The Swiss Federal Data Protection Act (the “old DPA”), originally dated 19 June 1992, has undergone a complete revision (the “DPA”), which was passed on 25 September 2020 and has been in force since 1 September 2023.
With its revision, the DPA now complies with the revised Council of Europe Convention 108. Its provisions are similar to those of the GDPR, although with a few conceptual differences, for example relating to legal grounds and sanctions. Apart from the DPA, other laws such as the Swiss Unfair Competition Act (UCA), the Swiss Telecommunications Act and the Swiss Penal Code contain further provisions governing data protection in Switzerland.
Entry into force
The DPA has been in force since 1 September 2023.
Details of the competent national supervisory authority
The Swiss Federal Data Protection and Information Commissioner (the “FDPIC”)
Feldeggweg 1
CH-3003 Berne
Switzerland
www.edoeb.admin.ch
Notification or registration scheme and timing
As opposed to the old DPA, there is no longer an obligation for private persons to notify or register their data processing activities (i.e. their files) with the FDPIC.
However, foreign controllers may, under certain circumstances, have to appoint a representative in Switzerland (see “Data Protection Officers” below) to serve as a contact point for the FDPIC.
Exemptions to notification
Not applicable: since there is no notification or registration obligation under the DPA, no exemptions from it are needed.
What is the territorial scope of application?
The DPA’s territorial scope depends on whether it is enforced by the FDPIC (in an administrative law proceeding) or by a data subject (in the form of a civil lawsuit).
The FDPIC is competent to enforce the DPA with regard to any activity that takes place in Switzerland (principle of territoriality). This includes cases where an activity has its effect in Switzerland, even if it is caused by an activity outside of Switzerland, for example a service provider outside of Switzerland that offers its service also to consumers in Switzerland. This was already the case under the old law, but is now expressly stated in the revised DPA. The concept is, thus, broader than that of the GDPR.
In the case of civil lawsuits against a person participating in a violation of personality, Swiss courts will in general apply the DPA, upon free choice of the data subject, if either: (i) the data subject is resident in Switzerland, provided this was foreseeable for the controller or processor sued; (ii) the controller or processor sued has its seat or residence or a branch in Switzerland; or (iii) the place of effect of the violation of personality (which usually includes the place of processing of personal data) is in Switzerland, provided this was foreseeable for the controller or processor sued.
Private controllers with their seat outside of Switzerland are required to appoint a representative in Switzerland if: (i) they process personal data of data subjects in Switzerland; (ii) the data processing is in connection with offering them goods or services or monitoring their behaviour; (iii) the data processing is extensive; (iv) it occurs on a regular basis; and (v) it involves a high risk for such data subjects. In practice, these conditions will rarely be met. It is not entirely clear whether the "high risk" is to be assessed before or after the implementation of mitigating measures. Only a few companies have so far appointed a representative (e.g., Google Ireland and Google LLC).
Is there a concept of a controller and a processor?
Yes. The DPA adopts the GDPR’s concept and definitions of controllers and processors.
Nevertheless, everyone who processes personal data should comply with the general data quality principles (which also apply under the DPA), because anybody who “participated” in the processing of personal data may be held jointly liable in the case of a civil claim.
As a consequence, the exposure of a processor may go beyond the liability it would have under the GDPR. The Federal Supreme Court found that a hosting provider participates in the publications on its server (Decision 5A_792/2011 of January 14, 2013), whereas somebody who merely publishes a link to a publication on a third-party website does not participate in such publication (Decision 5A_658/2014 of May 6, 2015).
The revised DPA also contains the concept of joint controllers, but unlike under the GDPR, there are no special provisions concerning them.
Are both manual and electronic records subject to data protection legislation?
Yes. The DPA applies irrespective of the technology used. The exclusion of unstructured manual records in the GDPR does not apply under Swiss law.
However, the general data security obligations may have to be implemented differently depending on whether manual or electronic records are used. In the case of automated processing of personal data, additional security and documentation requirements apply, for example the obligation to keep audit trails (logs), which must be retained in unmodifiable form for one year, if (a) a processor (i) processes sensitive personal data on a large scale or (ii) engages in high-risk profiling, and (b) there are no preventive measures in place that ensure an adequate level of data protection.
Are there any national derogations?
Cantonal and local authorities are governed by separate, cantonal data protection legislation, not the DPA. Many of these laws have already been amended to satisfy the requirements of the revised Council of Europe Convention 108; others will follow over time.
Federal authorities (including private persons entrusted with public tasks, such as those in the field of mandatory health insurance or pension funds) are also subject to the DPA, but: (i) must comply with additional rules (for example, the processing of personal data is normally permitted only on the basis that there is a provision of Swiss law that permits such processing); and (ii) cannot rely on the same reasons for justifying a violation of a data subject’s personality as private persons can do. Also, they are obliged to have a "data protection advisor", which is a role similar to the Data Protection Officer under the GDPR.
The DPA does not apply to personal data processed by an individual solely for personal purposes and not disclosed to third parties; this limitation is narrower than the exclusion of processing for personal or household activities in the GDPR. Another important exception is that the DPA does not apply in civil, criminal, international judicial assistance and administrative recourse proceedings in Switzerland insofar as their procedural laws apply; however, it does apply in international administrative assistance. The DPA is also considered not to apply to national or international arbitration before a tribunal with its seat in Switzerland.
What is personal data?
The definition of personal data in the DPA is closely based on the standard definition of personal data. The term is understood rather broadly. However, Swiss courts and the FDPIC apply the definition more systematically than many data protection authorities under the GDPR.
