Data protection in Switzerland: overview
A Q&A guide to data protection in Switzerland.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
Please note: this Q&A was written before the ruling of the ECJ concerning the validity of the EU-US Safe Harbor framework. Therefore, the answers referring to safe harbours do not reflect the ruling.
To compare answers across multiple jurisdictions, visit the Data Protection Country Q&A tool.
This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.
Data protection is mainly regulated in the Swiss Federal Data Protection Act (DPA) and the related Data Protection Ordinance (DPO). The DPA and DPO apply to private persons and legal entities, and also to federal governmental bodies as data controllers or processors.
This guide will focus on the provisions of the DPA in the private sector.
Each canton in Switzerland has a cantonal data protection act in place. These cantonal acts are directed to cantonal governmental bodies as data controllers.
Additional provisions that only apply to specific sectors or circumstances can be identified in a number of statutes, for example, employment law, criminal law, banking law, telecom law, life sciences law, social security law or unfair competition law.
Scope of legislation
The Swiss Federal Data Protection Act (DPA) and the Data Protection Ordinance (DPO) apply to all private persons, legal entities and federal bodies controlling or processing personal data.
The cantonal data protection acts apply to the processing of data by governmental bodies of the respective canton in Switzerland.
The Swiss Federal Data Protection Act (DPA) and the Data Protection Ordinance (DPO) regulate all acts of processing. Processing is defined and interpreted very broadly, and means any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving or destruction of data (Article 3(e), DPA).
In private international law, the Swiss Federal Data Protection Act (DPA) and the Data Protection Ordinance (DPO) apply (Article 139, paragraph 1 and 3, Swiss Federal Act on Private International Law (PILA)):
If the data subject (as the potentially infringed party) is a Swiss resident.
If the data controller or processor (as the potentially infringing party) is a Swiss resident; or
If a data protection breach has an effect in Switzerland.
In the non-private sector, the DPA and the DPO (or cantonal legislations) apply to the processing of data by the respective Swiss federal or cantonal governmental bodies.
The Swiss Federal Data Protection Act (DPA) does not apply to (Article 2, paragraph 2, DPA):
The processing of data by a natural person exclusively for his private use (if the data is not disclosed to third parties).
Pending civil, criminal or similar proceedings.
Public registers based on private law, for example, the commercial register.
Data files or collections must be registered in advance by federal bodies. Private persons only need to register data collections (Article 11a, paragraphs 2 and 3, Swiss Federal Data Protection Act (DPA)):
If they regularly process sensitive personal data or personality profiles; or
If they regularly disclose personal data to third parties.
There are some exceptions from the duty to register, for example, if the data controller has designated an internal data protection officer (Article 11a, paragraph 5 DPA).
In addition, there is a duty under the DPA to provide the affected data subject with specific information on the collection of sensitive personal data and personality profiles. This includes information on the data controller, the purpose of collection and the categories of potential data recipients (Article 14, DPA).
In the case of a cross border data transfer, certain specific safeguards taken by the data controller to ensure an adequate level of data protection abroad must also be notified (see Question 24).
Main data protection rules and principles
Main obligations and processing requirements
The Swiss Federal Data Protection Act (DPA) provides several principles that must be observed when processing personal data. The principles are as follows (Article 4, DPA):
Personal data may only be processed lawfully (principle of lawfulness).
Processing must be carried out in good faith and must be proportionate (principle of proportionality).
Personal data can only be processed for the purpose indicated at the time of collection, or that is evident from the circumstances or that is provided for by law (principle of appropriation).
The collection of personal data and in particular the purpose of its processing must be evident to the data subject (principle of transparency).
In addition, proper processing requires:
The processed personal data to be accurate and correct (Article 5, DPA).
The personal data to be protected against unauthorised processing by appropriate organisational and technical means (data security) (Article 7, DPA).
Consent is not necessarily required for the lawful processing of personal data. The processing of personal data is generally considered as lawful if the core principles of data processing are followed (see Question 8). However, the disclosure of sensitive data or personality profiles to third parties always requires the data subject's consent (or some other reason for justification) (Article 12, paragraph 2(b), Swiss Federal Data Protection Act (DPA)). Generally, consent may justify an act of data processing that would otherwise be considered unlawful (Article 13, paragraph 1, DPA).
Consent can be implied or inferred, provided it is given voluntarily on the provision of adequate information (informed consent). Express consent is required for the processing of sensitive personal data or personality profiles (Article 4, paragraph 5, DPA) (see Question 11).
It is generally recommended to ask the data subject for express consent, as this is the most clear and evidential way to prove that consent has indeed been given.
There are no specific rules applying to consent by minors. The general rules on minor's capacity to act (minor's capability of judgement and consent of the minor's legal representative) are applicable.
