The processing of personal data is mainly regulated by the Federal Act on Data Protection of June 19, 1992 (DPA) and its ordinances, i.e., the Ordinance to the Federal Act on Data Protection (DPO) and the Ordinance on Data Protection Certification (ODPC).
In addition, the processing of personal data is further restricted by provisions in other laws, mainly with regard to the public sector and regulated markets.
It should be noted that the DPA has recently been subject to a substantial revision. On September 15, 2017, the Federal Council published the final draft and the dispatch to the Federal Parliament regarding the new DPA. In the summer of 2018, the revision was split into two parts. The first part relates to the implementation of the EU Directive 2016/680 in the context of the Schengen/Dublin treaty and has no immediate impact on data subjects (as it is generally limited to the federal authorities' competencies in the context of administrative and judicial assistance in criminal matters). This first part came into force on March 1, 2019.
The second part is the actual comprehensive revision of the DPA (based on the draft legislation of September 15, 2017). The detailed consultation in Parliament started in June 2018. On September 25, 2020, Parliament approved the final text of the revised law, and the referendum period expired on January 14, 2021. This concluded the legislative project to revise the DPA. In the aftermath, the corresponding implementing provisions of the DPO were also revised. A first draft of the revised DPO published by the Federal Council on June 23, 2021 met harsh criticism, in particular regarding far-reaching extensions of obligations which had no legal basis in the DPA. The Federal Council took note of this and redrafted some of the provisions. The final text was published by the Federal Council on August 31, 2022. The revised DPA and DPO as well as the revised ODPC will enter into force on September 1, 2023. It should be noted that the revised DPA does not provide for a transition period, but will become effective immediately upon its entry into force.
The revision of the DPA aims to strengthen data protection in general and to align the DPA with the requirements of the EU General Data Protection Regulation (GDPR), in order to facilitate compliance of Swiss companies with those aspects of the GDPR that are applicable to controllers or processors outside of the EU, and to ensure that the EU will continue to consider Switzerland as providing an adequate level of data protection. However, the revised DPA will still provide for certain deviations from the GDPR provisions, thus requiring certain "Swiss Add-Ons" in a number of areas.
Territorial scope
The current DPA's extraterritorial applicability is very limited and based on Swiss private international law. The revised DPA will, like the GDPR, have an extraterritorial scope and thus be applicable, for instance, to international companies with group entities in Switzerland or, under certain circumstances, to international companies even without such subsidiary in Switzerland based on doing business in Switzerland.
In addition, the revised DPA provides that private controllers domiciled abroad must designate a representative in Switzerland if they process personal data of data subjects in Switzerland and the data processing fulfils all of the following requirements:
- The data processing is connected to offering goods or services in Switzerland or to monitoring the behavior of data subjects in Switzerland.
- The processing is extensive.
- The processing is regular.
- The processing involves a high risk for the personality of the data subjects.
For civil claims, the Swiss conflict of law rules apply.
Definition of personal data
Personal data means all information relating to an identified or identifiable natural or legal person. It should be noted that data relating to legal entities falls within the scope of current Swiss data protection law, as opposed to the GDPR. However, the revised DPA will, like the GDPR, apply only to personal data pertaining to individuals.
Definition of sensitive personal data
Sensitive personal data is defined as data on:
- Religious, ideological, political or trade union related views or activities
- Health, the intimate sphere or racial or ethnic origin
- Social security measures
- Administrative or criminal proceedings and sanctions
The revised DPA provides that in addition genetic data and biometric data which unequivocally identifies a natural person be considered "sensitive personal data".
The current DPA defines "personality profiles" as collections of data that permit an assessment of essential characteristics of the personality of a natural person and assigns them the same level of protection as "sensitive personal data".
The revised DPA will replace the concept of "personality profiles" with the concept of "profiling", similar to that notion under the GDPR, with "high-risk profiling" (entailing a high risk to the personality or fundamental rights of the data subject) being subject to more stringent requirements similar to "sensitive personal data".
