Switzerland - Data Protection Overview
1. Governing Texts
Swiss data protection law is rooted in the civil law protection of personality rights. The Federal Constitution of the Swiss Confederation ('the Constitution') provides a constitutional right to privacy. Article 13 of the Constitution protects the right to privacy in personal or family life and in a person's home. Article 28 of the Swiss Civil Code ('the Civil Code') and the Federal Act on Data Protection 1992 ('FADP') put this fundamental right to privacy into concrete terms at a statutory level.
In essence, the data processing principles set out in the FADP provide for protection against infringements of personality rights (data privacy) through excessive use of personal data. Article 28 of the Civil Code remains relevant, from a privacy law perspective, where libel, slander, or defamation is the concern. Furthermore, Article 28 of the Civil Code is relevant for the protection of personality rights of legal entities.
In addition to criminal liability governed by the FADP, a number of provisions of the Swiss Criminal Code ('the Criminal Code') are relevant in a data protection and privacy context. These include criminal law protection of a person's reputation against defamation (including libel and slander) and criminal law provisions prohibiting unauthorised recording of private conversations or wiretapping.
Sector-specific data protection and security requirements set out in laws regulating businesses and organisations in certain sectors (including the healthcare, pharmaceutical, energy, telecommunications, and finance sectors) provide more specific requirements applying to the processing of, for example, patient personal data, bank customer data, or smart meter data. Sector-specific provisions typically supersede the provisions of the FADP.
The 26 Cantons, the federal states of the Swiss Confederation, have enacted their own data protection acts. These govern the processing of personal data by Cantonal authorities.
On September 25, 2020, the Federal Parliament enacted a revised FADP (the final text of which is accessible in German here, French here, and Italian here) ('the Revised FADP'). The Revised FADP will enter into force in the course of 2022 or at the beginning of 2023. It implements the requirements of the Council of Europe's modernised Convention 108 on the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), and it aligns the FADP with the European Union's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') with the aim of retaining the European Commission's adequacy finding.
The FADP is the key act regulating data protection in Switzerland. The Ordinance on the Federal Act on Data Protection ('FODP') puts certain aspects of the FADP into more concrete terms. For example, it sets out the specifics of notification requirements and the modalities of the right of access. A revised FODP (draft text available in French here, in Italian here, and in German here), which is open for comments until 14 October 2021, will enter into force together with the Revised FADP.
In addition, the Swiss Civil Code and the Criminal Code regulate aspects of privacy and data protection. See above (Intro) for details.
Note that only the German, French, and Italian versions of the Federal laws referenced in this Note are official texts. English versions are provided only for reference purposes.
Key non-binding guidelines issued by the Federal Data Protection and Information Commissioner ('FDPIC') include:
- Guidelines on data subjects' rights regarding the processing of personal data (only available in German here, in French here, and in Italian here);
- Guidelines on the processing of personal data by companies or organisations (only available in German here, in French here, and in Italian here);
- Guidelines on technical and organisational security measures;
- Guidelines on transborder data flows;
- Guidelines on the processing of personal data in the employment context (only available in German here, in French here, and in Italian here);
- Guidelines on the monitoring of internet and email use at the workplace (only available in German here, in French here, and in Italian here); and
- Guidelines on the processing of personal data in the healthcare sector (only available in German here, in French here, and in Italian here).
1.3. Case law
The following are leading decisions of the Swiss Federal Supreme Court:
- Decision BGE 144 I 126 (Retention of telecommunications traffic data) (only available in German here);
- Decision BGE 143 I 253 (FINMA Watchlist) (only available in German here);
- Decision BGE 142 III 263 (Video surveillance system) (only available in German here);
- Decision BGE 141 III 119 (Employees' right of access) (only available in German here);
- Decision BGE 138 III 425 (Bank customers' right of access) (only available in German here);
- Decision BGE 138 II 346 (Google Street View) (only available in German here); and
- Decision BGE 136 II 508 (Logistep) (only available in German here).
