Switzerland - Data Protection Overview
1. Governing Texts
Swiss data protection law is rooted in the civil law protection of personality rights. The Federal Constitution of the Swiss Confederation ('the Constitution') provides a constitutional right to privacy. Article 13 of the Constitution protects the right to privacy in personal or family life and in a person's home. Article 28 of the Swiss Civil Code ('the Civil Code') and the Federal Act on Data Protection of 25 September 2020 ('FADP') put this fundamental right to privacy into concrete terms at a statutory level.
In essence, the data processing principles set out in the FADP provide for protection against infringements of personality rights (data privacy) through excessive, non-transparent, or unfair use of personal data. Article 28 of the Civil Code remains relevant, from a privacy law perspective, where libel, slander, or defamation is the concern. Furthermore, Article 28 of the Civil Code is relevant for the protection of the personality rights of legal entities.
In addition to criminal liability governed by the FADP, a number of provisions of the Swiss Criminal Code ('the Criminal Code') are relevant in a data protection and privacy context. These include criminal law protection of a person's reputation against defamation (including libel and slander), criminal law protection against identity theft, and criminal law provisions prohibiting unauthorized recording of private conversations or wiretapping.
Sector-specific data protection and security requirements set out in laws regulating businesses and organizations in certain sectors (including the healthcare, pharmaceutical, energy, telecommunications, and finance sectors), provide more specific requirements applying to the processing of e.g. patient personal data, bank customer data, or smart meter data. Sector-specific provisions typically supersede the provisions of the FADP.
The 26 'Cantons' (states), the Federal states of the Swiss Confederation, have enacted their own data protection acts. These govern the processing of personal data by public authorities on the Cantonal and communal levels. This derives from the competence of the Cantons to organize themselves autonomously and thus to determine the obligations of their authorities.
It is important to note that, whereas the FADP contains similar provisions and is aligned with the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), Switzerland has enacted its own law. The FADP largely draws from the requirements of the Council of Europe's Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data, and also from obligations under the EU Data Protection Directive with respect to Law Enforcement (Directive (EU) 2016/680), which Switzerland had to implement under the Schengen Association Agreement with the EU. However, the FADP is not a Swiss version of the GDPR. This is why case law or guidance issued by EU authorities under the GDPR (or opinions stated by commentators or the supervisory authorities in EU Member States) should not be applied without careful consideration when interpreting and applying the FADP.
The FADP is the key act regulating data protection in Switzerland. The Ordinance on the Federal Act on Data Protection ('the Ordinance') puts certain aspects of the FADP into more concrete terms. For example, it sets out the specifics of data security requirements, and the modalities of data breach notices as well as of the right of access and the right to data portability.
In addition, the Civil Code and the Criminal Code regulate aspects of privacy and data protection. See above (Introduction) for details.
Note that only the German, French, and Italian versions of the Federal laws referenced in this Guidance Note are official texts. English versions are provided only for reference purposes.
The Federal Data Protection and Information Commissioner ('FDPIC') provides guidance (in German, French, Italian, and English) on its website with regard to various focus topics in the following areas:
- employment and economy;
- research and statistics;
- leisure and sport;
- internet and technology, including information security;
- surveillance; and
- housing and mobility.
The guidance provided on the new FDPIC focus pages replaces or amends guidelines previously issued and made available in PDF format.
For example, the Guidelines on using CCTV have been amended and transformed into a focus site within the 'Surveillance' focus page. Similarly, the guidance on monitoring of internet and email use at the workplace is now a focus site within the 'Employment and Economy' focus page. Likewise, further guidelines, including the former guidelines on cross-border transfer of personal data and the guidelines on processing personal data in the healthcare sector, are now focus pages and no longer guidelines made available in PDF format.
Further, the FDPIC issued fact sheets and guidelines that provide guidance or information on the following key topics:
- investigations by the FDPIC;
- Data Protection Impact Assessments (DPIAs);
- technical and organizational security measures; and
- keeping logs of storage, alteration, reading, disclosure, deletion, and destruction of personal data in accordance with Art. 4 of the Ordinance.
1.3. Case law
The following are leading decisions of the Swiss Federal Supreme Court:
- Decision 4A_518/2020, 5 August 2021 (access to private data stored on a mobile phone provided by the employer) (only available in French);
- Decision BGE 147 I 372 (DNA profile for law enforcement purposes) (only available in German);
- Decision BGE 144 I 126 (retention of telecommunications traffic data) (only available in German);
- Decision BGE 143 I 253 (FINMA watchlist) (only available in German);
- Decision BGE 142 III 263 (video surveillance system) (only available in German);
- Decision BGE 141 III 119 (employees' right of access) (only available in German);
- Decision BGE 140 V 464 (limitations of the right of access) (only available in German);
- Decision BGE 138 III 425 (bank customers' right of access) (only available in German);
- Decision BGE 138 II 346 (Google Street View) (only available in German); and
- Decision BGE 136 II 508 (Logistep) (only available in German).
In addition, the following judgments of the Swiss Federal Administrative Court ('FAC') are notable:
- Judgment A-3548/2018 of 19 March 2019, FDPIC v. Helsana Zusatzversicherungen (only available in German);
- Judgment A-4232/2015 of 18 April 2017, FDPIC v. Moneyhouse (only available in French); and
- Judgment A-5225/2015 of 12 April 2017, FDPIC v. Lucency (only available in German).
