Data Protected - Switzerland
Last updated December 2017
General | Data Protection Laws
National Supervisory Authority
Scope of Application
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Transfer of Personal Data to Third Countries
ePrivacy | Marketing and cookies
General | Data Protection Laws
General data protection laws
The Swiss Federal Data Protection Act (the “DPA”) is dated 19 June 1992. The DPA follows similar concepts as the Data Protection Directive. Accordingly, the European Commission has found Switzerland to provide an adequate level of data protection from an EU perspective (Decision 2000/518/EC).
Entry into force
The DPA came into force on 1 July 1993; a revised version has been in force since 1 January 2008, with some minor revisions since.
The DPA is again being revised in order to comply with the revised Council of Europe Convention 108. The revised DPA is generally expected to come into effect in 2019, with a transition period of two years. On 15 September 2017, the Federal Council proposed a draft legislation, which is currently being discussed in parliament. According to the draft, the revised DPA will in most regards provide provisions similar to those of the GDPR. The draft bill, however, does not provide for a data portability right and is not as strict with regard to obtaining valid consent as the GDPR. The changes as per the current draft are described below, in addition to a description of the current law.
National Supervisory Authority
Details of the competent national supervisory authority
The Swiss Federal Data Protection and Information Commissioner (the “DPIC”)
Notification or registration scheme and timing
Controllers which regularly process sensitive personal data or personality profiles or regularly disclose personal data to third parties must register their data collection with the DPIC. This registration does not require any approval and is, therefore, a mere notification system. The registration must take place before the data collection is established. There are no registration fees. The register is publicly accessible over the internet. By the end of November 2017, 1,480 data collections had been registered by the private sector.
The registration requirement will be likely abolished under the revised DPA.
Exemptions to notification
No registration is required if: (i) the data are processed due to a statutory obligation of Swiss law; (ii) a data protection officer has been appointed who independently monitors internal compliance with data protection regulations and maintains a list of the data collections, and such data protection officer has been notified to the DPIC (and meets the requirements of the DPA); (iii) the controller has acquired a data protection quality mark (regarding the data collection in issue) under a certification procedure in accordance with the DPA and has notified the DPIC of the result of the evaluation. By the end of August 2016, eight such notifications (that are still valid) exist; (iv) the data are used exclusively for publication in the edited section of a periodically published medium and are not passed on to third parties without informing the data subjects; (v) the data are processed by journalists who use the data file exclusively as a personal work aid; or (vi) one of the further exemptions provided for in the Ordinance to the DPA applies (for example, for publicly accessible data collections, for client and supplier files (provided they do not contain any sensitive personal data or personality profiles) and for bookkeeping records).
Scope of Application
What is the territorial scope of application?
The DPA's registration and notification obligations apply to data collections being processed in and exported from Switzerland, respectively.
In the case of civil lawsuits against a person participating in a violation of personality, Swiss courts will in general apply the DPA, upon free choice of the data subject, if either: (i) the data subject is resident in Switzerland (provided this was foreseeable for the controller or processor sued); (ii) the controller or processor sued has its seat of residence or a branch in Switzerland; or (iii) the place of effect of the violation of personality (which usually includes the place of processing of personal data) is in Switzerland (provided this was foreseeable for the controller or processor sued). In the Street View Case, the Federal Supreme Court confirmed the applicability of Swiss data protection law, despite the service being provided from outside of Switzerland (DFC 138 II 346).
The territorial scope of application is not expected to change under the revised DPA.
Is there a concept of a controller and a processor?
Everyone who processes personal data must comply with the DPA. Accordingly, not only controllers but also processors are responsible for compliance. In fact, even persons who are neither controllers nor processors, but otherwise "participate" in the processing of personal data may be held responsible in case of a civil claim. The Federal Supreme Court found that a hosting provider is participating in the publications on its server (Decision 5A_792/2011 of January 14, 2013), whereas somebody who merely publishes a link to a publication on a third party website does not participate in such publication (Decision 5A_658/2014 of May 6, 2015).
Under the revised DPA, this will not change. However, it is expected that the revised DPA will distinguish between controllers and processors much like the GDPR does.
Are both manual and electronic records subject to data protection legislation?