In addition, the following judgments of the Swiss Federal Administrative Court ('FAC') are notable:
- Judgment A-3548/2018 of March 19, 2019, FDPIC v. Helsana Zusatzversicherungen (only available in German here);
- Judgment A-4232/2015 of April 18, 2017, FDPIC v. Moneyhouse (only available in German here); and
- Judgment A-5225/2015 of April 12, 2017, FDPIC v. Lucency (only available in German here).
2. Scope of Application
The FADP and the FODP apply to the processing of personal data by businesses and organisations in all sectors of the economy as well as to the processing of personal data by Federal authorities. They also apply to the processing of personal data by natural persons in the context of business activities, but not in the context of personal household uses.
Chapter 3 of the FADP only applies to the processing of personal data by businesses, organisations, and natural persons. Chapter 4 of the FADP only applies to the processing of personal data by public authorities of the Federation (and to the processing of personal data by businesses or organisations performing tasks in the exercise of Federal public authority vested in them).
Sector-specific data protection and security requirements apply to businesses and organisations in certain sectors (e.g. regulated medical device manufacturers, hospitals, energy suppliers, banks, or telecommunications services providers). Note that the cookie-related information obligations set out in the Swiss Telecommunications Act ('TCA') apply to any business or organisation processing personal data on users' devices by means of using telecommunications services.
The Cantonal data protection acts govern the processing of personal data by public authorities of the relevant Canton (and the processing of personal data by businesses or organisations performing tasks in the exercise of Cantonal public authority vested in them).
The principle of effects determines the FADP's territorial scope. In other words, the FADP applies to the processing of personal data that has actual or potential effects in Switzerland. This includes processing activities that are conducted or initiated outside of Switzerland but actually or potentially adversely affect the privacy rights of individuals in Switzerland. According to established case law, this territorial scope already applies to investigation proceedings of the FDPIC under the current FADP. The Revised FADP will codify this case law. Further, the Revised FADP may apply, in accordance with the principle of effects under private international law, in private enforcement.
The FADP is an omnibus law governing any processing (including collection, storage, adaptation or alteration, disclosure, archiving, destruction or other use) of personal data. Processing of personal data by natural persons for personal household uses is exempted.
The FADP does not apply to the processing of anonymous data (i.e. information that the respective holder or receiver of the information will not reasonably likely relate to an identified or identifiable individual).
3.1. Main regulator for data protection
The FDPIC enforces the substantive provisions of the FADP and the FODP.
State prosecutors of the Cantons enforce criminal law provisions of the FADP against the natural persons responsible for the violation (or against businesses or organisations, under certain circumstances). State prosecutors also enforce the data protection law-related offences under the Criminal Code.
The data protection supervisory authorities of the Cantons enforce the Cantonal data protection acts.
In addition, private enforcement plays a role, in particular as regards injunctions banning disclosure of personal data, and the enforcement of the right of access or the right to have personal data rectified or deleted (see section on data subject rights below).
3.2. Main powers, duties and responsibilities
Under the current FADP, the FDPIC may only issue non-binding recommendations. However, where the business, organisation, or Federal authority concerned does not agree to implement the recommendation, the FDPIC may file a complaint with the Federal Administrative Court and request that the court order the defendant to implement the recommendation.
Under the Revised FADP, the FDPIC will have the power to issue binding decisions: The FDPIC may (ex officio or upon a data subject's complaint) require the respective business or organisation or Federal authority to correct, suspend, or cease certain processing of personal data, or to delete personal data entirely or partially. The FDPIC may also require the business, organisation, or Federal authority concerned to comply with specific obligations, such as to inform individuals, grant a right of access, or to perform a Data Protection Impact Assessment ('DPIA'). In contrast to supervisory authorities in most jurisdictions where the GDPR is enforced, the FDPIC will not, however, have the power to impose administrative fines on businesses or organisations. Nor will the FDPIC have the power to impose fines on individuals.
4. Key Definitions
Data controller: The Revised FADP will distinguish controllers and processors. Similarly, the current FADP distinguishes owners of data filing systems and third parties processing personal data on behalf of such owner. The term 'controller' (under the Revised FADP) refers to the business, organisation, natural person, or federal authority that determines (alone or jointly with others) the purpose and means of the processing of personal data.
