Law and the regulatory authority
Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?
Switzerland has dedicated data protection laws. On the federal level the Federal Data Protection Act (DPA) of 19 June 1992, together with its Ordinance (DPO) of 14 June 1993, governs processing of what in Switzerland is called ‘personal data’ by private parties or federal bodies. Processing of PII by cantonal authorities (cantons are the Swiss states) is subject to state legislation, which will not be discussed here. Additionally, several other federal laws contain provisions on data protection, especially laws that apply in regulated industries (such as financial markets and telecommunications), which further address the collection and processing of PII:
Switzerland is a member state to certain international treaties regarding data protection, such as:
Although Switzerland is not a member of the EU and, hence, has neither implemented the EU Data Protection Directive 95/46/EC nor is directly subject to the EU General Data Protection Regulation 2016/679 (GDPR), it has been officially recognised by the European Commission as providing an adequate level of protection for data transfers from the EU.
A revision of the DPA (see question 46) shall align the DPA with international rules on data protection in order to comply with the upcoming revision of Convention ETS 108 and the GDPR. This will allow Switzerland to uphold its status as a country adequately protecting personal data from an EU perspective, which allows for easier transfer of personal data from the EU, and to ratify Convention ETS 108 of the Council of Europe.
Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.
The Federal Data Protection and Information Commissioner (FDPIC) is the federal data protection authority in Switzerland. In addition, cantons are competent to establish their own data protection authorities for the supervision of data processing by cantonal and communal bodies. The FDPIC’s contact details are as follows:
Federal Data Protection and Information Commissioner
Feldeggweg 1
3003 Berne
Switzerland
Tel: +41 58 462 43 95
Fax: +41 58 465 99 96
www.edoeb.admin.ch
The FDPIC has no direct enforcement or sanctioning powers against private bodies processing PII. Nevertheless, the FDPIC can carry out investigations on its own initiative or at the request of a third party if methods of processing are capable of violating the privacy of a large number of persons (system errors), if data collections must be registered (see question 25) or if there is a duty to provide information in connection with a cross-border data transfer (see question 35). To this effect, the FDPIC may request documents, make inquiries and attend data processing demonstrations. On the basis of these investigations, the FDPIC may recommend that a certain method of data processing be changed or abandoned. However, these recommendations are not binding. If a recommendation made by the FDPIC is not complied with or is rejected, he or she may refer the matter to the Federal Administrative Court for a decision. The FDPIC has the right to appeal against such decision to the Federal Supreme Court.
The draft of the revised DPA (see ‘Update and trends’) foresees that the FDPIC may upon investigation issue binding administrative decisions (instead of recommendations under the current DPA), for example, to modify or terminate unlawful processing.
Are there legal obligations on the data protection authority to cooperate with data protection authorities, or is there a mechanism to resolve different approaches?
The FDPIC may cooperate with domestic and foreign data protection authorities. This includes general professional exchange with such authorities related to certain specialist areas or regular cooperation within committees, working groups, conferences, etc. However, the FDPIC does not have a mandate or competence to collaborate with other data protection authorities (whether domestic or foreign) as regards supervision and control of processing activities or to share information with them. A collaboration of the FDPIC with foreign data protection authorities in relation to data processing in specific cases may (with the exception of data processing related to judicial and police cooperation or Schengen law respectively) be particularly difficult, as in general, the ordinary course of international judicial assistance must be followed (subject to applicable specific laws).
As already mentioned, certain exceptions to the above rule apply within the applicability of the Schengen law, whereby the Ordinance on the national part of the Schengen Information System and the SIRENE Bureau (N-SIS-Ordinance) explicitly foresees a collaboration of the FDPIC with Swiss cantonal data protection authorities as regards coordinated supervision of PII processing, all in accordance with their respective competences. The N-SIS-Ordinance provides further that the FDPIC in performing its tasks shall closely work together with and serve as a national point of contact for the European Data Protection Supervisor.
Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?