Yes. The DPA applies irrespective of the technology used. However, the general data security obligations may have to be implemented differently depending on whether manual or electronic records are used. In the case of automated processing of personal data, additional security and documentation requirements apply (for example, the obligation to implement audit trails, where they are necessary to ensure the data protection of sensitive personal data and personality profiles).
Are there any national derogations?
Cantonal and local authorities are governed by separate, cantonal data protection legislation, not the DPA (however, certain provisions of the DPA apply if the cantonal data protection legislation fails to provide for adequate protection). Federal authorities (including private persons entrusted with public tasks, such as those in the field of mandatory health insurance) are also subject to the DPA, but: (i) must comply with additional rules (for example, the processing of personal data is normally permitted only on the basis that there is a provision of Swiss law that permits such processing); and (ii) cannot rely on the same reasons for justifying a violation of a data subject’s personality as private persons can do.
The DPA does not apply to personal data processed by an individual solely for personal purposes and not disclosed to third parties. Another important exception is that the DPA does not apply to pending civil, criminal, international judicial assistance and administrative recourse proceedings in Switzerland; however, it does apply in international administrative assistance. There will be small changes to this under the revised DPA with regard to the applicability during pending legal proceedings.
What is personal data?
The definition of personal data in the DPA is closely based on the standard definition of personal data. The term is understood rather broadly. Also, website usage data collected by a site operator using "cookies" are not considered personal data as long as the data subject is not and cannot be reasonably identified by the operator of the site or by other people having access to the logs (whether third parties could identify the data subject is not relevant).
IP addresses may qualify as personal data, as confirmed by the Federal Supreme Court in 2010 (DFC 136 II 508, Logistep). While this may not be the case in all circumstances, if IP addresses are collected for the very purpose of identifying the individuals behind them (such as people illegally sharing pirated content over the internet), and if Swiss law permits such identification (which it does in the case of internet felonies), then IP addresses should be treated as personal data (it should be noted that the court found that in the case at hand it was not permissible under the DPA to collect such personal data for the purpose of identifying individuals illegally sharing pirated content, although the balancing of interests in this case has been heavily criticized). Swiss law thus follows a "relative" definition of personal data: for data to be considered personal data, the relevant audience must not only be reasonably able to identify the data subjects, but also willing to undertake the efforts for doing so. Accordingly, if personal data is securely encrypted or otherwise pseudonymized, it no longer is considered personal data for those who are not able to decrypt it or re-identify the data subjects.
The definition of personal data is not expected to change (subject to the following paragraph).
Is information about legal entities personal data?
Yes. The DPA extends to include information not only about individuals, but also about legal entities (this is interpreted broadly to include partnerships and trusts). The processing of personal data of legal entities is subject to the same provisions as the processing of personal data of individuals. Under the revised DPA, personal data of legal entities will likely no longer be protected.
What are the rules for processing personal data?
Personal data may be processed if the processing either: (i) does not violate the personality of the data subject; or (ii) does violate the personality of the data subject, but is justified by the data subject’s consent, an overriding private or public interest or by a provision of Swiss law requiring or permitting the processing at issue. Any legitimate interest of the controller, the processor, the data subject or any third party can, in principle, qualify as an overriding private interest if it is sufficient to outweigh the violation of the data subject's personality. However, the Federal Supreme Court held that controllers should be cautious before assuming that private interests will justify any such processing (DFC 136 II 508). In another case involving the online service "Street View" (the “Street View Case”), however, the Federal Supreme Court found that the public interest justifies keeping the service alive although the algorithm for blurring faces was not perfect and missed 1 percent of the visible faces (DFC 138 II 346). The DPA provides a non-exhaustive list of circumstances in which the overriding private interest of the controller must be considered, for example: (i) the conclusion and performance of a contract with the data subject; (ii) the processing of information on competitors; or (iii) the processing of personal data for non-personal uses.
