In Switzerland, data privacy is regulated by the Federal Act on Data Protection of 19 June 1992 (DPA) and the Ordinance to the Federal Act on Data Protection of 14 June 1993.
Further, every Swiss canton has its own data protection laws with respect to data processing by cantonal authorities.
Switzerland is not a member of the European Union and hence does not have to comply with the EU General Data Protection Regulation (GDPR) or any other directives in this field. However, a comprehensive revision of the Data Protection Act is pending which provides for substantial alignment with the GDPR provisions.
The DPA itself contains special regulations on the processing of data that is considered to be sensitive personal data (eg, data on health – see question 3). With regard to biometric data, which does not necessarily qualify as sensitive personal data, additional provisions to the DPA – such as the Federal Act on DNA Profiling, the Ordinance on the Processing of Biometric Identification Data and the Swiss Criminal Code – may apply, depending on the purpose for which data is processed.
Swiss banking secrecy rules and the related guidelines provide for bank-client confidentiality, which aims to safeguard financial privacy and protects all conclusions of fact, value judgements and other information (including personal evaluation results) that can be attributed to a bank client. Bank-client confidentiality therefore goes further than data protection law. Additionally, the Federal Act on Financial Services (FinSA) contains specific requirements relating to data protection for data retention and processing by financial service providers. The FinSA and the Financial Institutions Act were deliberately closely aligned with the EU Second Markets in Financial Instruments Directive by incorporating equivalent but not identical provisions into the laws.
Furthermore, Article 321 of the Swiss Criminal Code sets forth secrecy obligations, such as patient secrecy regarding health data and attorney-client privilege, which have an impact on the processing of such data.
In the telecommunications sector, specific regulations apply to data retention and processing.
Moreover, Swiss labour law provides special provisions with respect to the processing of employees' data (see question 10).
The Schengen Federal Data Protection Act has been in force since March 2019. The GDPR has also had an impact on the pending revisions to the DPA.
The Federal Data Protection and Information Commissioner (FDPIC) is in charge of supervising federal and private bodies and advising on data privacy law, as well as on technical aspects of data security. It maintains and publishes the Register for Data Files. In conflict situations between private bodies or between private persons and federal bodies, it can act as a mediator. It can also comment on draft federal legislation that may have an impact on data privacy. Furthermore, it interacts and cooperates with data protection authorities in Switzerland and abroad.
To accomplish its tasks, the FDPIC can investigate facts on its own initiative or at the request of a third party. Based on these investigations, it can issue recommendations. However, the FDPIC has no enforcement powers and, in particular, does not have the power to impose sanctions.
The FDPIC plays a decisive role in establishing industry standards and best practices in all areas of data protection, such as internet and computer, video surveillance, e-commerce and transborder data flows. It also provides model letters and documentation templates. Guidelines and working tools prepared by the FDPIC are not directly enforceable by the courts; however, they form a relevant basis to be considered by controllers and processors of personal data.
The Federal Act on Data Protection (DPA) applies to the processing of data pertaining to natural persons and legal persons by private persons (individuals and legal entities) and federal bodies. In other words, all types of companies are captured by the data protection law.
In accordance with Article 2(2), the DPA does not apply to:
Due to the principle of territoriality, the data protection legislation is generally applicable to situations that take place in Switzerland. Therefore, the processing of data as the main factor to determine the geographical scope must take place locally. An extra-territorial application may occur, for example, in the case of outsourcing to a foreign company. In addition, the principle of impact must be observed if circumstances abroad have an impact on Switzerland, such as through websites that can be accessed for business transactions in Switzerland.
(a) Data processing
Any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving or destruction of data.
(b) Data processor
The DPA does not explicitly use this term and accordingly, there is no statutory definition. The Federal Data Protection and Information Commissioner (FDPIC) defines a ‘data processor’ or ‘data importer’ as a natural or legal person, public authority, agency or any other body (established in another country) that agrees to receive personal data from the ‘data exporter’/‘data controller’ for the purpose of processing such data on behalf of the latter after the transfer in accordance with its instructions.
