Data Protected - Switzerland
Last updated June 2022
General | Data Protection Laws
National Supervisory Authority
Scope of Application
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Transfer of Personal Data to Third Countries
ePrivacy | Marketing and cookies
General | Data Protection Laws
General data protection laws
The Swiss Federal Data Protection Act (the “old DPA”), originally dated 19 June 1992, has undergone a complete revision (the “revised DPA”), which has been passed on 25 September 2020.
With its revision, the DPA is to comply with the revised Council of Europe Convention 108. Its provisions are similar to those of the GDPR, although with a few conceptual differences, for example relating to legal grounds and sanctions. Apart from the DPA, other laws such as the Swiss Unfair Competition Act, the Swiss Telecommunications Act and the Swiss Penal Code contain further provisions governing data protection in Switzerland.
A summary of the position under the old DPA is available here.
Entry into force
The old DPA came into force on 1 July 1993.
The revised DPA and its revised ordinances are expected to enter into force on 1 September 2023.
National Supervisory Authority
Details of the competent national supervisory authority
The Swiss Federal Data Protection and Information Commissioner (the “DPIC”)
Notification or registration scheme and timing
As opposed to the old DPA, there is no longer an obligation for private persons to notify or register their data processing activities (i.e. their files) with the DPIC.
However, foreign controllers may, under certain circumstances, have to appoint a representative in Switzerland (see “Data Protection Officers” below) to serve as a contact point for the DPIC.
Exemptions to notification
Scope of Application
What is the territorial scope of application?
The revised DPA’s territorial scope depends on whether it is enforced by the DPIC (in an administrative law proceeding) or by a data subject (in the form of a civil lawsuit).
The DPIC is competent to enforce the revised DPA with regard to any activity that is taking place in Switzerland (principle of territoriality). This includes cases where an activity has its effect in Switzerland, even if it is caused by an activity outside of Switzerland, for example a service provider outside of Switzerland that offers its service also to consumers in Switzerland. This has already been the case under the old law but now is expressly stated so in the revised DPA. The concept is, thus, broader than the GDPR.
In the case of civil lawsuits against a person participating in a violation of personality, Swiss courts will in general apply the revised DPA, upon free choice of the data subject, if either: (i) the data subject is resident in Switzerland, provided this was foreseeable for the controller or processor sued; (ii) the controller or processor sued has its seat of residence or a branch in Switzerland; or (iii) the place of effect of the violation of personality (which usually includes the place of processing of personal data) is in Switzerland, provided this was foreseeable for the controller or processor sued.
Private controllers with their seat outside of Switzerland are required to appoint a representative in Switzerland, if: (i) they process personal data of data subjects in Switzerland; (ii) the data processing is in connection with offering them goods or services or monitoring their behaviour; (iii) the data processing is extensive; (iv) it occurs on a regular basis; and (v) it involves a high risk for such data subjects. In practice, these conditions will rarely be met.
Is there a concept of a controller and a processor?
Yes. The revised DPA adopts the GDPR’s concept and definitions of controllers and processors.
Nevertheless, everyone who processes personal data should comply with the general data quality principles (which also apply under the revised DPA), because anybody who “participated” in the processing of personal data may be held jointly liable in the case of a civil claim.
As a consequence, the exposure of a processor may go beyond the liability it would have under the GDPR. The Federal Supreme Court found that a hosting provider is participating in the publications on its server (Decision 5A_792/2011 of January 14, 2013), whereas somebody who merely publishes a link to a publication on a third party website does not participate in such publication (Decision 5A_658/2014 of May 6, 2015).
The revised DPA also contains the concept of joint controllers, but unlike as under the GDPR, there are no special provisions concerning them.
Are both manual and electronic records subject to data protection legislation?
Yes. The revised DPA applies irrespective of the technology used. The exclusion of unstructured manual records in the GDPR does not apply under Swiss law.
However, the general data security obligations may have to be implemented differently depending on whether manual or electronic records are used. In the case of automated processing of personal data, additional security and documentation requirements apply, for example the obligation to implement audit trails, where they are necessary to ensure the data protection of sensitive personal data and personality profiles.
Are there any national derogations?
Cantonal and local authorities are governed by separate, cantonal data protection legislation, not the revised DPA. Many of them already have been amended to satisfy the requirements of the revised Council of Europe Convention 108, others will follow over time.
Federal authorities (including private persons entrusted with public tasks, such as those in the field of mandatory health insurance) are also subject to the revised DPA, but: (i) must comply with additional rules (for example, the processing of personal data is normally permitted only on the basis that there is a provision of Swiss law that permits such processing); and (ii) cannot rely on the same reasons for justifying a violation of a data subject’s personality as private persons can do.
The revised DPA does not apply to personal data processed by an individual solely for personal purposes and not disclosed to third parties; this limitation is narrower than the exclusion of processing for personal or household activities in the GDPR. Another important exception is that the revised DPA does not apply in civil, criminal, international judicial assistance and administrative recourse proceedings in Switzerland insofar as their procedural laws apply; however, it does apply in international administrative assistance. The revised DPA is also considered not to apply to national or international arbitration before a tribunal with its seat in Switzerland.