2. Scope of Application
The FADP and the Ordinance apply to the processing of personal data by businesses and organizations in all sectors of the economy as well as to the processing of personal data by Federal authorities. They also apply to the processing of personal data by natural persons in the context of business activities, but not in the context of personal household uses.
Chapter 5 of the FADP only applies to the processing of personal data by businesses, organizations, and natural persons. Chapter 6 of the FADP only applies to the processing of personal data by public authorities of the Federation (and to the processing of personal data by businesses or organizations performing tasks in the exercise of Federal public authority vested in them).
Sector-specific data protection and security requirements apply to businesses and organizations in certain sectors (e.g., regulated medical device manufacturers, hospitals, energy suppliers, banks, or telecommunications services providers). Note that the cookie-related information obligations set out in the Swiss Telecommunications Act ('TCA') apply to any business or organization processing personal data on users' devices by means of using telecommunications services (see the Note 'Switzerland – Cookies and Similar Technologies').
The Cantonal data protection acts govern the processing of personal data by public authorities of the relevant Canton or its communes (and the processing of personal data by businesses or organizations performing tasks in the exercise of Cantonal or communal public authority vested in them).
The principle of effects determines the FADP's territorial scope with regard to its enforcement by the FDPIC. In other words, the FADP applies to the processing of personal data that has actual or potential effects in Switzerland. This includes processing activities that are conducted or initiated outside of Switzerland but actually or potentially adversely affect the privacy rights of individuals in Switzerland.
Further, the FADP may apply, in accordance with the principle of effects under private international law, in private enforcement.
The criminal law provisions of the FADP (Articles 60 to 66) apply to offenses committed in Switzerland (criminal law principle of territoriality).
The FADP is an omnibus law governing any processing (including collection, storage, adaptation or alteration, disclosure, archiving, destruction, or other use) of personal data. Processing of personal data by natural persons for personal household uses is exempted.
The FADP does not apply to the processing of anonymous data (i.e., information that the respective holder or receiver of the information will not reasonably likely relate to an identified or identifiable individual).
3.1. Main regulator for data protection
The FDPIC supervises businesses, organizations, and Federal public authorities' compliance with their respective obligations under the FADP and the Ordinance.
State prosecutors of the Cantons enforce criminal law provisions of the FADP (see the section on penalties below for details). State prosecutors also enforce data protection law-related offenses under the Criminal Code.
The data protection supervisory authorities of the Cantons supervise the data processing activities of Cantonal and communal authorities in accordance with the Cantonal data protection acts.
In addition, private enforcement plays a role, in particular as regards injunctions banning disclosure of personal data, and the enforcement of the right of access or the right to have personal data rectified or deleted (see the sections on Data Subject Rights and on Penalties below).
3.2. Main powers, duties and responsibilities
The FDPIC has the power to issue binding decisions: the FDPIC may (ex officio or upon a data subject's complaint) require the respective business, organization, or Federal authority (controllers) to correct, suspend, or cease certain processing of personal data, or to delete personal data entirely or partially. The FDPIC may also require the businesses, organizations, or Federal authorities concerned to comply with specific obligations that apply to them as controllers or processors, such as, in the case of controllers, to inform individuals of data breaches notified to the FDPIC, to grant a right of access or other data subject rights (see the section on data subject rights below), or to perform a DPIA.
In contrast to supervisory authorities in most jurisdictions where the GDPR is enforced, the FDPIC does not, however, have the power to impose administrative fines on businesses or organizations. Nor does the FDPIC have the power to impose fines on individuals.
4. Key Definitions
Data controller: The FADP distinguishes the roles of controllers and, respectively, processors. The term 'controller' refers to the business, organization, natural person, or Federal authority that determines (alone or jointly with others) the purpose and means of the processing of personal data.
Personal data: The FADP defines 'personal data' as any information relating to an identified or identifiable natural person. This includes information that directly identifies a natural person (e.g. a full name or a picture showing a person's face) and information that allows identification indirectly by reference to additional information (e.g. email address, telephone number, social security number, or customer number). A 'relative' approach to identification applies. Information may qualify as personal data in the hands of one party and as anonymous data in the hands of another party. Identifiability means that the party holding or receiving the information has (or will reasonably likely gain) access to means it will reasonably likely use to identify, directly or indirectly, the specific individual to whom the data relates (the data subject). To ascertain whether such identification is reasonably likely, account is taken of the costs of and the amount of time the holder or receiver of the information requires for identification, taking into consideration the technology available to such business, organization, or natural person.
Sensitive personal data: The FADP qualifies the following categories of personal data as sensitive personal data:
- personal data concerning religious, ideological, political, or trade union-related views or activities;
- personal data concerning health, the intimate sphere, or the racial or ethnic origin of an individual;
- genetic data;
- biometric data that uniquely identifies an individual;
- personal data concerning administrative or criminal proceedings and sanctions; and
- personal data concerning social security measures.
Note that the above list of categories of sensitive personal data is conclusive.