(c) Data controller
The DPA does not explicitly use this term and accordingly, there is no statutory definition. The FDPIC defines a ‘data controller’ or ‘data exporter’ as a natural or legal person, public authority, agency or any other body established in Switzerland which, individually or together with others, determines the purpose and means of the processing of personal data and which transfers such data for the purpose of its processing on their behalf.
(d) Data subject
A natural or legal person whose data is processed.
(e) Personal data
All information relating to an identified or identifiable person.
(f) Sensitive personal data
Data relating to:
(g) Consent
Consent must be given voluntarily, based on the provision of adequate information. Additionally, consent must be given expressly in the case of processing of sensitive personal data or personality profiles.
‘Personality profile’: A collection of data that permits the assessment of essential characteristics of the personality of a natural person.
‘Data file’: Any set of personal data that is structured in such a way that the data is accessible by the data subject.
In Switzerland, there is no registration of data controllers and processors. Notwithstanding the foregoing, the Federal Data Protection and Information Commissioner maintains a register of data files (see question 3.2(b)). Companies must declare their data files if they regularly process sensitive personal data or personality profiles; or if they regularly disclose personal data to third parties.
Data files must be registered prior to their operational use and each controller of a data file must update this information on an ongoing basis.
Yes, the register of data files is accessible online at www.datareg.admin.ch.
In Switzerland, the meaning of the principle of legality is different for federal bodies and private persons. In the public law sector, the legality of state action is the basic principle and therefore the processing of personal data always requires a legal basis.
With respect to data processing by private persons, the legal situation is more nuanced. Data processing by private persons does not per se constitute a breach of the privacy rights of the data subjects concerned. Consequently, data processing requires a justification – that is, the consent of the data subject, a legal basis or an overriding private or public interest – only if it unlawfully breaches the privacy of the data subject (Article 12(1) in relation to Article 13 of the Federal Act on Data Protection (DPA)). As a general rule, no justification for processing personal data is required if the data subject has made the data generally available and has not expressly restricted the data processing (Article 12(3) of the DPA).
On the other hand, justification is required if:
The DPA provides for the following key principles:
In general, there is no obligation of automatic notification for data processing under the DPA. However, if particularly sensitive personal data or personality profiles are processed by the controller of the data file, the data subject must be notified in advance (Article 14 of the DPA). These notification requirements also apply where data is outsourced to third parties for processing.
In any case, the data subject generally has the right to request information about the processing of his or her personal data, and may inspect and correct false, incomplete or erroneous data. This right may be restricted only if there is an overriding public or private interest in doing so.
With respect to the outsourcing of data, the DPA states the following requirements:
Furthermore, the third parties must observe the key principles as set forth above.
Even the transfer of data to another legal entity in the same group of companies is considered a transfer to a third party.
The data processor and controller are advised to monitor the processing of personal data. If irregularities or non-compliance with data protection regulations are detected, corrective measures must be implemented. Furthermore, it is recommended to maintain a list of all data files.
Yes, under the conditions set forth in question 5.4.
Article 6 of the Federal Act on Data Protection (DPA) stipulates that personal data may not be disclosed abroad if the privacy of the data subject would be seriously endangered thereby, in particular due to the absence of legislation that guarantees adequate protection. Accordingly, either adequate protection must be guaranteed in the country of destination or other safeguards must be in place to protect the data subject's privacy, such as:
The transfer of data abroad also covers access to the data from abroad, even if the data itself remains stored in the country of origin. The Federal Data Protection and Information Commissioner maintains a list of the countries which, in its view, ensure adequate data protection. This non-binding list is publicly available. All European countries governed by the General Data Protection Regulation guarantee more than adequate protection and therefore the transfer of data to such countries is of no concern.
A legal basis or a reasonably close connection is required to transfer data, and the general principles of data processing remain applicable (eg, transparency, purpose limitation, data minimisation, proportionality). Article 6 of the DPA stipulates the following legal bases for the transfer of data abroad:
To exercise the right to access data, the data subject must typically file a written request and provide proof of his or her identity, although an online request is also possible if the controller of the data file has made this available. The ‘right to information’ includes information about:
The requested information must normally be provided within 30 days of receipt of the request, in writing, in the form of a printout or a photocopy, and must be free of charge.