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
CH - 3003 Berne Switzerland
T +41 (0)58 462 43 95
F +41 (0)58 465 99 96
The FDPIC supervises federal and private bodies, advises and comments on the legal provisions on data protection and assists federal and cantonal authorities in the field of data protection.
The FDPIC informs the public about his findings and recommendations, and maintains and publishes the register for data files.
Under the revised DPA the FDPIC's supervisory powers will be extended.
Under the current DPA the processing of personal data by private persons does not usually have to be notified to or registered with the FDPIC. However, private persons must register their data files before the data files are opened, if:
- They regularly process sensitive personal data or personality profiles, or
- They regularly disclose personal data to third parties;
...and if none of the following exemptions applies:
- The data is processed pursuant to a statutory obligation.
- The Swiss Federal Council has exempted the particular processing from the registration requirement because it does not prejudice the rights of the data subjects (which the Swiss Federal Council has done in the DPO, inter alia, regarding data files from suppliers or customers, provided they do not contain any sensitive personal data or personality profiles).
- The data controller uses the data exclusively for publication in the edited section of a periodically published medium and does not pass on any data to third parties without informing the data subjects.
- The data is processed by journalists who use the data file exclusively as a personal work aid.
- The data controller has designated a data protection officer who independently monitors internal compliance with data protection regulations and maintains a list of the data files.
- The data controller has acquired a data protection quality mark under a certification procedure and has notified the FDPIC of the result of the evaluation.
Under the revised DPA, this obligation no longer exists. Rather, the revised DPA provides for a general duty for controllers and processors to maintain a list of processing activities with certain minimal information, whereby the revised DPO provides for certain exceptions for companies with fewer than 250 employees as well as for natural persons, provided they neither process sensitive personal data on a broad scale nor conduct high-risk profiling.
There is no requirement under the current and the revised Swiss data protection law to appoint a data protection officer.
However, under the current law a data controller can be dispensed from registering its data files if it has designated a data protection officer who:
- Carries out his / her duties autonomously and independently
- Has a certain level of expertise that is appropriate for the relevant data processing at the company (whereas it is not relevant whether or not the respective expertise was acquired in Switzerland)
- Must check and audit the processing of personal data within the company
- Must be in a position to recommend corrective measures when detecting any breaches of applicable data protection rules
- Must have access to all data files and all data processing within the company as well as to all other information that he/she requires to fulfill his/her duties
- Must maintain records of all data files controlled by the company and provide this list to the FDPIC or affected data subjects upon request, and
- May not carry out any other activities that are incompatible with his/her duties as data protection officer
The data controller must notify the FDPIC of the appointment of a data protection officer and thereupon such data controller will be listed on the public list of companies exempt from the requirement to register their data files.
The revised DPA also provides that controllers have the option to appoint a data protection officer as a contact point for the data subjects and the competent data protection authorities. A data protection officer's main tasks would be to train and advise private controllers in data protection matters and to participate in the enforcement of data protection regulations. Also, the contact data of a data protection officer may be published and notified to the FDPIC. In such case, the controller has no obligation to consult with the FDPIC in the event that a data protection impact assessment indicates a significant risk to the personality or the fundamental rights of the data subject.
Data Processing Principles
The following principles apply to the collection and processing of personal data (while under current law personal data of legal entities is included, the revised DPA will apply only to personal data pertaining to individuals):
- Personal data may only be processed lawfully, in good faith and according to the principle of proportionality. In addition, the revised DPA introduces the concepts of privacy by design and default.
- The collection of personal data and, in particular, the purpose of its processing must be evident to the data subject. In addition, the revised DPA explicitly introduces the following duties on data controllers:
  - Duty to inform the data subject on the collection of personal data, similar to that under the GDPR, with the list of minimum information being shorter (however providing for information on the countries of processing), but drafted more openly with a non-exhaustive list of minimum information;
  - Under certain circumstances, the duty to inform the data subject on decisions based solely on automated processing that have legal consequences or a significant impact on the data subject (automated individual decision).