Violations of the data protection principles (see question 11) are generally not criminally sanctioned. However, private persons are liable to a fine of up to 10,000 Swiss francs if they wilfully:
In addition, the wilful non-compliance with the following duties is, on complaint, punishable by a fine of up to 10,000 Swiss francs:
The draft of the revised DPA (see ‘Update and trends’) foresees a fine of up to 250,000 Swiss francs for the wilful breach of the obligations set forth above and further obligations set forth in the DPA. In contrast to the preliminary draft, a negligent breach is not intended to be sanctioned. Wilful breach of professional secrecy shall also be punishable by a fine of up to 250,000 Swiss francs. This new sanction will not be limited to the usual bearers of professional secrets (such as banks under article 47 Banking Act, securities dealers under article 43 Stock Exchange Act, financial market infrastructures under article 147 Financial Market Infrastructure Act or attorneys, auditors, doctors, etc., under article 321 Swiss Penal Code) but will extend to any profession for which protection of confidentiality is essential.
Scope
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
The DPA does not apply to:
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.
The DPA does not cover the interception of communications, electronic marketing or monitoring and surveillance. These issues are dealt with in the following laws:
Identify any further laws or regulations that provide specific data protection rules for related areas.
Additional regulations concerning PII protection can be found in the following laws:
Further regulations may apply depending on the given subject matter.
What forms of PII are covered by the law?
The DPA and DPO apply to any data relating to an identified or identifiable person (natural persons or legal entity), irrespective of its form. A person is identifiable if a third party having access to the data on the person is able to identify such person with reasonable efforts.
The draft of the revised DPA (see ‘Update and trends’) foresees removing the protection of personal data relating to legal entities in order to ease cross-border disclosure to jurisdictions that do not protect such data.
Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?
The DPA applies to any PII processing that occurs within Switzerland. In addition, if a Swiss court decides on a violation of privacy by the media or other means of public information (eg, the internet), the DPA may apply (even if the violating PII processing occurred outside Switzerland) if the data subject whose privacy was violated chooses Swiss law to be applied. Swiss law may be chosen as the applicable law if:
Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?
The DPA applies to any processing of PII. ‘Processing’ is defined in the DPA as any operation with PII irrespective of the means applied and the procedure. In particular, processing includes the collection, storage, use, revision, disclosure, archiving or destruction of PII. An exemption is made for PII that is processed by a natural person exclusively for personal use and is not disclosed to third parties.
Unlike in EU countries, there is no specific distinction between ‘owners’ of a data collection (ie, ‘controllers’) and mere ‘processors’. All persons or entities processing personal data are equally subject to the provisions in the DPA and the DPO and have to adhere to the rules set out therein.
Legitimate processing of PII
Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?
PII must always be processed (this includes its holding) lawfully. The processing is lawful if it is either processed in compliance with the general principles set out in the DPA or non-compliance with these general principles is justified. The disclosure of PII to third parties is generally lawful under the same conditions. The principles set out in the DPA are:
Non-compliance with these principles may be justified by:
According to the DPA, an overriding interest of the person processing the PII can, in particular, be considered if that person:
Does the law impose more stringent rules for specific types of PII?
In addition to ‘normal’ PII, the DPA introduced ‘sensitive PII’ and ‘personality profiles’ as special categories of PII that are subject to stricter processing conditions. Sensitive PII is data on:
A personality profile is a collection of PII that permits an assessment of essential characteristics of the personality of a natural person.
There are certain restrictions applying to processing sensitive PII and personality profiles in addition to the general principles:
Also, there are more stringent rules in certain subject matters, such as employment law, health, telecommunications, finance and the like (see questions 6 and 7).
Data handling responsibilities of owners of PII
Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?
Generally, it suffices if the collection of PII and, in particular, the purpose of its processing, is evident to the data subjects from the circumstance of collection. However, in the case of collection of sensitive PII or personality profiles, the owner of such collection is obliged to actively inform the data subject at least of the following:
This duty to actively provide information also applies if the data is collected from third parties.
The data subject has to be informed before the PII is collected. If the data is not collected from the data subject, the data subject must be informed at the latest when the data is stored or if the data is not stored, on its first disclosure. The information does not have to be provided in a specific form. For evidentiary purposes, however, the information should be provided in writing or in another recordable form.
The draft of the revised DPA (see ‘Update and trends’) foresees that the FDPIC must be notified in case of unlawful processing or loss of personal data (see question 21). The data subject shall also be informed about unlawful processing or loss of personal data if it is necessary to protect his or her privacy or if the FDPIC so requests. Further, the data subject shall be informed about automated decisions (ie, decisions taken solely on the basis of automated data processing) that have legal consequences or significantly affect him or her, and – under certain circumstances – be given the opportunity to comment on such decisions and processed PII.
When is notice not required?