In addition, data subjects have the ordinary judicial remedies available under civil law to protect their personality rights (Article 15 of the DPA in relation to Articles 28–28l of the Swiss Civil Code). In particular, the data subject may request that the data processing be stopped, that data not be disclosed to third parties and that personal data be corrected or deleted.
The data subject may further claim compensation for moral suffering and payment of damages or the handing over of profits, provided that he or she can prove actual damage based on privacy infringements, which is difficult in practice.
The Federal Act on Data Protection currently in force does not stipulate an obligation for companies to appoint a data protection officer; thus, this appointment is optional and no consequences of failure apply.
If a company intends to appoint a data protection officer, such person should be adequately skilled, with expert knowledge of data protection law and practices, in order to be able to assist the company in monitoring internal compliance with the legal framework and training employees in the field of data protection. The necessary level of expert knowledge should be connected to the specific data processing operations carried out and the protection required for the personal data processed by the company. It is equally important that the data protection officer is in a position to perform his duties in an independent manner.
The data protection officer's key responsibilities include the following:
In principle, no special rules apply. The outsourcing company must ensure that the external data protection officer has the necessary skills and is able and empowered to conduct his role in an independent manner.
The general provisions on the archiving of business documents apply; unless otherwise stipulated, all records and documents in relation to personal data must be kept for 10 years.
Not applicable.
Article 7(1) of the Act on Data Protection (DPA) states the general rule that personal data must be protected against unauthorised processing through adequate technical and organisational measures.
Additionally, Article 8 of the Ordinance to the Federal Act on Data Protection contains additional detailed provisions on data security: anyone who, as a private individual, processes personal data or provides a data communication network must ensure the confidentiality, availability and integrity of the data in order to ensure an appropriate level of data protection. In particular, he or she must protect systems against the following risks:
The technical and organisational measures must be adequate and reviewed periodically. In particular, they must take account of the following criteria:
There are even more extensive obligations for the controllers of data files. For the automated processing of personal data, such controllers must take the necessary technical and organisational measures to achieve the following goals, in particular:
The data files must be structured so that data subjects can assert their right of access and their right to have data corrected.
No, there is no legal obligation to notify the Federal Data Protection and Information Commissioner.
No, there is no legal obligation to notify the data subject. However, in view of the general principles of the DPA – in particular, the principle of transparency – it is advisable to notify the data subject in case of a data breach.
See question 9.3.
Article 328b of the Swiss Code of Obligations governs the obligations of employers in respect of the protection of employees' personality rights while handling personal data. It states that an employer may process data concerning employees only to the extent that such data:
In all other respects, the provisions of the Federal Act on Data Protection shall apply. It is not possible to derogate from these provisions to the detriment of the employee by individual agreement, standard employment contract or collective employment contract, or even with the consent of the employee, due to the relationship of subordination between the parties.
A distinction must be drawn between surveillance of internet use, email and telephone on the one hand, and video surveillance on the other. The surveillance of employees is permitted only to a very limited extent. In general, employees must be informed of the planned surveillance in advance and in a transparent way, and in most cases must give their consent. The employer should ideally specify in an internal directive, based on its right to issue instructions, how employees may use the internet and email for private purposes. Such rules create transparency and legal certainty both for such use and for the establishment of control and surveillance instruments. Video surveillance systems designed specifically to monitor the behaviour of employees are prohibited. Where video surveillance is necessary for other reasons (eg, security), it must be implemented in such a way that the health and freedom of movement of employees are not unduly affected. The surveillance of employees may be considered illegal and a violation of personality rights unless it is justified by the consent of the injured party, by an overriding private or public interest or by law. The principles of proportionality, good faith and transparency must also be taken into account.
Consent in the employment relationship is valid only to a limited extent, as the voluntary nature is restricted by the subordination relationship between employer and employee. It is therefore advisable to refer to another legal basis to process the personal data of employees.
Cookies are governed by Article 45c of the Telecommunications Act, which provides that the processing of data on external equipment by means of transmission using telecommunications techniques is permitted only if, among other things, users are informed of the processing and its purpose, and are informed that they may refuse to allow such processing. Swiss companies commonly inform internet users of the data protection policy on their websites regarding the use and deactivation of cookies. An opt-in process is not mandatory.