If consent cannot be requested due to practical reasons or is not given by the data subject, processing can be justified on the basis of an overriding private or public interest or by law (Article 13, paragraph 1, Swiss Federal Data Protection Act (DPA)). The DPA contains a non-exhaustive list of potentially overriding private interests, including the processing of data in connection with the conclusion or performance of a contract and processing for research purposes (Article 13, paragraph 2, DPA).
Special rules apply for sensitive data and personality profiles.
Sensitive personal data is defined as data on (Article 3(c) Swiss Federal Data Protection Act (DPA)):
Religious, ideological and political views and activities.
Health, the intimate sphere or racial origin.
Social security measures.
Administrative or criminal proceedings and sanctions.
Data on financial standing, wealth and income is not considered to be sensitive data.
A personality profile is a collection of data that permits an evaluation of essential characteristics of the personality of a natural person (Article 3 (d), DPA).
For sensitive data and personality profiles, the following special rules exist:
The disclosure of sensitive data or personality profiles to third parties, without justification, always constitutes a data protection breach (Article 12, paragraph 2 (c), DPA).
Rights of individuals
In general, the data subject needs to be informed, or be aware, of the purposes of data collection and processing.
For sensitive personal data and personality profiles, the data subject must be notified of the data collection and given some basic information with the notification (Article 14, Swiss Federal Data Protection Act (DPA)) (see Question 7).
The Swiss Federal Data Protection Act (DPA) provides data subjects with the right to request deletion of their data. However, this right is only granted if the prior collection or processing of the data has been unlawful (Article 15, paragraph 1, DPA).
There is no general right to deletion of personal data. However, the general principle of proportionality (see Question 8) can limit the time period for processing and storing personal data. If the limit is exceeded, the data subject can request the deletion of his data.
The security requirements concerning personal data are set out in Article 7 of the Swiss Federal Data Protection Act (DPA) and, in further detail, in the Data Protection Ordinance (DPO). In general, the data controller is required to provide adequate technical and organisational protection measures.
There is no notification requirement under the Swiss Federal Data Protection Act (DPA). However, the general principle of transparency in data processing recommends notification (see Question 8).
Processing by third parties
Data processing may be assigned to third parties by agreement or by law if (Article 10a, paragraph 1, Swiss Federal Data Protection Act (DPA)):
The third party data processor processes the data in the same way that has been authorised for the data controller; and
The assignment is not prohibited by a statutory or contractual duty of confidentiality.
If the third party processes personal data outside of Switzerland, the specific provisions on cross border data transfer must be observed (see Question 20).
Swiss data protection legislation does not provide specific terms relating to the use or storage of cookies. Cookies regularly constitute or contain personal data and are subject to the general principles (see Question 8). As a result, cookies should only be stored if the data subject is informed and is given the choice to de-activate cookies (opt-out mechanism). This mechanism is also encouraged by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
For analytics tools (for example, Google Analytics), similar rules apply. In addition, personal data (in particular the IP address) can be transferred to jurisdictions with a lower level of data protection. For that reason, the data subject must be made aware by the website operator of the use of analytics tools and of the possibility to technically truncate the IP address for anonymisation purposes.
The sending of unsolicited electronic communications (spam) is not specifically addressed in the Swiss Federal Data Protection Act (DPA) but in the Unfair Competition Act (UCA). The mass sending of spam is considered an act of unfair competition unless (Article 3(o), UCA):
The receiver has given consent.
The sender is disclosed and identifiable; and
The receiver is given a convenient and free of charge opportunity to unsubscribe from the communication.
International transfer of data
Transfer of data outside the jurisdiction
The cross border transfer of personal data requires that the privacy of the data subjects will not be seriously endangered. The risk is obvious if the legislation in the receiving state does not provide for adequate data protection (Article 6, Swiss Federal Data Protection Act (DPA)).
The Swiss Federal Data Protection and Information Commissioner (FDPIC) regularly publishes and updates a (non-binding) country list that states whether the level of data protection in a foreign jurisdiction is adequate or not. As a general rule, most jurisdictions in the EU provide for adequate protection, but most EU countries do not award protection to the personal data of legal entities. Outside of the EU, many jurisdictions do not provide a sufficient level of protection. In the case of inadequate protection, alternative measures must be taken. Such measures include the data subject's consent or contractual solutions (see Question 22).
The transfer of personal data within a group of companies in different jurisdictions is still considered a cross border data transfer and the rules set out above apply. Binding corporate rules may be invoked to provide adequate protection (Article 6, paragraph 2 (g), DPA).
Under Swiss law, a cross border data transfer does not necessarily imply a physical transfer of the personal data from Switzerland and storage of that data abroad. Instead, access (from abroad) to personal data stored in Switzerland is also considered a cross border transfer subject to the rules set out above.