The personality of the data subject is, by definition, considered violated if its personal data: (i) are not processed lawfully (for example, if data have been stolen or extorted from someone else); (ii) are not processed in good faith; (iii) are processed for purposes neither indicated at the time of collection, nor evident from the circumstances, nor provided for by (Swiss) law; (iv) are not processed in a proportionate manner (are not or are no longer necessary or suitable in view of the purpose of processing, or are for an excessive purpose); (v) have been collected without such collection and in particular the purpose of their processing being made, depending on the circumstances, noticeable or evident to the data subject (even if such processing is provided for by law); (vi) have not been verified for their correctness (where necessary); (vii) are being processed without complying with the general data security obligations; (viii) are processed against the data subject’s express will; (ix) are sensitive personal data or personality profiles and are disclosed to a third party (see below); or (x) are employee personal data and are processed despite being neither necessary for assessing the qualification of the employee for his/her job nor for the performance of his/her employment contract. In other words, the general data quality principles must be respected also under the DPA.
Notwithstanding the foregoing, it is presumed that the personality of the data subject is not violated if the data subject has made the data generally accessible and has not expressly prohibited their processing. However, the data subject can challenge this and prove that its personality has nevertheless been infringed upon, for example by the abusive use of information published on the data subject's website.
These basic rules, including the general data quality principles, are not expected to change under the revised DPA. In particular, the DPA is not expected to require a legal basis for the processing of personal data. Such a legal basis will be necessary only if one of the basic principles of data processing is not complied with.
Are there any formalities to obtain consent to process personal data?
Consent is valid only if given voluntarily following the provision of adequate information ("informed consent"). Furthermore, consent is only effective if given in advance of processing. Consent need not be given in writing; however, the burden of proof is upon the controller or processor, respectively, so this would be recommended for evidentiary purposes. Implicit consent may be sufficient, in certain circumstances, but not in regards to sensitive personal data or personality profiles (see below).
The failure of a data subject to object to a particular processing or notice of such processing of his/her personal data is usually not sufficient to presume consent. However, such "deemed" consent may be effective in cases of existing contractual relationships, in particular where general terms & conditions provide for such deemed consent.
A data subject may withdraw his/her consent at any time, although such withdrawal will not usually be applied retrospectively. Even if a data subject has withdrawn his/her consent, depending on the circumstances, it may still be possible to justify a particular processing of personal data under the argument of an overriding private interest of the controller, the data subject or other party.
Employees can, in principle, validly consent to the use of their personal data by the employer. However, if such consent is provided for in an agreement (for example, the employment contract), it shall be considered null and void if: (i) the employee is asked to consent to the processing of personal data which is neither required for assessing the qualification of the employee for his/her job nor for the performance of his/her employment contract; and (ii) the processing of such data is, from an overall perspective, to the employee's detriment. It may also be hard to demonstrate that the consent of an employee has been given voluntarily.
Unlike in the GDPR, the provisions concerning the data subject's consent are not expected to change in any material way. It will continue to be possible to have tick-boxes pre-ticked and to include consent declarations in contracts even where the processing activity is not necessary for the performance of the contract.
Are there any special rules when processing personal data about children?
The DPA does not provide for any particular provisions on the processing of personal data about children. In fact, the Swiss Civil Code grants children capable of judgement (which is usually considered to be the case when they turn 13) more rights to decide their own data protection rights than under the GDPR.
Sensitive Personal Data
What is sensitive personal data?
Under the DPA, sensitive personal data include: (i) racial origin; (ii) trade union membership; (iii) health data, but only to the extent it reveals handicap or illness of the data subject; (iii) personal data on religious, ideological or political activities (not only related beliefs); (iv) the intimate sphere as such (not only sex life); (v) social security measures; and (vi) administrative or criminal proceedings and sanctions.
Biometric data do not uniformly qualify as sensitive personal data and must be assessed as to whether they fall under one of the categories defined above. The question of whether a photograph of a data subject qualifies as sensitive personal data (as it reveals the racial origin of the data subject) has not yet been decided under Swiss law; however, there has not been much support in favour of such a broad interpretation of the term.
It should be noted that, under the DPA, the rules for sensitive data also apply to personality profiles. These are combinations of data that allow the assessment of fundamental characteristics of the personality of an individual (for instance, the personnel file of an employee or data on the purchasing pattern of a credit card holder will, in practice, often amount to a personality profile).
Under the revised DPA, the definition of sensitive personal data is expected to remain more or less the same, with the exception that genetic data and biometric data that identifies a person shall become sensitive personal data, as well. The concept of "personality profiles" is to be abolished, and replaced by the term "profiling", which is defined similarly, but not identically as under the GDPR. The term "profiling" is broader than "personality profile".