For example, website usage data collected by a site operator using "cookies" is not considered personal data as long as the data subject is not and cannot be reasonably identified by the operator of the site or by other people having access to the logs (whether third parties could identify the data subject is not relevant).
Likewise, IP addresses may qualify as personal data, as confirmed by the Federal Supreme Court in 2010 (DFC 136 II 508, Logistep). While this may not be the case in all circumstances, if IP addresses are collected for the very purpose of identifying the individuals behind them (such as people illegally sharing pirated content over the internet), and if Swiss law permits such identification (which it does in the case of internet felonies), then IP addresses should be treated as personal data (but in other cases not). It should be noted that the court found that in the case at hand it was not permissible under the old DPA to collect such personal data for the purpose of identifying individuals illegally sharing pirated content, although the balancing of interests in this case has been heavily criticised.
Swiss law thus follows a "relative" definition of personal data: for data to be considered personal data, the relevant audience must not only be reasonably able to identify the data subjects, but also willing to undertake the effort of doing so. Accordingly, if personal data is securely encrypted or otherwise pseudonymised, it is no longer considered personal data for those who are not able to decrypt it or re-identify the data subjects. The possibility to "single out" a data subject does, as such, not amount to identification.
Is information about legal entities personal data?
No. Unlike the old DPA, the DPA does not apply to information about legal entities. However, the various professional secrecy obligations that exist under Swiss law still protect information about legal entities.
What are the rules for processing personal data?
Unlike under the GDPR, the DPA does not require that a private sector controller has a legal ground to process personal data. The DPA rather follows the "opt-out" principle, i.e. the data subject has to object to a processing of their data if they do not want it to be processed (rather than consenting before their data is processed). In addition, Swiss law requires that a number of processing principles are complied with.
In other words, personal data may be processed if the processing either: (i) does not violate the personality of the data subject; or (ii) does violate the personality of the data subject, but is justified by the data subject’s consent, by an overriding private or public interest or by a provision of Swiss law requiring or permitting the processing at issue.
Any legitimate interest of the controller, the processor, the data subject or any third party can, in principle, qualify as an overriding private interest if it is sufficient to outweigh the violation of the data subject's personality. However, the Federal Supreme Court held that controllers should be cautious before assuming that private interests will justify any such processing (DFC 136 II 508). In another case involving the online service "Street View" (the “Street View Case”), however, the Federal Supreme Court found that the public interest justified keeping the service alive although the algorithm for blurring faces was not perfect and missed 1 per cent of the visible faces (DFC 138 II 346). The DPA provides a non-exhaustive list of circumstances in which the overriding private interest of the controller must be considered, for example: (i) the conclusion and performance of a contract with the data subject; (ii) the processing of information on competitors; or (iii) the processing of personal data for non-personal uses under certain conditions.
The personality of the data subject is, by definition, considered violated if his/her personal data: (i) is not processed lawfully (for example, if data has been stolen or extorted from someone else); (ii) is not processed in good faith (which includes the duty to be transparent); (iii) is not processed in a proportionate manner (i.e. is not or is no longer necessary or suitable in view of the purpose of processing, or is for an excessive purpose); (iv) is not deleted or anonymised once it is no longer needed for its purpose (which, in fact, is covered already by the broader concept of proportionality in (iii)); (v) is not used for the specific purpose that has been made transparent to the data subject or is not compatible with such purpose; (vi) has not been verified for its correctness and corrected or deleted (where necessary in view of the purpose); (vii) is being processed without complying with the general data security obligations; (viii) is processed against the data subject’s express will (i.e. the processing continues following the data subject’s objection or request to have the personal data deleted); (ix) is sensitive personal data disclosed to a third-party controller (see below); or (x) is employee personal data and is processed despite being neither necessary for assessing the qualification of the employee for his/her job nor for the performance of his/her employment contract.
In other words, the general data quality principles and any objections of the data subject must also be respected under the DPA, but it is possible to “justify” not doing so with a “good reason”. Hence, the revised DPA follows a different concept than the GDPR. Under the DPA, no legal basis is required upfront, but in essence only if the personality of the data subject is violated. The “legitimate interest” test in the GDPR is comparable to the “overriding private interest” test under the DPA, but unlike under the GDPR, it can also be used to justify the processing of sensitive personal data (there is no equivalent to the specific additional restrictions on processing such personal data that exist in the GDPR).
Notwithstanding the foregoing, it is presumed that the personality of the data subject is not violated if the data subject has made the personal data generally accessible (e.g., via social media, interviews, a personal blog) and has not expressly prohibited its processing. However, the data subject can challenge this and prove that his/her personality has nevertheless been infringed upon, for example by the abusive use of information published on the data subject's website.
Insofar as, and only insofar as, the processing of personal data relies on a default setting (i.e. a setting that can be changed by the data subject, e.g., through an app or other online interface), the default setting must be the most “data protection friendly” one (“privacy by default”).
For rules on processing personal data in connection with automated individual decisions, see “Rights of Data Subjects” below.
Are there any formalities to obtain consent to process personal data?
Consent is valid only if given voluntarily following the provision of adequate information ("informed consent"). Furthermore, consent is only effective if given in advance of processing. Consent need not be given in writing; however, the burden of proof lies with the controller or processor, respectively, so written consent is recommended for evidentiary purposes.
Implicit consent may be sufficient in certain circumstances, but not with regard to (i) sensitive personal data, (ii) high-risk profiling or (iii) profiling by a federal authority (see below).