What is personal data?
The definition of personal data in the revised DPA is closely based on the standard definition of personal data. The term is understood rather broadly. However, Swiss courts and the DPIC are applying the definition more systematically than many data protection authorities under the GDPR.
For example, website usage data collected by a site operator using "cookies" is not considered personal data as long as the data subject is not and cannot be reasonably identified by the operator of the site or by other people having access to the logs (whether third parties could identify the data subject is not relevant).
Likewise, IP addresses may qualify as personal data, as confirmed by the Federal Supreme Court in 2010 (DFC 136 II 508, Logistep). While this may not be the case in all circumstances, if IP addresses are collected for the very purpose of identifying the individuals behind them (such as people illegally sharing pirated content over the internet), and if Swiss law permits such identification (which it does in the case of internet felonies), then IP addresses should be treated as personal data (but in other cases not). It should be noted that the court found that in the case at hand it was not permissible under the old DPA to collect such personal data for the purpose of identifying individuals illegally sharing pirated content, although the balancing of interests in this case has been heavily criticised.
Swiss law thus follows a "relative" definition of personal data: for data to be considered personal data, the relevant audience must not only be reasonably able to identify the data subjects, but also willing to undertake the efforts for doing so. Accordingly, if personal data is securely encrypted or otherwise pseudonymised, it no longer is considered personal data for those who are not able to decrypt it or re-identify the data subjects. The possibility to "single out" a data subject does, as such, not amount to identification.
Is information about legal entities personal data?
No. The revised DPA does not apply to information about legal entities. This was still the case under the old DPA. However, the various professional secrecy obligations that exist under Swiss law still protect information about legal entities.
What are the rules for processing personal data?
Unlike as under the GDPR, the DPA does not require that a private sector controller has a legal ground to process personal data. The DPA rather follows the "opt-out" principle, i.e. the data subject has to object to a processing of their data if they don't want it to be processed (rather than consent if their data is to be processed). Besides, Swiss law requires that a number of processing principles are complied with.
In other words, personal data may be processed if the processing either: (i) does not violate the personality of the data subject; or (ii) does violate the personality of the data subject, but is justified by the data subject’s consent, an overriding private or public interest or by a provision of Swiss law requiring or permitting the processing at issue.
Any legitimate interest of the controller, the processor, the data subject or any third party can, in principle, qualify as an overriding private interest if it is sufficient to outweigh the violation of the data subject's personality. However, the Federal Supreme Court held that controllers should be cautious before assuming that private interests will justify any such processing (DFC 136 II 508). In another case involving the online service "Street View" (the “Street View Case”), however, the Federal Supreme Court found that the public interest justifies keeping the service alive although the algorithm for blurring faces was not perfect and missed 1 per cent of the visible faces (DFC 138 II 346). The revised DPA provides a non-exhaustive list of circumstances in which the overriding private interest of the controller must be considered, for example: (i) the conclusion and performance of a contract with the data subject; (ii) the processing of information on competitors; or (iii) the processing of personal data for non-personal uses under certain conditions.
The personality of the data subject is, by definition, considered violated if his/her personal data: (i) is not processed lawfully (for example, if data has been stolen or extorted from someone else); (ii) is not processed in good faith (which includes the duty to be transparent); (iii) is not processed in a proportionate manner (i.e. are not or are no longer necessary or suitable in view of the purpose of processing, or are for an excessive purpose); (iv) is not deleted or anonymised once it is no longer needed for its purpose (which, in fact, is covered already by the broader concept of proportionality in (iii)); (v) is not used for the specific purpose that has been made transparent to the data subject or that is not compatible with such purpose; (vi) has not been verified for its correctness and corrected or deleted (where necessary in view of the purpose); (vii) is being processed without complying with the general data security obligations; (viii) is processed against the data subject’s express will (i.e. the processing continues following the data subject’s objection or request to have the personal data deleted); (ix) is sensitive personal data disclosed to a third party controller (see below); or (x) are employee personal data and are processed despite being neither necessary for assessing the qualification of the employee for his/her job nor for the performance of his/her employment contract.
In other words, the general data quality principles and any objections of the data subject must also be respected under the revised DPA, but it is possible to “justify” not doing so with a “good reason”. Hence, the revised DPA follows a different concept than the GDPR. Under the revised DPA, no legal basis is required upfront, but in essence only if the personality of the data subject is violated. The “legitimate interest” test in the GDPR is comparable to the “overriding private interest” test under the revised DPA but unlike under the GDPR, it can also be used to justify the processing of sensitive personal data (there is no equivalent to the specific additional restrictions on processing this personal data as there is in the GDPR).
Notwithstanding the foregoing, it is presumed that the personality of the data subject is not violated if the data subject has made the personal data generally accessible (e.g., via social media, interviews, a personal blog) and has not expressly prohibited its processing. However, the data subject can challenge this and prove that his/her personality has nevertheless been infringed upon, for example by the abusive use of information published on the data subject's website.
Insofar as the processing of personal data relies on a default setting (i.e. a setting that can be changed by the data subject, e.g., through an app or other online interface), the default setting must be the most “data protection friendly” one (“privacy by default”).
