1 Legal and enforcement framework
1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?
In Switzerland, data privacy is regulated by the Federal Act on Data Protection of 19 June 1992 (DPA) and the Ordinance to the Federal Act on Data Protection of 14 June 1993.
Further, every Swiss canton has its own data protection laws with respect to data processing by cantonal authorities.
Switzerland is not a member of the European Union and hence does not have to comply with the EU General Data Protection Regulation (GDPR) or any other directives in this field. However, a comprehensive revision of the Data Protection Act is pending which provides for substantial alignment with the GDPR provisions.
1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?
The DPA itself contains special regulations on the processing of data that is considered to be sensitive personal data (eg, data on health – see question 3). With regard to biometric data, which does not necessarily qualify as sensitive personal data, additional provisions to the DPA – such as the Federal Act on DNA Profiling, the Ordinance on the Processing of Biometric Identification Data and the Swiss Criminal Code – may apply, depending on the purpose for which data is processed.
Swiss banking secrecy rules and guidelines provide for bank-client confidentiality, which aims to safeguard financial privacy and protects all conclusions of fact, value judgements and other information (including personal evaluation results) that can be attributed to a bank client. Bank-client confidentiality therefore goes further than data protection law. Additionally, the Federal Act on Financial Services (FinSA) contains specific requirements relating to data protection for data retention and processing by financial service providers. The FinSA and the Financial Institutions Act were deliberately closely aligned with the EU Second Markets in Financial Instruments Directive by incorporating equivalent but not identical provisions into the laws.
Furthermore, Article 321 of the Swiss Criminal Code sets forth secrecy obligations, such as patient secrecy regarding health data and attorney-client privilege, which have an impact on the processing of such data.
In the telecommunications sector, specific regulations apply to data retention and processing.
Moreover, Swiss labour law provides special provisions with respect to the processing of employees' data (see question 10).
1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?
The Schengen Federal Data Protection Act has been in force since March 2019. The GDPR has also had an impact on the pending revisions to the DPA.
1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?
The Federal Data Protection and Information Commissioner (FDPIC) is in charge of supervising federal and private bodies and advising on data privacy law, as well as on technical aspects of data security. It maintains and publishes the Register for Data Files. In conflict situations between private bodies or between private persons and federal bodies, it can act as a mediator. It can also comment on draft federal legislation that may have an impact on data privacy. Furthermore, it interacts and cooperates with data protection authorities in Switzerland and abroad.
To accomplish its tasks, the FDPIC can investigate facts on its own initiative or at the request of a third party. Based on these investigations, it can issue recommendations. However, the FDPIC has no enforcement powers and, in particular, does not have the power to impose sanctions.
1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?
The FDPIC plays a decisive role in establishing industry standards and best practices in all areas of data protection, such as internet and computer, video surveillance, e-commerce and transborder data flows. It also provides model letters and documentation templates. Guidelines and working tools prepared by the FDPIC are not directly enforceable by the courts; however, they form a relevant basis to be considered by controllers and processors of personal data.
2 Scope of application
2.1 Which entities are captured by the data privacy regime in your jurisdiction?
The Federal Act on Data Protection (DPA) applies to the processing of data pertaining to natural persons and legal persons by private persons (individuals and legal entities) and federal bodies. In other words, all types of companies are captured by the data protection law.
2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?
In accordance with Article 2(2), the DPA does not apply to:
- personal data that is processed by a natural person exclusively for personal use and which is not disclosed to outsiders;
- deliberations of the Federal Assembly and of parliamentary committees;
- pending civil and criminal proceedings, international mutual assistance proceedings and proceedings under constitutional or under administrative law, with the exception of administrative proceedings of first instance;
- public registers based on private law provisions; and
- personal data processed by the International Committee of the Red Cross.
2.3 Does the data privacy regime have extra-territorial application?
Due to the principle of territoriality, the data protection legislation is generally applicable to situations that take place in Switzerland. Therefore, the processing of data as the main factor to determine the geographical scope must take place locally. An extra-territorial application may occur, for example, in the case of outsourcing to a foreign company. In addition, the principle of impact must be observed if circumstances abroad have an impact on Switzerland, such as through websites that can be accessed for business transactions in Switzerland.
3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.
(a) Data processing
Any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving or destruction of data.