The failure of a data subject to object to a particular processing, or to a notice of such processing, of his/her personal data is usually not sufficient to presume consent. However, such “deemed” consent may be effective in cases of existing contractual relationships, in particular where general terms and conditions provide for such deemed consent.
A data subject may, in principle, withdraw his/her consent at any time, although such withdrawal will not usually be applied retrospectively and there may be further limitations. Even if a data subject has withdrawn his/her consent, depending on the circumstances, it may still be possible to justify a particular processing of personal data under the argument of an overriding private interest of the controller, the data subject or another party.
Employees can, in principle, validly consent to the use of their personal data by the employer. However, if such consent is provided for in an agreement (for example, the employment contract), it shall be considered null and void if: (i) the employee is asked to consent to the processing of personal data which is required neither for assessing the qualification of the employee for his/her job nor for the performance of his/her employment contract; and (ii) the processing of such data is, from an overall perspective, to the employee's detriment. It may also be hard for an employer to demonstrate that the consent of an employee has been given voluntarily, due to the latter's dependence on the former.
The DPA’s conditions for consent are not as strict as under the GDPR. It is in principle still possible to have tick-boxes pre-ticked and to include consent declarations in contracts even where the processing activity is not necessary for the performance of the contract, at least as long as there is a factual connection to the contract.
Are there any special rules when processing personal data about children?
The DPA does not provide for any particular provisions on the processing of personal data about children. In fact, the Swiss Civil Code grants children capable of judgement (which is usually considered to be the case once they turn 13) more rights to decide on their own data protection than they have under the GDPR.
Are there any special rules when processing personal data about employees?
The personality of the data subject is considered to be violated if employee personal data is processed despite not being necessary for assessing the qualification of the employee for his/her job or for the performance of his/her employment contract. However, such violations can be "justified" as described above (Decision of the Federal Tribunal 4A_518/2020).
In principle, employees can validly consent to the use of their personal data by the employer. However, if such consent is provided for in an agreement such as an employment contract, it shall be considered null and void if the above condition is violated and the processing of such data is to the employee's detriment. As stated above, it may be hard to demonstrate that the consent of an employee has been given voluntarily.
What is sensitive personal data?
Under the DPA, sensitive personal data include: (i) affiliation to a race or ethnicity; (ii) trade union membership; (iii) health data, but only to the extent it reveals a handicap or illness of the data subject; (iv) religious, ideological or political activities (not only the related beliefs); (v) the intimate sphere as such (not only sex life); (vi) genetic data; (vii) biometric data allowing the unique identification of a person; (viii) social welfare measures; and (ix) administrative and criminal proceedings or sanctions. Hence, under the DPA, the term “sensitive personal data” includes more than the standard types of sensitive personal data.
The DPA no longer uses the term “personality profiles”, which in the past had to be treated in the same way as sensitive personal data. The concept has been replaced by the concept of “profiling”, which is defined in a manner comparable with the GDPR. Furthermore, the DPA includes a definition of “high-risk” profiling, which in essence is profiling that results in a personality profile and thus bears a high risk of negative consequences for the data subject. For the private sector, the relevance of both terms is minimal: there is a limitation for credit rating agencies using high-risk profiling, and insofar as a controller relies on consent in order to conduct high-risk profiling, the consent must be explicit. However, high-risk profiling as such does not require consent.
Are there additional rules for processing sensitive personal data?
Sensitive personal data may not be disclosed to third parties (in their capacity as controllers) without sufficient justification such as: (i) the data subject’s consent; (ii) an overriding private or public interest; or (iii) a provision of Swiss law requiring or permitting such disclosure. If one of the conditions for processing sensitive personal data is met, this is usually a sufficient justification, but the “legitimate interest test” can also be relied upon.
In general, the DPA has always followed a “risk-based approach”, meaning that the higher the risks for data subjects, the stricter the general data quality principles that have to be applied. This way, the processing of sensitive personal data generally has to satisfy higher standards than the processing of personal data that involves lower risks.
There are no rules for processing for private persons that expressly refer to profiling, not even in the context of automated individual decisions. In particular, it is not necessary to obtain consent or any other justification for profiling. The only explicit limitation for private persons is related to the processing of personal data for credit checks by credit rating agencies.
Additional restrictions on the processing of sensitive personal data and with regard to profiling exist for public bodies.
Are there additional rules for processing information about criminal offences?
No, as this type of personal data is already included in the definition of sensitive personal data. There is no provision comparable to the separate prohibition on processing information about criminal offences in the GDPR.
Are there any formalities to obtain consent to process sensitive personal data?
In the case of sensitive personal data, the data subject’s consent may be relied upon only if it has been given explicitly.
Consent need not be given in writing; but, as with non-sensitive personal data, this is recommended (see above). The same requirement of explicit consent applies to consent obtained for high-risk profiling. Note that the DPA does in principle not require a controller to obtain consent for processing sensitive personal data or for profiling.
When must a data protection officer be appointed?
There is no formal obligation to appoint a data protection officer (except for federal authorities). Nevertheless, the DPA does provide for the voluntary appointment of a data protection officer (referred to as a “data protection advisor”) by private controllers. If such a data protection advisor satisfies the requirements of the DPA (see below), the controller may consult him or her instead of the FDPIC in the case of a data protection impact assessment resulting in a high risk for data subjects.
What are the duties of a data protection officer?
The duties of the data protection advisor are: (i) to serve as a contact point for data protection inquiries of data subjects and the FDPIC; (ii) to advise and train the controller with regard to data protection compliance; and (iii) to participate in the implementation of the controller’s data protection compliance activities. The data protection advisor must have the necessary skills, independence to perform his or her role and shall not have any other duties that could result in a conflict of interest.