Are there additional rules for processing sensitive personal data?
Sensitive personal data (and personality profiles) may not be disclosed to third parties (in their capacity as controllers) without sufficient justification such as: (i) the data subject’s consent; (ii) any overriding private or public interest; or (iii) a provision of Swiss law requiring or permitting such disclosure. If one of the conditions for processing sensitive personal data is met, this is usually a sufficient justification.
Furthermore, if sensitive personal data or personality profiles are (systematically) collected for a data collection, the data subject has to be expressly informed about the collection of such data, and regular processing of such data may require a registration with the DPIC (see the section "Notification or registration scheme and timing" above).
Under the revised DPA, the disclosure to of sensitive personal data to a third party controller will continue to be considered a violation of personality, thus requiring a sufficient justification.
Are there additional rules for processing information about criminal offences?
No. This is treated in the same way as other sensitive personal data.
Are there any formalities to obtain consent to process sensitive personal data?
In the case of sensitive personal data (or personality profiles), the data subject’s consent may be relied upon only if it has been given explicitly. However, consent need not be given in writing; but, as with non-sensitive personal data, this is recommended (see above). This is not expected to change under the revised DPA. Consent will also have to be given explicitly in the case of profiling.
Data Protection Officers
When must a data protection officer be appointed?
There is no legal requirement to appoint a data protection officer. However, doing so can exempt a controller from the requirement to register (see above). By the end of November 2017, over 1,000 companies in the private sector have appointed a data protection officer and notified the appointment to the DPIC (in order to be exempted). Under the revised DPA, appointing a data protection officer (referred to as "data protection counsel") is unlikely to become mandatory.
What are the duties of a data protection officer?
The data protection officer has to have the necessary skills and independence to perform his role. The duties of the data protection officer are to assess the processing of personal data by the company at issue and manage a list of data files. The revised DPA is not expected to provide for any particular duties of the data protection officer (at least the proposed bill does not provide for any mandatory activities of the data protection officer).
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
There is no accountability obligation as expressly set forth in the GDPR. However, the controller has to undertake the necessary technical and organisational measures to ensure that personal data is not processed in violation of the DPA. This de facto requires that the necessary policies and training must already be in place and compliance to be verified from time to time. This is not expected to change under the revised DPA.
Are privacy impact assessments mandatory?
There is today no formal requirement to conduct a privacy impact assessment, but under the revised DPA, a provision comparable to the one in the GDPR is expected to be introduced in the DPA. It will require a formal privacy impact assessment only in high risk cases, and should a high risk remain following the measures determined, the data protection authority has to be consulted beforehand.
Rights of Data Subjects
The collection of personal data and in particular the purpose of their processing has to be, depending on the circumstances, noticeable or evident to the data subject, unless there is a sufficient justification not to comply with this requirement (such as the data subject’s consent, an overriding private or public interest or a provision of Swiss law).
Notwithstanding this, the controller has to expressly inform data subjects about any (systematic) collection of sensitive personal data or personality profiles for a data collection. The information has to identify the controller, the purpose of the processing of the data and the categories of recipients (in case it is planned to disclose such data). This obligation to inform also applies when such data are obtained through/from a third party, provided the data subjects have not yet been informed. Only a few exceptions apply. The controller may, for instance, limit, defer or deny the information in the case of an overriding self-interest, provided, however, that the data will not be shared with third parties (which term also includes group companies).
Under the revised DPA, a much broader information obligation is to be introduced. It will apply to each and every collection of personal data, and it is comparable to the corresponding provision of the GDPR. The list of minimum information items to be provided to the data subject is narrower than the transparency information under the GDPR (with the exception that the controller has to inform about the individual countries to which personal data is being transferred).
In addition, there will be an obligation to inform about decisions based solely on automatic processing of personal data, much like the GDPR. However, the DPA is expected to be somewhat less restrictive than the GDPR. It will not require human intervention if the data subject has agreed to be subject to such a decision or if it is used in connection with a contract insofar the data subject's contractual request has been fulfilled.
Rights to access information
Data subjects may request from controllers (and in specific cases also the processor): (i) confirmation as to whether they process personal data relating to them; (ii) information as to all personal data relating to them that are contained in the controller’s data collection (including any available information on the source of the data); (iii) the purposes of the processing and, where applicable, the legal basis for the processing; (iv) the categories of personal data concerned; (v) the persons involved in the processing of the data collection; and (vi) the recipients to whom the data are disclosed.