Data processor: 'Processors' (under the Revised FADP) are businesses, organisations, natural persons, or federal authorities that process personal data on behalf (and for the purposes of) the controller.
Personal data: The FADP defines 'personal data' as any information relating to an identified or identifiable person. This includes information that directly identifies a (natural) person (e.g. a full name or picture showing a person's face) and information that allows identification indirectly by reference to additional information (e.g. email address, telephone number, social security number, or customer number). A 'relative' approach to identification applies. Information may qualify as personal data in the hands of one party and as anonymous data in the hands of another party. Identifiability means that the party holding or receiving the information has (or will reasonably likely gain) access to means it will reasonably likely use to identify the (natural) person directly or indirectly. To ascertain whether such identification is reasonably likely, account is taken of the costs of and the amount of time the holder or receiver of the information requires for identification, taking into consideration the technology available to such business, organisation, or natural person. Note that the current FADP also governs the processing of information relating to an identified or identifiable legal entity. The Revised FADP will not apply to processing of information relating to an identified or identifiable legal entity.
Under the FADP, the following categories of personal data qualify as 'sensitive':
- personal data concerning religious, ideological, political, or trade union-related views or activities;
- personal data concerning health, the intimate sphere, or the racial origin of an individual;
- personal data concerning social security measures; and
- personal data concerning administrative or criminal proceedings and sanctions.
These categories of personal data will continue to be considered sensitive under the Revised FADP. The Revised FADP will add two new categories:
- genetic data; and
- biometric data that uniquely identifies an individual.
Disclosure: 'Disclosure' means making personal data available; for example, by permitting access, transferral to a third party (except to processors engaged by the controllers), or publication.
Processing: 'Processing' means any operation performed on personal data, irrespective of the means or procedures applied, and in particular the collection, storage, use, adaptation or alteration, disclosure, archiving, or destruction of data.
5. Legal Bases
In contrast to the principle of 'lawfulness of processing' on which the GDPR is based, the processing of personal data by businesses, organisations, or natural persons is generally allowed under the FADP. Only public authorities require a legal basis for processing. Private controllers do not need a legal basis for lawful processing of personal data under the FADP.
Legal bases, or rather 'justifications', are relevant only as a basis to justify an otherwise unlawful personality rights infringement. See section on principles for details. This concept will remain the same under the Revised FADP (Article 30(2) of the Revised FADP).
Personality rights infringements (see Section on principles) may be justified on grounds of overriding private or public interests, necessity to comply with a legal obligation laid down in Swiss law, or the consent of the data subject.
Consent is valid as a ground for justification of personality rights infringements only if it is informed and freely given. If the controller seeks to justify the disclosure of sensitive personal data or so-called 'personality profiles' to third parties (other controllers) or if it otherwise seeks to justify a personality rights infringement (e.g. processing for further purposes or for longer than necessary) concerning sensitive personal data, consent needs to be given expressly (clear affirmative action).
Under the Revised FADP, consent will be valid only if it is informed, freely given and specific to one or several processing activities (Article 6(6) of the Revised FADP). Further, if a controller seeks to justify personality rights infringements involving sensitive personal data or high-risk profiling, consent needs to be expressly given (Article 6(7) of the Revised FADP).
Despite the lengthy Parliamentary debate and the misconceptions surrounding it, there will be no general requirement under the Revised FADP to obtain consent for so-called high-risk profiling (a concept introduced late in the Parliamentary debate, meaning profiling that poses a high risk to the privacy of individuals by pairing data in a way that enables an assessment of essential aspects of the personality of a natural person). Rather, consent or another valid ground for justification (such as overriding private or public interests or a legal obligation) will only be required to justify high-risk profiling that does not comply with the fair processing principles. See section on principles for details.
Interests of the controller may justify an otherwise unlawful infringement of personality rights if the interests override the data subject's privacy interests (Article 13(1) of the FADP; Article 31(1) of the Revised FADP). Necessity for the conclusion or performance of a contract with the data subject is considered such interest that may override the data subject's privacy interests (Article 13(2)(a) of the FADP; Article 31(2)(a) of the Revised FADP).