The representative of a foreign controller (see “Territorial scope” above) has to maintain a copy of the record of processing activities, is obliged to share it with the FDPIC upon request and shall inform data subjects upon request about how they can exercise their rights.
The controller shall publish the contact information of its data protection advisor and the name and contact information of its representative.
Is there a general accountability obligation?
There is no accountability obligation as set forth in the GDPR. Introducing a broad documentation obligation was considered, but not implemented.
The only basic documentation obligation expressly set forth in the DPA is the obligation of both a controller and a processor to maintain a record of processing activities, comparable to the record keeping obligations in the GDPR .
However, any controller has to undertake the necessary technical and organisational measures to ensure that personal data is not processed in violation of the DPA. This de facto requires that the necessary policies and training must already be in place and compliance must be verified from time to time. This has been the case already prior to the revision; in the DPA, this is now referred to as a “privacy by design” obligation.
Are privacy impact assessments mandatory?
Yes, under certain circumstances. The revised DPA introduced an obligation upon controllers to perform and document a data protection impact assessment if their intended processing may result in a high risk for data subjects. This is in any event considered to be the case if the processing involves a large amount of sensitive data or if public areas are systematically monitored on a large scale. Limited exemptions exist for private controllers, for instance where they are processing personal data due to a legal obligation under Swiss law or in the case of certain codes of conduct being followed.
The data protection impact assessment has to include a description of the processing, an evaluation of the risks involved for the data subject's personality (or, in the case of a federal authority, the fundamental rights) and the measures undertaken or planned to protect the data subject.
The obligation is comparable to the corresponding obligation under the GDPR. Should the data protection impact assessment show that, despite the measures taken or to be taken, the risks for data subjects will remain high, the FDPIC has to be consulted (unless such consultation is done with the controller’s own data protection advisor appointed as described above).
Privacy notices
The controller is required to “adequately” inform the data subject of the collection of his or her personal data, including if such personal data is collected from a third party. It has to provide the data subject with any information that is necessary to enable him or her to exercise the rights under the DPA and ensure a transparent processing of his or her personal data.
At least, the following information has to be provided: (i) the identity and contact details of the controller; (ii) the categories of personal data collected, unless the data is collected directly from the data subject; (iii) the purposes of processing; (iv) the recipients or categories of recipients of the personal data, if any; (v) the list of rights of data subjects; (vi) the countries or international organisations to which personal data is disclosed, if any; (vii) the safeguards or exemptions relied on for disclosures to non-whitelisted countries; and (viii) automated individual decisions that have legal consequences for, or otherwise materially and negatively impact, him or her.
This minimum information required under the DPA does not go as far as the enhanced transparency information required under the GDPR, with the exception of (vi) and (vii). Note that the rights of data subjects are not exactly the same as those available under the GDPR. As a consequence, GDPR-compliant privacy notices have to be reviewed and amended for compliance with the DPA. The DPA does not require data subjects to be informed of the fact that they may withdraw their consent at any point in time.
Pursuant to other provisions of the DPA, the controller is also required to publish the contact information of its data protection advisor and the name and contact information of its representative, if any.
The DPA does define a number of cases in which no or only limited information is required from private controllers, specifically: (i) insofar as the data subject already has the information; (ii) insofar as the processing is required under Swiss law (which will result in many collections for standard employment purposes not requiring any notice); (iii) insofar as the controller is a private person bound by a statutory confidentiality obligation; (iv) where the controller can rely on certain media privileges; (v) in cases of indirect data collection if informing the data subject is not possible or would require a disproportionate effort; (vi) in the case of an overriding third-party interest; (vii) in the case of an overriding private interest of the controller, provided no data is shared with third-party controllers (except for group companies); and (viii) in the case that providing the information would defeat the purpose of the processing.
No information on automated individual decisions has to be given in the cases in which the decision: (i) is taken with the explicit consent of the data subject; or (ii) occurs directly in connection with the conclusion or performance of an agreement with the data subject, with the decision actually approving the data subject’s request.
In addition to the obligation to provide a privacy notice, the general data quality principles applicable under the DPA require that in principle any processing is undertaken in a transparent manner, including with regard to the purpose of the processing.
There is no requirement for privacy notices to be in one or all of the official languages of Switzerland, but the notice has to be in a language that the data subjects can understand in order to be effective. Hence, on an English-language website, the “privacy policy” has to be in English, and on a website also targeting a German-speaking audience, the notice also has to be in German.
Rights to access information
Any individual may request from controllers any information that is necessary to enable him or her to exercise the rights under the DPA and ensure a transparent processing of his or her personal data. At least, the following information has to be provided: (i) the identity and contact details of the controller; (ii) the personal data processed; (iii) the purposes of processing; (iv) the period for which the personal data is retained or, if not possible, the criteria for determining such retention period; (v) the available information on the source of the personal data, unless the data has been obtained from the data subject itself; (vi) the existence of automated individual decisions and the logic on which they are based; (vii) the recipients or categories of recipients of the personal data, if any; (viii) the list of rights of data subjects; (ix) the countries or international organisations to which personal data is disclosed, if any; and (x) the safeguards or exemptions relied on for disclosures to non-whitelisted countries.
Access may only be limited, deferred or denied under limited circumstances defined by the DPA. Private controllers may do so: (i) if a formal act of Swiss law so provides (example: a professional secrecy obligation); (ii) if there is an overriding third-party interest (which may include interests of the controller's own employees); (iii) if the access request is evidently frivolous or evidently unfounded, namely because it is made to pursue a purpose “contrary to data protection”; or (iv) in the case of an overriding private interest of the controller, provided no data is shared with third-party controllers (except for group companies).