Access may only be limited, deferred or denied under limited circumstances defined by the DPA, such as overriding third party interests, professional secrecy and other statutory obligations and, in limited circumstances, own overriding private interests. While it is, in principle, possible that an access request can be denied also on the basis of abuse of law, the Federal Supreme Court has set the bar relatively high for such denials. A client of a Swiss bank tried to use an access request to obtain a copy of internal client notes of the bank to evaluate the chances of a civil liability claim. The court did not consider this an abusive request; as it was not made solely for the purposes of a fishing expedition, but also for allowing the data subject to verify whether the personal data on record was correct (DFC 138 III 425). As a consequence of the decision, there has been a surge in what would generally be considered abusive access requests for either pre-trial discovery or nuisance purposes. Such requests generally are successful in court as long as the data subjects can at least pretend that the access request has been also for data protection purposes, which is usually easily possible.
Requests are usually to be made and responded to in writing, but, under certain conditions, electronic requests and responses are also admissible, as may be other forms (such as on-site reviews). However, a data subject typically has the right to receive a response in writing (DFC 141 III 119). Requests are usually free of charge and the data subjects making such requests must identify themselves (for example, by providing a photocopy of an ID).
Under the revised DPA, the foregoing is not expected to change significantly. Some additional information, for example on the duration for which personal data is retained, has to be provided.
Rights to data portability
There is no such provision under Swiss law, and it is currently not expected to be introduced under the revised DPA.
Right to be forgotten
The DPA already today provides for a "right to be forgotten" in the form of a broad right of objection. The data subject can object to any aspect of a particular processing of personal data, including asking the processing to be restricted or personal data to be erased. Such request will have to be complied with unless there is a sufficient justification not to do so, for instance an overriding private or public interest.
Objection to direct marketing and profiling
The DPA provides for a general right of a data subject to object against the further processing of its personal data, but does not specifically address the issue of direct marketing.
The data subject may request the personal data to be rectified, marked as being disputed or deleted. The data subject may request that no personal data be disclosed to third parties or processed further. The DPA does not include any specific provision with regard to decisions being taken based solely on automatic processing of personal data; as laid out above, under the revised DPA, a provision concerning such decisions will be introduced.
In addition to the requests for compensation described above, if necessary, a data subject can request a (civil) court to issue: (i) a restraining order (on a permanent or temporary basis); or (ii) declaratory relief or another appropriate order against a controller or processor to prevent or remedy an illegal violation of a data subject's personality.
Security requirements in order to protect personal data
Controllers and processors must implement appropriate technical and organisational measures to protect personal data having regard to the state of the art, the risks represented by the processing and the nature of the data to be protected. This is not expected to change under the revised DPA. It is expected, though, that the revised DPA will require a controller to provide "privacy by design" and "privacy by default".
Specific rules governing processing by third party agents (processors)
Processing of personal data may be outsourced to a third party: (i) if the controller ensures that the data are only processed in the way that the controller would be entitled to; and (ii) if no statutory or contractual confidentiality obligations prohibit the outsourcing. The controller must ensure that the third party complies with the relevant security obligations. To the extent that certain data processing requires a particular justification, the third party may rely on the same justifications as the controller. In practice, these rules usually require the controller to enter into a contract with the processor. Under the revised DPA, it is expected that any subcontracting to a sub-processor will require the controller's consent. It is not expected that the revised DPA will formally require the enhanced processor clauses, but they will likely become standard also under Swiss law.
Notice of breach laws
The DPA does not contain any notification obligation in case of data breaches. However, the basic requirement to process personal data in good faith may require notices to be given to data subjects or third parties (such as a credit card company in the case of a loss of credit card information) or that other steps be taken. It is not necessary to inform the DPIC; however, in cases of serious breaches (especially breaches involving a large number of data subjects or that may cause media attention), it may be advisable to inform the DPIC.
Moreover, controllers in certain sectors may be required to inform sector regulators of relevant breaches (for example, financial service providers may be required to inform the Swiss Financial Markets Supervisory Authority). Public companies may in very rare cases be required to make ad-hoc disclosures under the applicable listing rules.