- Personal data should only be processed for a purpose that is indicated or agreed at the time of collection, evident from the circumstances at the time of collection, or provided for by law.
- The data controller and any processor must ensure that the data processed is accurate. Personal data must not be transferred abroad if the privacy of the data subject may be seriously endangered (see below).
- Personal data must be protected from unauthorized processing by appropriate technical and organizational measures.
- Personal data must not be processed against the explicit will of the data subject, unless this is justified by:
  - An overriding private or public interest, or
  - Law, and
- Sensitive personal data or personality profiles must not be disclosed to a third party, unless this is justified by:
  - The consent of the data subject (which must be given expressly in addition to being voluntary and based on adequate information),
  - An overriding private or public interest, or
  - Law.
Whilst the current DPA does not provide for a formal duty to conduct a data protection impact assessment, the revised DPA introduces such formal obligation if the processing may constitute a high risk for the personality or the fundamental rights of the data subject (particularly when new technologies are used) and also defines specific cases where a data protection impact assessment is necessary, including in the event of processing sensitive personal data on a broad scale and systematic surveillance of extensive public areas. The FDPIC generally needs to be notified if the data protection impact assessment shows that the processing presents a high risk for the personality or fundamental rights of the data subject despite the measures envisaged by the controller.
Rights of the Data Subject
Data subjects enjoy certain rights to control the processing of their personal data:
Right of access
A data subject is generally entitled to request access to, and obtain a copy of, his or her personal data that is contained in a "data file" (or, under the revised DPA, that is being processed), together with prescribed information on the identity and contact details of the controller, the source of the data, the purpose of, and if applicable the legal basis for, the processing as well as the categories of personal data processed, the other parties involved with the file and the data recipients. The revised DPA requires additionally that the period of storage of personal data (or the criteria used to determine such period) and, if applicable, the existence of an automated individual decision as well as the logic on which the decision is based is provided to the data subject. There are certain exceptions, e.g. a data controller may invoke its own overriding interests, however only if it does not disclose the personal data to third parties (whereby companies controlled by the same legal entity are not considered third parties under the revised DPA).
Right to rectify / Right to erasure / Right to restriction of processing / Right to object
Data subjects may generally require inaccurate or incomplete personal data to be corrected or complemented. In addition, the above-mentioned rights may arise from the general data protection principles, in particular the principle of proportionality (i.e. the data must only be processed to the extent and as long it is required to achieve the legitimate processing purpose). The revised DPA explicitly states that data must be erased or anonymized once it is no longer required to achieve the processing purpose.
Right to data portability
Whilst current data protection law does not explicitly provide for any right to data portability, the revised DPA introduces such a right, similar to that in the GDPR.
Personal data may be transferred outside Switzerland if the destination country offers an adequate level of data protection. The FDPIC maintains and publishes a non-binding list of such countries (the revised DPA provides for binding adequacy decisions by the Federal Council). It should be noted that, under Swiss data protection law, remote access to data residing in Switzerland from outside of Switzerland is considered a transfer / disclosure abroad.
The FDPIC deems the data protection legislation of all EU and EEA countries to be adequate with regard to personal data of individuals. With regard to personal data of legal entities, this is not the case, as pursuant to the corresponding list of "safe countries" published by the FDPIC (which is, however, neither binding nor exhaustive) only the data protection law of Argentina covers personal data pertaining to legal entities as well (regarding legal entities domiciled in Argentina) and is thus deemed to provide an adequate level of data protection.
