COMPARATIVE GUIDE
1 October 2024
Mondaq Thought Leadership Award Winner

Data Privacy Comparative Guide

Data Privacy Comparative Guide for the jurisdiction of Switzerland, check out our comparative guides section to compare across multiple countries
Switzerland Privacy

1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

In Switzerland, data privacy is regulated by the Federal Act on Data Protection of 25 September 2020 (FADP) and the Ordinances to the Federal Act on Data Protection of 31. August 2022.

Further, every Swiss canton has its own data protection laws and ordinances with respect to data processing by cantonal authorities.

In international contexts, data protection laws, such as the GDPR, may also be applicable.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

The FADP itself contains special regulations on the processing of data that is considered to be sensitive personal data (eg, data on health – see question 3). There are many more acts that that contain additional provisions for the protection of data, which is why they cannot be listed exhaustively.

With regard to biometric data, additional provisions to the FADP – such as the Federal Act on the Use of DNA Profiles in Criminal Proceedings and for Identifying Unidentified or Missing Persons, the Ordinance on the Processing of Biometric Identification Data and the Swiss Criminal Code – may apply, depending on the purpose for which data is processed.

The Swiss banking secrecy provides for bank-client confidentiality, which aims to safeguard financial privacy of clients. Additionally, the Federal Act on Financial Services (FinSA) contains specific requirements for documentation, information obligations and the handling of customer data by financial service providers. The Swiss Financial Market Supervisory Authority (FINMA) also imposes data protection requirements on financial institutions in its circulars.

Furthermore, Article 321 of the Swiss Criminal Code sets forth secrecy obligations, such as patient secrecy regarding health data and attorney-client privilege, which have an impact on the processing of such data.

In the telecommunications sector, specific regulations apply to data retention and processing.

The Federal Act on the Electronic Patient Record and the associated ordinances governs the privacy and security of patient data in electronic health records.

Moreover, Swiss labour law provides special provisions with respect to the processing of employees data (see question 10).

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

In international contexts, data protection laws, such as the GDPR, may also be applicable.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

The Federal Data Protection and Information Commissioner (FDPIC) is in charge of supervising federal and private bodies and advising them on data privacy law. Data processing by communal and cantonal authorities does not fall within the responsibility of the FDPIC, but rather the data protection supervision of the cantons and communes. The FDPIC can also comment on draft federal legislation that may have an impact on data privacy. Furthermore, it interacts and cooperates with data protection authorities in Switzerland and abroad.

To accomplish its tasks, the FDPIC can investigate facts on its own initiative or at the request of a third party. As part of an investigation, the FDPIC may authorise access to all information, documents, lists of processing activities and personal data required for the investigation, access to premises and facilities, witness examinations and expert opinions. The FDPIC can order administrative measures such as the interruption of data processing, the cancellation of personal data or issue a warning. The FDPIC may file a complaint with the competent prosecution authority and exercise the rights of a private claimant in the proceedings. However, the FDPIC does not have the power to impose sanctions. The imposition of fines under the FDPIC remains the responsibility of the ordinary federal and cantonal criminal authorities.

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

The FDPIC plays a decisive role in establishing industry standards and best practices in all areas of data protection, such as internet and computer, video surveillance, e-commerce and transborder data flows. It also provides model letters and documentation templates. Guidelines and working tools prepared by the FDPIC are not directly enforceable by the courts; however, they form a relevant basis to be considered by controllers and processors of personal data.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

The FADP applies to the processing of data pertaining to natural persons by private persons (individuals and legal entities) and federal bodies.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

In accordance with Article 2(2), the FADP does not apply to:

  • personal data that is processed by a natural person exclusively for personal use;
  • personal data that is processed by the Federal Chambers and parliamentary committees in connection with their deliberations;
  • personal data that is processed by institutional beneficiaries according to Article 2 paragraph 1 of the Host State Act of 22 June 2007, which enjoy immunity in Switzerland.

2.3 Does the data privacy regime have extra-territorial application?

Due to the principle of territoriality, the data protection legislation is generally applicable to situations that take place in Switzerland. An extra-territorial application may occur, for example, in the case of outsourcing to a foreign company. In addition, the principle of impact must be observed if circumstances abroad have an impact on Switzerland, such as through websites that can be accessed for business transactions in Switzerland.

3 Definitions

3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.

(a) Data processing

Any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, recording, storage, use, revision, modification, disclosure, archiving, deletion or destruction of data.

(b) Data processor

A private person or federal body that processes personal data on behalf of the controller.

(c) Data controller

A private person or federal body that alone or jointly with others decides on the purpose and the means of the processing.