While it is, in principle, possible that an access request be denied also on the basis of abuse of law, the Federal Supreme Court under the old DPA set the bar relatively high for such denials. With the new exemption for “evidently unfounded” requests under (iii) above, it is expected that it will be easier to push back on access requests that are pursued for reasons other than data protection, such as obtaining evidence for other legal claims.
Requests are usually to be made and responded to in writing, but, under certain conditions, electronic requests and responses are also admissible, as may be other forms (such as on-site reviews). However, a data subject typically has the right to receive a response in writing (DFC 141 III 119). Requests are usually free of charge, and the data subjects making such requests must identify themselves (for example, by providing a photocopy of an ID). Responses to requests must usually be given within 30 days, and a refusal to provide access has to be reasoned. If a response cannot be given within 30 days, the controller has to inform the data subject and indicate when a response will be provided.
Right to data portability
Originally, the revised DPA was not to provide a right to data portability, but the Federal Parliament decided to include it in the bill, essentially copying the corresponding provision of the GDPR. Any data subject can ask a controller to hand over, in a standard electronic format, any personal data: (i) that has been processed automatically by the controller; and (ii) with the consent of the data subject or in connection with the conclusion or performance of a contract with the data subject. If those prerequisites are met, data subjects may also ask for the direct transfer of the data to a third-party controller, unless this involves a disproportionate effort.
A controller may partially or fully refuse to hand over personal data on the same grounds as for access requests (see above). Controllers may charge a fee of up to CHF 300 if the fulfilment of the request would involve a disproportionate effort. In this case, the controller has to inform the data subject of the amount of the fee before complying with the request, and the data subject has to accept this offer within 10 days. The same applies to access requests.
Right to be forgotten
The DPA provides for a “right to be forgotten” in the form of a broad right of objection. The data subject can object to any aspect of a particular processing of personal data, including asking for the processing to be restricted or personal data to be erased. Such requests will have to be complied with unless there is a sufficient justification not to do so, for instance an overriding private or public interest.
Objection to direct marketing
The DPA provides for a general right of a data subject to object to the further processing of his/her personal data, but does not specifically address the issue of direct marketing or objections to profiling. Unlike the GDPR, the DPA provision on automated individual decisions does not refer to profiling.
Other rights
The data subject may request the personal data to be rectified, marked as being disputed or deleted. The data subject may request that no personal data be disclosed to third parties or processed further.
In the case of an automated individual decision that has a legal consequence for or otherwise materially and negatively impacts a data subject, he or she can request to present his or her case to a natural person, who has to review the decision. This is not necessary for a private controller where the decision has: (i) been taken with the explicit consent of the data subject; or (ii) occurred directly in connection with the conclusion or performance of an agreement with the data subject and where the decision actually approved the data subject's request. With this, the DPA is less strict than the GDPR, in particular in unproblematic cases.
In addition to the requests for compensation described above, if necessary, a data subject can request a (civil) court to issue: (i) a restraining order (on a permanent or temporary basis); or (ii) declaratory relief or another appropriate order against a controller or processor to prevent or remedy an illegal violation of a data subject's personality.
Security requirements in order to protect personal data
Controllers and processors must ensure a level of data security that is adequate in view of the risks by implementing suitable technical and organisational measures. This is comparable to the obligations under the GDPR, although the DPA does not prescribe particular methods of data security, such as pseudonymisation. Instead, the Swiss Ordinance on Data Protection ("DPO") goes further in defining the expectations with regard to data security. These include, in particular, the following measures: (i) access control, (ii) user control, (iii) storage control, (iv) transport control, (v) data integrity, (vi) system security, (vii) input control, as well as (viii) measures to detect and eliminate the consequences of data breaches. Notably, data security under the DPA is understood to cover not only the confidentiality, integrity and availability of personal data, but also the traceability of its processing, thus requiring the implementation of audit trails and the like.
Specific rules governing processing by third party agents (processors)
Processing of personal data may be outsourced to a processor: (i) if the controller ensures that the data is only processed in a way that the controller itself would be permitted to process it; and (ii) if no statutory or contractual confidentiality obligations prohibit the outsourcing. The controller must ensure that the processor provides for an adequate level of data security. These requirements have not changed from the old DPA.
In addition, the DPA permits the use of a sub-processor only upon prior approval of the controller, which duplicates the concept already known under the GDPR. The approval may be specific or generic, provided that in the latter case the controller is informed about a new sub-processor and has the right to object.
In practice, these rules usually require the controller to enter into a contract with the processor. The enhanced processor clauses are not required in their entirety, but it is common practice to use them for Switzerland as well, in which case they should be adjusted to make proper references to the DPA.
To the extent that certain data processing requires a particular justification, the third party may rely on the same justifications as the controller.
Notice of breach laws
The DPA provides for a data breach notification obligation that is comparable with the breach notification obligation under the GDPR, but with higher and different thresholds.
Whereas a data breach is defined in the same manner as under the GDPR, essentially being a breach of data security (i.e. a breach of confidentiality, integrity or availability), a private controller is required to notify it to the FDPIC only if the breach is likely to lead to a high risk for the personality (or, in the case of a federal authority, the fundamental rights) of the data subject. The notification is to be made “as quickly as possible”, with no fixed maximum time.
As is the case under the GDPR, processors are, in turn, required to inform controllers of data breaches (of any severity) as soon as possible.