Disclosure: means transmitting or making personal data available, specifically by making personal data available to a processor or by transferring personal data to a third party. Note that disclosures to processors (i.e. entrusting processors with the controller's data processing activities) do not qualify as disclosures to third parties (see the sections on Special Categories of Personal Data and on Controller and Processor Contracts below for details).
Processing: means any operation performed on personal data, irrespective of the means or procedures applied, and in particular the collection, storage, use, modification, disclosure, archiving, deletion or destruction of data.
5. Legal Bases
In contrast to the principle of 'lawfulness of processing' on which the GDPR is based, the processing of personal data by businesses, organizations, or natural persons is generally allowed under the FADP. Only public authorities require a legal basis for processing (Article 34 of the FADP). Private businesses or organizations do not need a legal basis for the lawful processing of personal data under the FADP.
Legal bases, or rather 'justifications,' are relevant to the processing by private businesses or organizations only (except if and to the extent they process personal data in the exercise of Federal public authority vested in them) as a basis to justify an otherwise unlawful personality rights infringement (Articles 30–31 of the FADP). See the section on Principles below for details.
Preliminary remarks: It is important to note that Articles 6(6) and 6(7) of the FADP (see below) do not set out a general consent requirement for processing personal data. These provisions merely define the conditions for valid consent that apply if a controller needs to justify processing and seeks to use consent as a basis for the justification (and not another basis such as the performance of a contract or other legitimate interests).
Where a controller needs to justify processing (see the introductory remarks to the section on 'Legal Bases' and the definition of 'lawfulness of processing' in the section on 'Principles') and seeks to rely on consent for that purpose, consent is valid only if it is informed, freely given and specific to one or several processing activities (Article 6(6) of the FADP).
Further, if the controller seeks to justify the disclosure of sensitive personal data to third parties (other controllers; not processors) or if it otherwise seeks to justify a personality rights infringement (e.g. processing for further purposes or for longer than necessary) concerning sensitive personal data, consent needs to be given expressly (clear affirmative action) (Article 6(7) of the FADP).
The same requirement (clear affirmative action) applies if a controller seeks to justify a personality rights infringement concerning high-risk profiling, e.g. high-risk profiling for further purposes or for longer than necessary, or if a public authority seeks to perform high-risk profiling (Article 6(7) of the FADP). High-risk profiling is a concept introduced late in the Parliamentary debate; it means profiling that poses a high risk to the privacy of individuals by combining data in a way that enables an assessment of essential aspects of the personality of a natural person.
Note, however, that high-risk profiling by private businesses or organizations does not per se require consent – despite the lengthy debate and the misconceptions pertaining thereto. Rather, the relevant provision (Article 6(7) of the FADP) defines a condition for valid consent that applies only if a controller needs to justify processing and seeks to rely on consent for that purpose – and not on other grounds for justification, such as overriding private or public interests or a legal obligation. See the introductory remarks to this section above and the definition of 'lawfulness of processing' in the section on principles below for details.
Where a controller needs to justify processing (see the preliminary remarks to this section above and the definition of 'lawfulness of processing' in the section on principles below), the interests of the controller may justify the processing if the interests override the data subject's privacy interests (Article 31(1) of the FADP). A necessity for the conclusion or performance of a contract with the data subject is considered such interest that may override the data subject's privacy interests (Article 31(2)(a) of the FADP).
Where a controller needs to justify processing (see the preliminary remarks to this section above and the definition of 'lawfulness of processing' in the section on principles below), the necessity of the controller's compliance with legal obligations may justify the processing (Article 31(1) of the FADP). Only legal obligations laid down in Swiss law will be considered.
Interests of the data subject may qualify as 'private interests' under Article 31(1) of the FADP that may justify an otherwise unlawful personality rights infringement. At the same time, processing that is in the (vital) interest of the data subject is less likely to qualify as a personality rights infringement in the first place.
Overriding public interests may justify an otherwise unlawful personality rights infringement, particularly if invoked by public authorities (Article 31(1) of the FADP). Courts are reluctant to accept public interests as grounds for justification if private controllers invoke it.
Legitimate interests of the controller are 'private interests' within the meaning of Article 31(1) of the FADP that may justify an otherwise unlawful personality rights infringement, provided they override the privacy interests of the data subject. Legitimate interests of the data controller include, in particular, and without this being a conclusive list of interests (Article 31(2) of the FADP):
- processing in order to conclude or perform a contract with the data subject;
- processing for the purpose of competing economically with another organization, provided the controller will not share the personal data with third parties (whereby, in this context, intragroup transfers are not considered transfers to third parties);
- processing for the purpose of checking the creditworthiness of a data subject (subject to restrictions);
- processing on a professional basis and exclusively for publication in an edited section of a periodically published medium;
- processing for purposes not relating to a specific person, in particular, for the purposes of research, planning, and statistics (subject to restrictions); and
- collection of personal data relating to a person of public interest, where the purposes of the collection and processing relate to the public activities of that person.
To account for the principles of proportionality (data minimization and storage limitation) and purpose limitation (as put into more concrete terms in Article 328b of the Civil Code), employers may, in principle, only process employee personal data to the extent the processing relates to the workplace. This includes processing that is necessary for the performance of the employer's obligations to the employee under the employment contract, for compliance with statutory obligations, or for the purposes of legitimate interests of the employer or third parties that have a sufficient connection to the workplace (e.g. the enforcement of legal claims, measures ensuring safety at work or information security, fleet management, or marketing of professional services performed by the employee).