In the absence of legislation that guarantees adequate protection, personal data pertaining to individuals or, under current Swiss data protection law, to legal entities, may be disclosed abroad only if at least one of the following conditions is fulfilled:
- Sufficient safeguards, such as data transfer agreements or other contractual clauses, ensure an adequate level of protection abroad. Under the current DPA, data transfer agreements or other contractual clauses must be notified and submitted for approval to the FDPIC, whereas mere information will suffice if model clauses acknowledged by the FDPIC are used, such as the EU Standard Contractual Clauses ("SCC") with the necessary amendments for Switzerland. On June 4, 2021, the European Commission issued new SCC. According to the FDPIC, these new SCC can also be used to safeguard cross-border data transfers from Switzerland to countries without an adequate level of data protection, provided they are (slightly) amended to comply with the DPA. "Old" safeguards based on the former SCC may no longer be used and, as of January 1, 2023, have to be replaced by safeguards based on the new SCC, with the necessary amendments for Switzerland. Under the revised DPA, the FDPIC will no longer have to be notified about the implementation of SCC, to the extent he has previously approved, issued or recognized the corresponding model clauses. Safeguards based on the new EU SCC (amended for Switzerland) will thus no longer have to be notified under the revised DPA. Other safeguards will still have to be notified under the revised DPA (but no longer require prior approval of the FDPIC).
- Binding corporate rules that ensure an adequate level of data protection in cross-border data flows within a single legal entity or a group of affiliated companies. Such rules must be notified and submitted for approval to the FDPIC.
- The data subject consents to the particular data export (consent must be given for each individual case or, according to legal doctrine and practice, for a number of cases under the same specific circumstances, e.g., data export for certain specifically defined purposes; in contrast, a generic consent which does not further specify the circumstances under which data is disclosed is not sufficient). The revised DPA provides that the consent must be explicit.
- The processing is directly connected with the conclusion or performance of a contract with the data subject.
- The disclosure is essential in order to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal rights before the courts (the revised DPA extends the derogations to include the establishment, exercise or enforcement of legal rights before other competent foreign authorities, i.e. not necessarily courts).
- The disclosure is required in order to protect the life or the physical integrity of the data subject (or, under the revised DPA, of a third party).
- The data subject has made the personal data publicly accessible and has not expressly prohibited its processing.
- Finally, and only introduced under the revised DPA, the data originates from a register provided for by law which is accessible to the public or to persons with a legitimate interest, provided that the legal conditions for the consultation are met in the specific case.
Under the current DPA, only the violation of the notification obligation relating to safeguards for cross-border transfers is subject to sanctions, whereas under the revised DPA, violations of the obligations regarding cross-border transfers of personal data themselves will be subject to sanctions.
Regarding cross-border data transfers to the US, it is to be noted that the Swiss-US Privacy Shield is no longer considered a sufficient measure: According to the FDPIC's position paper of September 8, 2020, the Swiss-US Privacy Shield regime does not provide an adequate level of protection for data transfers from Switzerland to the US pursuant to the DPA. The FDPIC has thus followed the ECJ decision (regarding the inadequacy of the EU-US Privacy Shield) for the Swiss-US Privacy Shield as well. It should be noted that the US issued an Executive Order on October 7, 2022 that establishes one building block of the new "EU-US Data Privacy Framework" (as successor of the EU-US Privacy Shield). The second building block is the recognition of the Executive Order by the EU. So far, the EU Commission published the draft of a corresponding adequacy decision in December 2022, on which the European Data Protection Board ("EDPB") may now give an opinion within six months. While neither the US Executive Order nor an adequacy decision by the EU directly impacts data transfers from Switzerland to the US, the FDPIC has taken note of these developments. It may be anticipated that the FDPIC will aim at establishing a similar framework.
The data controller and any processor must take adequate technical and organizational measures to protect personal data against unauthorized processing and ensure its confidentiality, availability and integrity. In particular, personal data must be protected against the following risks:
- Unauthorized or accidental destruction
- Accidental loss
- Technical errors
- Forgery, theft or unlawful use
- Unauthorized altering, copying, accessing or other unauthorized processing
The technical and organizational measures must be appropriate, in particular with regard to the purposes of the data processing, the scope and manner of the data processing, the risks for the data subjects and the current technological standards. The current DPO sets out these requirements in more detail. The revised DPO will hold on to these and impose additional requirements.