For rules on processing personal data in connection with automated individual decisions, see “Rights of Data Subjects” below.
Are there any formalities to obtain consent to process personal data?
Consent is valid only if given voluntarily following the provision of adequate information ("informed consent"). Furthermore, consent is only effective if given in advance of processing. Consent need not be given in writing; however, the burden of proof is upon the controller or processor, respectively, so this would be recommended for evidentiary purposes.
Implicit consent may be sufficient, in certain circumstances, but not in regard to sensitive personal data or profiling (see below).
The failure of a data subject to object to a particular processing or notice of such processing of his/her personal data is usually not sufficient to presume consent. However, such “deemed” consent may be effective in cases of existing contractual relationships, in particular where general terms and conditions provide for such deemed consent.
A data subject may withdraw his/her consent at any time, although such withdrawal will not usually be applied retrospectively. Even if a data subject has withdrawn his/her consent, depending on the circumstances, it may still be possible to justify a particular processing of personal data under the argument of an overriding private interest of the controller, the data subject or other party.
Employees can, in principle, validly consent to the use of their personal data by the employer. However, if such consent is provided for in an agreement (for example, the employment contract), it shall be considered null and void if: (i) the employee is asked to consent to the processing of personal data which is required neither for assessing the qualification of the employee for his/her job nor for the performance of his/her employment contract; and (ii) the processing of such data is, from an overall perspective, to the employee's detriment. It may also be hard to demonstrate that the consent of an employee has been given voluntarily.
The revised DPA’s conditions for consent are not as strict as under the GDPR. It is in principle still possible to have tick-boxes pre-ticked and to include consent declarations in contracts even where the processing activity is not necessary for the performance of the contract.
Are there any special rules when processing personal data about children?
The revised DPA does not provide for any particular provisions on the processing of personal data about children. In fact, the Swiss Civil Code grants children capable of judgement (which is usually considered to be the case when they turn 13) more rights to decide their own data protection rights than under the GDPR.
Are there any special rules when processing personal data about employees?
The personality of the data subject is considered to be violated if employee personal data is processed despite not being necessary for assessing the qualification of the employee for his/her job or for the performance of his/her employment contract. However, such violations can be "justified" as described above (Decision of the Federal Tribunal 4A_518/2020).
In principle, employees can validly consent to the use of their personal data by the employer. However, if such consent is provided for in an agreement such as an employment contract, it shall be considered null and void if: the above condition is violated and the processing of such data is to the employee's detriment. Further, it may be hard to demonstrate that the consent of an employee has been given voluntarily.
Sensitive Personal Data
What is sensitive personal data?
Under the revised DPA, sensitive personal data include: (i) racial origin; (ii) trade union membership; (iii) health data, but only to the extent it reveals handicap or illness of the data subject; (iii) religious, ideological or political activities (not only related beliefs); (iv) the intimate sphere as such (not only sex life); (v) genetic data; (vi) biometric data allowing the unique identification of a person; (vii) social security measures; and (viii) administrative or criminal proceedings and sanctions. Hence, under the revised DPA, the term “sensitive personal data” includes more than the standard types of sensitive personal data.
The revised DPA will no longer use the term “personality profiles”, which in the past had to be treated in the same way as sensitive personal data. The concept has been replaced by the concept of “profiling”, which is defined in a manner comparable with the GDPR. Furthermore, the revised DPA includes a definition for profiling “involving a high risk”, which in essence is a profiling that results in a personality profile and thus bears a high risk of negative consequences for the data subject. For the private industry, the relevance of both terms is minimal - there is a limitation for credit rating agencies using profiling involving a high risk and insofar as a controller relies on consent in order to conduct a profiling involving a high risk, the consent must be explicit. However, profiling involving a high risk as such does not require consent.
Are there additional rules for processing sensitive personal data?
Sensitive personal data may not be disclosed to third parties (in their capacity as controllers) without sufficient justification such as: (i) the data subject’s consent; (ii) any overriding private or public interest; or (iii) a provision of Swiss law requiring or permitting such disclosure. If one of the conditions for processing sensitive personal data is met, this is usually a sufficient justification, but the “legitimate interest test” can also be relied upon.
In general, the DPA has always followed a “risk-based approach”, meaning that the higher the risks for data subjects, the stricter the general data quality principles that have to be applied. This way, the processing of sensitive personal data has to generally satisfy higher standards than personal data that involves lower risks.
There are no rules for processing for private persons that expressly refer to profiling, not even in the context of automated individual decisions. In particular, it is not necessary to obtain consent or any other justification for profiling. The only explicit limitation for private persons is related to the processing of personal data for credit checks by credit rating agencies.
Additional restrictions on the processing of sensitive personal data and with regard to profiling exist for public bodies.
Are there additional rules for processing information about criminal offences?
No, as this type of personal data is already included in the definition of sensitive personal data. There is no provision comparable to the separate prohibition on processing information about criminal offences in the GDPR.
Are there any formalities to obtain consent to process sensitive personal data?
In the case of sensitive personal data, the data subject’s consent may be relied upon only if it has been given explicitly.