There are certain exceptions to this duty to inform, for example, if providing the information would result in the violation of overriding interests of third parties or if the data collection owner’s own overriding interests justify not informing the data subject (in the latter case this exception only applies if the PII is not shared with third parties).
If the PII has not been obtained directly from the data subject, but rather from a third party, the owner of the data collection must, nevertheless, provide the information stated above, except if:
Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?
See question 37 et seq.
Does the law impose standards in relation to the quality, currency and accuracy of PII?
Anyone who processes PII must ensure that the data is accurate and take all reasonable measures to ensure that PII, which, in view of the purpose of its collection is or has become incorrect or incomplete, is either corrected or destroyed.
Does the law restrict the amount of PII that may be held or the length of time it may be held?
Other than the general principle that processing of PII must be proportionate, there are no rules on amount or duration of its holding. According to this principle, processing may only be conducted in so far as it is necessary and fits the purpose for which PII is processed. The same applies to the duration. Accordingly, the permitted amount and duration must be assessed on a case-by-case basis.
Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?
According to the DPA, PII may only be processed for the purpose stated or evident at the time of collection or that is provided for by law.
If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?
Use of PII for other purposes than those stated or apparent at the time of collection or provided for by law constitutes a breach of a general principle of the DPA, which is only permissible in the case of appropriate justification (see question 11).
Security
What security obligations are imposed on PII owners and service providers that process PII on their behalf?
PII must be protected by appropriate technical and organisational measures against unauthorised processing. Anyone processing PII or providing a data communication network must ensure the protection against unauthorised access, the availability and the integrity of the data. In particular, the PII must be protected against the following risks:
The technical and organisational measures must be adequate and must be reviewed periodically. In particular, the following criteria must be taken into account:
In relation to automated data processing, the owner of the data collection must take the appropriate technical and organisational measures to achieve, in particular, the following goals:
The draft of the revised DPA (see ‘Update and trends’) foresees that appropriate measures shall be taken to avoid breaches of privacy (privacy by design) and data-protection-friendly presets shall be provided (privacy by default).
Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?
There is no general or sector-specific data security breach notification obligation under Swiss data protection law. As a rule, it would contravene the general principles of tort law to provide for an obligation of the violator to proactively inform the damaged person or persons. Nevertheless, the FDPIC has advised lawmakers to oblige providers of social networking sites to inform data subjects of data breaches.
The draft of the revised DPA (see ‘Update and trends’) foresees an explicit obligation of data breach notifications (see question 13).
Internal controls
Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?
The appointment of a data protection officer is not mandatory in Switzerland. However, the registration of data collections is not required if the owner of a data collection has appointed a data protection officer who independently monitors data protection compliance within the owner’s business organisation and maintains a list of data collections.
The data protection officer must have the necessary knowledge of:
The appointment of a data protection officer will only result in a release from the duty to register data collections if the FDPIC is notified of the appointment of a data protection officer. A list of the business organisations that have appointed a data protection officer is publicly accessible on the FDPIC’s website.
The data protection officer has two main duties. First, the data protection officer audits the processing of PII within the organisation and recommends corrective measures if he or she finds that the data protection regulations have been violated. He or she must not only assess compliance of the data processing with the data protection requirements on specific occasions, but also periodically. The auditing involves an assessment of whether the processes and systems for data processing fulfil the data protection requirements, and whether these processes and systems are in fact enforced in practice. If the data protection officer takes note of a violation of data protection regulations, he or she must recommend corrective measures to the responsible persons within the organisation and advise them on how to avoid such violations in the future. The data protection officer does not, however, need to have direct instruction rights.
Second, the data protection officer maintains a list of the data collections that would be subject to registration with the FDPIC. The list must be kept up to date. Unlike the data collections registered with the FDPIC, the internal data collections do not have to be maintained electronically nor must they be available online. However, they must be made available on request to the FDPIC and to data subjects.
The data protection officer must:
There is no particular protection against dismissal of the data protection officer. The data protection officer can be an employee of the data controller or an external person.
Are owners or processors of PII required to maintain any internal records or establish internal processes or documentation?
Although the owner of a data collection may have to provide available information about the source of collected data (see question 37), there is no obligation to actually keep the according records. However, if such information would be deleted upon receiving an inquiry by a data subject, this could be deemed to be breaching the principle of good faith.
The draft of the revised DPA (see ‘Update and trends’) foresees a record-keeping obligation for both controllers and processors.
Are there any obligations in relation to new processing operations?