(b) Data processor
The DPA does not explicitly use this term and accordingly, there is no statutory definition. The Federal Data Protection and Information Commissioner (FDPIC) defines a 'data processor' or 'data importer' as a natural or legal person, public authority, agency or any other body (established in another country) that agrees to receive personal data from the 'data exporter'/'data controller' for the purpose of processing such data on behalf of the latter after the transfer in accordance with its instructions.
(c) Data controller
The DPA does not explicitly use this term and accordingly, there is no statutory definition. The FDPIC defines a 'data controller' or 'data exporter' as a natural or legal person, public authority, agency or any other body established in Switzerland which, individually or together with others, determines the purpose and means of the processing of personal data and which transfers such data for the purpose of its processing on their behalf.
(d) Data subject
A natural or legal person whose data is processed.
(e) Personal data
All information relating to an identified or identifiable person.
(f) Sensitive personal data
Data relating to:
- religious, ideological, political or trade union-related views or activities;
- health, one's intimate life or racial origin;
- social security measures; and
- administrative or criminal proceedings and sanctions.
(g) Consent
Consent must be given voluntarily, based on the provision of adequate information. Additionally, consent must be given expressly in the case of processing of sensitive personal data or personality profiles.
3.2 What other key terms are relevant in the data privacy context in your jurisdiction?
'Personality profile': A collection of data that permits the assessment of essential characteristics of the personality of a natural person.
'Data file': Any set of personal data that is structured in such a way that the data is accessible by the data subject.
4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?
In Switzerland, there is no registration of data controllers and processors. Notwithstanding the foregoing, the Federal Data Protection and Information Commissioner maintains a register of data files (see question 3.2(b)). Companies must declare their data files if they regularly process sensitive personal data or personality profiles; or if they regularly disclose personal data to third parties.
4.2 What is the process for registration?
Data files must be registered prior to their operational use and each controller of a data file must update this information on an ongoing basis.
4.3 Is registered information publicly accessible?
Yes, the register of data files is accessible online at www.datareg.admin.ch.
5 Data processing
5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?
In Switzerland, the meaning of the principle of legality is different for federal bodies and private persons. In the public law sector, the legality of state action is the basic principle and therefore the processing of personal data always requires a legal basis.
With respect to data processing by private persons, the legal situation is more differentiated. Data processing by private persons does not per se constitute a breach of the privacy rights of the data subjects concerned. Consequently, data processing requires a justification – that is, the consent of the data subject, a legal basis or an overriding private or public interest – only if it unlawfully breaches the privacy of the data subject (Article 12(1) in relation to Article 13 of the Federal Act on Data Protection (DPA)). As a general rule, no justification for processing personal data is required if the data subject has made the data generally available and has not expressly restricted the data processing (Article 12(3) of the DPA).
On the other hand, justification is required if:
- the data processing violates one of the general data protection principles of the DPA outlined in question 5.2;
- the personal data is processed against the data subject's express will; or
- sensitive personal data or personality profiles are disclosed to third parties for such third parties' own purposes (Article 12(2) of the DPA).
5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?
The DPA provides for the following key principles:
- Transparency: The collection of personal data, and in particular the purpose of its processing, must be evident to the data subject.
- Lawful basis: Personal data must be processed lawfully.
- Principle of good faith and proportionality: Data processing must be carried out in good faith and must be proportionate.
- Purpose limitation: Personal data may be processed only for the purpose indicated at the time of collection, which is evident from the circumstances or which is provided for by law.
In general, there is no obligation of automatic notification for data processing under the DPA. However, if particularly sensitive personal data or personality profiles are processed by the controller of the data file, the data subject must be notified in advance (Article 14 of the DPA). These notification requirements also apply where data is outsourced to third parties for processing.
In any case, the data subject generally has the right to request information about the processing of his or her personal data, and may inspect and correct false, incomplete or erroneous data. This right may be restricted only if there is an overriding public or private interest in doing so.
With respect to the outsourcing of data, the DPA states the following requirements:
- Data must be outsourced on a contractual or a legal basis.
- The data must be processed only in the manner permitted for the instructing party itself.
- The transfer of data to third parties must not be prohibited by a statutory or contractual duty of confidentiality. The instructing party must ensure that the third party guarantees data security. Hence, the data controller is responsible for ensuring the security of the data and must prohibit unauthorised access.
Furthermore, the third parties must observe the key principles as set forth above.
Even the transfer of data to another legal entity in the same group of companies is considered a transfer to a third party.
5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?
The data processor and controller are advised to monitor the processing of personal data. If irregularities or non-compliance with data protection regulations are detected, corrective measures must be implemented. Furthermore, it is recommended to maintain a list of all data files.
