DLA Piper Intelligence

Data Protection
Laws of the World

Law

Switzerland

The processing of personal data is mainly regulated by the Federal Act on Data Protection of 19 June 1992 (‘DPA’) and its ordinances, ie the Ordinance to the Federal Act on Data Protection (‘DPO’) and the Ordinance on Data Protection Certification (‘ODPC’).

In addition, the processing of personal data is further restricted by provisions in other laws, mainly with regard to the public sector and regulated markets.

It should be noted that a substantial revision of the DPA has just been initiated, the implementation of which is, however, not to be expected before 2018. The revision of the DPA aims to strengthen data protection in general and to align the Swiss DPA with the requirements of the EU General Data Protection Regulation ("GDPR"), in order to facilitate compliance of Swiss companies with those aspects of the GDPR that are applicable to controllers or processors outside of the EU.

Last modified 26 Jan 2017
Definitions

Definition of personal data

Personal data means all information relating to an identified or identifiable natural or legal person. It should be noted that data relating to legal entities falls within the scope of Swiss data protection law, unlike under most EU member states' data protection laws. The ongoing revision proposes to exempt data regarding legal entities from the scope of the DPA, but it is as yet unclear whether this proposal will be accepted.

Definition of sensitive personal data

Sensitive personal data is defined as data on:

  • religious, ideological, political or trade union related views or activities
  • health, the intimate sphere or racial origin
  • social security measures, and
  • administrative or criminal proceedings and sanctions.

‘Personality profiles’ are protected to the same extent under the DPA as sensitive personal data. Personality profiles are collections of data that allow the appraisal of essential characteristics of the personality of an individual.

Authority

Federal Data Protection and Information Commissioner ('FDPIC')

Feldeggweg 1
CH 3003 Berne
Switzerland

T +41 (0)58 462 43 95
F +41 (0)58 465 99 96

The FDPIC supervises federal and private bodies, advises and comments on the legal provisions on data protection and assists federal and cantonal authorities in the field of data protection.

The FDPIC informs the public about his findings and recommendations, and maintains and publishes the register for data files.

Registration

Private persons do not generally need to notify or register their processing of personal data. However, private persons must register their data files with the FDPIC before the data files are opened if:

  • they regularly process sensitive personal data or personality profiles, or

  • they regularly disclose personal data to third parties,

and if none of the following exemptions applies:

  • the data is processed pursuant to a statutory obligation

  • the Swiss Federal Council has exempted the particular processing from the registration requirement because it does not prejudice the rights of the data subjects (which the Swiss Federal Council has done in the DPO, inter alia, for data files on suppliers or customers, provided they do not contain any sensitive personal data or personality profiles)

  • the data controller uses the data exclusively for publication in the edited section of a periodically published medium and does not pass on any data to third parties without informing the data subjects

  • the data is processed by journalists who use the data file exclusively as a personal work aid

  • the data controller has designated a data protection officer who independently monitors internal compliance with data protection regulations and maintains a list of the data files, or

  • the data controller has acquired a data protection quality mark under a certification procedure according to Article 11 DPA and has notified the FDPIC of the result of the evaluation.
Data Protection Officers

There is no requirement under Swiss data protection law to appoint a data protection officer.

However, a data controller is exempt from registering its data files if it has designated a data protection officer who:

  • carries out his/her duties autonomously and independently

  • has a level of expertise appropriate to the data processing carried out at the company (it is not relevant whether that expertise was acquired in Switzerland)

  • checks and audits the processing of personal data within the company

  • is in a position to recommend corrective measures on detecting any breach of the applicable data protection rules

  • has access to all data files and all data processing within the company, as well as to any other information he/she requires to fulfil his/her duties

  • maintains a list of all data files controlled by the company and provides it to the FDPIC or affected data subjects upon request, and

  • does not carry out any other activities that are incompatible with his/her duties as data protection officer.

The data controller must notify the FDPIC of the appointment of a data protection officer and thereupon such data controller will be listed on the public list of companies exempt from the requirement to register their data files.