Consent need not be given in writing; but, as with non-sensitive personal data, this is recommended (see above). The same restriction applies to consent to be obtained for profiling “involving high risks”. Note that the revised DPA does in principle not require a controller to obtain consent for processing sensitive personal data or for profiling.
Data Protection Officers
When must a data protection officer be appointed?
There is no formal obligation to appoint a data protection officer. Nevertheless, the revised DPA does provide for the voluntary appointment of a data protection officer (referred to as “data protection advisor”) by private controllers. If such a data protection advisor satisfies the requirements of the revised DPA, the controllers may consult him or her instead of the DPIC in the case of a data protection impact assessment resulting in a high risk for data subjects.
What are the duties of a data protection officer?
The duties of the data protection advisor are: (i) to serve as a contact address for data protection inquiries of data subjects and the DPIC; (ii) to advise and train the controller with regard to data protection compliance; and (iii) to participate in the implementation of the controller’s data protection compliance activities. The data protection advisor has to have the necessary skills, independence to perform his or her role and shall not have any other duties that could result in a conflict of interest.
The representative has to maintain a copy of the records of processing activities, is obliged to share it with the DPIC upon request and shall inform data subjects upon request about how they can exercise their rights.
The controller shall publish the contact information of its data protection advisor and the name and contact information of its representative.
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
There is no accountability obligation as set forth in the GDPR. Introducing a broad documentation obligation has been considered, but not implemented.
The only basic documentation obligation expressly set forth in the revised DPA is the obligation of both a controller and a processor to maintain a record of processing activities, comparable to the record keeping obligations in the GDPR.
However, any controller has to undertake the necessary technical and organisational measures to ensure that personal data is not processed in violation of the revised DPA. This de facto requires that the necessary policies and training must already be in place and compliance must be verified from time to time. This has been the case already prior to the revision; in the revised DPA, this is now referred to as a “privacy by design” obligation.
Are privacy impact assessments mandatory?
Yes, under certain circumstances. The revised DPA will introduce an obligation upon controllers to perform and document a data protection impact assessment if their intended processing may result in a high risk for data subjects. This is in any event considered to be the case if the processing involves a large amount of sensitive data or if public areas are systematically monitored. Limited exemptions exist for private controllers, for instance where they are processing personal data due to a legal obligation under Swiss law or in the case of certain codes of conduct being followed.
The data protection impact assessment has to include a description of the processing, an assessment of the risks involved for the data subject and the measures undertaken or planned to protect the data subject.
The obligation is comparable to the corresponding obligation under the GDPR. Should the data protection impact assessment show that, despite the measures taken or to be taken, the risks for data subjects will remain high, the DPIC has to be consulted (unless such consultation is done with the controller’s own data protection advisor appointed as described above).
Rights of Data Subjects
The controller is required to “adequately” inform the data subject of the collection of his or her personal data, including if such personal data is collected from a third party. It has to provide the data subject with any information that is necessary to enable him or her to exercise the rights under the revised DPA and ensure a transparent processing of his or her personal data.
At least, the following information has to be provided: (i) the identity and contact details of the controller; (ii) the categories of personal data collected, unless the data is collected directly from the data subject; (iii) the purposes of processing; (iv) the recipients or categories of recipients of the personal data, if any; (v) the list of rights of data subjects; (vi) the countries or international organisation to which personal data is disclosed, if any; (vii) the safeguards or exemptions relied on for disclosures to non-whitelisted countries; and (viii) automated individual decisions that have legal consequences for, or otherwise materially and negatively impact, him or her.
This minimum information required under the revised DPA does not go as far as the enhanced transparency information required under the GDPR, with the exception of (vi) and (vii). Note that the rights of data subjects are not exactly the same as those available under the GDPR. As a consequence, GDPR-compliance privacy notices have to be reviewed and amended for compliance with the revised DPA. The revised DPA does not require data subjects to be informed of the fact that they may withdraw their consent at any point in time.
Pursuant to other provisions of the revised DPA, the controller is also required to publish the contact information of its data protection advisor and the name and contact information of its representative, if any.
The revised DPA does define a number of cases in which no or only limited information is required by private controllers, specifically: (i) insofar as the data subject already has the information; (ii) insofar as the processing is required under Swiss law (which will result in many collections for standard employment purposes not requiring any notice); (iii) insofar as the controller is a private person bound by a statutory confidentiality obligation; (iv) where the controller can rely on certain media privileges; (v) in cases of indirect data collection if informing the data subject is not possible or would require a disproportionate effort; (vi) in the case of an overriding third party interest; and (vii) in the case of an overriding private interest of the controller, provided no data is shared with third party controllers (except for group companies).
No information on automated individual decisions has to be given in the cases in which the decision: (i) is taken with the explicit consent of the data subject; or (ii) occurs in connection with the conclusion or performance of an agreement with the data subject with the decision actually approving the data subject’s request.
In addition to the obligation to provide a privacy notice, the general data quality principles applicable under the revised DPA require that in principle any processing is undertaken in a transparent manner, including with regard to the purpose of the processing.
