Data protection in Switzerland: overview

A Q&A guide to data protection in Switzerland.

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.

To compare answers across multiple jurisdictions, visit the Data Protection Country Q&A tool.

This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.

Stéphanie Chuffart-Finsterwald, BCCC Attorneys-at-law LLC
Regulation

Legislation

1. What national laws regulate the collection and use of personal data?

General laws

At the federal level, the collection and use of personal data is regulated by the Federal Act on Data Protection (FADP) and its Ordinance, the Ordinance to the Federal Act on Data Protection (OFADP). Additionally, each of the 26 Swiss cantons has a cantonal data protection act, which regulates data processing by cantonal bodies.

A legislative review of the FADP is currently in preparation and a first project should be available in August 2016. The review aims to align the FADP with EU reforms and strengthen individuals' rights.

Sectoral laws

There is no specific sectoral data protection law in Switzerland. However, provisions applying to specific industries can be found in a number of laws, notably telecommunications, life sciences or banking laws.

 

Scope of legislation

2. To whom do the laws apply?

The Federal Act on Data Protection (FADP) and the Ordinance to the Federal Act on Data Protection apply to the processing of data pertaining to natural persons and legal persons by private persons (whether natural persons or legal entities) and federal bodies (Article 2, section 1, FADP).

Cantonal data protection acts apply to the processing of data by cantonal bodies (see Question 1).

 
3. What data is regulated?

The Federal Act on Data Protection (FADP) and the Ordinance to the Federal Act on Data Protection apply to personal data, that is, all information relating to an identified or identifiable person, whether natural or legal (Article 3(a) and (b), FADP).

 
4. What acts are regulated?

The Federal Act on Data Protection (FADP) and the Ordinance to the Federal Act on Data Protection apply to personal data processing, that is, any operation with personal data, irrespective of the means applied and the procedure, and in particular the (Article 3(e), FADP):

  • Collection of data.

  • Storage of data.

  • Use of data.

  • Revision of data.

  • Disclosure of data.

  • Archiving of data.

  • Destruction of data.

 
5. What is the jurisdictional scope of the rules?

According to the Swiss Private International Law Act (Article 139, sections 1 and 3), the Federal Act on Data Protection (FADP) and the Ordinance to the Federal Act on Data Protection apply if the:

  • Data subject has its habitual residence in Switzerland (providing the data processor can anticipate that damage may be sustained in Switzerland).

  • Data processor has its habitual residence or registered office in Switzerland.

  • Damage resulting from the data processing is sustained in Switzerland (providing again the data processor can anticipate that damage may be sustained in Switzerland).

 
6. What are the main exemptions (if any)?

The Federal Act on Data Protection (FADP) does not apply to (Article 2, section 2, FADP):

  • Personal data that is processed by a natural person exclusively for personal use and which is not disclosed to outsiders.

  • Deliberations of the Federal Assembly and in parliamentary committees.

  • Pending civil proceedings, criminal proceedings, international mutual assistance proceedings and proceedings under constitutional or under administrative law, with the exception of administrative proceedings of first instance.

  • Public registers based on private law.

  • Personal data processed by the International Committee of the Red Cross.

 

Notification

7. Is notification or registration required before processing data?

Under certain circumstances only, private persons must register data files in advance with the Federal Data Protection and Information Commissioner (FDPIC). Private persons must declare their data files if they regularly (Article 11a, section 3, Federal Act on Data Protection (FADP)):

  • Process sensitive personal data or personality profiles.

  • Disclose personal data to third parties.

The data files must be declared before they are opened (Article 11a, section 4, FADP). Registration is made by filing a form with the Commissioner. The form is available on the Commissioner's website (see below, Regulator details).

However, the controller of data files subject to the above conditions is not required to declare its files if (Article 11a, section 5, FADP):

  • Private persons are processing the data in terms of a statutory obligation.

  • The Federal Council has exempted the processing from the registration requirement because it does not prejudice the rights of the data subjects.

  • The data controller uses the data exclusively for publication in the edited section of a periodically published medium and does not pass on any data to third parties without informing the data subjects.

  • The data is processed by journalists who use the data file exclusively as a personal work aid.

