Switzerland - Data Protection Overview
1. Governing Texts
Swiss data protection law is rooted in the civil law protection of personality rights. The Federal Constitution of the Swiss Confederation ('the Constitution') provides a constitutional right to privacy: Article 13 of the Constitution protects the right to privacy in personal and family life and in a person's home. Article 28 of the Swiss Civil Code ('the Civil Code') and the Federal Act on Data Protection of 1992 ('FADP') put this fundamental right to privacy into concrete terms at the statutory level.
In essence, the data processing principles set out in the FADP provide for protection against infringements of personality rights (data privacy) through excessive use of personal data. Article 28 of the Civil Code remains relevant, from a privacy law perspective, where libel, slander, or defamation is the concern. Furthermore, Article 28 of the Civil Code is relevant for the protection of personality rights of legal entities.
In addition to criminal liability governed by the FADP, a number of provisions of the Swiss Criminal Code ('the Criminal Code') are relevant in a data protection and privacy context. These include criminal law protection of a person's reputation against defamation (including libel and slander) and criminal law provisions prohibiting unauthorised recording of private conversations or wiretapping.
Sector-specific data protection and security requirements set out in laws regulating businesses and organisations in certain sectors (including the healthcare, pharmaceutical, energy, telecommunications, and finance sectors) provide more specific requirements applying to the processing of, for example, patient data, bank customer data, or smart meter data. Sector-specific provisions typically take precedence over the general provisions of the FADP.
The 26 Cantons, the member states of the Swiss Confederation, have enacted their own data protection acts. These govern the processing of personal data by public authorities at the Cantonal and communal levels. This follows from the Cantons' competence to organise themselves autonomously and thus to determine the obligations of their own authorities.
On 25 September 2020, the Federal Parliament enacted a revised FADP ('the Revised FADP'; the final text is official in German, French, and Italian). The Revised FADP will enter into force on 1 September 2023. It implements the requirements of the Council of Europe's Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data ('Convention 108+') and aligns the FADP with the requirements of the European Union's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), with the aim of retaining the European Commission's adequacy finding for Switzerland.
It is important to note that, although the Revised FADP contains similar provisions and is aligned with the requirements of the GDPR, Switzerland has enacted its own law. The Revised FADP largely draws on Convention 108+ (and on the Law Enforcement Directive (Directive (EU) 2016/680), which Switzerland had to implement under its Schengen Association Agreement with the EU) rather than on the GDPR. Case law and guidance issued by EU authorities under the GDPR should therefore not be applied uncritically when interpreting the Revised FADP.
The FADP is the key act regulating data protection in Switzerland. The Ordinance to the Federal Act on Data Protection ('FODP') puts certain aspects of the FADP into more concrete terms; for example, it sets out the specifics of the notification requirements and the modalities of the right of access. A revised FODP (draft text available in German, French, and Italian), which was open for comments until 14 October 2021, will enter into force together with the Revised FADP.
In addition, the Civil Code and the Criminal Code regulate aspects of privacy and data protection (see the introductory remarks above for details).
Note that only the German, French, and Italian versions of the Federal laws referenced in this Note are official texts. English versions are provided only for reference purposes.
Key non-binding guidelines issued by the Federal Data Protection and Information Commissioner ('FDPIC') include:
- Guidelines on data subjects' rights regarding the processing of personal data (available only in German, French, and Italian);
- Guidelines on the processing of personal data by companies or organisations (available only in German, French, and Italian);
- Guidelines on technical and organisational security measures;
- Guidelines on transborder data flows;
- Guide to checking the admissibility of direct or indirect data transfers to foreign countries (Article 6(2)(a) of the FADP);
- Guidelines on the processing of personal data in the employment context (available only in German, French, and Italian);
- Guidelines on the monitoring of internet and email use at the workplace (available only in German, French, and Italian); and
- Guidelines on the processing of personal data in the healthcare sector (available only in German, French, and Italian).
1.3. Case law
The following are leading decisions of the Swiss Federal Supreme Court:
- Decision 4A_518/2020 of 5 August 2021 (access to private data stored on a mobile phone provided by the employer) (French only);
- Decision BGE 147 I 372 (DNA profiling for law enforcement purposes) (German only);
- Decision BGE 144 I 126 (retention of telecommunications traffic data) (German only);
- Decision BGE 143 I 253 (FINMA watchlist) (German only);
- Decision BGE 142 III 263 (video surveillance system) (German only);
- Decision BGE 141 III 119 (employees' right of access) (German only);
- Decision BGE 138 III 425 (bank customers' right of access) (German only);
- Decision BGE 138 II 346 (Google Street View) (German only); and
- Decision BGE 136 II 508 (Logistep) (German only).
In addition, the following judgments of the Swiss Federal Administrative Court ('FAC') are notable:
- Judgment A-3548/2018 of 19 March 2019, FDPIC v. Helsana Zusatzversicherungen (German only);
- Judgment A-4232/2015 of 18 April 2017, FDPIC v. Moneyhouse (German only); and
- Judgment A-5225/2015 of 12 April 2017, FDPIC v. Lucency (German only).
2. Scope of Application
The FADP and the FODP apply to the processing of personal data by businesses and organisations in all sectors of the economy as well as to the processing of personal data by Federal authorities. They also apply to the processing of personal data by natural persons in the context of business activities, but not in the context of personal household uses.
Chapter 3 of the FADP only applies to the processing of personal data by businesses, organisations, and natural persons. Chapter 4 of the FADP only applies to the processing of personal data by public authorities of the Federation (and to the processing of personal data by businesses or organisations performing tasks in the exercise of Federal public authority vested in them).
Sector-specific data protection and security requirements apply to businesses and organisations in certain sectors (e.g. regulated medical device manufacturers, hospitals, energy suppliers, banks, or telecommunications services providers). Note that the cookie-related information obligations set out in the Swiss Telecommunications Act ('TCA') apply to any business or organisation processing personal data on users' devices by means of using telecommunications services (see the Note 'Switzerland – Cookies and Similar Technologies').
The Cantonal data protection acts govern the processing of personal data by public authorities of the relevant Canton or its communes (and the processing of personal data by businesses or organisations performing tasks in the exercise of Cantonal or communal public authority vested in them).
The principle of effects determines the FADP's territorial scope. In other words, the FADP applies to the processing of personal data that has actual or potential effects in Switzerland. This includes processing activities that are conducted or initiated outside of Switzerland but actually or potentially adversely affect the privacy rights of individuals in Switzerland. According to established case law, this territorial scope already applies to investigation proceedings of the FDPIC under the current FADP. The Revised FADP will codify this case law.
Further, the Revised FADP may apply, in accordance with the principle of effects under private international law, in private enforcement.
The criminal law provisions of the FADP (Articles 34–35) apply to offences committed in Switzerland (criminal law principle of territoriality). This will remain the same for criminal law provisions (Articles 60–66) of the Revised FADP.
The FADP is an omnibus law governing any processing (including collection, storage, adaptation or alteration, disclosure, archiving, destruction, or other use) of personal data. Processing of personal data by natural persons for personal household uses is exempted.
The FADP does not apply to the processing of anonymous data (i.e. information that the respective holder or receiver of the information will not reasonably likely relate to an identified or identifiable individual).
3.1. Main regulator for data protection
The FDPIC supervises compliance by businesses, organisations, and Federal public authorities with their respective obligations under the FADP and the FODP.
State prosecutors of the Cantons enforce criminal law provisions of the FADP (see section on Penalties below for details). State prosecutors also enforce the data protection law-related offences under the Criminal Code.
The data protection supervisory authorities of the Cantons supervise the data processing activities of Cantonal and communal authorities in accordance with the Cantonal data protection acts.
In addition, private enforcement plays a role, in particular as regards injunctions banning disclosure of personal data, and the enforcement of the right of access or the right to have personal data rectified or deleted (see sections on Data Subjects Rights and on Penalties below).
3.2. Main powers, duties and responsibilities
Under the current FADP, the FDPIC may only issue non-binding recommendations. However, where the business, organisation, or Federal authority concerned does not agree to implement the recommendation, the FDPIC may file a complaint with the Federal Administrative Court and request that the court order the defendant to implement the recommendation.
Under the Revised FADP, the FDPIC will have the power to issue binding decisions: The FDPIC may (ex officio or upon a data subject's complaint) require the respective business or organisation or Federal authority (controllers) to correct, suspend, or cease certain processing of personal data, or to delete personal data entirely or partially. The FDPIC may, under the Revised FADP, also require the businesses, organisations, or Federal authorities concerned to comply with specific obligations that apply to them as controllers or processors; such as, in the case of controllers, to inform individuals, grant a right of access, or to perform a Data Protection Impact Assessment ('DPIA').
In contrast to supervisory authorities in most jurisdictions where the GDPR is enforced, the FDPIC will not, however, have the power to impose administrative fines on businesses or organisations. Nor will the FDPIC have the power to impose fines on individuals.
4. Key Definitions
Data controller: The Revised FADP will distinguish controllers and processors. Similarly, the current FADP distinguishes owners of data filing systems and third parties processing personal data on behalf of such owner. The term 'controller' (under the Revised FADP) refers to the business, organisation, natural person, or Federal authority that determines (alone or jointly with others) the purpose and means of the processing of personal data.
Data processor: 'Processors' (under the Revised FADP) are businesses, organisations, natural persons, or Federal authorities that process personal data on behalf (and for the purposes of) the controller.
Personal data: The FADP defines 'personal data' as any information relating to an identified or identifiable person. This includes information that directly identifies a (natural) person (e.g. a full name or picture showing a person's face) and information that allows identification indirectly by reference to additional information (e.g. email address, telephone number, social security number, or customer number). A 'relative' approach to identification applies. Information may qualify as personal data in the hands of one party and as anonymous data in the hands of another party. Identifiability means that the party holding or receiving the information has (or will reasonably likely gain) access to means it will reasonably likely use to identify the (natural) person directly or indirectly. To ascertain whether such identification is reasonably likely, account is taken of the costs of and the amount of time the holder or receiver of the information requires for identification, taking into consideration the technology available to such business, organisation, or natural person. Note that the current FADP also governs the processing of information relating to an identified or identifiable legal entity. The Revised FADP will not apply to processing of information relating to an identified or identifiable legal entity.
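To make the relative notion of identifiability in the definition above (and the anonymous-data carve-out in the scope section) concrete for engineers, the following Python example is added by the editor; it is not part of the original note and not FDPIC guidance. It assumes a controller that pseudonymises a customer table with a keyed hash (HMAC-SHA256) before sharing it and keeps the key and the linkage table to itself; the records are constructed and fictional. The same rows are personal data in the controller's hands, because it can re-identify every token, while the recipient without the key cannot recompute tokens even from a complete list of customer numbers. The example also shows the opposite failure: an unkeyed hash of a low-entropy attribute (a date of birth) is reversed by plain enumeration in well under a second, so the 'cost and time' criterion is met and the hashed value remains personal data for whoever receives it.

```python
"""Added illustration of the FADP's relative notion of identifiability.

Not part of the original note. The records below are constructed and
fictional; the key-management assumption (the controller keeps the HMAC key
and the linkage table, the recipient gets neither) is the editor's, not a
requirement stated in the FADP itself.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample records of fictional customers (not data from the page).
RECORDS = [
    {"customer_no": "C-1001", "birth_date": "1984-03-12", "diagnosis": "asthma"},
    {"customer_no": "C-1002", "birth_date": "1991-11-30", "diagnosis": "migraine"},
    {"customer_no": "C-1003", "birth_date": "1977-07-04", "diagnosis": "asthma"},
]


def generate_key() -> bytes:
    """Secret key held only by the controller and never given to the recipient."""
    return secrets.token_bytes(32)


def pseudonymise(records, key):
    """Replace the direct identifier (customer_no) with a keyed pseudonym.

    Returns (rows handed to the recipient, linkage table kept by the controller).
    Because the token is HMAC-SHA256 under a secret key, a recipient holding a
    list of customer numbers still cannot recompute the tokens; an unkeyed
    hash would let them do exactly that.
    """
    rows, linkage = [], {}
    for r in records:
        token = hmac.new(key, r["customer_no"].encode(), hashlib.sha256).hexdigest()
        linkage[token] = r["customer_no"]
        rows.append({"token": token, "birth_date": r["birth_date"], "diagnosis": r["diagnosis"]})
    return rows, linkage


def reidentify(token, linkage):
    """Party holding the linkage table gets the customer number; anyone else gets None."""
    return linkage.get(token)


def unkeyed_hash(value: str) -> str:
    """What is often mistaken for anonymisation: a plain SHA-256 of the value."""
    return hashlib.sha256(value.encode()).hexdigest()


def reverse_birth_date_hash(digest, first=date(1920, 1, 1), last=date(2020, 12, 31)):
    """Recipient with no key at all: enumerate every plausible birth date.

    Roughly 37,000 candidates, well under a second on a laptop, so the
    'cost and time' test is trivially met and the hash is still personal data.
    """
    d = first
    while d <= last:
        if unkeyed_hash(d.isoformat()) == digest:
            return d.isoformat()
        d += timedelta(days=1)
    return None


def generalise_birth_dates(rows):
    """Coarsen the remaining quasi-identifier to a birth year (editor's design choice)."""
    return [dict(r, birth_date=r["birth_date"][:4]) for r in rows]


if __name__ == "__main__":
    key = generate_key()
    rows, linkage = pseudonymise(RECORDS, key)
    print("controller re-identifies:", reidentify(rows[0]["token"], linkage))
    print("recipient re-identifies:", reidentify(rows[0]["token"], {}))
    print("unkeyed hash reversed:", reverse_birth_date_hash(unkeyed_hash("1984-03-12")))
    print("coarsened row:", generalise_birth_dates(rows)[0])
```

Running the file prints the controller's and the recipient's view of the same token. Whether the recipient's dataset is anonymous in the legal sense still depends on what else it holds: the birth dates and diagnoses left in clear are quasi-identifiers that could be matched against other data, which is why the last function coarsens them; that coarsening is a design choice of this example, not a rule taken from the FADP.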
Under the FADP, the following categories of personal data qualify as 'sensitive':
- personal data concerning religious, ideological, political, or trade union-related views or activities;
- personal data concerning health, the intimate sphere, or the racial origin of an individual;
- personal data concerning social security measures; and
- personal data concerning administrative or criminal proceedings and sanctions.
These categories of personal data will continue to be considered sensitive under the Revised FADP. The Revised FADP will add two new categories:
- genetic data; and
- biometric data that uniquely identifies an individual.
Note that the above list of categories of sensitive personal data is exhaustive.
Disclosure: 'Disclosure' means making personal data available, for example by permitting access to it, by transferring it to a third party, or by publishing it. Entrusting a processor with processing activities on the controller's behalf does not qualify as a disclosure to a third party (see the sections on Special Categories of Personal Data and on Controller and Processor Contracts below for details).
Processing: 'Processing' means any operation performed on personal data, irrespective of the means or procedures applied, and in particular the collection, storage, use, adaptation or alteration, disclosure, archiving, or destruction of data.
5. Legal Bases
In contrast to the principle of 'lawfulness of processing' on which the GDPR is based, the processing of personal data by businesses, organisations, or natural persons is generally allowed under the FADP. Only public authorities require a legal basis for processing. Private controllers do not need a legal basis for lawful processing of personal data under the FADP.
Legal bases, or rather 'justifications', are relevant only as grounds for justifying an otherwise unlawful infringement of personality rights. See the section on Principles below for details. This concept will remain the same under the Revised FADP (Article 30(2) of the Revised FADP).
Preliminary remarks: It is important to note that Article 4(5) of the FADP and Article 6(6) and (7) of the Revised FADP (see below) do not set out a general consent requirement for processing personal data. These provisions merely define the conditions for valid consent, which apply if a controller needs to justify processing and seeks to rely on consent as the ground for justification (rather than on another ground, such as the performance of a contract or other legitimate interests).
Where a controller needs to justify processing (see the introductory remarks to section on 'Legal Bases' and the definition of 'lawfulness of processing' in section on 'Principles') and seeks to rely on consent for that purpose, consent is valid only if it is informed and freely given. If the controller seeks to justify the disclosure of sensitive personal data or so-called 'personality profiles' to third parties (other controllers; not processors) or if it otherwise seeks to justify a personality rights infringement (e.g. processing for further purposes or for longer than necessary) concerning sensitive personal data, consent needs to be given expressly (clear affirmative action).
Under the Revised FADP, where a controller needs to justify processing (see the introductory remarks to section on 'Legal Bases' and the definition of 'lawfulness of processing' in section on 'Principles') and seeks to rely on consent for that purpose, consent will be valid only if it is informed, freely given and specific to one or several processing activities (Article 6(6) of the Revised FADP). Further, where a controller needs to justify processing involving sensitive personal data or high-risk profiling and seeks to rely on consent for that purpose, consent needs to be expressly given (Article 6(7) of the Revised FADP).
Despite the lengthy Parliamentary debate and the misconceptions surrounding it, there will be no general requirement under the Revised FADP to obtain consent for so-called high-risk profiling (a concept introduced late in the Parliamentary debate, meaning profiling that poses a high risk to the privacy of individuals because it links data in a way that enables an assessment of essential aspects of a natural person's personality). Rather, the relevant provision (Article 6(7) of the Revised FADP) defines a condition for valid consent that applies if a controller needs to justify processing and seeks to rely on consent for that purpose (and not on other grounds for justification, such as overriding private or public interests or a legal obligation). See the introductory remarks to this section above and the definition of 'lawfulness of processing' in the section on Principles below for details.
Where a controller needs to justify processing (see the introductory remarks to this section above and the definition of 'lawfulness of processing' in the section on Principles below), interests of the controller may justify the processing if the interests override the data subject's privacy interests (Article 13(1) of the FADP; Article 31(1) of the Revised FADP). Necessity for the conclusion or performance of a contract with the data subject is considered such interest that may override the data subject's privacy interests (Article 13(2)(a) of the FADP; Article 31(2)(a) of the Revised FADP).
Where a controller needs to justify processing (see the introductory remarks to this section above and the definition of 'lawfulness of processing' in the section on Principles below), necessity of the controller's compliance with legal obligations may justify the processing (Article 13(1) of the FADP; Article 31(1) of the Revised FADP). Only legal obligations laid down in Swiss law will be considered.
Interests of the data subject may qualify as 'private interests' under Article 13(1) of the FADP (Article 31(1) of the Revised FADP) that may justify an otherwise unlawful personality rights infringement. At the same time, processing that is in the (vital) interest of the data subject is less likely to qualify as a personality rights infringement in the first place.
Overriding public interests may justify an otherwise unlawful infringement of personality rights, particularly when invoked by public authorities (Article 13(1) of the FADP; Article 31(1) of the Revised FADP). Courts are reluctant to accept public interests as a ground for justification when private controllers invoke them.
Legitimate interests of the controller are 'private interests' within the meaning of Article 13(1) of the FADP (Article 31(1) of the Revised FADP) that may justify processing requiring justification (see the introductory remarks to this section above and the definition of 'lawfulness of processing' in the section on Principles below), provided they override the privacy interests of the data subject. Legitimate interests of the controller include, in particular and without this being an exhaustive list (see Article 13(2) of the FADP; Article 31(2) of the Revised FADP):
- processing in order to conclude or perform a contract with the data subject;
- processing for the purpose of competing economically with another organisation, provided the controller will not share the personal data with third parties (whereby, in this context, intragroup transfers are not considered transfers to third parties); and
- processing for the purpose of checking the creditworthiness of a data subject (subject to restrictions).
To account for the principles of proportionality (data minimisation and storage limitation) and purpose limitation (as put into more concrete terms in Article 328b of the Code of Obligations), employers may, in principle, only process employee personal data to the extent the processing relates to the workplace. This includes processing that is necessary for the performance of the employer's obligations to the employee under the employment contract, for compliance with statutory obligations, or for the purposes of legitimate interests of the employer or third parties that have a sufficient connection to the workplace (e.g. the enforcement of legal claims, measures ensuring safety at work or information security, fleet management, or marketing of professional services performed by the employee).
According to case law of the Swiss Federal Supreme Court (Decision 4A_518/2020 of 5 August 2021, French only), however, the workplace-relation requirement does not per se prohibit the processing of employee personal data for non-work-related purposes. Specifically, processing for further purposes may be justified in individual cases based on statutory obligations or overriding legitimate interests of the employer or a third party, or even based on interests of the employee.
Obtaining the employees' consent is typically not necessary (and will not be valid unless the employee has a real choice).
Employees have a duty of loyalty to their employers. This means that employees have to tolerate certain restraints on their privacy interests. At the same time, employers have a duty of care to their employees. Even though employees are under a loyalty obligation, employers have to process employee personal data in the way that is least intrusive to the privacy interests of their employees (principle of proportionality). Of particular importance is adequately informing employees about the functioning and purposes of, for example, fleet management, internet use monitoring, or video surveillance systems that the employer intends to use, and about the employees' rights in connection with the processing of their personal data for such purposes.
6. Principles
The following processing principles are key principles and responsibilities of controllers under the FADP:
- Lawfulness: Businesses or organisations (controllers) may only process personal data that has been collected in accordance with other applicable laws. For example, processing personal data that has been collected through unlawful trespassing or wiretapping would infringe the 'lawfulness' principle. Note that, in contrast to the principle of 'lawfulness of processing' on which the GDPR is based, the processing of personal data by businesses, organisations, or natural persons is generally allowed under the FADP (see also above the section on legal bases). Only public authorities require a legal basis for processing.
- Fairness (good faith): Controllers may only perform such processing activities as data subjects may reasonably expect. Furthermore, fairness (good faith) means that processing must be performed as described in privacy notices.
- Transparency: Controllers have to convey to data subjects all information necessary in order to ensure transparent data processing. The information needs to enable data subjects to exercise their rights under the FADP. The Revised FADP will set out in more detail the types of information that controllers need to convey to data subjects. At a minimum, controllers will need to inform data subjects about:
- the identity and the contact details of the controller;
- (where applicable) the contact details of the data protection officer ('DPO');
- the contact details of the Swiss representative, if any;
- the purposes of the processing of personal data;
- the recipients or categories of recipients of the personal data, if any;
- the categories of personal data concerned, where the personal data is not obtained directly from the data subject;
- where the controller intends to transfer personal data to a recipient outside Switzerland, the countries to which the controller intends to transfer personal data and (in the absence of an adequacy decision of the Federal Council) the safeguards relied on (e.g. Standard Contractual Clauses ('SCCs') or derogations); and
- (where applicable) the existence of automated individual decision-making.
- Purpose limitation: Controllers may only process personal data for the specified purposes that have been notified to or are obvious to data subjects; and may only process personal data in a manner compatible with those purposes. The information about the purposes of the processing needs to be specific. Controllers also need to ensure that further processing of personal data received from other controllers is compatible with the purposes determined and communicated to the data subjects at the time of collection.
- Proportionality: The processing of personal data needs to be proportionate; that is, limited to what is necessary to achieve the specified purposes, considering the type of personal data concerned and the scope and duration of the processing. The data minimisation and storage limitation principles are key aspects of the proportionality principle. This means that controllers need to limit the scope of personal data collected and processed to what is necessary for the intended purposes, and to delete personal data once it is no longer needed for the specified purposes.
- Accuracy: Controllers need to ensure they only process personal data that is accurate and kept up to date. They must take all reasonable steps to ensure that personal data that is inaccurate or incomplete, having regard to the purposes for which it is processed, is deleted or rectified.
- Data security: Both controllers and (under the Revised FADP) processors are under an obligation to ensure an adequate level of data security. They are required to protect the integrity, confidentiality, and availability of personal data by means of adequate technical and organisational security measures. In assessing the appropriate level of security, controllers and processors have to account for the purpose, type, and scope of the data processing, the potential risks for data subjects, and the state of the art.
If businesses and organisations process personal data in accordance with the processing principles set out above, the processing will generally be considered lawful as long as the data subject has not expressly objected to the processing. Infringements of these processing principles (e.g. processing for further purposes than those initially specified, or processing for longer than necessary for the specified purposes), or continued processing despite the data subject's objection, are breaches of personality rights of the affected data subject. In addition, disclosure of sensitive personal data or (under the current FADP only) personality profiles to third parties without a valid ground for justification is deemed a breach of personality rights.
Breaches of personality rights are deemed unlawful unless the controller can demonstrate that the relevant data processing is justified on grounds of overriding private or public interests or the necessity for its compliance with legal obligations laid down in Swiss law. See section on legal bases above.
7. Controller and Processor Obligations
No registration with or notification to the FDPIC is generally required in order to process personal data in Switzerland (or to perform data processing operations with effects in Switzerland). However, under the current FADP, businesses or organisations have to register their data files with the FDPIC if they regularly process sensitive personal data, personality profiles, or regularly disclose personal data to third parties.
Data files must be registered with the FDPIC before they are put into operational use (Article 3(1) of the FODP). The notification must include the following information (Article 3(1) of the FODP):
- the name and address of the controller of the data file;
- the name and complete designation of the data file;
- the person against whom the right of access may be asserted;
- the purpose of the data file;
- the categories of personal data processed;
- the categories of data recipients; and
- the categories of persons participating in the data file, i.e. third parties who are permitted to enter and modify data in the data file.
Controllers must keep the information included in the registration of their data files up to date (Article 3(2) of the FODP). The FDPIC has issued the following relevant guidance:
- Guidelines on the processing of personal data by companies or organisations (available only in German, French, and Italian);
- Summary on registration (available only in German and French);
- Paper on exemptions from registration for lawyers, doctors, and HR departments (available only in German, French, and Italian); and
- Notification form for the FDPIC and additional information on how to complete it (available only in German, French, and Italian).
A private controller is not required to register its data files if (Article 11a(5) of the FADP):
- the data is processed pursuant to a statutory obligation;
- the Federal Council has exempted the processing from the registration requirement because it does not prejudice the rights of the data subjects;
- the data controller uses the data exclusively for publication in the edited section of a periodically published medium and does not pass on any data to third parties without informing the data subjects;
- the data is processed by journalists who use the data file exclusively as a personal work aid;
- the data controller designated a DPO who independently monitors internal compliance with data protection regulations and maintains a list of the data files; or
- the data controller has acquired a data protection quality mark under a certification procedure (under Article 11 of the FADP) and has notified the FDPIC of the result of the evaluation.
Furthermore, a controller is exempt from the duty to register its data files with the FDPIC if (Article 4 of the FODP):
- the data files originate from suppliers or customers, provided that they do not contain any sensitive personal data or personality profiles;
- the data files contain data which is used exclusively for purposes unrelated to specific persons, in particular in research, planning and statistics;
- the files are archived data files and the data is preserved solely for historical or scientific purposes;
- the data files contain only data that has been published or that the data subjects have themselves made generally accessible without expressly prohibiting the processing of such files;
- the data exclusively serves to fulfil the requirements of maintaining a record of the automated processing of sensitive personal data or profiling (Article 10 of the Ordinance);
- the data files are accounting records; or
- the files are secondary data files for personnel management of the controller of the data file, provided they do not contain any sensitive personal data or personality profiles.
The obligation to register data files will no longer apply to businesses or organisations under the Revised FADP.
Under the current FADP, the FDPIC publishes a list of states that, according to the FDPIC's assessment, provide an adequate level of data protection. Under the Revised FADP, the Federal Council will adopt adequacy decisions in relation to jurisdictions that provide an adequate level of protection. The Federal Council will (just as the FDPIC has done in the past) likely follow the European Commission's lead and consider adequate those jurisdictions in relation to which the European Commission has adopted an adequacy decision.
Appropriate safeguards (or derogations for specific situations) are required in order to transfer personal data to states without an adequate level of protection. Appropriate safeguards include, under the Revised FADP: SCC issued, approved or recognised by the FDPIC, Binding Corporate Rules ('BCRs') approved by the FDPIC or a competent data protection supervisory authority in a state that provides adequate protection, or (subject to prior notification to the FDPIC) contractual clauses incorporated into a controller-to-processor data processing agreement.
The FDPIC has recognised the new SCC issued by the European Commission in June 2021 as a valid safeguard for transfers from Switzerland to states without an adequate level of protection, provided that the parties supplement the SCC with an annex that implements Swiss law-specific safeguards. The following supplements are (except in the case of onward-transfers) expected:
- Clause 4(a): References to the GDPR are to be understood as references to the FADP;
- Clause 13: The competent supervisory authority (to be named in Annex I.C) is the Swiss FDPIC; and
- Clause 18(c): the term 'Member State' must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of bringing legal proceedings against the data exporter and/or data importer before courts of Switzerland.
Further, the FDPIC expects the performance of a Transfer Impact Assessment ('TIA') in connection with the use of SCC.
In addition, the Revised FADP provides for derogations for data transfers in specific situations, such as where the transfer is directly related to the conclusion or the performance of a contract between the data subject and the controller.
The above rules on data transfers also apply in an outsourcing context, where a controller in Switzerland engages a processor in another state, or where a processor in Switzerland engages a sub-processor in another state. In addition, controller-to-processor relationships and processor-to-sub-processor relationships have to be governed by a data processing agreement.
Under the Revised FADP, controllers (and processors) will be required to maintain records of processing activities. Exemptions apply in relation to low-risk processing of personal data by businesses with fewer than 250 employees. The revised Ordinance (FODP) will set out the specifics of this and other exemptions that may apply.
Under the Revised FADP, controllers will be required to perform DPIAs for intended high-risk processing of personal data. The high risk may result from the type, scope, circumstances, or purposes of the processing or from the use of new technologies. A DPIA will be required under the Revised FADP, in particular, in the case of large-scale processing of sensitive personal data or large-scale systematic monitoring of publicly accessible areas. The implementation of profiling will require a prior privacy risk assessment and, potentially, a DPIA.
The Revised FADP provides that the DPIA should include a description of the planned processing, an assessment of the risks for the personality or the fundamental rights of data subjects, and the measures planned to protect their personality and fundamental rights (Article 22(3) of the Revised FADP). As regards exemptions, Article 22(4) of the Revised FADP exempts controllers that process personal data on the basis of a legal obligation, as well as controllers that use a system, product, or service certified in accordance with Article 13 of the Revised FADP or that comply with a code of conduct within the meaning of Article 11 of the Revised FADP.
The Revised FADP stipulates that a controller must consult the FDPIC when the DPIA reveals that the processing presents a high risk for the personality or fundamental rights of the data subject despite the measures envisaged by the controller (Article 23 of the Revised FADP). However, the Revised FADP provides for an exemption to such consultation requirement where the controller has consulted its appointed data protection advisor (Article 23(4) of the Revised FADP).
Appointing a DPO is not mandatory for businesses and organisations under the FADP or the Revised FADP. However, the Revised FADP incentivises the appointment of a DPO, i.e. a 'data protection advisor' (cf. above, regarding DPIAs and prior consultations). In practice, it may also be advisable to appoint a DPO voluntarily, as compliance with documentation and notification obligations and responding to data subjects' requests under the Revised FADP requires businesses, in practice, to establish an internal data protection function.
The DPO must be independent, both organisationally and in the exercise of their professional expertise. Organisationally, they may not perform tasks that are incompatible with the tasks of the DPO (avoidance of conflicts of interest). As regards professional expertise, the controller or processor must ensure that the DPO does not receive any instructions regarding the performance of their tasks. The DPO may be either an employee or a third party.
The DPO's functions include (Article 11a(5)(e) of the FADP and Article 12b of the Ordinance):
- auditing the processing of personal data;
- monitoring internal compliance with data protection regulations;
- recommending corrective measures where they ascertain that the data protection regulations have been infringed; and
- maintaining a list of the data files.
Importantly, Article 10(3)(d) of the draft Revised FADP and the Guidance on the Revised FADP ('the Revised FADP Guidance') emphasise that the DPO is responsible for acting as the link to official data protection bodies and as the first point of contact for the FDPIC.
Further, the DPO must have the professional skills and expertise necessary to perform the statutory tasks of a DPO. Basic knowledge of data protection law is generally sufficient in order to perform the tasks of advising on and monitoring compliance with data protection laws (in particular, if supported by external legal advisors), and for consultation with the FDPIC. At least as important (namely in connection with a DPIA or with regard to data security) is knowledge of the relevant technology, data flows, and business processes.
The DPO must be provided with the resources, as well as access to all files and information, necessary to carry out their duties (Article 12b(2) of the Ordinance). The FDPIC recommends that organisations establish internal procedures for the notification of processing activities to their DPO (see the FDPIC's guidance on the corporate DPO, available in German, French, and Italian only).
Businesses or organisations that appoint a DPO in accordance with the Revised FADP will have to publish and provide to the FDPIC the contact details of the DPO.
Under the Revised FADP, businesses or organisations (private controllers) established outside of Switzerland will have to appoint a representative in Switzerland under certain conditions. They will be required to do so if they regularly perform high-risk and large-scale processing of personal data in connection with the offering of goods or services in Switzerland, or in connection with the monitoring of individuals' behaviour taking place in Switzerland.
Under the Revised FADP, controllers will be required to notify the FDPIC of personal data breaches that may result in a high risk for data subjects (the current FADP does not set out any data breach notification obligations, but notification is considered best practice). No fixed deadline is defined for the notification; controllers will need to notify the FDPIC as quickly as possible, i.e. without undue delay. In their notification, they will need to address the type of personal data breach, its consequences, and the measures taken or planned to remedy the breach and mitigate risks for data subjects.
Controllers are required to notify the data subjects affected by the personal data breach if such notification is necessary in order to protect the data subjects or if the FDPIC so requests.
Processors who detect a personal data breach are required to notify the controller of the breach as quickly as possible, i.e. without undue delay.
Data breach notification obligations that apply to regulated banks or insurance companies (in relation to customer data) or hospitals (in relation to electronic patient records) may apply in addition to the obligation to notify personal data breaches under the Revised FADP.
Controllers have to delete or sufficiently de-identify (i.e. render anonymous) personal data once they no longer need it for the specified purposes, unless they need to retain it in order to pursue legitimate interests (such as the enforcement of legal claims or archival purposes) or to comply with legal obligations (such as record-keeping obligations).
Disclosing special categories of personal data (also referred to as 'sensitive data') to third parties requires justification, such as the consent of the data subject, or necessity for the purposes of overriding interests of the controller or compliance with legal obligations.
Note that only disclosures of sensitive data (not the processing of sensitive personal data per se) requires justification. This is often misunderstood, including by the FDPIC. Also note that engaging processors to perform (sensitive) data processing activities does not qualify as disclosing (sensitive) personal data. See section on Controller and Processor Contracts below for details.
In addition, higher standards for transparency and data security apply in relation to the processing of special categories of personal data, and a DPIA is more likely to be required if the envisaged processing activity involves the processing of special categories of personal data.
The controller-to-processor relationship needs to be governed by a contract (or established by law). The controller must ensure that the processor only performs processing activities that the controller itself would be allowed to perform, and that the processor is capable of providing adequate data security. Further, the Revised FADP provides that a processor may only engage a sub-processor with the prior consent of the controller. The standard required by Article 28(3) of the GDPR will suffice in most circumstances for the purposes of the Revised FADP. In doing so, the parties should clarify that Switzerland is considered a member of the European Economic Area ('EEA') for the purposes of the data processing agreement.
Controllers will continue to be primarily responsible for compliance with the Revised FADP. Yet, in contrast to the current FADP, the Revised FADP will also set out legal obligations applying directly to processors (including data security obligations, restrictions on engaging sub-processors, and the requirement to maintain a record of processing activities).
Note that disclosures of personal data by controllers to processors are 'privileged' under the FADP (as well as the Revised FADP) in the sense that disclosures to processors (or rather, entrusting processors with data processing activities of the controller) do not qualify as disclosures to third parties in the sense of Article 12(2)(c) of the FADP (Article 30(2)(c) of the Revised FADP) and hence do not require justification.
8. Data Subject Rights
The current FADP requires that the collection of personal data and the processing purposes be transparent ('recognisable') to the data subject. It follows that data subjects have a right to be informed about the fact that the controller collects personal data about them and about the purposes of the processing if the collection and processing is not evident from the circumstances (Articles 4(2) and 4(4) of the FADP).
Under the Revised FADP, this transparency principle follows from the 'fairness' principle set out in Article 6(2) of the Revised FADP, and privacy notices become mandatory. To some extent, controllers will also have to actively inform data subjects about personal data collection and processing that may seem obvious to the data subject and would not require active information under the current FADP. Article 19 of the Revised FADP contains a list of minimum elements of information that controllers need to convey to data subjects when collecting personal data. Further obligations to actively inform data subjects are set out in Article 10(3)(d) (obligation to publish the contact details of the DPO), Article 14(3) (obligation to publish the contact details of the Swiss representative), and Article 21(1) (obligation to inform about automated individual decision-making) of the Revised FADP. Also see the section on principles above.
Article 8 of the FADP provides data subjects with the right to access personal data undergoing processing and which relate to the data subject. This includes a right to receive a copy of the personal data undergoing processing. In an access request, data subjects may also ask for available information about the origin (sources) of the personal data, the purposes of processing, the categories of the personal data undergoing processing and the categories of recipients of the personal data.
The controller needs to provide the information in writing and provide a copy of the personal data, e.g. in the form of a print-out or an excerpt from the relevant databases. A 30-day deadline applies, but controllers may also inform the data subject that gathering the relevant information and data requires more time, or provide the information and data in stages.
Controllers may refuse, limit, or defer the provision of information and data if this is required to comply with a legal obligation laid down in Swiss law or in order to protect the overriding interests of third parties, or (provided the controller does not disclose the personal data to third-party recipients) based on prevailing interests of the controller (Article 9 of the FADP). Since prevailing interests of the controller are only valid grounds for refusal, limitation, or deferral if the controller does not share the personal data with other controllers (recipients), this results in relatively weak protection of the controller's business secrets.
This concept remains substantially the same under the Revised FADP (Articles 25–27), except that the new law will set out a list of minimum elements of information that a controller needs to provide in response to access requests (Article 25(2) of the Revised FADP), namely:
- the identity and contact details of the controller;
- the personal data undergoing processing (this includes a right to receive a copy of the personal data);
- the purposes of the processing;
- the storage duration or, if not possible, the criteria used to determine this duration;
- (if the controller has not obtained the personal data directly from the data subject) the available information as to the origin of the personal data;
- (if any) the existence of automated individual decision-making; and
- (if any) the recipients or categories of recipients of the personal data.
The reasons for refusal, limitation, or deferral of the information and data remain substantially the same. Article 26(1)(a) of the Revised FADP clarifies that professional secrecy obligations are a legal obligation that may justify a refusal, limitation, or deferral. Further, Article 26(1)(c) of the Revised FADP clarifies that a controller may refuse information and access to personal data if the access request is manifestly unfounded, is not made for data protection purposes, or is obviously of a frivolous nature.
Data subjects have a right to ask that inaccurate data a controller holds about them be rectified. The controller may refuse the rectification based on legal obligations or prevailing private or public interests.
The right to rectification will also be provided under the Revised FADP, which will however limit the ground for refusal of the rectification. According to Article 32(1) of the Revised FADP, controllers may only refuse to rectify incorrect personal data if a statutory obligation prohibits the rectification or if the personal data is being processed for archiving purposes in the public interest.
The right to object to the processing of personal data provided under Article 12(2)(b) of the FADP includes a right to erasure. A controller may refuse to delete personal data based on legal obligations or prevailing private or public interests. The Revised FADP will expressly stipulate the right to erasure in Article 32(4). The grounds for refusal will continue to apply.
Article 12(2)(b) of the FADP (Article 31(2)(b) of the Revised FADP) provides data subjects with a right to object to the processing of their personal data (essentially an opt-out right). The objection/opt-out right is, however, not absolute. Controllers may continue to process the personal data or, respectively, refuse to restrict processing or to delete personal data if and to the extent that this is necessary for their compliance with legal obligations, the performance of a contract, or other prevailing public or private interests.
The FADP does not currently include a right to data portability. Yet courts have repeatedly held that the right to access includes a right to a copy of the personal data undergoing processing.
Article 28 of the Revised FADP introduces a right to data portability. This data subject right was introduced late in the Parliamentary debate. It provides for a right to receive a copy of the personal data relating to the data subject in a commonly used format, or to ask that the personal data be transferred to another controller. These rights are subject to the following conditions:
- the controller processes the data in an automated manner; and
- the data is processed with the data subject's consent or in direct connection with the conclusion or performance of a contract with the data subject.
Note that in contrast to what is the case under the GDPR, controllers (except public authorities) do not have to determine and document nor notify data subjects of any legal basis or justification for the processing of personal data under the FADP or the Revised FADP. Justification is required only in limited circumstances (see section on Legal Bases above), and there is no documentation or notification requirement regarding justifications.
Yet the second condition set out above is not intended to limit the data portability right to situations where the processing requires justification (and where the controller relies on consent or necessity for the performance of a contract as grounds for justification). Rather, the second condition should be interpreted such that the right to data portability applies to (i) personal data the data subject has voluntarily provided to the data controller (hence the reference to consent) or (ii) personal data the data subject has voluntarily and self-determinedly generated when using a service (provided data) or that the respective service provider has observed (observed data) in the context of this self-chosen contractual situation; but excluding data derived from the controller's analysis of the provided or observed data (derived data).
The exceptions to the right to access (Article 29 of the Revised FADP in conjunction with Article 26(1) and (2); see section on Right to Access above) also apply as exceptions to the right to data portability. In addition, a controller may refuse to grant the right to transfer personal data to another controller if this would require a disproportionate effort.
The FADP does not currently include a right not to be subject to automated decision-making. Article 21 of the Revised FADP introduces an obligation of controllers to inform data subjects if they use automated individual decision-making. It also provides that data subjects have a right to be heard in the case of automated individual decision-making.
These rights will not apply if the decision is made in connection with the conclusion or the performance of a contract with the data subject, and where the controller grants the request made by the data subject, or if the data subject has consented to the automated individual decision-making.
Further, data subjects may object to automated individual decision-making by invoking and subject to the limitations of the right to object (see section on Right to Object/Opt-Out above).
The Revised FADP grants data subjects all rights also granted under GDPR, and potentially more, as remedies available in cases of personality rights infringements under the Civil Code are also available under the Revised FADP (cf. Article 32(2) of the Revised FADP).
Courts have interpreted the right to objection pursuant to Article 12(2)(b) of the FADP to also include a right to restriction of processing and a right to erasure (i.e. to have personal data deleted, destroyed or anonymised). The identical provision in Article 31(2)(b) of the Revised FADP will also be interpreted to include these rights. Further, the Revised FADP now expressly mentions deletion or destruction of personal data and prohibition of processing as remedies that data subjects may seek in court.
The FDPIC does not (and will not under the Revised FADP) have the right to issue administrative fines. But the FDPIC has corrective powers. It may oblige businesses or organisations or Federal authorities (controllers) to correct, suspend, or cease certain processing of personal data, or to delete personal data entirely or partially. The FDPIC may also require the business, organisation, or Federal authority concerned to comply with specific obligations that apply to them as controllers or processors (cf. section on 'Main Powers, Duties and Responsibilities' above).
The state prosecutors enforce the criminal law provisions of the FADP. Currently, the FADP provides that natural persons may be fined up to CHF 10,000 (approx. €9,760) if they are responsible for the violation of certain information and notification requirements under the FADP (e.g. wilfully providing false or incomplete information in response to a data subject access request).
Under the Revised FADP, the maximum amount of the fine will be CHF 250,000 (approx. €257,900). The Revised FADP will also extend criminal liability to the violation of additional data protection obligations under the Revised FADP, such as failing to ensure there are sufficient guarantees for international data transfers or failure to comply with minimum data security requirements.
The Revised FADP will also introduce criminal liability of businesses and organisations. The responsible natural persons (e.g. directors or managers) will primarily be liable. However, the business or organisation (controller or processor) may be held liable for a fine of up to CHF 50,000 (approx. €51,600) under the Revised FADP if determining who in the organisation is responsible for the infringement would require disproportionate investigative efforts.
The FADP provides private rights of actions against infringements of personality rights protected under the FADP. Of particular practical relevance is litigation concerning the exercise of the rights of access, rectification, and deletion. Yet data subjects may also claim infringement of key data privacy principles such as purpose limitation, data minimisation, and data security. The following remedies are available for claims brought under the FADP:
- prior restraints and other injunctions preventing an imminent infringement (such as unlawful disclosure of personal data);
- removal of an existing infringement (this includes enforcement of the right to rectification or deletion);
- an order of the court requiring the controller to provide information or access;
- a declaratory judgment (if the infringement continues to affect the privacy interests of the data subject); and
- claims for compensatory damages, moral damages, and disgorgement of profits.
See section on Case Law above.