Cloud computing services are basically regarded as data processing by third parties. Such outsourcing is allowed if personal data is processed only in the manner in which the cloud user itself would be allowed to process it, and if no legal or contractual obligation of secrecy prohibits it. It must be ensured that the third-party cloud service provider guarantees data security through appropriate technical and organisational measures. The cloud service provider must also be obliged to fully comply with the data protection regulations applicable in Switzerland. If personal data is transmitted abroad through outsourcing, Article 6 of the Federal Act on Data Protection applies (see question 6).
It is important to have a legal basis for the use of personal data for marketing purposes. Article 3(1)(o) of the Unfair Competition Act stipulates that it is considered unlawful to send mass advertising without a direct connection to the requested content by means of telecommunications technology, or to arrange for such broadcasts, and in doing so fail to:
However, a company which receives contact information from customers when selling goods, works or services and, in doing so, points out the possibility of refusal (again: opt-out) does not act unfairly if it sends those customers mass advertising for its own similar goods, works or services without their consent. It is recommended that the underlying contract or the applicable general terms and conditions also govern data protection and the use of contact information for own marketing purposes.
As set forth in question 7.2, data subjects have ordinary judicial remedies available under civil law to protect their personality rights. However, private law disputes in connection with data privacy issues are rare in Switzerland.
The Federal Data Protection and Information Commissioner (FDPIC) – that is, the supervising authority of both federal bodies and private persons regarding data privacy – regularly investigates cases that involve potential privacy issues. If the investigation reveals a data protection breach, the FDPIC may make recommendations as to how the method of data processing should be changed or that the data processing activity be stopped. If this recommendation is not complied with, the FDPIC may initiate proceedings leading to a formal decision on the matter. In the case of recommendations to federal bodies, the FDPIC may refer the case to the competent department or the Swiss Federal Chancellery for a formal decision. Both the FDPIC and any persons concerned by such a decision may appeal this decision to the Swiss Federal Administrative Court. The appeal decision may be further appealed to the Swiss Federal Supreme Court. In the case of recommendations to private persons, the FDPIC may refer the case to the Swiss Federal Administrative Court for a decision. The decision of the Swiss Federal Administrative Court is subject to an appeal before the Swiss Federal Supreme Court.
Disputes between private individuals, which include data protection issues, often relate to labour disputes.
In 2015 the Swiss Federal Supreme Court issued a noteworthy decision on the right of access in connection with a tax dispute between certain Swiss banks and the United States. Based on the right of access set forth in Article 8 of the Federal Act on Data Protection, the court obliged a Swiss bank to provide its employees with copies of all documents transferred to the US Department of Justice in April 2012 containing their personal data. With respect to the processing of employee personal data, the Swiss Federal Supreme Court held that the monitoring of an employee's use of email and Internet that lasted for three months and included the taking of regular screenshots was illegal and disproportionate. Furthermore, there was no internal policy that permitted monitoring under specific, transparently disclosed circumstances, which would have been required.
Yes, the Federal Act on Data Protection is currently under revision and should be replaced shortly by a new act, based largely on the European data protection regime. According to the official message of the Federal Council, the new act aims to strengthen data protection by improving the transparency of data processing and data subjects' ability to control their data. At the same time, the general awareness of those responsible for processing data is increasing. Switzerland's competitiveness should be further enhanced, in particular, by facilitating the disclosure of data abroad and by promoting the development of new economic sectors in the field of digitisation of society, on the basis of a high, internationally recognised standard of protection. It will be crucial to balance the legislative proposal with the Swiss specifics and avoid regulations which exceed European standards and provisions.
Every company should implement a data protection programme which reasonably reflects its size, business, markets and the associated risks. This programme should start with an overview of the data flows resulting in the record and documentation of processing activities. Based on this, companies would be well advised to take care of internal and external communication regarding the use of data. Communication ensures transparency and trust, which again are vital for success.
© Mondaq® Ltd 1994 – 2022. All Rights Reserved.