  • The data controller has designated a data protection officer who independently monitors internal compliance with data protection regulations and maintains a list of the data files.

  • The data controller has acquired a data protection quality mark under a certification procedure and has notified the Commissioner of the result of the evaluation.

 

Main data protection rules and principles

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

The Federal Act on Data Protection (FADP) provides for numerous principles that regulate the processing of personal data, including (Article 4, FADP):

  • Personal data can only be processed lawfully.

  • Personal data processing must be carried out in good faith and must be proportionate.

  • Personal data must only be processed for the purpose indicated at the time of collection, that is evident from the circumstances, or that is provided for by law.

  • The collection of personal data and in particular the purpose of its processing must be evident to the data subject.

  • If the consent of the data subject is required for the processing of personal data, the consent is only valid if given voluntarily on the provision of adequate information. Additionally, consent must be given expressly for processing sensitive personal data or personality profiles.

For further information, see Question 11.

In addition, the FADP provides that anyone who processes personal data must ensure that it is correct (Article 5, FADP) and that personal data must be protected against unauthorised processing through adequate technical and organisational measures (Article 7, FADP).

 
9. Is the consent of data subjects required before processing personal data?

Consent must be given expressly in the case of the processing of sensitive personal data or personality profiles (Article 4, Federal Act on Data Protection (FADP)) (see Question 11).

Additionally, in the case of cross-border data disclosure in the absence of legislation that guarantees adequate protection, a data subject's consent can make the disclosure legal (Article 6, section 2 (b), FADP).

Informed online consent can suffice. As for consent by minors, no specific rule exists with respect to data protection and, therefore, the general civil rules on minors' capacity apply (Articles 17 to 19c, Civil Code).

If the consent of the data subject is required for the processing of personal data, such consent is only valid if given voluntarily and after adequate and clear information was provided (Article 4, section 5, FADP) (see Question 8).

 
10. If consent is not given, on what other grounds (if any) can processing be justified?

According to the Federal Act on Data Protection (FADP), in the absence of consent, personal data processing can be justified by an overriding private or public interest, or by law (Article 13, section 1, FADP).

Under the FADP, an overriding interest of the person processing the data is notably recognised if that person (Article 13, section 2, FADP):

  • Processes personal data in direct connection with the conclusion or the performance of a contract and the personal data is that of a contractual party.

  • Is or intends to be in commercial competition with another and for this purpose processes personal data without disclosing the data to third parties.

  • Processes data that is neither sensitive personal data nor a personality profile in order to verify the creditworthiness of another, and discloses such data to third parties only if the data is required for the conclusion or the performance of a contract with the data subject.

  • Processes personal data on a professional basis exclusively for publication in the edited section of a periodically published medium.

  • Processes personal data for purposes not relating to a specific person, in particular for the purposes of research, planning and statistics and publishes the results in such a manner that the data subjects may not be identified.

  • Collects data on a person of public interest, provided the data relates to the public activities of that person.

 

Special rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

Consent must be given expressly in the case of the processing of sensitive personal data or personality profiles (Article 4, Federal Act on Data Protection (FADP)) (see Question 9).

In addition, the disclosure of sensitive personal data or personality profiles to third parties without justification amounts to an unlawful breach of the data subjects' privacy (Article 12, FADP).

Sensitive personal data is defined as data related to the following (Article 3(c), FADP):

  • Religious, ideological, political or trade union-related views or activities.

  • Health, the intimate sphere or the racial origin.

  • Social security measures.

  • Administrative or criminal proceedings and sanctions.

A personality profile is defined as a collection of data that permits an assessment of essential characteristics of the personality of a natural person (Article 3(d), FADP).

 

Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?

If the data collection purpose is not evident from the circumstances or provided for by law, it must be indicated at the time of collection (Article 4, sections 3 and 4, Federal Act on Data Protection (FADP)).

For the collection of sensitive personal data or personality profiles, the controller of the data file must inform the data subject of the collection (Article 14, section 1, FADP). This duty to provide information also applies where the data is collected from third parties. In such case, the data subject must, as a minimum, be informed of the (Article 14, section 2, FADP):

  • Controller of the data file.