Rights to access information
Any individual may request from controllers any information that is necessary to enable him or her to exercise the rights under the revised DPA and ensure a transparent processing of his or her personal data. At least, the following information has to be provided: (i) the identity and contact details of the controller; (ii) the personal data processed; (iii) the purposes of processing; (iv) the period for which the personal data is retained or, if not possible, the criteria for determining such retention period; (v) the available information on the source of the personal data, unless the data has been obtained from the data subject itself; (vi) the existence of automated individual decisions and the logic on which they are based; (vii) the recipients or categories of recipients of the personal data, if any; (viii) the list of rights of data subjects; (ix) the countries or international organization to which personal data is disclosed, if any; and (x) the safeguards or exemptions relied on for disclosures to non-whitelisted countries.
Access may only be limited, deferred or denied under limited circumstances defined by the revised DPA. Private controllers may do so: (i) if a formal act of Swiss law provides so (example: a professional secrecy obligation); (ii) if there is an overriding third party interest (which may include interests of own employees); (iii) the access request is evidently of querulatory nature or evidently unfounded, namely because it is made to pursue a purpose “contrary to data protection”; (iv) in the case of an overriding private interest of the controller, provided no data is shared with third party controllers (except for group companies).
While it is, in principle, possible that an access request be denied also on the basis of abuse of law, the Federal Supreme Court under the old DPA has set the bar relatively high for such denials. A client of a Swiss bank tried to use an access request to obtain a copy of internal client notes of the bank to evaluate the chances of a civil liability claim. The court did not consider this an abusive request; as it was not made solely for the purposes of a fishing expedition, but also for allowing the data subject to verify whether the personal data on record was correct (DFC 138 III 425). As a consequence of the decision, there has been a surge in what would generally be considered abusive access requests for either pre-trial discovery or nuisance purposes. Such requests generally are successful in court as long as the data subjects can at least pretend that the access request has been also for data protection purposes, which is usually easily possible. It remains to be seen whether the above exemption for “evidently unfounded” requests will manage to limit such “discovery” requests.
Requests are usually to be made and responded to in writing, but, under certain conditions, electronic requests and responses are also admissible, as may be other forms (such as on-site reviews). However, a data subject typically has the right to receive a response in writing (DFC 141 III 119). Requests are usually free of charge and the data subjects making such requests must identify themselves (for example, by providing a photocopy of an ID). Responses to requests must usually be given within 30 days, and a refusal to provide access has to be reasoned.
Right to data portability
Originally, the revised DPA did not provide a right to data portability, but the Federal Parliament decided to include it in the bill, essentially copying the corresponding provision of the GDPR. Any data subject can ask a controller to handover in a standard electronic format any personal data: (i) that has been processed automatically by the controller; (ii) with the consent of the data subject or in connection with the conclusion or performance of a contract with the data subject. Data subjects may also ask for the direct transfer of the data to a third party controller, unless this involves a disproportionate effort.
A controller may partially or fully refuse to hand-over personal data on the same grounds as for access requests (see above). It is possible that further provisions in the ordinances to the revised DPA will define cases in which controllers may charge a fee.
Right to be forgotten
The revised DPA provides for a “right to be forgotten” in the form of a broad right of objection. The data subject can object to any aspect of a particular processing of personal data, including asking for the processing to be restricted or personal data to be erased. Such requests will have to be complied with unless there is a sufficient justification not to do so, for instance an overriding private or public interest.
Objection to direct marketing
The revised DPA provides for a general right of a data subject to object against the further processing of his/her personal data, but does not specifically address the issue of direct marketing or objections to profiling. Unlike the GDPR, the revised DPA provision on automated individual decisions does not refer to profiling.
The data subject may request the personal data to be rectified, marked as being disputed or deleted. The data subject may request that no personal data be disclosed to third parties or processed further.
In the case of an automated individual decision that has a legal consequence for or otherwise materially and negatively impacts a data subject, he or she can request to present his or her case to a human being, who has to review the decision. This is not necessary for a private controller where the decision has: (i) been taken with the explicit consent of the data subject; or (ii) occurred in connection with the conclusion or performance of an agreement with the data subject and where the decision actually approved the data subject’s request. With this, the revised DPA is less strict than the GDPR, in particular in unproblematic cases.
In addition to the requests for compensation described above, if necessary, a data subject can request a (civil) court to issue: (i) a restraining order (on a permanent or temporary basis); or (ii) declaratory relief or another appropriate order against a controller or processor to prevent or remedy an illegal violation of a data subject's personality.
Security requirements in order to protect personal data
Controllers and processors must ensure a level of data security that is adequate in view of the risks by implementing suitable technical and organisational measures. This is comparable to the obligations under the GDPR, although the revised DPA does not prescribe particular methods of data security, such as pseudonymisation.
Specific rules governing processing by third party agents (processors)
Processing of personal data may be outsourced to a processor: (i) if the controller ensures that the data is only processed in a way that the controller would be entitled to; and (ii) if no statutory or contractual confidentiality obligations prohibit the outsourcing. The controller must ensure that the processor provides for an adequate level of data security. These requirements have not changed from the old DPA.
In addition, the revised DPA permits the use of a sub-processor only upon prior approval of the controller, which duplicates the concept known already under the GDPR. The approval may be specific or generic, provided that in the latter case, the controller is informed about a new sub-processor and has the right to object.