In general, PII must be protected against unauthorised processing through adequate technical and organisational measures (see question 20); however, there is currently no obligation to carry out a privacy impact assessment.
The draft of the revised DPA (see ‘Update and trends’) foresees additional obligations in relation to new processing operations, such as appropriate measures to be taken to avoid breaches of privacy (privacy by design) and the carrying out of a privacy impact assessment under certain circumstances.
Registration and notification
Are PII owners or processors of PII required to register with the supervisory authority? Are there any exemptions?
The owner of a data collection that regularly processes sensitive PII or personality profiles, or regularly discloses PII to third parties, has the obligation to register such data collection with the FDPIC.
A data processor that transfers PII outside Switzerland is, under certain circumstances, obligated to notify the FDPIC of the data protection safeguards put in place.
The owner of a data collection is not required to register a data collection if:
What are the formalities for registration?
In the case of a registration obligation, the collection has to be registered before it is created and the FDPIC has to be informed by the owner of the data collection about:
The owner of the data collection is under the obligation to keep the data collection registration up to date. Online registration is possible at www.datareg.admin.ch. No fees are charged for registration of a data collection.
What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?
Private persons are, as owners of a data collection, subject to a fine of up to 10,000 Swiss francs if:
The draft of the revised DPA imposes fines of up to 250,000 Swiss francs in case of breach of certain duties under the DPA (such as information, notification and cooperation duties, compliance measures, etc), including the failure to make or maintain an entry on the register (see questions 4 and 46). In contrast to the preliminary draft, a negligent failure is no longer foreseen to be sanctioned.
On what grounds may the supervisory authority refuse to allow an entry on the register?
Swiss law does not provide for the FDPIC to refuse an entry on the register.
Is the register publicly available? How can it be accessed?
The database of data collections registered with the FDPIC is publicly available and can be accessed by anyone free of charge via the internet at www.datareg.admin.ch. On request, the FDPIC also provides paper extracts free of charge.
Does an entry on the register have any specific legal effect?
Registering a data collection with the FDPIC does not have additional legal effects.
Are there any other public transparency duties?
Other than the registration of a data collection or the notification to and publication by the FDPIC of the appointment of a data protection officer, as applicable (see questions 22 and 29 respectively), there are no public transparency duties under Swiss data protection law.
The appointment of a data protection officer results in a release from the duty to register data collections with the FDPIC, provided the FDPIC is notified of such an appointment. A list of the companies and organisations that have appointed a data protection officer is publicly accessible on the FDPIC’s website.
Transfer and disclosure of PII
How does the law regulate the transfer of PII to entities that provide outsourced processing services?
The processing of PII may be transferred to a third party if the transferor ensures that the third party will only process data in a way that the transferor is itself entitled to and if no statutory or contractual secrecy obligations prohibit the processing by third parties. The transferor must ensure that the third party will comply with the applicable data security standards.
Although this is not a statutory requirement, data processing should be outsourced to third parties by written agreement only. Such agreement will typically require the third party to process the PII solely for the purposes of, and only under the instructions of, the transferor.
Special rules may apply in regulated markets. Circular 2018/3 relating to outsourcing issued by the FINMA applies to banks and securities dealers with a registered office in Switzerland and Swiss branches of foreign banks and securities dealers, as well as insurance companies with a registered office in Switzerland and branches of foreign insurance companies requiring authorisation to commence business operations (initial authorisation) or authorisation for individual elements of the business plan (authorisation for changes). Before outsourcing a significant business area, these institutions must comply with the detailed measures set out in the circular, including:
With FINMA’s issuance of Circular 2018/3 (formerly Circular 2008/07), any references to data protection and customer-focused requirements (in particular with respect to comprehensive information duties and the extraordinary termination right) have been removed. Such aspects are now governed by the respective federal acts only.
Describe any specific restrictions on the disclosure of PII to other recipients.
For general requirements regarding disclosing of PII, sensitive PII and personality profiles, see questions 11 and 12. It should be noted that even the communication of PII between companies belonging to the same corporate group is deemed to be disclosure of PII to third parties. Only transmission to an outsourcing provider (see question 32 for requirements) does not constitute such disclosure.
Regularly disclosing information contained in a PII collection entails a registration obligation for such collections.
Is the transfer of PII outside the jurisdiction restricted?