Collection & Processing

The following principles apply to the collection and processing of personal data (including data of legal entities):

  • personal data may only be processed lawfully, in good faith and according to the principle of proportionality
     
  • the collection of personal data and, in particular, the purpose of its processing must be evident to the data subject
     
  • personal data should only be processed for a purpose that is indicated or agreed at the time of collection, evident from the circumstances at the time of collection, or provided for by law
     
  • the data controller and any processor must ensure that the data processed is accurate
     
  • personal data must not be transferred abroad if the privacy of the data subject may be seriously endangered (see below)
     
  • personal data must be protected from unauthorised processing by appropriate technical and organisational measures
     
  • personal data must not be processed against the explicit will of the data subject, unless this is justified by:
     
    • an overriding private or public interest, or
       
    • law, and
       
  • sensitive personal data or personality profiles must not be disclosed to a third party, unless this is justified by:

    • the consent of the data subject (which must be given expressly in addition to being voluntary and based on adequate information)
       
    • an overriding private or public interest, or
       
    • law.
Transfer

Personal data may be transferred outside Switzerland if the destination country offers an adequate level of data protection. The FDPIC maintains and publishes a list of such countries. It should be noted that under Swiss data protection law, remote access from outside of Switzerland is considered a transfer/disclosure abroad.

The FDPIC deems the data protection legislation of all EU and EEA countries to be adequate with regard to personal data of individuals. With regard to personal data of legal entities, only a few EU or EEA countries, such as Austria and Liechtenstein, are deemed to provide an adequate level of data protection.

In the absence of legislation that guarantees adequate protection, personal data may be disclosed abroad only if at least one of the following conditions is fulfilled:

  • Sufficient safeguards, such as data transfer agreements or other contractual clauses, ensure an adequate level of protection abroad. Such data transfer agreements or other contractual clauses must be notified and submitted to the FDPIC, whereas simply informing the FDPIC is sufficient if model clauses approved by the FDPIC (such as the EU Standard Contractual Clauses for Controller-to-Controller or Controller-to-Processor Transfers) are used.
  • For transfers to the USA based on data transfer agreements or other contractual clauses, the following two additional requirements must be complied with according to guidance issued by the FDPIC:

    • data subjects must be informed that their data is being transferred to the USA and that there is a possibility that the authorities there may access them; and

    • the contractual parties shall undertake to support affected data subjects to exercise their rights vis-à-vis foreign authorities in any way possible.

  • Please note that following the judgment of the Court of Justice of the European Union of 6 October 2015 in the Schrems case (C-362/14), the FDPIC declared that it deems the US-Swiss Safe Harbor Framework (which mirrored the US-EU Safe Harbor Framework) inadequate to guarantee adequate protection of personal data and amended his list of countries with adequate data protection legislation, listing the US among the countries without adequate legislation, even if the transferee is certified under the US-Swiss Safe Harbor Framework. On 11 January 2017, the Swiss Federal Council announced that it had reached an agreement with the US to replace the US-Swiss Safe Harbor Framework for transferring personal data from Switzerland to the US. The new agreement, the so-called Swiss-US Privacy Shield, is "modeled on" and aligns with its EU counterpart, the EU-US Privacy Shield. US companies that process data can be certified under the Swiss-US Privacy Shield regime and thereby make themselves subject to its rules. Accordingly, the FDPIC has once again amended his list of countries with adequate data protection legislation, now listing the US among the countries with adequate legislation if the transferee is certified under the Swiss-US Privacy Shield. It is expected that the US Department of Commerce will start accepting self-certification applications for the Swiss-US Privacy Shield by 12 April 2017. Certification under the EU-US Privacy Shield does not by itself entail certification under the Swiss-US Privacy Shield.

  • Binding corporate rules that ensure an adequate level of data protection in cross border data flows within a single legal entity or a group of affiliated companies. Such rules must be notified to the FDPIC.
     
  • The data subject consents to the particular data export (consent must be given for each individual case; a generic consent is not sufficient)
     
  • The processing is directly connected with the conclusion or performance of a contract with the data subject
     
  • The disclosure is essential in order to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal rights before the courts
     
  • The disclosure is required in order to protect the life or the physical integrity of the data subject, or the data subject has made the personal data publicly accessible and has not expressly prohibited its processing.
Security

The data controller and any processor must take adequate technical and organisational measures to protect personal data against unauthorised processing and ensure its confidentiality, availability and integrity. In particular, personal data must be protected against the following risks:

  • unauthorised or accidental destruction
     
  • accidental loss
     
  • technical errors
     
  • forgery, theft or unlawful use, and
     
  • unauthorised altering, copying, accessing or other unauthorised processing.

The technical and organisational measures must be appropriate, in particular with regard to the purposes of the data processing, the scope and manner of the data processing, the risks for the data subjects and the current technological standards. The DPO sets out these requirements in more detail.