In practice, these rules usually require the controller to enter into a contract with the processor. The enhanced processor clauses are not required in their entirety, but it is a common practice to use them also for Switzerland, in which case they should be adjusted to make proper references to the revised DPA.
To the extent that certain data processing requires a particular justification, the third party may rely on the same justifications as the controller.
Notice of breach laws
The revised DPA provides for a data breach notification obligation that is comparable with the breach notification obligation under the GDPR, but with higher and different thresholds.
Whereas a data breach is defined in the same manner as under the GDPR, essentially being a breach of data security (i.e. a breach of confidentiality, integrity, availability), a private controller is required to notify it to the DPIC only if the breach is likely to lead to a high risk for the personality of the data subject. The notification is to be made “as soon as possible”, with no fixed maximum time.
As is the case under the GDPR, processors are, in turn, required to inform controllers of data breaches (of any severity) as soon as possible.
The notification to the DPIC has to include information on the type of breach, its consequences and the measures taken or envisaged. The notification may not be used in a criminal proceeding against the controller without its consent; yet this provision is expected to be of limited use given that criminal sanctions are usually not against the controller itself, but its employees.
Furthermore, a controller has to inform the data subject, “if this is necessary for its protection” (e.g., because the notification enables the data subject to take precautionary steps such as changing its password or watching out for incorrect credit card charges) or if the DPIC requires so. Under certain conditions, such as a statutory obligation of confidentiality, the data subject notification may be delayed, limited or not made.
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
The restrictions on transfers to third countries is comparable to those under the GDPR. It is only permitted to make available personal data to a recipient in a country without an adequate level of statutory data protection if there are either sufficient safeguards to compensate for such lack of protection, or if one of the exemptions defined by law applies. It should be noted, though, that Switzerland itself is considered a “third country” under the GDPR, and that, vice versa, Switzerland considers the EEA countries to be third countries (even though these are countries providing an adequate level of data protection).
With the revised DPA, there has been a conceptual change in how exports are governed. Prior to the revision of the DPA, each controller and processor had to itself determine whether the destination of the transfer provided an adequate level of data protection. Under the revised DPA, the Federal Council maintains a binding list of such countries. It is expected that this list will contain most of the whitelisted countries as per the European Commission’s adequacy findings (although the list may not be identical; e.g., Japan is currently missing on the list, because Japan does not provide for the same protections for Swiss data as it does for EEA data).
If a country has not been found to provide an adequate level of statutory data protection by the Federal Council, the revised DPA nevertheless permits transfer of personal data to private controllers and processors if one of the following safeguards has been put in place: (i) an international treaty providing sufficient protection; (ii) adequate (individual) contractual clauses entered into by the controller or processor, provided they have been notified to the DPIC beforehand; (iii) standard contractual clauses approved, recognised or issued by the DPIC (such as the Standard Contractual Clauses with a Swiss amendment); or (iv) binding corporate rules approved by the DPIC or the data protection authority of another country that provides for an adequate level of statutory data protection (e.g., EU data protection authorities). The Federal Council may provide for further safeguards (e.g., codes of conducts).
Note that although the "Schrems II" decision of the European Court of Justice is not binding upon Switzerland, the DPIC is considering it applicable to transfers of data to third countries not being whitelisted countries in the same manner as it is applied under the GDPR. The general view in Switzerland is that the "risk-based" approach applies under Swiss law. Yet, the DPIC has publicly raised "doubts" whether this is the case. The general view is that this was done by the DPIC for purely opportunistic and political reasons and that its view is generally not followed in practice. It is also by no means binding, and it is not enforced.
If none of above safeguards can or are to be used, it is nevertheless permissible to make available personal data to a recipient in a country without an adequate level of statutory data protection if one of the following exemptions apply: (i) the data subject has explicitly consented to the data export; (ii) the export of the personal data at issue is to happen in direct connection with the conclusion or performance of a contract with the data subject or in the interest of the data subject; (iii) the export of the personal data is necessary for maintaining overriding public interests; (iv) the export of personal data is necessary for establishing, exercising or enforcing legal claims or rights before a court or other competent foreign authority (note that such exports may be in conflict with other Swiss laws, such as professional secrecy obligations or article 271 of the Swiss Penal Code); (v) the export of the personal data is necessary to protect the life or physical integrity of the data subject, and it is not possible to obtain consent; (vi) the data subject itself has made the personal data publicly available and has not expressly prohibited the processing of such data, or (vii) the data originates from an official registry, which is either public or accessible to persons with a legitimate interest, insofar as the statutory conditions of access are fulfilled.
The publication of personal data through automated information or communications services (e.g., websites) is not considered an export even if the data becomes available outside of Switzerland.
Finally, the old DPA has followed similar concepts as the Data Protection Directive. Accordingly, the European Commission has found Switzerland to provide an adequate level of data protection from an EU perspective (Decision 2000/518/EC). This finding is currently under review and is likely to factor in the provisions of the revised DPA.