The notification to the FDPIC has to include information on the type of breach, its consequences and the measures taken or planned. The notification may not be used in a criminal proceeding against the controller without its consent; yet this provision is expected to be of limited use given that criminal sanctions are usually directed not against the controller itself, but against its employees.
Furthermore, a controller has to inform the data subject “if this is required for their protection” (e.g., because the notification enables the data subject to take precautionary steps such as changing a password or watching out for incorrect credit card charges) or if the FDPIC so requires. Under certain conditions, such as a statutory obligation of confidentiality, the data subject notification may be delayed, limited or omitted.
Restrictions on transfers to third countries
The restrictions on transfers to third countries are comparable to those under the GDPR. It is only permitted to make personal data available to a recipient in a country without an adequate level of statutory data protection if there are either sufficient safeguards to compensate for such lack of protection, or if one of the exemptions defined by law applies. It should be noted, though, that Switzerland itself is considered a “third country” under the GDPR, and that, vice versa, Switzerland considers the EEA countries to be third countries (even though these are countries providing an adequate level of data protection).
With the DPA, there has been a conceptual change in how exports are governed. Prior to the revision of the DPA, each controller and processor had to determine for itself whether the destination of the transfer provided an adequate level of data protection. Under the DPA, the Federal Council maintains a binding list of such countries. This Annex to the DPO contains a list of all the whitelisted jurisdictions. The Swiss list is comparable to the list of adequacy decisions of the European Commission, but currently the Swiss list does not include Japan and South Korea. Transfers to U.S. companies certified under the CH-US Data Privacy Framework are expected to be included in the list soon (spring 2024).
If a country has not been found by the Federal Council to provide an adequate level of statutory data protection, the DPA nevertheless permits a restricted transfer of personal data to private controllers and processors if one of the following safeguards has been put in place: (i) an international treaty providing sufficient protection; (ii) adequate (individual) contractual clauses entered into by the controller or processor, provided they have been notified to the FDPIC beforehand; (iii) specific guarantees drawn up by the competent federal body, notice of which has been given to the FDPIC beforehand; (iv) standard contractual clauses approved, recognised or issued by the FDPIC (such as the Standard Contractual Clauses with a Swiss amendment); or (v) binding corporate rules approved by the FDPIC or by the data protection authority of another country that provides an adequate level of statutory data protection (e.g., EU data protection authorities). The Federal Council may provide for further safeguards (e.g., codes of conduct).
Note that although the "Schrems II" decision of the European Court of Justice was never and still is not binding upon Switzerland, the FDPIC considers it applicable to transfers of data to third countries that are not whitelisted, in the same manner as it is applied under the GDPR. The general view in Switzerland is that the "risk-based" approach applies under Swiss law. Yet, the FDPIC has publicly raised "doubts" whether this is the case. The general view is that this was done by the FDPIC for purely opportunistic and political reasons and that its view is generally not followed in practice. It is also by no means binding, and it is not enforced.
If none of the above safeguards can be or is to be used, it is nevertheless permissible to make personal data available to a recipient in a country without an adequate level of statutory data protection if one of the following exemptions applies: (i) the data subject has explicitly consented to the data export; (ii) the export of the personal data at issue is to happen in direct connection with the conclusion or performance of a contract with the data subject or in the interest of the data subject; (iii) the export of the personal data is necessary for maintaining overriding public interests; (iv) the export of the personal data is necessary for establishing, exercising or enforcing legal claims or rights before a court or other competent foreign authority (note that such exports may conflict with other Swiss laws, such as professional secrecy obligations or article 271 of the Swiss Penal Code); (v) the export of the personal data is necessary to protect the life or physical integrity of the data subject, and it is not possible to obtain consent; (vi) the data subject has itself made the personal data publicly available and has not expressly prohibited the processing of such data; or (vii) the data originates from an official registry which is either public or accessible to persons with a legitimate interest, insofar as the statutory conditions of access are fulfilled.
The publication of personal data through automated information or communications services (e.g., websites) is not considered an export even if the data becomes available outside of Switzerland.
Finally, the old DPA followed similar concepts to the Data Protection Directive. Accordingly, the European Commission has found Switzerland to provide an adequate level of data protection from an EU perspective (Decision 2000/518/EC). This finding was reconfirmed from an EU perspective in the report on the first review of the functioning of the adequacy decisions adopted pursuant to Article 25(6) of Directive 95/46/EC on 15 January 2024.
Notification and approval of national regulator (including notification of use of Model Contracts)
Under the old DPA, the use of standard contractual clauses, including the Standard Contractual Clauses had to be notified to the FDPIC. This is no longer necessary under the revised DPA. Notification is necessary only for contractual clauses not already recognised, approved or issued by the FDPIC (i.e. individually drafted contractual clauses).
Since the revision of the DPA, binding corporate rules formally also need to be approved (see above).
Use of binding corporate rules
See above. Note that despite the possibility to have binding corporate rules approved by a foreign data protection authority, they must be drafted in a manner to cover Switzerland, as well (even though the foreign data protection authority will not cover this aspect). So far, binding corporate rules have not been used widely in Switzerland.
Fines
Under the DPA, individuals acting for private controllers may be fined up to CHF 250,000 if they: (i) breach their privacy notice obligations or right of access obligations by intentionally providing wrong or incomplete information; (ii) intentionally fail to provide certain information required under their privacy notice obligations or provide wrong information; (iii) intentionally refuse to cooperate with the FDPIC or intentionally provide him or her with wrong information; (iv) intentionally make personal data available to a foreign recipient in violation of the restrictions on such data exports; (v) in their capacity as controllers, intentionally delegate data processing to a processor in violation of the DPA's preconditions (except for the obligation to maintain control over the appointment of sub-processors); (vi) intentionally fail to comply with the minimum data security requirements defined by the Federal Council (whereas the DPO defines a number of requirements, the majority view is that they are too generic to serve as a legal basis for fining a responsible person for non-compliance with them); or (vii) intentionally fail to comply with an order of the FDPIC.
