. Now you can create a point action:

On the other hand, you can award points within campaigns, for example for clicks on specific emails. You will find some examples in upcoming our campaign tutorial.

Step 5: Evaluate your lead scoring model

In the contacts overview in Friendly Automate (and in the corresponding function in other software) you can see how the scores of your contacts develop.

Regularly monitor whether your lead scoring model is delivering reliable results and adjust it if necessary.

This way, you always have an overview of which leads are particularly loyal to your offer and your brand, and can use this valuable information for your sales and marketing.

Der Beitrag Lead Scoring for Beginners erschien zuerst auf Friendly.

The global Covid crisis has accelerated this development. More and more companies are investing in digital technologies, and the results speak for themselves: 80% of companies have been able to increase both their leads and conversions with marketing automation. And 91% of users agree that marketing automation is essential to the overall success of their online marketing activities.

It’s no surprise then that marketing automation is one of the fastest growing digital marketing industries, expected to reach $8.42 billion dollars by 2027.

In this post, we present the five marketing automation trends that we think will define 2022, and that you should know if you want to take full advantage of marketing automation opportunities.

Right from the start: AI and the end of the cookie are only mentioned in passing. You’ll find out why at the end of the article.

So let’s take a look at how the industry is evolving and what exciting features you might want to take advantage of right now and in the near future.

1. Personalization vs. privacy

Digital marketing experts estimate that consumers are exposed to at least 400 ads a day. And that’s the most conservative estimate: calculations range up to 10,000 ads a day.

72% of customers state accordingly that they only respond to personalized marketing communications. At the same time, an increasing number of consumers are concerned about the protection of their data:

So while customers want to see information that is relevant to them, it makes them uncomfortable when they realize they are being “stalked.” Consumers get this feeling especially when sales tactics seem sneaky to them. And the tactics seem sneaky when:

• consumers were unaware that their data was being tracked
• their data is used more widely than was communicated to them proactively
• there is no obvious way to opt out of the use of data
• they get the feeling of being reduced to an advertising target
• and when they notice that companies make incorrect assumptions about their interests

The costs of these tactics are high: 63% of consumers say they stop buying when they are annoyed by perceived data misuse.

So if companies want to continue to be successful in digital marketing, they need to show that they take data privacy seriously, e.g., by providing easy-to-understand privacy statements with details of where and how the data is stored and processed. They need to work with the trust of their customers and treat them as partners, not targets.

An ideal way to obtain data in a trustworthy manner is to collect so-called zero-party data. This is data that customers offer voluntarily and knowingly, for example, to participate in a webinar, contest, or survey. Customers are also willing to share data to get a discount, get a problem solved, or receive a notification about a sold-out product. In all these cases, too, it should be made transparent how and to what extent the data will be used after the specific interaction has been completed.

All of this may seem limiting. But forward-thinking companies already recognize the inherent opportunities. By building their marketing strategies on trust and transparency, they can create real connections with their audiences and remove the obstacles that can stand in the way of a long-term relationship.

Thus, good personalized communication is needed that gives customers the feeling that their needs are understood and taken seriously. However, 66% of marketers say they lack the resources to implement personalized advertising campaigns. This is where affordable and privacy-oriented marketing automation solutions like Friendly Automate come in.

Good marketing automation software lets you automate campaigns with little effort, offering customers highly personalized content that matches their preferences and product interests, their interaction history, and their consumer status. Marketing automation can thus promote customer communication that is personalized, contextualized, and fosters trust and sympathy in the brand.

2. Own Your Audience

If you’re advertising on social media, your audience belongs to Facebook, Twitter, Instagram or another social media network. Even if advertising on social media has worked well for you so far, and even if social media advertising continues to be included in numerous marketing trend lists, we think you should be concerned. Why?

First, because the organic reach of free social media posts is steadily declining, as this graphic shows based on the examples of Facebook and Instagram:

So you’ll increasingly need to spend financial resources to reach your audience on social media with paid advertising.

Secondly, even with paid ads on these platforms, you are still dependent on numerous algorithms. You put the advertising in someone else’s hands and can’t control whether your ad actually reaches your target audience and whether your target audience even hears you in the marketing noise.

Thirdly, advertising is unpopular among social media users, and the sympathy of your future customers is a potential you should not squander.

That’s why in 2022, you should own your audience again.

Surprisingly, email remains the most popular channel among customers, far ahead of advertising on social media and other channels such as mailings, text messages and promotional calls.

Besides your own company website, email is thus the second central channel that you have in your own hands and which is not controlled by another company.

The inbox of your target audience is an area where customers deliberately let you in. They are actively interested in your products and want to receive relevant, personalized recommendations to which they will respond with purchases: A study by Cheetah Digital and E-consultancy showed that email marketing increased sales by 180% compared to display ads. 78% of marketers also say that email contributes significantly to their business success.

This makes email marketing one of the top trends for marketing automation in 2022.

3. Content Is No Longer the King, Simplicity Is

In the early days of the Internet, Bill Gates coined the phrase: “Content is King.” He predicted that the Internet as a “marketplace for content” would prove extremely lucrative for companies. That was in 1996, and today people are drowning in the tons of content on the Internet.