Under the revised DPA, willful violations of the minimum data security requirements (which, however, are only defined generally in the revised DPO) will be subject to sanctions.
The current DPA does not impose an explicit statutory requirement to notify the FDPIC or the affected data subjects of data security breaches. However, depending on the scale and severity of a breach, a notification of the data subjects may be necessary based on the data controller's and processor's obligation to ensure data security (to avoid further damage), the principle of good faith or pursuant to contractual obligations.
The revised DPA introduces the obligation to notify the FDPIC of a data security breach, i.e. a security breach which leads to an unintentional or unlawful loss, deletion, destruction or modification of personal data or to personal data being disclosed or made accessible to unauthorized persons. However, a breach only has to be notified if it is probable to result in a high risk to the personality rights or the fundamental rights of the data subject. The notification has to occur as soon as possible (i.e., unlike the GDPR, there is no strict time frame of 72 hours). In addition, a formal obligation to notify the data subject exists under the revised DPA in case that such notification is necessary to protect the data subject's interests or if the FDPIC so requests. The revised DPO sets out the information the notification has to include.
Investigations by the FDPIC
Under current data protection law the FDPIC does not have specific direct powers to enforce the DPA. He may investigate cases on his own initiative or at the request of a third party and may issue recommendations that a specific data processing practice be changed or abandoned. If the FDPIC's recommendation is not complied with, he may refer the matter to the Swiss Federal Administrative Court for a decision.
For example, in a proceeding that concluded with a final report on August 4, 2021, the FDPIC addressed privacy concerns regarding a contact tracing app for restaurants and other venues which had been developed by a private company in the context of the COVID-19 pandemic. The FDPIC identified numerous shortcomings regarding the tracing app, such as organizational and technical deficiencies. His investigation also revealed that the company granted authorities of two cantons direct access to the central database, making it available for almost any person-related queries, thereby violating the principle of proportionality. As a result, personal data was (allegedly) processed for purposes other than those initially intended. Further privacy concerns related to the completeness of the information provided to users, the transfer of telephone numbers to the US as part of the number verification process, and the configuration of the platform on which the central database was located.
After a lengthy procedure, the FDPIC issued ten recommendations, the majority of which were accepted and implemented by the company in question. Some of the deficiencies were initially disputed, but later acknowledged and, according to the company's own statement, resolved. The FDPIC reserved the right to verify the implementation of his recommendations as part of follow-up inspections. To the extent that his recommendations were not fully acknowledged by the company, the FDPIC has also reserved the right to conduct follow-up checks and, if necessary, to bring an action before the Federal Administrative Court, which could then issue a (legally binding) decision.
The revised DPA will extend the FDPIC's supervisory powers: In particular, the FDPIC may under certain conditions initiate an investigation against a federal body or a private person and will have the authority to directly issue orders and warnings. With regard to the above-mentioned investigation regarding the contact tracing app, the revised DPA would allow the FDPIC, for example, to directly order that certain data processing activities be adjusted, suspended or terminated, without having to first issue (non-binding) recommendations only and then, to the extent necessary, involve the Federal Administrative Court.
Sanctions
The current DPA provides for criminal liability and fines of up to CHF 10,000 if a private person intentionally fails to comply with the following obligations under the DPA:
- Duty to provide information when collecting sensitive data and personality profiles,
- Duty to safeguard the data subject’s right to information,
- Obligation to notify the FDPIC with regard to contractual clauses or binding corporate rules in connection with data transfers abroad,
- Obligation to register data files, or
- Duty to cooperate in an FDPIC investigation.
Furthermore, the DPA provides for criminal liability and fines of up to CHF 10,000 if a private person willfully discloses confidential, sensitive personal data or personality profiles that have come to his or her knowledge in the course of his or her professional activities, where such activities require the knowledge of such data, or in the course of his or her activities for a person bound by professional secrecy obligations or in the course of training with such a person.