Under the revised DPA, a formal data breach notification obligation is to be introduced. It appears that the threshold for notifying the DPIC will be higher than under the GDPR (the likelihood of a "high risk" is required). The DPA is also expected to require the controller to inform the data subject if this is necessary to protect its interests.
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
In principle, personal data may only be transferred to countries with legislation providing for an adequate level of protection of personal data. According to a (non-binding and non-concluding) list of countries with adequate data protection published by the DPIC, EU Member States are, among others, considered to provide an adequate level of data protection (with regard to personal data related to individuals), as well as the whitelisted countries. This includes the U.S. insofar the recipient is self-certified under the "Privacy Shield" framework also for Switzerland. The Swiss version of Privacy Shield effectively mirrors the original Privacy Shield framework established between the EU and the U.S.
If data are to be transferred to a foreign country that does not have legislation providing an adequate level of data protection, one of the following conditions must be fulfilled: (i) the existence of a transborder dataflow contract or other “sufficient safeguards” to ensure an adequate level of data protection abroad; (ii) sufficient binding corporate rules concerning data protection in case data are transferred within a company or a group of companies (however, there is no need to have such rules approved by the DPIC); (iii) the data subject’s consent to the data export in the specific case at issue; (iv) the export of the personal data at issue is required for the conclusion or performance of a contract with the data subject; (v) the export of the personal data is, in the specific case at issue, necessary for maintaining overriding public interests or establishing, exercising or enforcing legal claims or rights in court proceedings; (vi) the export of the personal data is, in the specific case at issue, necessary to protect the life or physical integrity of the data subject; or (vii) the data subject itself has made the personal data publicly available and not expressly prohibited the processing of such data.
The DPIC offers a simple (controller-processor) model contract on its website specifically designed for Swiss law; however, the more complicated Model Contracts are also considered acceptable in most respects. What is essential is that they cover data transfers out of Switzerland (the same issue needs to be addressed when adapting binding corporate rules for use in Switzerland. Whether contractual safeguards have to be extended to cover personal data of legal entities is somewhat controversial, but in practice not normally an issue and often not done.
Accordingly, as a rule of thumb, data exports undertaken in compliance with the GDPR are usually and generally speaking also in compliance with the DPA.
Under the revised DPA, exports can largely continue as they are today. It is expected that the Federal Council will authoritatively set forth the whitelisted countries (in the past, the exporter had to self-assess the adequacy), and the aforementioned exemption in the case of exporting personal data for establishing, exercising or enforcing legal claims or rights will also apply in the case of proceedings before other competent foreign authorities, not only courts.
Notification and approval of national regulator (including notification of use of Model Contracts)
Controllers have to notify the DPIC if they rely on transborder dataflow contracts, on binding corporate rules, or on other safeguards for ensuring an adequate level of data protection abroad for data collections being exported. There is no obligation to obtain any approval from the DPIC. However, the DPIC will usually comment, within 30 days, on whether it considers the safeguard notified to be a sufficient safeguard.
A simplified notification procedure applies if controllers are using a safeguard which has been officially recognised by the DPIC (so far, the official Swiss model contract, the Model Contracts, the Council of Europe model contract). It should be noted that no notification is required if an export to the U.S. is based on the U.S.-Swiss “Safe Harbor” framework.
From January 2008 (when the aforementioned duty to notify was first introduced in the DPA) to the end of November 2017, 1203 notifications were made to the DPIC.
Under the revised DPA, the notification obligation for Model Contracts will be abolished, and in the case of binding corporate rules, a formal approval will become necessary.
Use of binding corporate rules
The use of binding corporate rules is generally recognised by the DPA as a method for achieving an adequate level of data protection abroad. There are no specific formal requirements. No DPIC approval is required or possible (however, as mentioned in the foregoing section, the binding corporate rules have to be notified to the DPIC). Under the revised DPA, it is expected that binding corporate rules have to be formally approved.
Individuals who are in breach of their obligations of information (in the case of the collection of sensitive personal data or personality profiles for a data collection), subject access right, registration, notification and co-operation with the DPIC may be fined up to CHF 10,000.