Unlike under the GDPR, these fines are all directed at individuals (i.e., those who intentionally act in violation of the relevant provisions, or those who should prevent a violation and have the authority to do so, but do not), not companies. Although it is possible for companies to be fined in lieu of individuals if the responsible individuals cannot reasonably be determined and the fine would not exceed CHF 50,000, the focus of the criminal provisions of the DPA remains on punishing individuals for their decisions to breach the DPA. The fines are not issued by the FDPIC, but by the cantonal criminal authorities.
The DPA also introduces a broad obligation of professional secrecy and a new provision sanctioning identity theft.
Violations of the processing principles of the DPA, on the other hand, continue to be exempt from punishment – an important difference to the GDPR. The same applies to the failure to make a data breach notification, to undertake a data protection impact assessment or to maintain a record of processing activities.
Imprisonment
More severe criminal sanctions may apply for breaches of professional secrecy provided for in the Swiss Penal Code and other Swiss laws (e.g., the Banking Act). Furthermore, the Swiss Penal Code provides that a person who obtains sensitive personal data from a non-public data collection without authorisation shall be punished by imprisonment or fined.
Compensation
Data subjects may claim damages, satisfaction and/or surrender of profits if their personality has been violated without sufficient justification. Damages and satisfaction may only be claimed in cases of negligence or wilful intent. The prerequisites for claims for surrender of profits are not entirely clear for violations of personality, though it is likely that a claim will only be possible in the case of bad-faith behaviour.
Other powers
Under the DPA, the FDPIC is in principle obliged to investigate a data processing activity, either ex officio or upon complaint, if there are sufficient indications that it is performed in violation of the revised DPA. Exceptions exist if the violation appears to be of minor relevance. He has wide-ranging powers to investigate cases and to issue orders with regard to how personal data is to be processed by a particular controller or processor. Those orders become binding if they are not successfully appealed by the addressee.
The FDPIC can also order the processing to be suspended or closed-down, and he can order compliance with various provisions of the DPA. The FDPIC may issue a “warning” if the person targeted takes the necessary measures to restore compliance with the DPA during the investigation. If necessary, the FDPIC can issue temporary restraining orders. Recourse is possible to the Federal Administrative Court.
Practice
Fines: The number of old DPA-related cases decided by criminal courts is not known. It is known, however, that since coming into force in 1993 and as of December 2009, the criminal provisions of the old DPA had resulted in only one conviction (a five-day term plus a fine of CHF 750 in 1996). Another conviction (a fine of CHF 500 for an intentionally wrong response to an access request) was reported for December 2014. According to the data provided by the Federal Statistical Office, there have been no further DPA-related cases as of 2022. Later data is not available. It is, however, to be expected that the number of cases will rise under the revised DPA, since the revised DPA provides for more and much higher fines than the old DPA did in the past.
So far, it is not known that any fines have been issued against controllers or processors in Switzerland for breaches of the GDPR. Note that fines issued under the GDPR are so far not enforceable in Switzerland.
Other enforcement action: There are no official statistics on the number of investigations and prosecutions concerning violations of the old DPA. Under the old DPA, the FDPIC usually started a handful to a dozen official investigations per year, with only very few being completed with specific requests to the controller or processor targeted.
Since the revised DPA expanded the FDPIC's enforcement powers, he will intensify his supervisory activities and gradually increase the number of formal investigations (according to the activity report 2022/2023). The FDPIC is equipped with additional staff for the implementation of the revised DPA and was able to successfully complete the corresponding recruitment at the beginning of 2023.
As of September 1, 2023, the FDPIC has started two formal investigations according to the revised DPA, which are still pending. Furthermore, since the revised DPA has entered into force, the FDPIC receives formal complaints on a daily basis. As under the old DPA, the FDPIC continues to pursue a solution-oriented and resource-conserving approach when processing complaints. He usually undertakes an informal "preliminary" investigation, during which he points out possible misconduct to the person responsible. If this informal exchange does not lead to a satisfactory and legally compliant solution, the FDPIC reserves the right to open a formal investigation at any time, during which he will examine the facts of the case and the legality of the processing in detail in application of the Federal Act on Administrative Procedure and, after hearing those responsible who are obliged to cooperate, will impose administrative measures, if necessary.
It should also be noted that not all complaints received by the FDPIC meet the requirements of Art. 49 FADP, i.e. sufficient indications of a data protection breach and it not being of minor relevance. In such cases, the FDPIC does not further investigate the case at hand.
The number of old DPA-related cases decided by civil courts is not known. So far, there have been only a few civil lawsuits on the basis of the old DPA. Most cases that involve the protection of a data subject's personality are mass-media-related, employee-related, cases concerning the “right to be forgotten” and insurance surveillance cases. As a “one-time” exception to the foregoing, there have been several hundred court cases involving the disclosure of employee-related personal data to U.S. authorities as part of the Swiss-U.S. tax dispute (its settlement required the disclosure of employee names, among other information).
ePrivacy laws
Switzerland has implemented a provision that is similar to article 13 of the Privacy and Electronic Communications Directive. The provision is part of the UCA and has been in effect since 1 April 2007.