(d) Data subject

A natural person whose personal data is processed.

(e) Personal data

All information relating to an identified or identifiable natural person.

(f) Sensitive personal data

Sensitive personal data:

  • data on religious, ideological, political or trade union-related views or activities;
  • data on health, the intimate sphere or the racial or ethnic origin;
  • genetic data;
  • biometric data which unequivocally identifies a natural person;
  • data on administrative or criminal proceedings and sanctions; and
  • data on social security measures.

(g) Consent

There is no statutory definition in the FADP. But in general consent must be given voluntarily, based on the provision of adequate information. Additionally, consent must be given expressly in the case of processing of sensitive personal data, high-risk profiling by a private person or profiling by a federal body.

3.2 What other key terms are relevant in the data privacy context in your jurisdiction?

"Disclosure": Transmitting or making personal data accessible.

"Profiling": Any form of automated processing of personal data consisting of using such data to assess certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or whereabouts.

"High-risk profiling": Profiling which involves a high risk to the personality or fundamental rights of the data subject, as it creates a pairing between data that enables an assessment of essential aspects of the personality of a natural person.

"Data security breach": A security breach which leads to an unintentional or unlawful loss, deletion, destruction or modification of personal data or to personal data being disclosed or made accessible to unauthorised persons.

"Federal Body": Federal authority or service or person that is entrusted with federal public tasks.

4 Registration

4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?

In Switzerland, there is no registration of data controllers and processors.

4.2 What is the process for registration?

No answer submitted for this question.

4.3 Is registered information publicly accessible?

No answer submitted for this question.

5 Data processing

5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?

In Switzerland, the meaning of the principle of legality is different for federal bodies and private persons. In the public law sector, the legality of state action is the basic principle and therefore the processing of personal data always requires a legal basis.

With respect to data processing by private persons, the legal situation is more differentiated. Data processing by private persons does not per se constitute a breach of the privacy rights of the data subjects concerned. Consequently, data processing requires a justification – that is, the consent of the data subject, a legal basis or an overriding private or public interest – only if it unlawfully breaches the privacy of the data subject. As a general rule, no justification for processing personal data is required if the data subject has made the data generally available and has not expressly restricted the data processing.

On the other hand, justification is required if:

  • the data processing violates one of the general data protection principles of the FADP outlined in question 5.2;
  • the personal data is processed against the data subject's express will; or
  • sensitive personal data are disclosed to third parties.

5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?

The FADP provides for the following key principles:

  • Transparency: The collection of personal data, and in particular the purpose of its processing, must be evident to the data subject.
  • Lawful basis: Personal data must be processed lawfully.
  • Principle of good faith and proportionality: Data processing must be carried out in good faith and must be proportionate.
  • Accuracy of data: The processed personal data must be accurate and, where necessary, kept up to date. Incorrect or outdated data must be corrected or deleted as soon as they are identified.
  • Data security: Personal data must be safeguarded through appropriate technical and organizational measures against unauthorized access, misuse, loss, or destruction.
  • Purpose limitation: Personal data may be processed only for the purpose indicated at the time of collection, which is evident from the circumstances or which is provided for by law.

Furthermore the controller has an obligation to inform the data subject appropriately about the collection of personal data. These notification requirements also apply where data is outsourced to third parties for processing (see question 7.1 "right to information").

In any case, the data subject generally has the right to request information about the processing of his or her personal data, and may inspect and correct false, incomplete or erroneous data. This right may be restricted only if there is an overriding public or private interest in doing so. In any case the data subject has the right to receive or transfer a copy of their personal data in a commonly used format and to object to the processing of their personal data. In addition, the data subject may withdraw consent to the processing of their personal data.

With respect to the data processing by processors the FADP states the following requirements:

  • A contract must be concluded between the controller and the processor or the legislation provides for order processing.
  • The data must be processed only in the manner permitted for the controller itself.
  • The transfer of data to third parties must not be prohibited by a statutory or contractual duty of confidentiality.
  • The instructing party must ensure that the third party guarantees data security. Hence, the data controller is responsible for ensuring the security of the data and must prohibit unauthorised access.

Furthermore, the third parties must observe the key principles as set forth above. The processor may only assign the processing to a third party with the prior authorisation of the controller. If the processor is located outside Switzerland, the provisions on the disclosure of personal data abroad must also be complied with (see question 6.2).