PII may only be transferred outside Switzerland if the privacy of the data subject is not seriously endangered, in particular, due to the absence of legislation that guarantees adequate protection in the jurisdiction where the receiving party resides. The FDPIC has published on its website a list of jurisdictions that provide adequate data protection (www.edoeb.admin.ch/edoeb/en/home/data-protection/handel-und-wirtschaft/transborder-data-flows.html). The EEA countries and Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, Monaco, New Zealand and Uruguay are generally considered to provide an adequate level of data protection as regards PII of individuals (however, many do not with regard to PII of legal entities), while the laws of all other jurisdictions do not provide adequate data protection.
In the absence of legislation that guarantees adequate protection, PII may only be transferred outside Switzerland if:
Data transfer agreements or data transfer clauses are regularly used in practice. It is the responsibility of the data transferor to ensure that an agreement is concluded that sufficiently protects the rights of the data subjects. The data transferor is free to decide whether or not to make use of a standard form. The FDPIC provides a model data transfer agreement (owner of a data collection to a data processor), which can be accessed on its website. The model data transfer agreement is based on Swiss law and reflects to a large extent the standard contractual clauses of the European Commission for data transfers. Further, the FDPIC has pre-approved the European Commission’s standard contractual clauses for data transfers and the model contract of the Council of Europe as safeguards, which provide adequate data protection, although it is unclear whether they must be adapted to also cover PII of legal entities and the protection of personality profiles.
Another acceptable method for ensuring adequate data protection abroad is binding corporate rules (BCRs) that sufficiently ensure data protection in cross-border data flows within the same legal person or company, or between legal persons or companies that are under the same management. The owner of the data collection must notify the FDPIC of the BCRs. BCRs should address at a minimum the elements covered by the model data transfer agreement provided by the FDPIC.
The draft of the revised DPA (see question 46) foresees BCRs to be approved (not only notified to the FDPIC).
The US-Swiss Safe Harbor Framework, established in 2009, was considered to provide adequate protection for the transfer of personal data from Switzerland to the US. In its decision of 6 October 2015, the CJEU held that the US-EU Safe Harbor Framework does not provide adequate protection for the transfer of personal data abroad. Even though that decision only concerns the US-EU Safe Harbor Framework and is not directly applicable to Switzerland, the FDPIC declared that the US-Swiss Safe Harbor Framework can no longer be considered to provide adequate protection.
In February 2017, Switzerland and the US agreed on a new framework for the transfer of personal data from Switzerland to the US called the Swiss-US Privacy Shield, thereby replacing the US-Swiss Safe Harbor Framework. US companies processing personal data may self-certify to the Swiss-US Privacy Shield with the US Department of Commerce and thus publicly commit to comply with the new framework. Switzerland acknowledges that the level of protection of personal data for such certified US companies is adequate. As a result, Swiss companies are able to transfer personal data to those US business partners without the need to procure the consent of each data subject or to put additional measures in place.
Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?
As stated in question 34, PII may be transferred outside Switzerland to a jurisdiction that does not provide for adequate data protection based on safeguards that ensure adequate protection such as contractual clauses or binding corporate rules; however, the FDPIC must be notified of such safeguards. The FDPIC may, during a period of 30 days, review the safeguards, though the data transferor does not have to wait for the result of the FDPIC’s review or obtain approval. Moreover, if PII is transferred outside Switzerland on the basis of safeguards that have been pre-approved by the FDPIC (eg, the model data transfer agreement issued by him or her), the FDPIC only has to be informed about the fact that such safeguards form the basis of the data transfers.
If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?
In the case of service providers, onwards transfer is only permissible under the same conditions as the initial transfer abroad, otherwise, the owner of the data collection in Switzerland may be breaching DPA provisions. Accordingly, when transferring data abroad under a data transfer agreement, this point should be addressed explicitly (as, eg, the FDPIC’s model data transfer agreement does).
Rights of individuals
Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.
Any data subject may request information from the owner of a data collection as to whether PII concerning him or her is being processed (right of access). If this is the case, the data subject has the right to be informed about:
The owner of a data collection must generally comply with requests by a data subject and provide the requested information in writing within 30 days of the receipt of the request. If it is not possible to provide the information within such time period, the owner of the data collection must inform the data subject of the time period during which the information will be provided.
Moreover, a request may be refused, restricted or delayed if:
An access request must usually be processed free of charge. As an exception, the owner of the data collection may ask for an appropriate share of the costs incurred if:
The share of the costs may not exceed 300 Swiss francs. The data subject must be notified of the share of the costs before the information is provided and may withdraw his or her request within 10 days.