According to case law of the Swiss Federal Supreme Court (4A_518/2020, 5 August 2021, only available in French), however, the workplace-relation requirement does not per se prohibit the processing of employee personal data for non-work-related purposes. Specifically, processing for further purposes may be justified in individual cases based on statutory obligations or overriding legitimate interests of the employer or a third party, or even based on interests of the employee.
Obtaining the employees' consent is typically not necessary (and will not be freely given and thus not valid unless the employee has a real choice).
Employees have a duty of loyalty to their employers. This means that employees have to tolerate certain restraints on their privacy interests. At the same time, employers have a duty of care to their employees. Even if employees are under a loyalty obligation, employers have to process employee personal data in ways that are least intrusive to the privacy interests of their employees (principle of proportionality). In this context, it is particularly important to inform employees adequately about the functioning and purposes of, for example, fleet management, internet use monitoring, or video surveillance systems that the employer intends to use, and about the employees' rights in connection with the processing of personal data for such purposes.
6. Principles
The following processing principles are key principles and responsibilities of controllers under the FADP:
- Lawfulness: Businesses or organizations (controllers) may only process personal data that has been collected in accordance with other applicable laws. For example, processing personal data that has been collected through unlawful trespassing or wiretapping would infringe the 'lawfulness' principle. Note that, in contrast to the principle of 'lawfulness of processing' on which the GDPR is based, the processing of personal data by businesses, organizations, or natural persons is generally allowed under the FADP (see also above the section on 'Legal bases'). Only public authorities require a legal basis for processing.
- Fairness (good faith): Controllers may only perform such processing activities as data subjects may reasonably expect. Furthermore, fairness (good faith) means that processing must be performed as described in privacy notices.
- Transparency: Controllers have to convey to data subjects all information necessary in order to ensure transparent data processing. The information needs to enable data subjects to exercise their rights under the FADP. At a minimum, controllers need to inform data subjects about:
  - the identity and the contact details of the controller;
  - (where applicable) the contact details of the data protection officer ('DPO');
  - the contact details of the Swiss representative, if any;
  - the purposes of the processing of personal data;
  - the recipients or categories of recipients of the personal data, if any;
  - the categories of personal data concerned, where the personal data is not obtained directly from the data subject;
  - where the controller intends to transfer personal data to a recipient outside of Switzerland, the countries the controller intends to transfer personal data to, and (in the absence of an adequacy decision taken by the Federal Council) the safeguards relied on (e.g. Standard Contractual Clauses ('SCCs') or derogations); and
  - (where applicable) the existence of automated individual decision-making.
- Purpose limitation: Controllers may only process personal data for the specified purposes that have been notified to or are obvious to data subjects; and may only process personal data in a manner compatible with those purposes. The information about the purposes of the processing needs to be specific. Controllers also need to ensure that further processing of personal data received from other controllers is compatible with the purposes determined and communicated to the data subjects at the time of collection.
- Proportionality: The processing of personal data needs to be proportionate; that is, limited to what is necessary to achieve the specified purposes, considering the type of personal data concerned and the scope and duration of the processing. The data minimization and storage limitation principles are key aspects of the proportionality principle. This means that controllers need to limit the scope of personal data collected and processed to what is necessary for the intended purposes and to delete personal data once it is no longer needed for the specified purposes.
- Accuracy: Controllers need to ensure they only process personal data that is accurate and kept up to date. They must take all reasonable steps to ensure that personal data that is inaccurate or incomplete, having regard to the purposes for which it is processed, is deleted or rectified.
- Data security: Both controllers and processors are under an obligation to ensure an adequate level of data security. They are required to protect the integrity, confidentiality, and availability of personal data by means of adequate technical and organizational security measures. In assessing the appropriate level of security, controllers and processors have to account for the purpose, type, and scope of the data processing, the assessment of potential risks for data subjects, and the state-of-the-art security solutions.
If businesses and organizations process personal data in accordance with the processing principles set out above, the processing will generally be considered lawful as long as the data subject has not expressly objected to the processing. Infringements of these processing principles (e.g. processing for further purposes than those initially specified, or processing for longer than necessary for the specified purposes), or continued processing despite the data subject's objection, are breaches of personality rights of the affected data subject. In addition, disclosure of sensitive personal data to third parties without a valid ground for justification is deemed a breach of personality rights.
Breaches of personality rights are deemed unlawful unless the controller can demonstrate that the relevant data processing is justified on grounds of overriding private or public interests or the necessity for its compliance with legal obligations laid down in Swiss law. See section on 'Legal bases' above.
7. Controller and Processor Obligations
No registration with or notification to the FDPIC is generally required in order to process personal data in Switzerland (or to perform data processing operations with effects in Switzerland).
The Federal Council adopts adequacy decisions in relation to jurisdictions that provide an adequate level of protection. Thereby, the Federal Council usually follows the European Commission's lead and considers adequate those jurisdictions in relation to which the European Commission has adopted an adequacy decision. Annex 1 of the Ordinance lists the States, territories, and specified sectors in a State or international bodies that, according to the Federal Council's adequacy decisions, guarantee an adequate level of data protection.