Federal bodies may disclose personal data only if a statutory basis in accordance with Art. 34 (1 – 3) FADP provides it or if one of the following requirements is fulfilled:

  • Disclosure of the data is indispensable to the controller or the recipient for the fulfilment of a statutory task;
  • The data subject has consented to the disclosure;
  • Disclosure of the data is required in order to protect the life or the physical integrity of the data subject or a third party and it is not possible to obtain the consent of the data subject within a reasonable period of time;
  • The data subject has made its data generally accessible and has not expressly prohibited disclosure;
  • The recipient credibly demonstrates that the data subject is withholding consent or objects to disclosure in order to prevent the enforcement of legal claims or the safeguarding of other legitimate interests; the data subject must be given the opportunity to comment beforehand, unless this is impossible or involves a disproportionate effort.

Federal bodies may also disclose personal data in the context of official information disclosed to the general public, either ex officio or pursuant to the Freedom of Information Act of 17 December 2004 , if the data pertains to the fulfilment of a public duty and there is an overriding public interest in its disclosure (for more exceptions see Art. 36 FADP).

5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?

The data processor and controller are advised to monitor the processing of personal data. If irregularities or non-compliance with data protection regulations is detected, corrective measures must be implemented. The processor shall notify the controller as soon as possible of any data security breach. Both the controller and the processor must keep a record of their processing activities, unless they are affected by the exception under Art. 12 (5) FADP.

In the case of exclusively automated individual decisions that are associated with a legal consequence for the data subject or significantly affect them, the controller is obliged to provide information. The data subject can request that the decision be reviewed by a natural person. The duty of information in the case of an automated individual decision does not apply if the decision is directly connected with the conclusion or the performance of a contract between the controller and the data subject and the request of the latter is satisfied, or the data subject explicitly consented to the decision being taken in an automated manner.

6 Data transfers

6.1 What requirements and restrictions apply to the transfer of data to third parties?

When personal data is transferred to third parties, the data subjects must be informed about the transfer and if the data is transferred internationally. In addition, the requirements set out in section 5.2 above must be met.

6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?

Article 16 FADP stipulates that personal data may be disclosed abroad if the of legislation of the relevant State or international body guarantees an adequate level of protection. Accordingly, either adequate protection must be guaranteed in the country of destination or other safeguards must be in place to protect the data subject's privacy, such as:

  • an international treaty;
  • data protection provisions of a contract between the controller or the processor and its contracting partner, which were communicated beforehand to the FDPIC;
  • specific safeguards prepared by the competent federal body and communicated beforehand to the FDPIC;
  • standard data protection clauses previously approved, established or recognised by the FDPIC;
  • binding corporate rules on data protection which were previously approved by the FDPIC, or by a foreign authority which is responsible for data protection and belongs to a state which guarantees adequate protection.

Furthermore, personal data may be disclosed abroad if:

  • the data subject has explicitly consented to the disclosure;
  • the disclosure is directly connected with the conclusion or the performance of a contract:
    1. between the controller and the data subject, or
    2. between the controller and its contracting partner in the interest of the data subject;
  • disclosure is necessary:
    1. in order to safeguard an overriding public interest, or
    2. for the establishment, exercise or enforcement of legal claims before a court or another competent foreign authority;
  • disclosure is necessary in order to protect the life or the physical integrity of the data subject or a third party and it is not possible to obtain the consent of the data subject within a reasonable period of time;
  • the data subject has made the data generally accessible and has not expressly prohibited its processing;
  • the data originates from a register provided for by law which is accessible to the public or to persons with a legitimate interest, provided that the legal conditions for the consultation are met in the specific case.

The controller has to inform the data subject of the name of the State or the international body and as the case may be, the safeguards if personal data is disclosed abroad. All European countries governed by the General Data Protection Regulation guarantee more than adequate protection and therefore the transfer of data to such countries is of no concern.

6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?

The general principles of data processing remain applicable (eg, transparency, purpose limitation, data minimisation, proportionality).

7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?

  • Right of access to data: Any person may request information from the controller as to whether personal data concerning him is being processed. The information must be provided within 30 days in the form of a printout or copy, and free of charge. According to Art. 26 FADP there are some limitations to the access right.
  • Right to rectification of errors: Data subjects may request that incorrect data be corrected.
  • Right to deletion: Data subjects may request that incorrect data be deleted.
  • Right to object to processing / right to withdrawal of consent: Data subjects may request that data processing be stopped and/or that data not be disclosed to third parties.
  • Right to information: If personal data is collected, the controller must inform the data subject transparently, in particular about the identity of the controller, the purpose of the processing, the recipients of the data if personal data is disclosed abroad, the controller also informs the data subject of the name of the State or international body and, as the case may be, the safeguards according to Art. 16 (2) FADP or the applicability of one of the exceptions provided for in Art. 17 FADP. If the personal data is not collected from the data subject, the controller additionally informs the data subject of the categories of personal data which is processed.
  • Right of data portability: Any person may request from the controller, free of charge, the disclosure of the personal data that he has disclosed to him in a standard electronic format if the controller processes the data in an automated manner and the data is processed with the consent of the data subject or in direct connection with the conclusion or performance of a contract between the controller and the data subject. In addition, the data subject may request the controller to transfer his personal data to another controller if the aforementioned conditions are met and this does not involve a disproportionate effort.
  • Right to lodge a complaint: If data subjects believe that their rights have been violated, they can lodge a complaint with the competent data protection supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC).
  • Right to be forgotten: Although the right to be forgotten is not explicitly stated in the FADP, the Federal Data Protection and Information Commissioner and case law consider that the right to be forgotten results from the general principle of proportionality.