The flood of mediocre content is becoming more and more annoying and consumers are less and less willing to tolerate it.

What is needed today is simplicity. Or to put it another way: “Content is no longer the king, simplicity is.“

What customers want is selected, high-quality information that is easy to understand and, above all, relevant to them. They want a unique twist, a good idea.

That means you don’t have to post something every day. It’s better to provide high-quality, relevant and engaging content less frequently. Don’t go for the masses, but reduce to the essentials.

This is also true on the flip side: many marketers have limited resources and don’t venture into marketing automation. It seems too big, too complex and too expensive.

But in the long run, marketing automation is the only way to deliver more relevant content with less effort.

Once again, the key is to choose a cost-effective marketing automation solution and start with a single simple workflow. From there, you can build out your automations incrementally. Then, automation gradually frees your team from manual processes so they can focus on other tasks. This way, you create a sustainable foundation for the scalability of your marketing activities.

4. Customer Retention Is Better Than Customer Acquisition

Advertising successfully doesn’t just mean winning new customers. It also means reactivating existing relationships. Why is this so important to keep in mind?

Retaining existing customers and motivating them to buy again is 5x cheaper than attracting new customers. Existing customers already have trust in the brand and the paths are shorter.

But while this is true, many companies don’t have this big lever on their radar. While 44% of businesses focus on new customer acquisition, only 18% consciously focus on customer retention. Yet a 5% increase in customer retention can positively impact a company’s profitability by more than 75%, according to a Bain & Company report. And the likelihood of selling something to an existing customer is 60-70% compared to only 5-20% for new customers.

The key factor in retaining existing customers is their user experience. Satisfied customers will act as brand ambassadors among their friends. Consumers today trust the reviews and recommendations of their acquaintances much more than advertising. Therefore, it is essential to keep customers happy and provide them with continuous positive experiences with the brand. According to Forbes, this pays off in higher conversion and retention rates.

Again, personalized email marketing is the key channel, as this graphic on the most effective digital marketing tactics for customer engagement shows:

5. Better Integration With Sales

While Marketing and Sales form different departments of a company, it is obvious that they work towards the same goal, namely to grow and advance the company.

In reality, however, these departments don’t always work together efficiently, for example, by not automatically synchronizing customer data and not defining goals together.

Only 23% of salespeople say marketers hand them sales-ready leads. Aligning marketing and sales can lead to 36% higher customer retention rates and 38% higher sales profit rates. There is great potential here.

Marketing automation can greatly streamline these processes. Good marketing automation software can not only automate various workflows, but it also provides a wealth of information that can be used to make better decisions in all areas of the business.

Marketing automation gives you a complete picture that allows both the marketing team and the sales team to understand where your leads are coming from, how they are behaving, and how they are progressing toward a purchase. This can help both teams align their goals based on verifiable factors, provide the sales team with the best possible results, and continually adjust marketing efforts based on success rates.

In addition to good personal communication, good collaboration requires integrations at the software level: an integration of the marketing automation software with the sales CRM, and sales reporting and mutual updating of lead status to accurately reflect the success of specific marketing campaigns.

What about AI?

The use of machine learning and artificial intelligence in marketing has been hyped for years among marketing trends for the following year.

Reality, however, has been showing for years: Only corporate giants like Amazon, Netflix and Starbucks can afford practical solutions, and this is likely to remain the case in the coming years.

While 48% of companies are already using marketing automation (2019 figures, and rising), only 8% of companies are using artificial intelligence. So for the large number of small and medium-sized companies, this is (still) pie in the sky.

And what about the “End of the Cookie”?

Are cookies dying? Yes and no. Cookies are fundamentally important to the functioning of the Internet. At the same time, they are a threat to privacy. How does this fit together?

Cookies are a technology that allows a website to uniquely identify a visitor:in. It is important to distinguish between so-called first-party cookies and third-party cookies.

A first-party cookie comes from the website that a visitor is currently visiting. Such a cookie is set, for example, when a visitor logs in. Without this technology, a visitor would have to log in again for each visit.

A third-party cookie, on the other hand, comes from another website, meaning a third party. These are usually advertising networks such as those of Google and Facebook or tracking tools such as Google Analytics.

The announced “end of the cookie” is only about third-party cookies. The browsers Firefox and Safari already block these or delete them after a short time, Chrome is expected to follow suit after all not until 2023.

For marketers, this means that web tracking across multiple websites will become less accurate or even impossible.

That’s why it’s worth it to already invest in obtaining zero-party data today (see above, trend 1) and to establish direct access to leads and customers without detours via the advertising networks (trend 2).

By the way, our own software is not affected by the end of third-party cookies. Starting from the Pro version, our customers can operate Friendly Automate under their own (sub-)domain and thus employ first-party cookies.

Conclusion

Marketing automation is more relevant than ever. Choose an affordable and privacy-compliant marketing automation solution, focus on the right communication channels, start with simple workflows, take care of existing customers, and integrate sales and marketing – and you’ll be well on your way for 2022.

Der Beitrag The Top 5 Marketing Automation Trends for 2022 erschien zuerst auf Friendly.