Breach Notification

There is no explicit statutory requirement to notify the FDPIC or the affected data subjects of data security breaches under the DPA. However, depending on the scale and severity of a breach, a notification of the data subjects may be necessary based on the data controller and processor's obligation to ensure data security (to avoid further damage), the principle of good faith or pursuant to contractual obligations.

Enforcement

The FDPIC does not have specific direct powers to enforce the DPA. He may investigate cases on his own initiative or at the request of a third party and may issue recommendations that a specific data processing practice be changed or abandoned. If the FDPIC’s recommendation is not complied with, he may refer the matter to the Swiss Federal Administrative Court for a decision.

Furthermore, the DPA provides for criminal liability and fines of up to CHF 10,000 if a private person intentionally fails to comply with the following obligations under the DPA:

  • duty to provide information when collecting sensitive data and personality profiles
     
  • duty to safeguard the data subject’s right to information
     
  • obligation to notify the FDPIC with regard to contractual clauses or binding corporate rules in connection with the data transfers abroad
     
  • obligation to register data files, or
     
  • duty to cooperate in an FDPIC investigation.

Criminal proceedings must be initiated by the competent cantonal prosecution authority.

Finally, under Swiss civil law the data subject may apply for injunctive relief and may file a claim for damages as well as satisfaction and/or surrender of profits based on the infringement of its privacy.

Electronic Marketing

Electronic marketing practices must comply with the provisions of the Swiss Federal Act against Unfair Competition ('UCA').

With regard to the sending of unsolicited automated mass advertising (which, in addition to emails, includes SMS, automated calls and fax messages), the UCA generally requires the prior consent of the recipient, ie 'opt-in'. As an exception, mass advertising may be sent without the consent of the recipient:

  • if the sender received the contact information in the course of a sale of his products or services
  • if the recipient was given the opportunity to refuse the use of his/her contact information upon collection (opt-out), and
  • if the mass advertising relates to similar products or services of the sender.

In addition, mass advertising emails must contain the sender’s correct name, address and email contact and must provide for an easy-access and free of charge 'opt-out' from receiving future advertisements.

The UCA generally applies to business-consumer relationships as well as to business-business relationships, ie, mass advertisements sent to individuals and to corporations are subject to the same rules.

Direct marketing by telephone is lawful in Switzerland as long as it is not done in an aggressive way (eg by repeatedly calling the same person). However, the UCA prohibits direct marketing by telephone to people who do not wish to receive commercial communication and have expressed that wish (ie opted-out) by having their entry marked in the telephone books and online telephone registers (eg through an asterisk next to their name).

In addition to the rules of the UCA, the general data protection principles under the DPA also apply with regard to electronic marketing activities, eg the collection and maintenance of email addresses or processing of any other personal data.

Online Privacy

The processing of personal data in the context of online services is subject to the general rules pertaining to the collection of personal data under the DPA. In addition, certain aspects of online privacy are covered by other regulations, such as the use of cookies which is also subject to the Swiss Telecommunications Act ('TCA').

Under the TCA, the use of cookies is considered to be processing of data on external equipment, eg another person’s computer. Such processing is only permitted if users are informed about the processing and its purpose as well as about the means to refuse the processing, eg by configuring their web browser to reject cookies.

In addition, the general rules under the DPA apply where cookies collect data related to persons who are identified or identifiable, ie, personal data. The collection of personal data through cookies as well as the purpose of such a collection must be evident to the data subject. The personal data collected may only be processed for the purpose:

  • indicated at the time of collection
  • that is evident from the circumstances, or
  • that is provided for by law.

Where the personal data collected through a cookie is:

  • considered sensitive data, eg data regarding religious, ideological, political views or activities, or
  • so comprehensive that it forms a personality profile, ie permits an assessment of essential characteristics of the personality of a person

the stricter rules pertaining to the processing of sensitive personal data are applicable.

These stricter rules provide, inter alia, that the data subject must be informed of:

  • the identity of the data controller
  • the purpose of data processing, and
  • the categories of data recipients if the data shall be disclosed to third parties.

Further, in relation to the processing of sensitive personal data implied consent is not sufficient; consent must be given expressly.

Contacts

Christine Beusch-Liggenstorfer
Of Counsel/Attorney at Law
T +41 (0)44 215 5272

Nadin Schwibs
Senior Associate/Attorney at Law
T +41 (0)44 215 9335