Appropriate safeguards (or derogations for specific situations) are required in order to transfer personal data to states without an adequate level of protection. Appropriate safeguards include: SCC issued, approved, or recognized by the FDPIC, Binding Corporate Rules ('BCRs') approved by the FDPIC or a competent data protection supervisory authority in a state that provides adequate protection, or (subject to prior notification to the FDPIC) contractual clauses incorporated into a controller-to-processor data processing agreement.
The FDPIC has recognized the SCC issued by the European Commission in June 2021 as a valid safeguard for transfers from Switzerland to states without an adequate level of protection, provided that the parties supplement the SCC with an annex that implements Swiss law-specific safeguards. The following supplements are (except in the case of onward transfers) expected:
- References to the GDPR are to be understood as references to the FADP;
- the competent supervisory authority (to be named in Annex I.C) is the Swiss FDPIC; and
- the term 'Member State' must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of bringing legal proceedings against the data exporter and/or data importer before the courts of Switzerland.
Further, the FDPIC expects the performance of a Transfer Impact Assessment ('TIA') in connection with the use of SCC.
In addition, the FADP provides for derogations for data transfers in specific situations, such as where the transfer is directly related to the conclusion or the performance of a contract between the data subject and the controller.
The above rules on data transfers also apply in an outsourcing context, where a controller in Switzerland engages a processor in another state, or where a processor in Switzerland engages a sub-processor in another state. In addition, controller-to-processor relationships and processor-to-sub-processor relationships have to be governed by a data processing agreement.
Under the FADP (Article 12), controllers (and processors) are required to maintain records of processing activities. An exemption applies in relation to low-risk processing of personal data by businesses with fewer than 250 employees, provided such small or medium enterprise's data processing activities pose a negligible risk of harm to the personality of data subjects. The Ordinance lays out the specifics.
Controllers are required to perform DPIAs for intended high-risk processing of personal data. The high risk may result from the type, scope, circumstances, or purposes of the processing or from the use of new technologies. A DPIA is required under the FADP, in particular, in the case of processing on a large scale of sensitive personal data, or the systematic monitoring of publicly accessible areas on a large scale. The implementation of high-risk profiling requires a prior privacy risk assessment and, potentially, a DPIA.
The FADP provides that the DPIA should include a description of the planned processing, an assessment of the risks for the personality or the fundamental rights of data subjects, as well as the measures planned to protect their personality and fundamental rights (Article 22(3) of the FADP). The FADP exempts private controllers (businesses or organizations) from the obligation to perform a DPIA in the following cases:
- if they perform the relevant processing activity on the basis of a legal obligation (Article 22(4));
- if they use a system, product, or service certified in accordance with Article 13 of the FADP; or
- (subject to the conditions set out in Article 22(5)) if they comply with a code of conduct within the meaning of Article 11 of the FADP.
The FADP stipulates that a controller must consult the FDPIC when the DPIA reveals that the processing presents a high risk for the personality or fundamental rights of the data subject despite the measures envisaged by the controller (Article 23 of the FADP). However, the FADP provides for an exemption to such consultation requirement where the private controller (business or organization) has consulted its DPO (Article 23(4) of the FADP).
Appointing a DPO (i.e., a 'data protection advisor') is not mandatory for businesses and organizations under the FADP (Article 10). However, Federal authorities (including businesses or organizations processing personal data in the exercise of Federal public authority vested in them) are required to appoint a DPO (Article 25 of the FDPO).
Even if the FADP does not require businesses and organizations to appoint a DPO, the FADP incentivizes the appointment of a DPO (cf. above, regarding DPIAs and prior consultations). In any case, it is advisable to voluntarily appoint a data protection contact person or coordinator, even if that person is not formally appointed as DPO. In practice, compliance with the documentation and notification obligations and responding to data subjects' requests under the FADP require businesses and organizations to establish an internal data protection function.
The (formally appointed) DPO (Article 10 of the FADP) must be independent, both organizationally and in the exercise of his or her professional expertise. From an organizational point of view, the DPO may not perform tasks that are incompatible with the tasks of the DPO (avoidance of conflicts of interest). As regards professional expertise, the controller has to ensure that the DPO does not receive any instructions regarding the exercise of the DPO tasks. The DPO can be either an employee or a third party.
The DPO's functions include (Article 10 of the FADP and Article 26(2) FDPO, applying to public authorities' DPO, which provides examples of tasks that may also guide private controllers' definition of DPO tasks):
- act as point of contact for data subjects and the FDPIC;
- train and advise the controller (and its employees) in data protection matters;
- participate in the implementation of data protection compliance in the business, organization or at the public authority, in particular by
  - auditing compliance with the FADP and the Ordinance;
  - recommending corrective measures if the DPO ascertains that processing is not compliant with the FADP and the Ordinance; and by
  - advising the controller in performing DPIAs and reviewing the DPIA.
The DPO must have the professional skills and expertise necessary to perform the statutory tasks of a DPO. Basic knowledge of data protection law is generally sufficient in order to perform the tasks of advising on and auditing compliance with the FADP and the Ordinance (in particular, if supported by external legal advisors), and for consultation with the FDPIC. At least as important (namely in connection with a DPIA or with regard to data security) is knowledge of the relevant technology, data flows, and business processes.