Notification and approval of national regulator (including notification of use of Model Contracts)
Prior to the revision, the use of standard contractual clauses, including the Standard Contractual Clauses had to be notified to the DPIC. This is no longer necessary under the revised DPA. Notification is necessary only for contractual clauses not already recognised, approved or issued by the DPIC (i.e. individually drafted contractual clauses).
Since the revision of the DPA, binding corporate rules formally need to be approved. Such approval does not necessarily need to be made by the DPIC. It is sufficient that binding corporate rules have been approved by a competent data protection authority in an EEA country or other country with an adequate level of statutory data protection. It is not yet clear whether such approvals nevertheless have to be notified to the DPIC.
Use of binding corporate rules
See above. Note that despite the possibility to have binding corporate rules approved by a foreign data protection authority, they must be drafted in a manner to cover Switzerland, as well (even though the foreign data protection authority will not cover this aspect). In the past, binding corporate rules have not been used widely in Switzerland.
Under the revised DPA, individuals acting for private controllers may be fined for up to CHF 250,000 if they: (i) breach their privacy notice obligations or right of access obligations by intentionally providing wrong or incomplete information; (ii) intentionally fail to provide certain information required under their privacy notice obligations; (iii) intentionally refuse to cooperate with the DPIC or intentionally provide him or her wrong information; (iv) intentionally make available personal data to a foreign recipient in violation of the restrictions on such data exports; (v) in their capacity as controllers delegate the processing of data processing to a processor intentionally in violation of the revised DPA’s preconditions (except for the obligation to maintain control over the appointment of sub-processors); (vi) intentionally fail to comply with the minimum data security requirements defined by the Federal Council (so far, they are not yet known); or (vii) intentionally fail to comply with an order of the DPIC.
Unlike with the GDPR, these fines are all directed at individuals (e.g., management, employees responsible for data protection tasks), not companies. Although it is possible that companies can be fined in lieu of individuals if the responsible individuals cannot reasonably be determined and the fine would not exceed CHF 50,000, the focus of the criminal provisions of the revised DPA remains on punishing individuals for their decisions to breach the revised DPA. The fines are not issued by the DPIC, but by the cantonal criminal authorities.
The revised DPA also introduces a broad obligation of professional secrecy and a new provision sanctioning identity theft.
More severe criminal sanctions may apply for breaches of professional secrecy provided for in the Swiss Penal Code and other Swiss laws (e.g., Banking Act). Furthermore, the Swiss Penal Code provides that a person who obtains sensitive personal data from a non-public data collection without authorisation shall be punished by imprisonment or fined.
Data subjects may claim for damages, satisfaction and/or surrender of profits if their personality has been violated without sufficient justification. Damages and satisfaction may only be claimed in cases of negligence or wilful intent. The prerequisites for claims for surrender of profits are not entirely clear for violations of personality though it is likely a claim will only be possible in the case of bad-faith behaviour.
Under the revised DPA, the DPIC is in principle obliged to investigate a data processing activity if there are sufficient indications that it is performed in violation of the revised DPA. Exceptions exist if the violation appears to be of minor relevance. He has wide-ranging powers to investigate cases and to issue orders with regard to how personal data is to be processed by a particular controller or processor.
The DPIC can also order the processing to be suspended or closed-down, and he can order compliance with various provisions of the revised DPA. The DPIC may issue a “warning” if the person targeted takes the necessary measures to restore compliance with the DPA during the investigation. If necessary, the DPIC can issue temporary restraining orders. Recourse is possible to the Federal Administrative Court.
Fines: The number of old DPA-related cases decided by criminal courts is not known. It is known, however, that since coming into force in 1993 and as of December 2009, the criminal provisions of the old DPA have resulted in only one conviction (a five-day term plus a fine of CHF 750 in 1996). Another conviction (a fine of CHF 500 for an intentionally wrong response to an access request) has been reported for December 2014. Later data is not available. The numbers may rise under the revised DPA since the revised DPA provides for much higher and more fines than the old DPA did in the past.
So far, it is not known that any fines have been issued against controllers or processors in Switzerland for breaches of the GDPR. Note that fines issued under the GDPR are so far not enforceable in Switzerland.
Other enforcement action: There are no official statistics on the number of investigations and prosecutions concerning violations of the old DPA. By way of experience, the DPIC usually starts a handful to a dozen official investigations per year, with only very few being completed with specific requests to the controller or processor targeted. It is unlikely that the number of official investigations will increase under the revised DPA, due to the limited resources available to the DPIC. Most likely, the DPIC will try to resolve issues informally, which has a long tradition in Switzerland.
The number of old DPA-related cases decided by civil courts is not known. So far, there have been only few civil lawsuits on the basis of the old DPA. Most cases that involve the protection of a data subject's personality are mass-media-related, employee-related, cases concerning the “right to be forgotten” and insurance surveillance cases. As a “one-time” exception of the foregoing, there have been several hundred court cases involving the disclosure of employee-related personal data to U.S. authorities as part of the Swiss-U.S. tax dispute (its settlement required disclosure of employee names, among other information).
ePrivacy | Marketing and cookies
Switzerland has implemented a provision that is similar to article 13 of the Privacy and Electronic Communications Directive. The provision is part of the Swiss Unfair Competition Act and has been in effect since 1 April 2007.