Criminal proceedings must be initiated by the competent cantonal prosecution authority.
Under the revised DPA a number of violations of the DPA or lack of cooperation with the FDPIC can result in criminal fines of up to CHF 250,000 against responsible individuals (acting intentionally).
Finally, under Swiss civil law the data subject may apply for injunctive relief and may file a claim for damages as well as satisfaction and/or surrender of profits based on the infringement of his/her privacy.
Electronic marketing practices must comply with the provisions of the Swiss Federal Act against Unfair Competition (UCA).
With regard to the sending of unsolicited automated mass advertisements (which, in addition to emails, includes SMS, automated calls and fax messages), the UCA generally requires prior consent by the recipient, i.e., 'opt-in'. As an exception, mass advertisements may be sent without the consent of the recipient:
- If the sender received the contact information in the course of a sale of his / her products or services,
- If the recipient was given the opportunity to refuse the use of his / her contact information upon collection (opt-out), and
- If the mass advertising relates to similar products or services of the sender.
In addition, mass advertising emails must contain the sender’s correct name, address and email contact and must provide for an easy-access and free of charge 'opt-out' from receiving future advertisements.
The UCA generally applies to business-consumer relationships as well as to business-business relationships, i.e., mass advertisements sent to individuals and to corporations are subject to the same rules.
Direct marketing by telephone is not per se impermissible in Switzerland as long as it is not done in an aggressive way (e.g., by repeatedly calling the same person). However, the UCA prohibits direct marketing by telephone:
- if the recipient is not listed in the Swiss telephone directory or if the recipient is listed in the Swiss telephone directory, but has indicated that he/she does not wish to receive advertising from persons with whom he/she has no business relationship; or
- if the caller is not calling from a telephone number that (i) is listed in the Swiss telephone directory, (ii) is shown when calling, and (iii) he/she is entitled to use.
In order to enforce the above criteria, the UCA not only sanctions the violation of these principles, but also the use of information that has been obtained in violation thereof (e.g. someone using the information obtained from non-compliant call centers). An intentional violation can be sanctioned with a custodial sentence of up to three years or a monetary penalty.
In addition to the rules of the UCA, the general data protection principles under the DPA also apply with regard to electronic marketing activities, e.g., the collection and maintenance of email addresses or processing of any other personal data.
The processing of personal data in the context of online services is subject to the general rules pertaining to the collection of personal data under the DPA. In addition, certain aspects of online privacy are covered by other regulations, such as the use of cookies which is also subject to the Swiss Telecommunications Act (TCA).
Under the TCA, the use of cookies is considered to be processing of data on external equipment, e.g., another person’s computer. Such processing is only permitted if users are informed about the processing and its purpose as well as about the means to refuse the processing, e.g., by configuring their web browser to reject cookies.
In addition, the general rules under the DPA apply where cookies collect data related to persons who are identified or identifiable, i.e., personal data. The collection of personal data through cookies as well as the purpose of such a collection must be evident to the data subject. The personal data collected may only be processed for the purpose:
- Indicated at the time of collection,
- That is evident from the circumstances, or
- That is provided for by law.
Where the personal data collected through a cookie is:
- Considered sensitive data, e.g., data regarding religious, ideological, political views or activities, or
- So comprehensive that it forms a personality profile, i.e., permits an assessment of essential characteristics of the personality of a person, or (under the revised DPA) is considered resulting from high-risk profiling
the stricter rules pertaining to the processing of sensitive personal data are applicable. These stricter rules provide, inter alia, that the data subject must be informed of:
- The identity of the data controller
- The purpose of data processing, and
- The categories of data recipients if the data shall be disclosed to third parties.
The revised DPA will contain a number of information obligations the violation of which will be subject to sanctions. Furthermore, in relation to the processing of sensitive personal data or personality profiles, or (under the revised DPA) in relation to high-risk profiling implied consent is not sufficient; consent must be given expressly.