The DPO must be provided with the resources, as well as access to all files and information, which are necessary in order to carry out their duties.
Businesses or organizations that appoint a DPO in accordance with the FADP have to publish and provide to the FDPIC the contact details of the DPO.
Under the FADP (Article 14), businesses or organizations (private controllers) established outside of Switzerland have to appoint a representative in Switzerland under certain conditions. They will be required to do so if they regularly perform high-risk and large-scale processing of personal data in connection with the offering of goods or services in Switzerland, or in connection with the monitoring of individuals' behavior taking place in Switzerland.
Controllers are required to notify the FDPIC of personal data breaches that may result in a high risk for data subjects (Article 24(1) of the FADP). No specific deadline is defined for the notification. Controllers need to notify the FDPIC as quickly as possible, i.e., without undue delay.
The notification to the FDPIC needs to include the following (Article 15 of the Ordinance):
- a description of the nature of the data breach;
- as far as possible, the time and duration of the data breach;
- as far as possible, the categories and the approximate number of personal data concerned;
- as far as possible, the categories and the approximate number of data subjects concerned;
- the impact, including any risks, for the data subjects;
- what measures the controller has taken or envisages to remedy the defect and mitigate the impact, including any risks; and
- the name and contact details of a contact person.
The FDPIC makes available an online form (data breach notification portal) for reporting a data breach to the FDPIC.
Controllers are required to notify the data subjects affected by the personal data breach if such notification is necessary in order to protect the data subjects or if the FDPIC so requests. Notifications to data subjects have to include the following information:
- a description of the nature of the data breach;
- as far as possible, the categories and the approximate number of data subjects concerned;
- the impact, including any risks, for the data subjects;
- what measures the controller has taken or envisages to remedy the defect and mitigate the impact, including any risks; and
- the name and contact details of a contact person.
Furthermore, controllers are required to document the personal data breach. Such documentation has to include a description of the facts and impacts of the data breach as well as of the measures taken.
Processors who detect a personal data breach are required to notify the controller of the breach as quickly as possible, i.e. without undue delay.
Data breach notification obligations that apply to regulated banks or insurance companies (in relation to customer data) or hospitals (in relation to electronic patient records) may apply in addition to the obligation to notify personal data breaches under the FADP.
Controllers have to delete or sufficiently de-identify (i.e., render anonymous) personal data once they no longer need it for the specified purposes, to pursue legitimate interests (such as enforcement of legal claims or archival purposes), or to comply with legal obligations (such as record-keeping obligations).
Disclosing special categories of personal data (also referred to as 'sensitive data') to third parties requires justification, such as the consent of the data subject, or necessity for the purposes of overriding interests of the controller or compliance with legal obligations.
Note that only disclosures of sensitive data (not the processing of sensitive personal data per se) require justification. This is often misunderstood, including by the FDPIC. Also, note that engaging processors to perform (sensitive) personal data processing activities does not qualify as disclosing (sensitive) personal data. See the section on controller and processor contracts below for details.
In addition, higher standards for transparency and data security apply in relation to the processing of special categories of personal data, and a DPIA is more likely to be required if the envisaged processing activity involves the processing of special categories of personal data.
The controller-to-processor relationship needs to be governed by a contract (or established by law). The contract (or law) must secure two objectives of control for the controller:
- to ensure that the processor only performs processing activities that the controller would also be allowed to perform (processing as instructed), and
- to ensure that the processor provides adequate data security (Articles 9(1) to 9(2) of the FADP).
Further (Article 9(3) of the FADP), the FADP provides that a processor may only engage a sub-processor with the prior consent of the controller. Article 7 of the Ordinance specifies that the consent can either be specific or general, and that in the case of a general consent, the processor needs to inform the controller of any new sub-processors or changes to existing sub-processors and to grant the controller a right to object to such change.
The standard for data processing agreements required by Article 28(3) of the GDPR suffices in most circumstances for the purposes of the FADP. Note that, where the data processing agreement also addresses data transfers, controllers and processors should ensure transfers from Switzerland to abroad are also covered. In practice, this can often be achieved if the parties simply agree that Switzerland is considered a member of the European Economic Area ('EEA') for the purposes of the data processing agreement.
Controllers are primarily responsible for compliance with the FADP. Yet, the FADP also sets out legal obligations applying directly to processors (including data security obligations, restrictions on engaging sub-processors, and the requirement to maintain a record of processing activities).
Note that the disclosure of personal data by controllers to processors is 'privileged' under the FADP in the sense that disclosures to processors (or rather entrusting processors with data processing activities of the controller) do not qualify as disclosures to third parties in the sense of Article 30(2)(c) of the FADP and hence do not require justification.
8. Data Subject Rights
The FADP requires that the collection of personal data and processing purposes be transparent. This transparency principle follows from the 'fairness' principle set out in Article 6(2) of the FADP.
Controllers are required to inform data subjects of the collection and processing of personal data. Article 19(2) of the FADP contains a list of minimum elements of information that controllers need to convey to data subjects at the time of collection of personal data (please see the above explanation of the transparency principle in the section on 'Principles' for details).
Further obligations to inform data subjects are set out in Article 10(3)(d) (obligation to publish the contact details of the DPO), Article 14(3) (obligation to publish the contact details of the Swiss representative), and Article 21(1) (obligation to inform about automated individual decision-making) of the FADP.