Under the revised DPA, fines of up to CHF 250,000 will be possible for individuals who intentionally breach certain information, subject access, notification and co-operation obligations, as well as for non-compliant data exports, failures to comply with the rules on processors and violation of the data security requirements to be set forth by the Federal Council. Furthermore, non-compliance with orders of the DPIC can be punished with a fine of up to CHF 250,000 as well as the intentional violation of a new professional secrecy to be introduced under the new DPA that applies to any confidential personal data obtained for and in connection with the profession of an individual (e.g. client data). The fines are not issued by the DPIC, but by the cantonal criminal authorities.
More severe criminal sanctions may apply for breaches of professional secrecy. However, in practice, there are hardly any cases in which criminal sanctions have been imposed on controllers.
Under the revised DPA, a new provision sanctioning identity theft will be introduced.
Data subjects may claim for damages, satisfaction and/or surrender of profits if their personality has been violated without sufficient justification. Damages and/or satisfaction may only be claimed in cases of negligence or wilful intent. The prerequisites for claims for surrender of profits are not entirely clear for violations of personality (one may assume, though, that a claim will be possible only in the case of bad-faith behaviour). So far, there have been hardly any civil lawsuits on the basis of the DPA. Most cases that involve the protection of a data subject's personality are mass-media-related, employee-related and insurance surveillance cases.
The foregoing is not expected to change under the revised DPA. However, there shall be not court fees for a data subject to pursue claims for privacy violations.
The DPIC can investigate cases and issue "recommendations" where he believes that the processing of personal data investigated should be changed. If the target of the investigation (e.g. the controller) is not willing to comply or does not comply, the DPIC has the right to sue it and ask the Federal Administrative Court to decide over the case and convert the recommendation into an order.
Under the revised DPA, this system will change. The DPIC will receive the right to directly issue orders to any private person involved in the processing of personal data. The DPIC will get wide-ranging powers to investigate cases (and has an obligation to do so) and to issue orders with regard to how personal data is to be processed by a particular controller or processor. The DPIC can also order the processing to be suspended or closed-down, and he can order compliance with various provisions of the revised DPA. If necessary, the DPIC can issue temporary restraining orders.
There are no official statistics on the number of investigations and prosecutions concerning violations of the DPA. Between January 2016 and December 2016, the DPIC conducted 4 official investigations concerning the processing of personal data in the private sector; none of them resulted in a "recommendation" (see Other powers above), and one was submitted to the Federal Administration Court.
The number of DPA-related cases decided by civil or criminal courts is not known. Normally, Swiss courts have to deal with DPA-related cases only rarely; in connection with the US-Swiss tax dispute, though, there recently have been several hundred courts cases surrounding the disclosure of employee data to US authorities by Swiss banks. It is known, however, that since coming into force in 1993 and as of December 2009, the criminal provisions of the DPA have resulted in only one conviction (a five-day term plus a fine of CHF 750 in 1996). Another conviction (a fine of CHF 500 for an intentionally wrong response to an access request) has been reported for December 2014. Later data is not available.
In addition to the criminal provisions of the DPA, the Swiss Penal Code provides that a person who obtains sensitive data or personality profiles from a non-public data collection without authorisation shall be punished by imprisonment or fined. Since 1993 and as of December 2016, the foregoing provision has led to a total of 28 recorded criminal convictions (on average 1.17 per year).
ePrivacy | Marketing and cookies
Switzerland has implemented a provision that is similar to Article 13 of the Privacy and Electronic Communications Directive. The provision is part of the Swiss Unfair Competition Act and has been in effect since 1 April 2007.
Also, since 1 April 2012, the Swiss Unfair Competition Act has introduced a kind of an official Swiss “Robinson List” requiring businesses to comply with generic opt-out marks in the telephone directory for the purposes of commercial communications and the disclosure of data for the purposes of direct marketing. The term "telephone directory" refers only to the official directories of subscribers maintained by the registered telecom service providers in Switzerland pursuant to the Telecommunications Act. The opt-out marks currently apply to individual phone and fax numbers, not the postal address or entire record. Whether the marks also have to be checked in connection with e-mail addresses is controversial because e-mail addresses do not officially form part of the directories referred to in the provision. In any event, the provision does not prevent direct marketing to current or recent customers and to people who have requested or consented to receiving the marketing materials.
