According to Article 10 of the Data Protection Act, the Data Protection Authority is responsible for supervising the processing of data by public and non-public bodies.
The authority monitors and enforces the application of this act and other data protection regulations, as well as all laws and regulations implementing the EU Data Protection Directive (2016/680). Among other things, it:
- handles complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 55 of the directive;
- investigates, to the extent appropriate, the subject matter of the complaint; and
- informs the complainant of the progress and the outcome of the investigation within a reasonable period – in particular, if further investigation or coordination with another supervisory authority is necessary.
It also investigates the application of the Data Protection Act and other data protection legislation, including legislation adopted to implement the Data Protection Directive, including on the basis of information received from another supervisory authority or other public authority.
Within the scope of the GDPR, the Data Protection Authority has the powers referred to in Article 58 of the GDPR.
If the Data Protection Authority concludes that there has been a breach of the data protection regulations or that there are other shortcomings regarding the processing of personal data, it will inform the competent supervisory authority.
Before exercising its powers pursuant to Articles 58(2)(b) to (g), (i) and (j) of the GDPR, the Data Protection Authority will notify the controller of its intention to do so within a reasonable period. However, the Data Protection Authority may refrain from doing so where immediate action is required due to imminent danger, reasons of public security or in the public interest, or if this would conflict with compelling public interests.
According to Article 40 of the Data Protection Act, the Data Protection Authority will impose fines pursuant to paragraph 2 for violations of the GDPR – including where the violation is determined to be negligent – according to Articles 83(4) to (6) of the GDPR.
In cases pursuant to Article 83(4) of the GDPR, fines may be imposed of up to CHF 11 million or up to 2% of total worldwide annual turnover in the preceding financial year, whichever is higher. In cases pursuant to Articles 83(5) and (6) of the GDPR, fines may be imposed of up to CHF 22 million or up to 4% of total worldwide annual turnover in the preceding financial year, whichever is higher.