Article 25 of the FADP provides data subjects with the right to access personal data undergoing processing and which relate to the data subject. Article 25(2) of the FADP sets out a list of minimum elements of information that a controller needs to provide in response to access requests, namely:
- the identity and contact details of the controller;
- the personal data undergoing processing (this includes a right to receive a copy of the personal data);
- the purposes of the processing;
- the storage duration or, if not possible, the criteria used to determine this duration;
- (if the controller has not obtained the personal data directly from the data subject) the available information as to the origin of the personal data;
- (if any) the existence of automated individual decision-making and information about the logic involved; and
- (if any) the recipients or categories of recipients of the personal data.
Article 16 of the Ordinance sets out the modalities of the exercise and granting of the right of access. Requests must be made (electronically or on paper) in writing (except if the controller agrees to receiving the request orally). The controller needs to provide the information (electronically or on paper) in writing and provide a copy of the personal data in the form in which the data exists. If the data subject agrees, the information may also be provided orally. Moreover, Article 16 of the Ordinance provides that the controller needs to take reasonable measures to check the identity of the data subject prior to providing the information and data.
A 30-day deadline applies (Article 18 of the Ordinance), but controllers may also inform the data subject that gathering the relevant information and data requires more time, or provide the information and data in stages.
A controller may refuse, limit, or defer their provision of information and data (Article 26 of the FADP):
- if this is required to comply with a legal obligation (e.g., a professional secrecy obligation) laid down in Swiss law;
- in order to protect the overriding interests of third parties; or
- if the request is manifestly unfounded (namely if the data subject pursues a purpose unrelated to privacy interests or if the request is manifestly querulous).
In addition, a controller may refuse, limit, or defer the provision of information and data based on its own prevailing interests; yet this applies only if the controller does not disclose the personal data to third-party recipients. The fact that prevailing interests of the controller are only valid grounds for refusal, limitation, or deferral if the controller does not share the personal data with other controllers (recipients) results in a relatively weak protection of the controller's business secrets.
Data subjects have a right to ask that inaccurate data a controller holds about them be rectified (Article 32(1) of the FADP).
The controller may refuse to rectify incorrect personal data if a statutory obligation prohibits the rectification or if the personal data is being processed for archiving purposes in the public interest.
The right to object to the processing of personal data provided under Article 30(2)(b) of the FADP includes (in conjunction with Article 32(4) of the FADP) a right to erasure.
A controller may refuse to delete personal data based on legal obligations or prevailing private or public interests (Article 31 of the FADP).
Article 30(2)(b) of the FADP provides data subjects a right to object to the processing of their personal data (essentially an opt-out right). The objection/opt-out right is, however, not absolute. Controllers may continue to process the personal data or, respectively, refuse to restrict the processing or to delete personal data if and to the extent this is necessary for their compliance with legal obligations, the performance of a contract, or for the purposes of other prevailing private or public interests (Article 31 of the FADP).
Data subjects have a right to data portability on the conditions set out in Article 28 of the FADP. This right provides for a right to receive a copy of the personal data relating to the data subject in a commonly used format, or to ask that the personal data be transferred to another controller. These rights are subject to the following conditions:
- the controller processes the data in an automated manner; and
- the data is processed with the data subject's consent or in direct connection with the conclusion or performance of a contract with the data subject.
Note that, in contrast to the position under the GDPR, controllers (except public authorities) do not have to determine, document, or notify data subjects of any legal basis or justification for the processing of personal data under the FADP. Justification is required only in limited circumstances (see the section on legal bases above), and there is no documentation or notification requirement regarding justifications.
Yet, the second condition set out above is not intended to limit the data portability right to situations where the processing requires justification (and where the controllers rely on consent or necessity for the performance of a contract as grounds for justification). Rather, the second condition should be interpreted in such a way that the right to data portability applies to (i) personal data the data subject has voluntarily provided to the data controller (hence the reference to consent) or (ii) personal data the data subject has voluntarily and of their own accord generated when using a service (provided data), or has had observed by the respective service provider (observed data), in the context of this self-chosen contractual situation; but excluding data derived from the controller's analysis of the provided or observed data (derived data). Article 20 of the Ordinance supports this interpretation of the scope of the right to data portability.
The exceptions to the right to access (Article 29 in conjunction with Article 26(1) and (2) of the FADP; see the section on right to access above) also apply as exceptions to the right to data portability. In addition, a controller may refuse to grant the right to transfer personal data to another controller if this would require a disproportionate effort.
The Ordinance sets out specifics as to technical requirements and modalities of exercising and granting the right to data portability. The same modalities and the deadline applying to the right to access apply to the right to data portability (Articles 21 and 22 of the Ordinance).
Controllers are obligated to inform data subjects if they use automated individual decision-making. In addition, controllers have to grant data subjects a right to be heard in the case of automated individual decision-making (Article 21 of the FADP).
These obligations do not apply if the decision is made in connection with the conclusion or the performance of a contract with the data subject and where the controller grants the request made by the data subject, or if the data subject has consented to the automated individual decision-making (Article 21(4) of the FADP).
Data subjects may object to automated individual decision-making by invoking and subject to the limitations of the right to object (see the section on the right to object/opt-out above).