Necessity of the controller's compliance with legal obligations may justify an otherwise unlawful personality rights infringement (Article 13(1) of the FADP; Article 31(1) of the Revised FADP). Only legal obligations laid down in Swiss law will be considered.
Interests of the data subject may qualify as 'private interests' under Article 13(1) of the FADP (Article 31(1) of the Revised FADP) that may justify an otherwise unlawful personality rights infringement. At the same time, processing that is in the (vital) interest of the data subject is less likely to qualify as a personality rights infringement in the first place.
Overriding public interests may justify an otherwise unlawful personality rights infringement, particularly if invoked by public authorities. Courts are reluctant to accept public interests as grounds for justification if private controllers invoke it.
Legitimate interests of the controller are 'private interests' within the meaning of Article 13(1) of the FADP (Article 31(1) of the Revised FADP) that may justify an otherwise unlawful personality rights infringement, provided they override the privacy interests of the data subject. Legitimate interests of the data controller include, in particular and without this being a conclusive list of interests (see Article 13(2) of the FADP; Article 31(2) of the Revised FADP):
- processing in order to conclude or perform a contract with the data subject;
- processing for the purpose of competing economically with another organisation, provided the controller will not share the personal data with third parties (except intragroup transfers); and
- processing for the purpose of checking the creditworthiness of a data subject (subject to restrictions).
Generally, employers may only process employee personal data to the extent the processing relates to the workplace. This includes processing that is necessary for the performance of the employer's obligations to the employee under the employment contract, for compliance with statutory obligations, or for the purposes of legitimate interests of the employer or third parties that have a sufficient connection to the workplace (e.g. the enforcement of legal claims, measures ensuring safety at work or information security, fleet management, or marketing of professional services performed by the employee). Obtaining the employees' consent is typically not necessary (and will not be valid unless the employee has a real choice).
Employees have a duty of loyalty to their employers. This means that employees have to tolerate certain restraints on their privacy interests. At the same time, employers have a duty of care to their employees. Even if employees are under a loyalty obligation, employers have to process employee personal data in ways that are least intrusive to the privacy interests of their employees (principle of proportionality). In this respect, it is particularly important that employees are adequately informed about the functioning and purposes of, for example, fleet management, internet use monitoring, or video surveillance systems that the employer intends to use, and about their rights in connection with the processing of personal data for such purposes.
The following processing principles are key principles and responsibilities of controllers under the FADP:
- Lawfulness: Businesses or organisations (controllers) may only process personal data that has been collected in accordance with other applicable laws. For example, processing personal data that has been collected through unlawful trespassing or wiretapping would infringe the 'lawfulness' principle. Note that, in contrast to the principle of 'lawfulness of processing' on which the GDPR is based, the processing of personal data by businesses, organisations, or natural persons is generally allowed under the FADP (see also above section on legal bases). Only public authorities require a legal basis for processing.
- Fairness (good faith): Controllers may only perform such processing activities as data subjects may reasonably expect. Furthermore, fairness (good faith) means that processing must be performed as described in privacy notices.
- Transparency: Controllers have to convey to data subjects all information necessary in order to ensure transparent data processing. The information needs to enable data subjects to exercise their rights under the FADP. The Revised FADP will set out in more detail the types of information that controllers need to convey to data subjects. At a minimum, controllers will need to inform data subjects about:
  - the identity and contact details of the controller;
  - the contact details of the DPO (if any);
  - the contact details of the Swiss representative (if any);
  - the purposes of the processing;
  - (if any) the recipients or categories of recipients of the personal data;
  - (if the controller intends to transfer personal data internationally) the countries the controller intends to transfer personal data to and (in the absence of an adequacy decision taken by the Federal Council) based on which safeguards (e.g. Standard Contractual Clauses ('SCCs'));
  - (if the controller has not obtained the personal data directly from the data subject) the categories of personal data collected and processed; and
  - (if any) the existence of automated individual decision-making.
- Purpose limitation: Controllers may only process personal data for the specified purposes that have been notified to or are obvious to data subjects; and may only process personal data in a manner compatible with those purposes. The information about the purposes of the processing needs to be specific. Controllers also need to ensure that further processing of personal data received from other controllers is compatible with the purposes determined and communicated to the data subjects at the time of collection.