  • Purpose of the processing.

  • Categories of data recipients if a disclosure of data is planned.

 
13. What other specific rights are granted to data subjects?

Any person can ask the controller of a data file whether data concerning them is being processed (Article 8, section 1, Federal Act on Data Protection (FADP)). In such case, the controller of a data file must notify the data subject of (Article 8, section 2, FADP):

  • All available data concerning the subject in the data file, including the available information on the source of the data.

  • Purpose of and, if applicable, the legal basis for the processing, as well as the categories of the personal data processed, the other parties involved with the file and the data recipients.

The provisions on the right of access are detailed by the Ordinance to the Federal Act on Data Protection (OFADP) (Articles 1 and 2, OFADP).

Additionally, any data subject can request that incorrect data be corrected (Article 5, section 2, FADP).

 
14. Do data subjects have a right to request the deletion of their data?

If the data collection and/or data processing has been unlawful (that is, contrary to the Federal Act on Data Protection (FADP)), the data subject can request that the personal data be destroyed (Article 15, section 1, FADP).

Such unlawfulness includes a violation of the proportionality or purpose principles (Article 4, sections 2 and 3, FADP).

 

Security requirements

15. What security requirements are imposed in relation to personal data?

The Federal Act on Data Protection (FADP) provides that personal data must be protected against unauthorised processing through adequate technical and organisational measures (Article 7, section 1, FADP). The Ordinance to the Federal Act on Data Protection (OFADP) further details the security requirements imposed in relation to personal data (Articles 8 to 12, OFADP). In particular, the Ordinance provides that anyone who as a private individual processes personal data or provides a data communication network must protect the systems against (Article 8, section 1, OFADP):

  • Unauthorised or accidental destruction.

  • Accidental loss.

  • Technical faults.

  • Forgery, theft or unlawful use.

  • Unauthorised alteration, copying, access or other unauthorised processing.

 
16. Is there a requirement to notify personal data security breaches to data subjects or the national regulator?

A private person must register data files in advance with the Commissioner if they regularly (Article 11a, section 3, Federal Act on Data Protection (FADP)):

  • Process sensitive personal data or personality profiles.

  • Disclose personal data to third parties.

Additionally, personal data can only be processed for the purpose indicated at the time of collection, that is evident from the circumstances, or that is provided for by law, which presupposes some kind of notification during data collection (see Question 8).

 

Processing by third parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

Under the Federal Act on Data Protection (FADP), the processing of personal data may be assigned to third parties by agreement or by law if the (Article 10, section 1, FADP):

  • Data is processed only in the manner allowed for the instructing party itself.

  • The assignment is not prohibited by a statutory or contractual duty of confidentiality.

The instructing party must in particular ensure that the third party guarantees data security (Article 10a, section 2, FADP). For information regarding cross-border transfers to third parties, see Question 20, International transfer of data.

 

Electronic communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

The Federal Act on Data Protection (FADP) and the Ordinance to the Federal Act on Data Protection do not provide specific rules regarding the storage of cookies or equivalent devices on the data subject's terminal equipment.

If the cookies or equivalent devices contain personal data, they will nevertheless be subject to the FADP's principles (see Question 8).

 
19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?

The Federal Act on Data Protection (FADP) and the Ordinance to the Federal Act on Data Protection do not provide specific rules regarding the sending of unsolicited electronic commercial communications. Nevertheless, spam can be considered an act of unfair competition under the Swiss Unfair Competition Act (Article 30, Unfair Competition Act). Additionally, the Telecommunications Act provides that providers of telecommunications services must address unfair mass advertising (Article 45a, section 1, Telecommunications Act). Where a customer credibly shows in writing that he is the victim of nuisance calls or has received unfair mass advertising, the telecommunications service provider must supply him with the following information, provided it is available to it (Article 82, section 1, Ordinance on Telecommunications Services):

  • Date, time and duration of the calls or date and time of the message.

  • Addressing resources, names and addresses of the customers whose connections were used for the calls or from which the unfair mass advertising was sent.

 

International transfer of data

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

According to the Federal Act on Data Protection (FADP), personal data must not be disclosed abroad if the privacy of the data subjects would be seriously endangered, in particular due to the absence of legislation that guarantees adequate protection (Article 6, section 1, FADP).