Finally, the Telecommunications Act contains a provision on cookies roughly in line with Article 5(3) of the (original) Privacy and Electronic Communications Directive. The violation of the provision can result in civil claims and, upon the request of a person affected, in criminal charges.
Even though the Privacy and Electronic Communications Directive is being revised in the EU, there are currently no plans in Switzerland to revise its own corresponding provisions.
Cookies that do not contain or relate to personal data (i.e. that are not connected to persons identified or identifiable from the perspective of the person using the cookies) are not restricted (e.g., typical session cookies). If cookies (or similar techniques such as clear GIFs or web-beacons) are related to identified or identifiable persons or otherwise connected to personal data, then they may be used only if: (i) the they are required for the provision of telecommunications services or invoicing of such services; or (ii) the user has been informed about their processing, their purpose and that the user can decline the processing of related data. However, there is so far no requirement under Swiss law to obtain the user's consent for using cookies.
No. The DPIC may not issue binding rules on the interpretation of the DPA.
Conditions for direct marketing by e-mail to individual subscribers
Pursuant to the Swiss Unfair Competition Act, sending unsolicited mass direct marketing e-mails is only allowed if the recipient has provided his prior consent. The recipient's consent does not necessarily have to be in writing. However, it is not permissible to obtain consent by sending out unsolicited mass e-mails asking for such consent.
Since 1 April 2012, a new provision in the Swiss Unfair Competition Act requires businesses performing direct marketing to consult the official Swiss phone directories for numbers that have been marked with a standardized telemarketing opt-out declaration, unless the person has otherwise consented in receiving e-mail marketing or has a customer relationship. Certain commentators believe that this provision also extends to e-mail addresses registered in the phone directories at issue, but the relevant phone directories officially do not provide for e-mail addresses. It is, thus, more likely than not that this new provision does not apply to them. However, given the aforementioned opt-in requirement for unsolicited mass direct marketing e-mails under the same act, this issue usually does not become relevant in practice.
Furthermore, according to case law under the DPA, e-mail marketing is admissible only with the prior express consent of the intended recipients. It has been ruled that sending unsolicited e-mails to unknown recipients using e-mail addresses indiscriminately collected on the internet (e.g. by use of a web crawler) violates the DPA, regardless of whether such e-mails provide for an opt-out.
Conditions for direct marketing by e-mail to corporate subscribers
The same conditions apply as for direct marketing by e-mail to individual subscribers.
Exemptions and other issues
The similar products and services exemption applies under the revised Unfair Competition Act ("opt-out"). However, pursuant to the prevailing legal doctrine in Switzerland, the exemption only applies if indeed a contract has been formed; it is not sufficient that the contact details have been collected in connection with a contract negotiation (which did not result in a contract). Furthermore, according to the prevailing legal doctrine, the exemption only applies if the recipient has been informed of the possibility to refuse e-mails at the time when the contract has been formed or during follow-up interactions related to the contract (e.g. deliveries, invoices). Conversely, the exemption would not apply if a business were to collect contact information in the context of a product sale, but provide the "opt-out" information only later on by separate e-mail without such context. Consequently, there is in practice only a very narrow field of application for the similar products and services exemption under Swiss law. In most cases, businesses will find it easier and safer to obtain prior consent (e.g., by use of an appropriate provision in the general terms and conditions), which should also help compliance with the Swiss Robinson List (see above).
The Swiss Unfair Competition Act also prohibits direct marketing e-mails from being sent if: (i) the identity of the sender is disguised or concealed; or (ii) a simple means for refusing further e-mails free of charge (e.g., a link to click on for opting out) is not provided with each e-mail.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
It is, in principle, not permitted to make direct marketing calls to individual subscribers who: (i) have previously objected to such calls; or (ii) are listed in the telephone directory with the corresponding phone number as not wishing any communications to such number for the purpose of direct marketing (since 1 April 2012, this is expressly regulated by the Swiss Unfair Competition Act, which introduced the concept of an official Robinson List, see above). The necessary contact information may be obtained and used only in compliance with the DPA, for example, if the subscriber made it publicly available (e.g. by having it listed in the telephone directory), or has provided it and implicitly or explicitly agreed to its use for marketing purposes.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
The same conditions apply as for direct marketing by telephone to individual subscribers.
Exemptions and other issues
Calls can be made to a subscriber who has consented to receiving such calls.