- Proportionality: The processing of personal data needs to be proportionate; that is, limited to what is necessary to achieve the specified purposes, considering the type of personal data concerned and the scope and duration of the processing. The data minimisation and storage limitation principles are key aspects of the proportionality principle. This means that controllers need to limit the scope of personal data collected and processed to what is necessary for the intended purposes, and to delete personal data once it is no longer needed for the specified purposes.
- Accuracy: Controllers need to ensure they only process personal data that is accurate and kept up to date. They must take all reasonable steps to ensure that personal data that is inaccurate or incomplete, having regard to the purposes for which it is processed, is deleted or rectified.
- Data security (integrity and confidentiality): Both controllers and (under the Revised FADP) processors are under an obligation to ensure an adequate level of data security. They are required to protect the integrity, confidentiality, and availability of personal data by means of adequate technical and organisational security measures. In assessing the appropriate level of security, controllers and processors have to account for the purpose, type, and scope of the data processing, the assessment of potential risks for data subjects, and state-of-the-art security solutions.
If businesses and organisations process personal data in accordance with the processing principles set out above, the processing will generally be considered lawful as long as the data subject has not expressly objected to the processing. Infringements of these processing principles (e.g. processing for further purposes than those initially specified, or processing for longer than necessary for the specified purposes), or continued processing despite the data subject's objection, are breaches of personality rights of the affected data subject. In addition, disclosure of sensitive personal data to third parties without a valid ground for justification is deemed a breach of personality rights.
Breaches of personality rights are deemed unlawful unless the controller can demonstrate that the relevant data processing is justified on grounds of overriding private or public interests or the necessity for its compliance with legal obligations laid down in Swiss law. See section on legal bases above.
7. Controller and Processor Obligations
Under the Revised FADP, a controller will be required to consult the FDPIC prior to processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. Businesses or organisations (private controllers) that have appointed a DPO and have involved the DPO in the DPIA may forgo prior consultation of the FDPIC.
No registration with or notification to the FDPIC is generally required. However, under the current FADP, businesses or organisations have to register their data files with the FDPIC if they regularly process sensitive personal data or regularly disclose personal data to third parties. They are exempted from this registration obligation if they have appointed a data protection officer ('DPO') and have notified the FDPIC of such appointment. The obligation to register data files will no longer apply to businesses or organisations under the Revised FADP.
Under the current FADP, the FDPIC publishes a list of states that, according to the FDPIC's assessment, provide an adequate level of data protection. Under the Revised FADP, the Federal Council will adopt adequacy decisions in relation to jurisdictions that provide an adequate level of protection. The Federal Council will (just as the FDPIC has done in the past) likely follow the European Commission's lead and consider adequate those jurisdictions in relation to which the European Commission has adopted an adequacy decision.
Appropriate safeguards are required in order to transfer personal data to states without an adequate level of protection. Appropriate safeguards include, under the Revised FADP: SCC issued, approved or recognised by the FDPIC, Binding Corporate Rules approved by the FDPIC or a competent data protection supervisory authority in a state that provides adequate protection, or (subject to prior notification to the FDPIC) contractual clauses incorporated into a controller-to-processor data processing agreement. In addition, the Revised FADP provides for derogations for data transfers in specific situations, such as where the transfer is directly related to the conclusion or the performance of a contract between the data subject and the controller.
The above rules on data transfers also apply in an outsourcing context, where a controller in Switzerland engages a processor in another state, or where a processor in Switzerland engages a sub-processor in another state. In addition, controller-to-processor relationships and processor-to-sub-processor relationships have to be governed by a data processing agreement.
Under the Revised FADP, controllers (and processors) will be required to maintain records of processing activities. Exemptions may apply in relation to low-risk processing of personal data by businesses with fewer than 250 employees. The revised FODP will lay out the specifics of this and other exemptions that may apply.