The Federal Data Protection and Information Commissioner publishes a list of the states whose legislation ensures an adequate level of protection, which is available online (Article 7, Ordinance to the Federal Act on Data Protection). This list notably includes all EU countries (2 May 2016 version).

In the absence of legislation that guarantees adequate protection, personal data can be disclosed abroad only if (Article 6, section 2, FADP):

  • Sufficient safeguards, in particular contractual clauses, ensure an adequate level of protection abroad.

  • The data subject has consented in the specific case.

  • The processing is directly connected with the conclusion or the performance of a contract and the personal data is that of a contractual party.

  • Disclosure is essential in the specific case in order either to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal claims before the courts.

  • Disclosure is required in the specific case in order to protect the life or the physical integrity of the data subject.

  • The data subject has made the data generally accessible and has not expressly prohibited its processing.

  • Disclosure is made within the same legal person or company or between legal persons or companies that are under the same management, provided those involved are subject to data protection rules that ensure an adequate level of protection.

The Federal Data Protection and Information Commissioner must be informed of the safeguards implemented to ensure an adequate level of protection abroad (Article 6, section 3, FADP).

 
21. Is there a requirement to store any type of personal data inside the jurisdiction?

While the Federal Act on Data Protection and the Ordinance to the Federal Act on Data Protection do not contain a requirement to store personal data inside the jurisdiction, the storage of personal data in Switzerland can be required under some circumstances by banking and/or financial regulations.

 

Data transfer agreements

22. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

Certain data transmissions abroad must be notified to the Federal Data Protection and Information Commissioner and, under certain circumstances, transmission is only allowed after concluding a special agreement (see Question 20). Data transfer agreements are in use in Switzerland and templates based on the Council of Europe's model contract are available on the Federal Data Protection and Information Commissioner's website.

 
23. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

Additional requirements, such as the need to obtain consent, must be satisfied in particular circumstances, for example in the case of sensitive personal data or personality profiles (Article 4, Federal Act on Data Protection).

 
24. Does the relevant national regulator need to approve the data transfer agreement?

The Federal Act on Data Protection (FADP) provides that the Federal Data Protection and Information Commissioner must be informed of data transfer agreements (Article 6, section 3, FADP). The Ordinance to the Federal Act on Data Protection (OFADP) regulates the details of this duty to provide information. In particular, the Commissioner assesses the safeguards and the data protection rules that have been submitted to him and notifies the data file's controller of the result of his examination within 30 days of receipt of the information (Article 6, section 5, OFADP).

 

Enforcement and sanctions

25. What are the enforcement powers of the national regulator?

The Federal Data Protection and Information Commissioner supervises compliance by federal bodies with the Federal Act on Data Protection (FADP) and other federal data protection regulations of Switzerland (Article 27, section 1, FADP). The Commissioner investigates cases either on his own initiative or at the request of a third party (Article 27, section 2, FADP). He can request the production of files, obtain information and arrange for processed data to be shown to him (Article 27, section 3, FADP). If a recommendation is not complied with or is rejected, he can refer the matter to the relevant federal department or to the Federal Chancellery for a decision. The decision is communicated to the data subjects in the form of a ruling (Article 27, section 5, FADP).

The Federal Data Protection and Information Commissioner investigates and makes recommendations in the private sector. To this end, he can request files, obtain information and arrange for processed data to be shown to him (Article 29, section 2, FADP). On the basis of his investigations, the Federal Data Protection and Information Commissioner can recommend that the method of processing be changed or abandoned (Article 29, section 3, FADP). If a recommendation made by the Federal Data Protection and Information Commissioner is not complied with or is rejected, he can refer the matter to the Federal Administrative Court for a decision. The Federal Data Protection and Information Commissioner has the right to appeal against this decision (Article 29, section 4, FADP). However, the Federal Data Protection and Information Commissioner has no authority to issue binding decisions or directly impose sanctions.

 
26. What are the sanctions and remedies for non-compliance with data protection laws?

Under Swiss law, civil, criminal and administrative remedies are available for non-compliance with data protection laws.