6 Data transfers
6.1 What requirements and restrictions apply to the transfer of data to third parties?
Such transfers are permitted under the conditions set forth in question 5.4.
6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?
Article 6 of the Federal Act on Data Protection (DPA) stipulates that personal data may not be disclosed abroad if the privacy of the data subject would be seriously endangered thereby, in particular due to the absence of legislation that guarantees adequate protection. Accordingly, either adequate protection must be guaranteed in the country of destination or other safeguards must be in place to protect the data subject's privacy, such as:
- contractual clauses;
- consent of the data subject; and
- implementation of binding corporate rules in a group of companies in which data is transferred.
The transfer of data abroad includes access to data from abroad if the data remains stored in the country of origin. The Federal Data Protection and Information Commissioner maintains a list of the countries which, in its view, ensure adequate data protection. This non-binding list is publicly available. All European countries governed by the General Data Protection Regulation guarantee more than adequate protection and therefore the transfer of data to such countries is of no concern.
6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?
A legal basis or a reasonably close connection is required to transfer data, and the general principles of data processing remain applicable (eg, transparency, purpose limitation, data minimisation, proportionality). Article 6 of the DPA stipulates the following legal bases for the transfer of data abroad:
- The processing is directly connected with the conclusion or the performance of a contract, and the personal data is that of a contractual party;
- Disclosure is essential in the specific case in order either to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal claims before the courts;
- Disclosure is required in the specific case in order to protect the life or the physical integrity of the data subject; or
- The data subject has made the data generally accessible and has not expressly prohibited its processing.
7 Rights of data subjects
7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?
- Right of access to data/copies of data: Data subjects may request information from the controller of the data files as to whether data concerning them is being processed (Article 8(1) of the Federal Act on Data Protection (DPA)). Generally, the information must be provided in writing, in the form of a printout or copy, and free of charge.
- Right to rectification of errors: Data subjects may request that incorrect data be corrected (Article 5(2) of the DPA).
- Right to deletion: Data subjects may request that incorrect data be deleted.
- Right to object to processing: Data subjects may request that data processing be stopped and/or that data not be disclosed to third parties.
- Right to be forgotten: Although the right to be forgotten is not explicitly stated in the DPA, the Federal Data Protection and Information Commissioner and case law consider that the right to be forgotten results from the general principle of proportionality.
7.2 How can data subjects seek to exercise their rights in your jurisdiction?
To exercise the right to access data, the data subject must typically file a written request and provide proof of his or her identity, although an online request is also possible if the controller of the data file has made this available. The 'right to information' includes information about:
- the source of the personal data;
- the purpose of and, if applicable, the legal basis for the processing;
- the categories of personal data processed;
- the other parties involved in the processing; and
- the data recipient concerned (Article 8(2) of the DPA).
The requested information must normally be provided within 30 days of receipt of the request, in writing, in the form of a printout or a photocopy, and must be free of charge.
In addition, data subjects have the ordinary judicial remedies available under civil law to protect their personality rights (Article 15 of the DPA in relation to Articles 28–28l of the Swiss Civil Code). In particular, the data subject may request that the data processing be stopped, that data not be disclosed to third parties and that personal data be corrected or deleted.
7.3 What remedies are available to data subjects in case of breach of their rights?
The data subject may further claim compensation for moral suffering and payment of damages or the handing over of profits, provided that he or she can prove actual damage based on privacy infringements, which is difficult in practice.
8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?
The Federal Act on Data Protection currently in force does not stipulate an obligation for companies to appoint a data protection officer; thus, this appointment is optional and no consequences of failure apply.
8.2 What qualifications or other criteria must the data protection officer meet?
If a company intends to appoint a data protection officer, such person should be adequately skilled, with expert knowledge of data protection law and practices, in order to be able to assist the company in monitoring internal compliance with the legal framework and training employees in the field of data protection. The necessary level of expert knowledge should be connected to the specific data processing operations carried out and the protection required for the personal data processed by the company. It is equally important that the data protection officer is in a position to perform his duties in an independent manner.
8.3 What are the key responsibilities of the data protection officer?
The data protection officer's key responsibilities include the following:
- to maintain a list of data files;
- to inform and advise the company;
- to monitor compliance with the legal framework for data protection;
- to raise awareness and train employees involved in processing operations; and
- to cooperate with and act as contact person for the supervisory authority, if applicable.
8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
In principle, no special rules apply. The outsourcing company must ensure that the external data protection officer has the necessary skills and is able and empowered to conduct his role in an independent manner.