The Swiss Unfair Competition Act also introduced a kind of an official Swiss “Robinson List” requiring businesses to comply with generic opt-out marks in the telephone directory for the purposes of commercial communications and the disclosure of data for the purposes of direct marketing. Furthermore, unlisted phone numbers are deemed to be marked. The term "telephone directory" refers only to the official directories of subscribers maintained by the registered telecom service providers in Switzerland pursuant to the Telecommunications Act. The opt-out marks currently apply to individual phone and fax numbers, not the postal address or entire record. Whether the marks also have to be checked in connection with e-mail addresses is controversial because e-mail addresses do not officially form part of the directories referred to in the provision. In any event, the provision does not prevent direct marketing to current or recent customers and to people who have requested or consented to receiving the marketing materials. Under the Swiss Unfair Competition Act, marketing calls must also be made with caller ID number that is correct, visible and registered in the Swiss telephone directory.
Finally, the Telecommunications Act contains a provision on cookies roughly in line with the (original) Privacy and Electronic Communications Directive. The violation of the provision can result in civil claims and, upon the request of a person affected, in criminal charges.
Even though there have been (or still are) plans to revise the Privacy and Electronic Communications Directive in the EU, there are currently no plans in Switzerland to revise its own corresponding provisions.
Cookies that do not contain or relate to personal data (i.e. that are not connected to identified or identifiable persons from the perspective of the person using the cookies) are not restricted (e.g., typical session cookies). If cookies (or similar techniques such as clear GIFs or web-beacons) are related to identified or identifiable persons or otherwise connected to personal data, then they may be used only if: (i) they are required for the provision of telecommunications services or invoicing for such services; or (ii) the user has been informed about their processing, their purpose and that the user can decline the processing of related data. However, there is so far no requirement under Swiss law to obtain the user's consent for using cookies.
Conditions for direct marketing by e-mail to individual subscribers
Pursuant to the Swiss Unfair Competition Act, sending unsolicited mass direct marketing e-mails is only allowed if the recipient has provided his or her prior consent. The recipient's consent does not necessarily have to be in writing. However, it is not permissible to obtain consent by sending out unsolicited mass e-mails asking for such consent.
The Swiss Unfair Competition Act requires businesses performing direct marketing to consult the official Swiss phone directories for numbers that have been marked with a standardised telemarketing opt-out declaration, unless the person has otherwise consented to receiving e-mail marketing or has a customer relationship. Certain commentators believe that this provision also extends to e-mail addresses registered in the phone directories at issue, but the relevant phone directories officially do not provide for e-mail addresses. It is, thus, more likely than not that this new provision does not apply to them. However, given the aforementioned opt-in requirement for unsolicited mass direct marketing e-mails under the same act, this issue usually does not become relevant in practice.
Furthermore, according to case law under the old DPA, e-mail marketing is admissible only with the prior express consent of the intended recipients. It has been ruled that sending unsolicited e-mails to unknown recipients using e-mail addresses indiscriminately collected on the internet (e.g. by use of a web crawler) violates the old DPA, regardless of whether such e-mails provide for an opt-out.
Conditions for direct marketing by e-mail to corporate subscribers
The same conditions apply as for direct marketing by e-mail to individual subscribers.
Exemptions and other issues
The similar products and services exemption applies under the revised Unfair Competition Act ("opt-out"). However, pursuant to the prevailing legal doctrine in Switzerland, the exemption only applies if indeed a contract has been formed; it is not sufficient that the contact details have been collected in connection with a contract negotiation (which did not result in a contract). Furthermore, according to the prevailing legal doctrine, the exemption only applies if the recipient has been informed of the possibility to refuse e-mails at the time when the contract has been formed or during follow-up interactions related to the contract (e.g. deliveries, invoices). Conversely, the exemption would not apply if a business were to collect contact information in the context of a product sale, but provide the "opt-out" information only later on by separate e-mail without such context. Consequently, there is in practice only a very narrow field of application for the similar products and services exemption under Swiss law. In most cases, businesses will find it easier and safer to obtain prior consent (e.g., by use of an appropriate provision in the general terms and conditions), which should also help compliance with the Swiss "Robinson List" (see above).
The Swiss Unfair Competition Act also prohibits direct marketing e-mails from being sent if: (i) the identity of the sender is disguised or concealed; or (ii) a simple means for refusing further e-mails free of charge (e.g., a link to click on for opting out) is not provided with each e-mail.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
It is, in principle, not permitted to make direct marketing calls to individual subscribers who: (i) have previously objected to such calls; (ii) are listed in the Swiss "Robinson List" or (iii) are unlisted, see above. The necessary contact information may be obtained and used only in compliance with the revised DPA, for example, if the subscriber made it publicly available (e.g. by having it listed in the telephone directory), or has provided it and implicitly or explicitly agreed to its use for marketing purposes. Calls must be made using caller ID number that is correct, visible and registered in the Swiss telephone directory.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
The same conditions apply as for direct marketing by telephone to individual subscribers.
Exemptions and other issues
Calls can be made to a subscriber who has consented to receiving such calls.