Do individuals have other substantive rights?
The DPA further provides for the following rights for data subjects:
Further, if it is impossible to demonstrate whether PII is accurate or inaccurate, the data subject may also request the entry of a suitable remark to be added to the particular piece of information or data.
Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?
Violations of the DPA may be asserted by the data subject in a civil action against the violator. The data subject may file claims for damages and reparation for moral damages or for the surrender of profits based on the violation of his or her privacy and may request that the rectification or destruction of the PII or the judgment be notified to third parties or be published.
Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?
In the case of a breach, the data subject must exercise these rights himself or herself through civil action. The FDPIC has no authority to enforce such individual rights on the data subject’s behalf (see question 2 for details on the FDPIC’s competences).
Exemptions, derogations and restrictions
Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.
The most important derogations, exclusions and limitations have been mentioned above. As previously stated, depending on the subject matter, there may be additional regulations applicable that can have significant impact on the general data protection rules, adding to them, modifying them or even exempting them from application.
Supervision
Can PII owners appeal against orders of the supervisory authority to the courts?
The FDPIC’s recommendations are non-binding; hence, there is no need for them to be reviewed by a judicial body. The judgments of the Federal Administrative Court, which may ensue when the owner of a data collection refuses to follow such a recommendation (see question 2), are, on the other hand, appealable to the Federal Supreme Court by both the FDPIC and the defendant.
Specific data processing
Describe any rules on the use of ‘cookies’ or equivalent technology.
The use of cookies is generally permissible, provided that the operator of the website (or other online service), which installs the cookie on the user’s computer (or other device) informs the user about:
There is no statutory requirement or judicial practice concerning the form of this information, but the prevailing view is that it is sufficient if the information is placed on a data protection page, a questions-and-answers page or a similar sub-page. The cookie banners or pop-ups that are now common on websites in other European countries appear to be dispensable under Swiss law, although this has not yet been tested in court.
Describe any rules on marketing by email, fax or telephone.
In 2007, Switzerland adopted a full consent opt-in regime with respect to unsolicited mass advertising by means of telecommunications (eg, email, SMS/MMS, fax or automated telephone calls). Under this regime, the sender of an unsolicited electronic mass advertisement must obtain the recipient’s prior consent to receive such advertising and must indicate in the advertisement the sender’s correct contact information and a cost-free and problem-free method of refusing further advertising. If a supplier collects PII relating to a customer in connection with a sales transaction, the supplier may use that data for mass advertising of similar products or services if the customer was given the option to refuse such advertising (opt out) at the time of sale. The law does not specify for how long the supplier may use customer data obtained through a sales transaction for mass advertising; a period of about one year from the time of sale seems adequate.
Describe any rules or regulator guidance on the use of cloud computing services.
There are no rules specifically applicable to cloud services. In general, personal data must be protected by appropriate technical and organisational measures against unauthorised processing regardless of where it is stored: anyone processing personal data must ensure its confidentiality against unauthorised access, its availability and its integrity (see question 20). Two further consequences follow for cloud services. First, the use of a cloud service constitutes outsourced processing if the personal data is not encrypted while stored in the cloud, that is, if the provider is able to read it (for the requirements in this regard, see question 32 et seq). Second, if the cloud servers are located outside Switzerland and the personal data is not encrypted during both transfer and storage, the use of the service also constitutes an international transfer of personal data (for the requirements in this regard, see question 34 et seq). In practice, encryption only removes the provider from the picture if the keys remain under the customer’s exclusive control; data the provider can decrypt is data the provider processes. Additionally, the FDPIC has issued a non-binding guide outlining the general risks and data protection requirements of using cloud services (www.edoeb.admin.ch/edoeb/en/home/data-protection/Internet_und_Computer/cloud-computing/guide-to-cloud-computing.html).
Update and trends
Are there any emerging trends or hot topics in international data protection in your jurisdiction?
The DPA is currently undergoing revision in order to uphold the EU adequacy decision for Switzerland and will presumably include provisions similar to those introduced in the EU through the GDPR. A draft of the revised DPA was published in September 2017. However, the draft is still subject to parliamentary debate and the final wording of the revised DPA therefore remains uncertain. The timing is not yet known, although it is currently expected that the revision will not enter into force before 2020.
© Copyright 2006 – 2022 Law Business Research