8.5 What record-keeping and documentation requirements apply in the data privacy context?
The general provisions on the archiving of business documents apply; unless otherwise stipulated, all records and documents in relation to personal data must be kept for 10 years.
8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?
9 Data security and data breaches
9.1 What obligations apply to data controllers and processors to preserve the security of personal data?
Article 7(1) of the Federal Act on Data Protection (DPA) states the general rule that personal data must be protected against unauthorised processing through adequate technical and organisational measures.
Article 8 of the Ordinance to the Federal Act on Data Protection contains further detailed provisions on data security: anyone who, as a private individual, processes personal data or provides a data communication network must ensure the confidentiality, availability and integrity of the data in order to ensure an appropriate level of data protection. In particular, he or she must protect systems against the following risks:
- unauthorised or accidental destruction;
- accidental loss;
- technical faults;
- forgery, theft or unlawful use; and
- unauthorised alteration, copying, access or other unauthorised processing.
The technical and organisational measures must be adequate and reviewed periodically. In particular, they must take account of the following criteria:
- the purpose of the data processing;
- the nature and extent of the data processing;
- an assessment of the possible risks to data subjects; and
- the current state of the art.
There are even more extensive obligations for the controllers of data files. For the automated processing of personal data, such controllers must take the necessary technical and organisational measures to achieve the following goals, in particular:
- Entrance control: Unauthorised persons must be denied access to facilities in which personal data is being processed.
- Personal data carrier control: Unauthorised persons must be prevented from reading, copying, altering or removing data carriers.
- Transport control: On the disclosure of personal data, as well as during the transport of data carriers, the unauthorised reading, copying, alteration or deletion of data must be prevented.
- Disclosure control: Data recipients to whom personal data is disclosed by means of devices for data transmission must be identifiable.
- Storage control: Unauthorised storage in the memory as well as the unauthorised knowledge, alteration or deletion of stored personal data must be prevented.
- Usage control: The use by unauthorised persons of automated data processing systems by means of devices for data transmission must be prevented.
- Access control: Access by authorised persons must be limited to the personal data that they require to fulfil their task.
- Input control: In automated systems, it must be possible to carry out a retrospective examination of what personal data was entered at what time and by whom.
The data files must be structured so that data subjects can assert their right of access and their right to have data corrected.
9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
No, there is no legal obligation to notify the Federal Data Protection and Information Commissioner.
9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
No, there is no legal obligation to notify the data subject. However, in view of the general principles of the DPA – in particular, the principle of transparency – it is advisable to notify the data subject in case of a data breach.
9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?
See question 9.3.
10 Employment issues
10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?
Article 328b of the Swiss Code of Obligations governs the obligations of employers in respect of the protection of employees' personality rights while handling personal data. It states that an employer may process data concerning employees only to the extent that such data:
- concerns the employee's suitability for his or her job; or
- is necessary for the performance of the employment contract.
In all other respects, the provisions of the Federal Act on Data Protection shall apply. It is not possible to derogate from these provisions to the detriment of the employee by individual agreement, standard employment contract or collective employment contract, or even with the consent of the employee, due to the relationship of subordination between the parties.
10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?
A distinction must be drawn between surveillance of internet use, email and telephone, as well as surveillance by video. The surveillance of employees is permitted only to a very limited extent. In general, employees must be informed of the planned surveillance in advance and in a transparent way, and in most cases must give their consent. The employer should ideally specify in an internal directive, based on its right to issue instructions, how employees may use the Internet and email for private purposes. Such rules create transparency and legal certainty for such use, and for the establishment of control and surveillance instruments. Video surveillance systems designed to specifically monitor the behaviour of employees are prohibited. Where video surveillance is necessary for other reasons (eg, security), it must be implemented in such a way that the health and freedom of movement of employees are not unduly affected. The surveillance of employees may be considered illegal and a violation of personality rights unless it is justified by the consent of the injured party, by an overriding private or public interest or by law. The principles of proportionality, good faith and transparency must also be taken into account.
10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?
Consent in the employment relationship is valid only to a limited extent, as the voluntary nature is restricted by the subordination relationship between employer and employee. It is therefore advisable to refer to another legal basis to process the personal data of employees.
11 Online issues
Cookies are governed by Article 45c of the Telecommunications Act, which provides that the processing of data on external equipment by means of transmission using telecommunications techniques is permitted only if, among other things, users are informed of the processing and its purpose, and are informed that they may refuse to allow such processing. Swiss companies commonly inform internet users of the data protection policy on their websites regarding the use and deactivation of cookies. An opt-in process is not mandatory.