The FADP grants data subjects all rights also granted under GDPR, and potentially more, as remedies available in cases of personality rights infringements under the Civil Code are also available under the FADP (Article 32(2) of the FADP).
Courts have interpreted the right to object pursuant to Article 12(2)(b) of the old FADP (1992) to also include a right to restriction of processing and a right to erasure (i.e., to have personal data deleted, destroyed, or anonymized). The identical provision in Article 31(2)(b) of the FADP is also interpreted to include these rights. Further, the FADP expressly mentions deletion or destruction of personal data and prohibition of processing as remedies that data subjects may seek in court (Article 32(4) of the FADP).
The FDPIC does not have the power to issue administrative fines. However, the FDPIC has corrective powers. It may oblige businesses, organizations, or Federal authorities (controllers) to correct, suspend, or cease certain processing of personal data, or to delete personal data entirely or partially. The FDPIC may also require the business, organization, or Federal authority concerned to comply with specific obligations that apply to them as controllers or processors (cf. section on 'Main Powers, Duties and Responsibilities' above).
The Cantonal public prosecutor's offices enforce the criminal law provisions of the FADP.
Article 60 of the FADP provides for criminal liability (payment of a fine) in cases of knowing and willful violation of certain information, notification, and cooperation obligations:
- providing false or incomplete information in privacy notices or in responses to access requests;
- failing to inform individuals of the collection of personal data or about the existence of individual automated decision-making;
- failing to provide the data subject with the minimum information required under Article 19(2) of the FADP;
- providing false information to the FDPIC in the context of an investigation; or
- refusing to cooperate with the FDPIC in the context of an investigation.
Article 61 of the FADP provides for criminal liability (payment of a fine) in cases of knowing and willful violation of certain duties of diligence:
- transferring personal data abroad without there being an adequacy decision or appropriate safeguards or applicable derogations;
- assigning data processing to a processor without the conditions set forth in Articles 9(1) and 9(2) of the FADP being met; and
- failing to comply with the minimum data security requirements which the Federal Council has set out in the FDPO.
In addition, the FADP (Article 62) sets out a data secrecy obligation: knowing and willful disclosure of secret personal data of which the individual disclosing the data has gained knowledge while exercising their profession which requires knowledge of such data, is a criminal offense (payment of a fine).
Finally, the FDPIC may issue decisions stating that failure to comply with a decision (once it is binding) of the FDPIC carries a fine. This may then be enforced by state prosecutors (Article 63 of the FADP).
Criminally liable persons:
The criminal sanctions of the FADP are intended by the legislator to be directed at the managing directors. However, the law does not completely exclude the criminal liability of employees. This has resulted in a rather complicated rule, according to which the company itself can also be criminally liable.
In particular, infringements of Articles 60–63 of the FADP will usually happen in business operations. Accordingly, the FADP (Article 64) declares a special rule, specifically Articles 6 and 7 of the Federal Act on Administrative Criminal Law ('the ACLA'), to be directly applicable. According to Article 6(2) and (3) ACLA, a company's principal is punished for violations of the criminal law provisions of the FADP that they have not averted "in breach of a legal obligation". Further, Article 64 of the FADP sets out (in conjunction with Article 7 ACLA) that the company itself can be punished.
The following persons are therefore criminally liable under the FADP:
Directly acting employees: Individuals (natural persons) who have decision-making power as concerns the data processing that violates a criminal law provision (typically, management functions) and have knowingly and willfully violated such provision are primarily liable. They may be fined up to CHF 250,000 (approx. $285,900) in case of a breach of the above-mentioned criminal law provisions.
Management (principals): Since data protection law usually concerns business operations, and since principals are responsible for the organization of business operations, principals could regularly be liable for violations of Articles 60–63 of the FADP (although this has been criticized). The principals can already be punished if they were negligent and if the data protection breach could have been averted without the negligent behavior – provided, however, that the direct perpetrator (i.e., the directly acting employee who committed the offense) acted knowingly and willfully. Principals may be liable to prosecution even if the direct perpetrator cannot be punished. The maximum fine is CHF 250,000 (approx. $291,790).
Corporate liability: If the violation of Articles 60–63 of the FADP would only result in a fine of no more than 20% of the fine limit (i.e., a fine of no more than CHF 50,000 (approx. $58,360)), the company can be ordered to pay the fine. However, the investigating public prosecutor's office must be of the opinion that the effort required to identify the persons responsible for the offense within the company would be disproportionately high. This liability then replaces the punishment of the directly acting employee or the management (principals).
The FADP provides private rights of actions against infringements of personality rights protected under the FADP. Of particular practical relevance is litigation concerning the exercise of the rights of access, rectification, and deletion. Yet data subjects may also claim infringement of key data privacy principles such as purpose limitation, data minimization, and data security. The following remedies are available for claims brought under the FADP:
- prior restraints and other injunctions preventing an imminent infringement (such as unlawful disclosure of personal data);
- removal of an existing infringement (this includes enforcement of the right to rectification or deletion);
- an order of the court requiring the controller to provide information or access;
- a declaratory judgment (if the infringement continues to affect the privacy interests of the data subject); and
- claims for compensatory damages, moral damages, and disgorgement of profits.
See the section on case law above.