Under the Revised FADP, controllers will be required to perform DPIAs for intended high-risk processing of personal data. The high risk may result from the type, scope, circumstances, or purposes of the processing or from the use of new technologies. A DPIA will be required under the Revised FADP, in particular, in the case of processing on a large scale of sensitive personal data, or the systematic monitoring of publicly accessible areas on a large scale. The implementation of profiling will require a prior privacy risk assessment and, potentially, a DPIA.
Appointing a DPO is not mandatory for businesses and organisations under the FADP or the Revised FADP. However, the Revised FADP incentivises the appointment of a DPO, i.e. a 'data protection advisor' (cf. above, regarding DPIAs and prior consultations). In practice, it may also be advisable to appoint a DPO voluntarily, as compliance with documentation and notification obligations and responding to data subjects' requests under the Revised FADP requires businesses, in practice, to establish an internal data protection function.
The DPO must be independent in terms of organisation and their professional expertise. From an organisational point of view, he or she may not perform tasks that are incompatible with the tasks of the DPO (avoidance of conflicts of interest). As regards professional expertise, the controller or processor has to ensure the DPO does not receive any instructions regarding the exercise of his or her tasks.
Further, the DPO must have the professional skills and expertise necessary to perform the statutory tasks of a DPO. Basic knowledge of data protection law is generally sufficient in order to perform the tasks of advising on and monitoring compliance with data protection laws (in particular, if supported by external legal advisors), and for consultation with the FDPIC. At least as important (namely in connection with a DPIA or with regard to data security) is knowledge of the relevant technology, data flows, and business processes.
Businesses or organisations that appoint a DPO in accordance with the Revised FADP will have to publish and provide to the FDPIC the contact details of the DPO.
Under the Revised FADP, businesses or organisations (private controllers) established outside of Switzerland will have to appoint a representative in Switzerland under certain conditions. They will be required to do so if they regularly perform high-risk and large-scale processing of personal data in connection with the offering of goods or services in Switzerland, or in connection with the monitoring of individuals' behaviour taking place in Switzerland.
Under the Revised FADP, controllers will be required to notify the FDPIC of personal data breaches that may result in a high risk for data subjects (the current FADP does not set out any data breach notification obligations, but notification is considered a best practice). No deadline is defined for the notification. Controllers will need to notify the FDPIC as quickly as possible, i.e. without undue delay. In their notification, they will need to address the type of personal data breach, its consequences, and the measures taken or planned to remedy the breach and mitigate risks for data subjects.
Controllers are required to notify the data subjects affected by the personal data breach if such notification is necessary in order to protect the data subjects or if the FDPIC so requests.
Processors who detect a personal data breach are required to notify the controller of the breach.
Data breach notification obligations that apply to regulated banks or insurance companies (in relation to customer data) or hospitals (in relation to electronic patient records) apply in addition to the obligation to notify personal data breaches under the Revised FADP.
Controllers have to delete or sufficiently de-identify (i.e. render anonymous) personal data once they no longer need it for the specified purposes, or in order to pursue legitimate interests (such as enforcement of legal claims) or to comply with legal obligations (such as records-keeping obligations).
Disclosing special categories of personal data (also referred to as 'sensitive data') to third parties requires justification, such as the consent of the data subject, or necessity for the purposes of overriding interests of the controller or compliance with legal obligations.
In addition, higher standards for transparency and data security apply in relation to the processing of special categories of personal data, and a DPIA is more likely to be required if the envisaged processing activity involves the processing of special categories of personal data.
The controller-to-processor relationship needs to be governed by a contract (or established by law). The controller needs to make sure that the processor only performs processing activities that the controller would also be allowed to perform, and to ensure that the processor is capable of providing adequate data security. Further, the Revised FADP provides that a processor may only engage a sub-processor with the prior consent of the controller. The standard required by Article 28(3) of the GDPR will suffice in most circumstances for the purposes of the Revised FADP. In doing so, parties should clarify that Switzerland is considered a member of the European Economic Area for the purposes of the data processing agreement.
Controllers will continue to be primarily responsible for compliance with the Revised FADP. Yet, in contrast to the current FADP, the Revised FADP will also set out legal obligations applying directly to processors (including data security obligations, restrictions on engaging sub-processors, and the requirement to maintain a record of processing activities).