11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?
Cloud computing services are basically regarded as data processing by third parties. Such outsourcing is allowed if personal data is processed only in the manner in which the cloud user itself would be allowed to process it, and if no legal or contractual obligation of secrecy prohibits it. It must be ensured that the third-party cloud service provider guarantees data security through appropriate technical and organisational measures. The cloud service provider must also be obliged to fully comply with the data protection regulations applicable in Switzerland. If personal data is transmitted abroad through outsourcing, Article 6 of the Federal Act on Data Protection applies (see question 6).
11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?
It is important to have a legal basis for the use of personal data for marketing purposes. Article 3(1)(o) of the Unfair Competition Act stipulates that it is considered unlawful to send mass advertising without a direct connection to the requested content by means of telecommunications technology, or to arrange for such broadcasts, and in doing so fail to:
- obtain the prior consent of the customers;
- specify the correct sender; or
- point out the possibility of refusal without consequence and free of charge (opt-out).
However, a company which receives contact information from customers when selling goods, works or services and, in doing so, points out the possibility of refusal (again: opt-out) does not act unfairly if it sends those customers mass advertising for its own similar goods, works or services without their consent. It is recommended that the underlying contract or the applicable general terms and conditions also govern data protection and the use of contact information for own marketing purposes.
12.1 In which forums are data privacy disputes typically heard in your jurisdiction?
As set forth in question 7.2, data subjects have ordinary judicial remedies available under civil law to protect their personality rights. However, private law disputes in connection with data privacy issues are rare in Switzerland.
The Federal Data Protection and Information Commissioner (FDPIC) – that is, the supervising authority of both federal bodies and private persons regarding data privacy – regularly investigates cases that involve potential privacy issues. If the investigation reveals a data protection breach, the FDPIC may make recommendations as to how the method of data processing should be changed or that the data processing activity be stopped. If this recommendation is not complied with, the FDPIC may initiate proceedings leading to a formal decision on the matter. In the case of recommendations to federal bodies, the FDPIC may refer the case to the competent department or the Swiss Federal Chancellery for a formal decision. Both the FDPIC and any persons concerned by such a decision may appeal this decision to the Swiss Federal Administrative Court. The appeal decision may be further appealed to the Swiss Federal Supreme Court. In the case of recommendations to private persons, the FDPIC may refer the case to the Swiss Federal Administrative Court for a decision. The decision of the Swiss Federal Administrative Court is subject to an appeal before the Swiss Federal Supreme Court.
12.2 What issues do such disputes typically involve? How are they typically resolved?
Disputes between private individuals, which include data protection issues, often relate to labour disputes.
12.3 Have there been any recent cases of note?
In 2015 the Swiss Federal Supreme Court issued a noteworthy decision on the right of access in connection with a tax dispute between certain Swiss banks and the United States. Based on the right of access set forth in Article 8 of the Federal Act on Data Protection, the court obliged a Swiss bank to provide its employees with copies of all documents transferred to the US Department of Justice in April 2012 containing their personal data. With respect to the processing of employee personal data, the Swiss Federal Supreme Court held that the monitoring of an employee's use of email and Internet that lasted for three months and included the taking of regular screenshots was illegal and disproportionate. Furthermore, there was no internal policy that permitted monitoring under specific, transparently disclosed circumstances, which would have been required.
13 Trends and predictions
13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
Yes, the Federal Act on Data Protection is currently under revision and should be replaced shortly by a new act, based largely on the European data protection regime. According to the official message of the Federal Council, the new act aims to strengthen data protection by improving the transparency of data processing and data subjects' ability to control their data. At the same time, the general awareness of those responsible for processing data is increasing. Switzerland's competitiveness should be further enhanced, in particular, by facilitating the disclosure of data abroad and by promoting the development of new economic sectors in the field of digitisation of society, on the basis of a high, internationally recognised standard of protection. It will be crucial to balance the legislative proposal with the Swiss specifics and avoid regulations which exceed European standards and provisions.
14 Tips and traps
14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?
Every company should implement a data protection programme which reasonably reflects its size, business, markets and the associated risks. This programme should start with an overview of the data flows resulting in the record and documentation of processing activities. Based on this, companies would be well advised to take care of internal and external communication regarding the use of data. Communication ensures transparency and trust, which again are vital for success.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.