Data transfer agreements
There is no such requirement from a data protection perspective (provided the level of data protection is adequate in storage locations outside of Switzerland). Storage of personal data in Switzerland may, however, be requested by other regulatory frameworks and provisions, for example, in the banking and finance sector.
Data transfer agreements are in use in Switzerland. They have been derived from the EU model clauses for transferring personal data. Templates in English and French can be downloaded from the website of the Federal Data Protection and Information Commissioner (FDPIC) (see box, Regulator details).
There is no requirement for the Federal Data Protection and Information Commissioner (FDPIC) to approve data transfer agreements if the standard forms provided by the FDPIC on his website are adopted as they stand (see Question 22). However, the FDPIC must be informed of data transfer agreements (Article 6, paragraph 3 ,Swiss Federal Data Protection Act ( DPA)).
If the standard forms are altered or if other forms of data transfer agreements are used, the FDPIC will examine these agreements and will notify the data controller within 30 days of receiving information regarding the examination result (Article 6, paragraph 5, Swiss Federal Data Protection Ordinance (DPO)).
Enforcement and sanctions
The Federal Data Protection and Information Commissioner (FDPIC) has the power to initiate investigations and issue recommendations to change or stop a method of data processing. If the data controller does not comply with the recommendations, the FDPIC may refer the matter to the Federal Administrative Court, with a right to appeal to the Federal Supreme Court (Article 29 DPA). The FDPIC has taken this approach in a number of cases (for example, the landmark Google Street View Case).
The FDPIC has no authority to issue binding orders to, or to directly impose fines or other sanctions upon data controllers.
Civil, administrative and criminal sanctions and remedies are available for non-compliance with data protection laws.
In civil proceedings, potentially infringed data subjects may file actions and request interim measures. Actions and interim measures include the (Article 15, DPA):
Prohibition of data processing or disclosure.
Correction of inaccurate personal data.
Destruction of personal data that has been collected or processed unlawfully.
Administrative proceedings may be initiated by the Federal Data Protection and Information Commissioner (FDPIC) (see Question 25).
Some specific data protection breaches are sanctioned with criminal charges (fines up to CHF10,000). These include breaches of:
The obligation to provide information, to register and to cooperate (Article 34, DPA).
Professional confidentiality (Article 35, DPA).
Federal Data Protection and Information Commissioner (FDPIC) Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB)
Main areas of responsibility.
The FDPIC advises private persons on data protection matters, conducts investigations, issues recommendations and files complaints to the Federal Administrative Court, reports to the Federal Council and informs the public on data protection matters of general interest, renders opinions on data protection matters and new legislation (Article 28-31, DPA).
Description. Official website of the Swiss Federal Government with full text of the DPA in German.
Description. Official website of the Swiss Federal Government with a non-binding English translation of the DPA.
Description. Official website of the Swiss Federal Government with full text of the DPO in German.
Description. Official website of the Swiss Federal Government with a non-binding English translation of the DPO.
Roland Mathys, Partner/Attorney at law
Schellenberg Wittmer Ltd
Professional qualifications. MLaw, Basel, 1998; Attorney at law, Switzerland, 2000
Areas of practice. Data protection, general ICT, ICT outsourcing, ICT compliance, ICT dispute resolution.
Non-professional qualifications. MA in Economics and Computer Science, Zurich, 1994; Information Technology LL.M, London School of Economics, 2003
Acting for a major Swiss retail chain and for a multinational life sciences company in all their data protection issues and setting up of respective compliance programs.
Advising a global pharmaceutical company in data protection issues related to the pooling of data centres.
Rendering a legal opinion for an association faced with employee data disclosure to foreign jurisdictions and authorities.
Reviewing privacy policies for a number of companies in the health care sector.
Data protection compliance review of a customer loyalty programme for a large Swiss retail company.
Data protection compliance review of the global digital presence of a multinational pharmaceutical company.
Support of the inhouse data protection officer of a global manufacturer of medical devices, including the setup and implementation of a comprehensive training programme.
Languages. English, German, French
Professional associations/memberships. International Technology Law Association (ITechLaw, Director), International Bar Association (IBA)(Member of the Technology Committee), Swiss Bar Association (SBA), Swiss Arbitration Association (ASA), German Association for Law and Information Technology (DGRI), International Association of Privacy Professionals (IAPP), SwissICT, panellist to the WIPO Arbitration and Mediation Centre
Publications. What Changes Big Data to the Qualification of Personal Data as Sensitive Data? (2015), A A Data Protection Perspective on Tracking (2014), You have Zero Privacy anyway - Get over it! (2014), Legal and Data Protection Challenges of Wearable Computing (2014), E-Discovery and Data Protection (2012), Cross Border Data Transfer (2009), How to Protect my Virtual Identity (2007).