8. Data Subject Rights
The current FADP requires that the collection of personal data and the processing purposes be transparent ('recognisable') to the data subject. It follows that data subjects have a right to be informed about the fact that the controller collects personal data about them and about the purposes of the processing if the collection and processing is not evident from the circumstances (Articles 4(2) and 4(4) of the FADP).
Under the Revised FADP, this transparency principle follows from the 'fairness' principle set out in Article 6(2) of the Revised FADP, and privacy notices become a must. To some extent, controllers will also have to inform data subjects actively about personal data collection and processing that may seem obvious to the data subject and would not require active information under the current FADP. Article 19 of the Revised FADP contains a list of minimum elements of information that controllers need to convey to data subjects at the time of collection of personal data. Further obligations to actively inform data subjects are set out in Article 10(3)(d) (obligation to publish the contact details of the DPO), Article 14(3) (obligation to publish the contact details of the Swiss representative), and Article 21(1) (obligation to inform about automated individual decision-making) of the Revised FADP. See also the section on principles above.
Article 8 of the FADP provides data subjects with the right to access personal data undergoing processing which relate to the data subject. This includes a right to receive a copy of the personal data undergoing processing. In an access request, data subjects may also ask for available information about the origin (sources) of the personal data, the purposes of processing, the categories of personal data undergoing processing, and the categories of recipients of the personal data.
The controller needs to provide the information in writing and provide a copy of the personal data, e.g. in the form of a print-out or an excerpt from the relevant databases. A 30-day deadline applies. However, controllers may also inform the data subject that gathering the relevant information and data requires more time, or provide the information and data in stages.
Controllers may refuse, limit or defer their provision of information and data if this is required to comply with a legal obligation laid down in Swiss law or in order to protect the overriding interests of third parties, or (provided the controller does not disclose the personal data to third-party recipients) based on prevailing interests of the controller (Article 9 of the FADP). The fact that prevailing interests of the controller are only valid grounds for refusal, limitation or deferral if the controller does not share the personal data with other controllers (recipients) results in relatively weak protection of the controller's business secrets.
This concept remains substantially the same under the Revised FADP (Articles 25–27), except that the new law will set out a list of minimum elements of information that a controller needs to provide in response to access requests (Article 25(2) of the Revised FADP), namely:
- the identity and contact details of the controller;
- the personal data undergoing processing (this includes a right to receive a copy of the personal data);
- the purposes of the processing;
- the storage duration or, if not possible, the criteria used to determine this duration;
- (if the controller has not obtained the personal data directly from the data subject) the available information as to the origin of the personal data;
- (if any) the existence of automated individual decision-making; and
- (if any) the recipients or categories of recipients of the personal data.
The reasons for refusal, limitation or deferral of the information and data remain substantially the same. Article 26(1)(a) of the Revised FADP clarifies that professional secrecy obligations are a legal obligation that may justify a refusal, limitation, or deferral. Further, Article 26(1)(c) of the Revised FADP clarifies that a controller may refuse information and access to personal data if the access request is manifestly unfounded, is not made for data protection purposes, or is obviously of a frivolous nature.
Data subjects have a right to ask that inaccurate data a controller holds about them be rectified. The controller may refuse the rectification based on legal obligations or prevailing private or public interests.
The right to rectification will also be provided under the Revised FADP, which will however limit the grounds for refusal of the rectification. According to Article 32(1) of the Revised FADP, controllers may only refuse to rectify incorrect personal data if a statutory obligation prohibits the rectification or if the personal data is being processed for archiving purposes in the public interest.
The right to object to the processing of personal data provided under Article 12(2)(b) of the FADP includes a right to erasure. A controller may refuse to delete personal data based on legal obligations or prevailing private or public interests. The Revised FADP will expressly stipulate the right to erasure in Article 32(4). These grounds for refusal will continue to apply.
Article 12(2)(b) of the FADP (Article 31(2)(b) of the Revised FADP) provides data subjects with a right to object to the processing of their personal data (essentially an opt-out right). The objection/opt-out right is, however, not absolute. Controllers may continue to process the personal data, or refuse to restrict processing or to delete personal data, if and to the extent this is necessary for their compliance with legal obligations, the performance of a contract, or for the purposes of other prevailing private or public interests.