The UCA also introduced a kind of official Swiss “Robinson List”, requiring businesses to comply with generic opt-out marks in the telephone directory for the purposes of commercial communications and the disclosure of data for the purposes of direct marketing. This is not to be confused with the "Robinson List" maintained by the Swiss Dialog Marketing Association, which has no legally binding effect. Furthermore, unlisted phone numbers are deemed to be marked. The term "mark" means a so-called star entry (*Does not wish advertising) in the telephone directory. The term "telephone directory" refers only to the official directories of subscribers maintained by the registered telecom service providers in Switzerland pursuant to the Telecommunications Act. The opt-out marks currently apply to individual phone and fax numbers, not to the postal address or the entire record. Whether the marks also have to be checked in connection with e-mail addresses is controversial, because e-mail addresses do not officially form part of the directories referred to in the provision. In any event, the provision does not prevent direct marketing to current or recent customers and to people who have requested or consented to receiving the marketing materials. Under the UCA, marketing calls must also be made with a caller ID number that is correct, visible and registered in the Swiss telephone directory. Any information obtained in violation of these rules, and thus in an unlawful manner, may not be used; such use is a criminal act of its own.
Finally, the Telecommunications Act contains a provision on cookies roughly in line with the (original) Privacy and Electronic Communications Directive. The violation of the provision can result in civil claims and, upon the request of a person affected, in criminal charges.
Even though there have been (or still are) plans to revise the Privacy and Electronic Communications Directive in the EU, there are currently no plans in Switzerland to revise its own corresponding provisions.
Conditions for use of cookies
Cookies that do not contain or relate to personal data (i.e. that are not connected to identified or identifiable persons from the perspective of the person using the cookies) are not restricted (e.g., typical session cookies). If cookies (or similar techniques such as clear GIFs or web-beacons) are related to identified or identifiable persons or otherwise connected to personal data, then they may be used only if: (i) they are required for the provision of telecommunications services or invoicing for such services; or (ii) the user has been informed about their processing, their purpose and that the user can decline the processing of related data. However, there is so far no requirement under Swiss law to obtain the user's consent for using cookies.
Regulatory guidance on the use of cookies
In his guide (no legal binding effect) regarding the technical and organizational measures of data protection (TOM), the FDPIC argues that due to the principle of proportionality, only cookies necessary for the access to a website may be activated by default. He further states that users have to give their active consent for the activation of additional cookies.
This view is heavily disputed in Swiss legal doctrine, as user consent is generally not a requirement for data processing under either the old or the revised DPA, in contrast to the European legislation.
Conditions for direct marketing by e-mail to individual subscribers
Pursuant to the UCA, sending unsolicited mass direct marketing e-mails is only allowed if the recipient has provided his or her prior consent. The recipient's consent does not necessarily have to be in writing. However, it is not permissible to obtain consent by sending out unsolicited mass e-mails asking for such consent.
The UCA requires businesses performing direct marketing to consult the official Swiss phone directories for numbers that have been marked with a standardised telemarketing opt-out declaration, unless the person has otherwise consented to receiving e-mail marketing or has a customer relationship. Certain commentators believe that this provision also extends to e-mail addresses registered in the phone directories at issue, but the relevant phone directories officially do not provide for e-mail addresses. It is, thus, more likely than not that this provision does not apply to them. However, given the aforementioned opt-in requirement for unsolicited mass direct marketing e-mails under the same act, this issue usually does not become relevant in practice.
Furthermore, according to case law under the old DPA, e-mail marketing is admissible only with the prior express consent of the intended recipients. It has been ruled that sending unsolicited e-mails to unknown recipients using e-mail addresses indiscriminately collected on the internet (e.g. by use of a web crawler) violates the DPA, regardless of whether such e-mails provide for an opt-out.
Conditions for direct marketing by e-mail to corporate subscribers
The same conditions apply as for direct marketing by e-mail to individual subscribers.
Exemptions and other issues
The similar products and services exemption applies under the UCA ("opt-out"). However, pursuant to the prevailing legal doctrine in Switzerland, the exemption only applies if indeed a contract has been formed; it is not sufficient that the contact details have been collected in connection with a contract negotiation (which did not result in a contract). Furthermore, according to the prevailing legal doctrine, the exemption only applies if the recipient has been informed of the possibility to refuse e-mails at the time when the contract has been formed or during follow-up interactions related to the contract (e.g. deliveries, invoices). Conversely, the exemption would not apply if a business were to collect contact information in the context of a product sale, but provide the "opt-out" information only later on by separate e-mail without such context. Consequently, there is in practice only a very narrow field of application for the similar products and services exemption under Swiss law. In most cases, businesses will find it easier and safer to obtain prior consent (e.g., by use of an appropriate provision in the general terms and conditions), which should also help compliance with the Swiss "Robinson List" (see above).
The UCA also prohibits direct marketing e-mails from being sent if: (i) the identity of the sender is disguised or concealed; or (ii) a simple means for refusing further e-mails free of charge (e.g., a link to click on for opting out) is not provided with each e-mail.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
It is, in principle, not permitted to make direct marketing calls to individual subscribers who: (i) have previously objected to such calls; (ii) are listed in the Swiss "Robinson List" (see above); or (iii) are unlisted (see above). The necessary contact information may be obtained and used only in compliance with the DPA, for example, if the subscriber made it publicly available (e.g. by having it listed in the telephone directory), or has provided it and implicitly or explicitly agreed to its use for marketing purposes. Calls must be made using a caller ID number that is correct, visible and registered in the Swiss telephone directory.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
The same conditions apply as for direct marketing by telephone to individual subscribers.
Exemptions and other issues
Calls can be made to a subscriber who has consented to receiving such calls.