Civil remedies

Data subjects can in particular request that data processing be stopped, that no data be disclosed to third parties, or that the personal data be corrected or destroyed (Article 15, Federal Act on Data Protection (FADP); Articles 28, 28a and 28l, Civil Code).

Criminal remedies

Private persons are liable to a fine if they wilfully fail to comply with the FADP's obligations (Article 34, FADP). Persons who wilfully breach confidentiality obligations are also liable to a fine (Article 35, FADP).

The Federal Data Protection and Information Commissioner can also initiate administrative proceedings (see Question 25).

 

Regulator details

Federal Data Protection and Information Commissioner (Préposé fédéral à la protection des données et à la transparence) (PFPDT)

W www.edoeb.admin.ch/index.html?lang=en

Main areas of responsibility. The Federal Data Protection and Information Commissioner advises and informs private persons (whether natural persons or legal entities) as well as federal bodies on data protection matters and monitors the implementation of legal obligations with respect to data protection. In addition, the Federal Data Protection and Information Commissioner intervenes when data controllers violate data protection obligations. The Federal Data Protection and Information Commissioner investigates cases either on his own initiative or at the request of a third party and may recommend that a method of processing be changed or abandoned. If a recommendation made by the Federal Data Protection and Information Commissioner is not complied with or is rejected, he may refer the matter to the Federal Administrative Court for a decision. The Federal Data Protection and Information Commissioner reports to the Swiss Federal Council (Government).



Online resources

W www.admin.ch/opc/de/classified-compilation/19920153/index.html

Description. FADP English translation on the Swiss Federal Council's website. The translation is provided for information purposes only and has no legal force.

W www.admin.ch/opc/de/classified-compilation/19930159/index.html

Description. OFADP English translation on the Swiss Federal Council's website. The translation is provided for information purposes only and has no legal force.

W www.edoeb.admin.ch/index.html?lang=en

Description. Federal Data Protection and Information Commissioner's website in English. Note that more information is available in the French, German or Italian versions of the website.

W www.edoeb.admin.ch/index.html?lang=fr

Description. Federal Data Protection and Information Commissioner's website in French.



Contributor profile

Stéphanie Chuffart-Finsterwald, Associate

BCCC Attorneys-at-law LLC

T +41 22 704 3600
F +41 22 704 3601
E s.chuffart@bccc.ch
W www.bccc.ch

Professional qualifications. Switzerland, Attorney-at-law

Areas of practice. Data protection; intellectual property; technology transfer; assignments, licences, research and development contracts; privacy law; unfair competition.

Non-professional qualifications. Bachelor of law magna cum laude, University of Fribourg; Master in international law, the Graduate Institute of International and Development Studies (IHEID); LLM, Columbia Law School (Harlan Fiske Stone Scholar); PhD summa cum laude, IHEID

Recent transactions

  • Advising numerous companies in data protection issues and compliance.
  • Reviewing privacy policies for numerous companies.
  • Acting for a Swiss company in a trade mark litigation.
  • Acting for a Swiss company in an arbitration before the WIPO Arbitration and Mediation Center (UDRP).

Languages. French, English, German

Professional associations/memberships. Geneva Bar Association, Member of the Commission for innovation and modernization of the Bar, Swiss Bar Association (FSA), Licensing Executives Society Switzerland (LES-CH), Centre for Business Law of the University of Lausanne (CEDIDAC).

Publications

  • Optimising environmental technology diffusion under intellectual property constraints: A legal analysis, Schulthess (2016).
  • From the Other Shore: Economic, Social, and Cultural Rights from an International Environmental Law Perspective, in E. Riedel et al. (eds.), Economic, Social, and Cultural Rights in International Law: Contemporary Issues and Challenges, Oxford University Press (2014, with Jorge E. Viñuales).
  • Environmental Technology Transfer and Dissemination under the UNFCCC: Achievements and New Perspectives, Environmental Claims Journal, Volume 26, Issue 3, 2014.
  • Patent Markets: An Opportunity for Technology Diffusion and FRAND Licensing?, Marquette Intellectual Property Law Review, Volume 18, Summer 2014, Number 2, pp. 337-367.