The FADP does not currently include a right to data portability. Yet courts have repeatedly held that the right to access includes a right to a copy of the personal data undergoing processing.
Article 28 of the Revised FADP introduces a right to data portability. This data subject right was introduced late in the Parliamentary debate. It provides for a right to receive a copy of the personal data relating to the data subject in a commonly used format, or to ask that the personal data be transferred to another controller. These rights are subject to the following conditions:
- the controller processes the data in an automated manner; and
- the data is processed with the data subject's consent or in direct connection with the conclusion or performance of a contract with the data subject.
The exceptions to the right to access (Article 29 of the Revised FADP in conjunction with Article 26(1) and (2); see section on the right to access above) also apply as exceptions to the right to data portability. In addition, a controller may refuse to grant the right to transfer personal data to another controller if this would require a disproportionate effort.
The FADP does not currently include a right not to be subject to automated decision-making. Article 21 of the Revised FADP introduces an obligation of controllers to inform data subjects if they use automated individual decision-making. It also provides that data subjects have a right to be heard in the case of individual decision-making.
These rights will not apply if the decision is made in connection with the conclusion or the performance of a contract with the data subject, and where the controller grants the request made by the data subject, or if the data subject has consented to the automated individual decision-making.
Further, data subjects may object to automated individual decision-making by invoking and subject to the limitations of the right to object (see section on the right to object/opt-out above).
The Revised FADP grants data subjects all rights also granted under the GDPR, and potentially more, as remedies available in cases of personality rights infringements under the Civil Code are also available under the Revised FADP (cf. Article 32(2) of the Revised FADP).
Courts have interpreted the right to object pursuant to Article 12(2)(b) of the FADP to also include a right to restriction of processing and a right to erasure (i.e. to have personal data deleted, destroyed or anonymised). The identical provision in Article 31(2)(b) of the Revised FADP will also be interpreted to include these rights. Further, the Revised FADP now expressly mentions deletion or destruction of personal data and prohibition of processing as remedies that data subjects may seek in court.
The FDPIC does not (and will not under the Revised FADP) have the right to issue administrative fines. But the FDPIC has corrective powers. It may oblige businesses or organisations or federal authorities to correct, suspend, or cease certain processing of personal data, or to delete personal data entirely or partially. The FDPIC may also require the business, organisation, or federal authority concerned to comply with specific responsibilities (cf. section on main powers, duties and responsibilities above).
The state prosecutors enforce the criminal law provisions of the FADP. Currently, the FADP provides that natural persons may be fined up to CHF 10,000 (approx. €9,100) if they are responsible for the violation of certain information and notification requirements under the FADP (e.g. wilfully providing false or incomplete information in response to a data subject access request).
Under the Revised FADP, the maximum amount of the fine will be CHF 250,000 (approx. €227,000). The Revised FADP will also extend criminal liability to the violation of additional data protection obligations under the Revised FADP, such as failing to ensure there are sufficient guarantees for international data transfers or failure to comply with minimum data security requirements.
The Revised FADP will also introduce criminal liability of businesses and organisations. The responsible natural persons (e.g. directors or managers) will primarily be liable. However, the business or organisation (controller or processor) may be held liable for a fine of up to CHF 50,000 (approx. €45,400) under the Revised FADP if determining who in the organisation is responsible for the infringement would require disproportionate investigative efforts.
The FADP provides private rights of action against infringements of personality rights protected under the FADP. Of particular practical relevance is litigation concerning the exercise of the rights of access, rectification, and deletion. Yet data subjects may also claim infringement of key data privacy principles such as purpose limitation, data minimisation, and data security. The following remedies are available for claims brought under the FADP:
- prior restraints and other injunctions preventing an imminent infringement (such as unlawful disclosure of personal data);
- removal of an existing infringement (this includes enforcement of the right to rectification or deletion);
- an order of the court requiring the controller to provide information or access;
- a declaratory judgment (if the infringement continues to affect the privacy interests of the data subject); and
- claims for compensatory damages, moral damages, and disgorgement of profits.
See section on case law above.