7.2 How can data subjects seek to exercise their rights in your jurisdiction?

In order to assert the rights of the data subject, the data subject must contact the controller. Furthermore the data subjects can file a complaint with the FDPIC.

In addition, data subjects have the ordinary judicial remedies available under civil law to protect their personality rights (Art. 28–28l of the Swiss Civil Code). In particular, the data subject may request that the data processing be stopped, that data not be disclosed to third parties and that personal data be corrected or deleted.

7.3 What remedies are available to data subjects in case of breach of their rights?

The data subject may further claim compensation for moral suffering and payment of damages or the handing over of profits, provided that he or she can prove actual damage based on privacy infringements, which is difficult in practice.

8 Compliance

8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?

The FADP does not stipulate an obligation for companies to appoint a data protection officer; thus, this appointment is optional and no consequences of failure apply.

8.2 What qualifications or other criteria must the data protection officer meet?

If a company intends to appoint a data protection officer, such person should be adequately skilled, with expert knowledge of data protection law and practices, in order to be able to assist the company in monitoring internal compliance with the legal framework and training employees in the field of data protection. The necessary level of expert knowledge should be connected to the specific data processing operations carried out and the protection required for the personal data processed by the company. It is equally important that the data protection officer is in a position to perform his duties in an independent manner.

8.3 What are the key responsibilities of the data protection officer?

The data protection officer is the contact point for the data subjects and for the competent data protection authorities responsible for data protection matters in Switzerland. The data protection officer's key responsibilities include the following:

  • to train and advise the private controller in matters of data protection;
  • the participation in the enforcement of data protection regulations.

8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?

In principle, no special rules apply. The outsourcing company must ensure that the external data protection officer has the necessary skills and is able and empowered to conduct his role in an independent manner.

8.5 What record-keeping and documentation requirements apply in the data privacy context?

The controllers and the processors each must keep an inventory of their processing activities unless an exception under Art. 12 (5) FADP applies.

If the intended data processing may lead to a high risk for the data subjects personality or fundamental rights, the controller must conduct beforehand a data protection impact assessment. The controller must retain the data protection impact assessment for at least two years after termination of the data processing activity.

If sensitive personal data is processed automatically on a broad scale or if high-risk profiling is carried out and the preventive measures cannot guarantee data protection, the private controller and its private processor must at least record the storage, alteration, reading, disclosure, deletion and destruction of the data. The records must be kept in particular if it is otherwise not possible to establish retroactively whether the data was processed for the purposes for which it was collected or disclosed. In the case of personal data that is generally accessible to the public, the storage, alteration, deletion and destruction of the data must at least be recorded. The records must provide information on the identity of the person who carried out the processing, the nature, date and time of the processing and, if applicable, the identity of the recipient of the data and must be kept for at least one year.

Furthermore the private controller and its private processor must draw up a processing policy for automated processing if they process sensitive personal data on a broad scale or carry out high-risk profiling. The processing policy must in particular contain information on the internal organisation, the data processing and control procedure and the measures taken to ensure data security.

The general provisions on the archiving of business documents apply; unless otherwise stipulated, all records and documents in relation to personal data must be kept for 10 years.

8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?

Not applicable.

9 Data security and data breaches

9.1 What obligations apply to data controllers and processors to preserve the security of personal data?

Article 8 FADP states the general rule that the controller and the processor must ensure, through adequate technical and organisational measures, the security of the personal data that appropriately addresses the risk. They must ensure the confidentiality, availability, traceability and integrity of the data in order to ensure an appropriate level of data protection. In particular, hey have to protect systems against the following risks:

  • unauthorised or accidental destruction;
  • accidental loss;
  • technical faults;
  • forgery, theft or unlawful use; and
  • unauthorised alteration, copying, access or other unauthorised processing.

The technical and organisational measures must be adequate and reviewed periodically. In particular, they must take account of the following criteria:

  • the purpose of the data processing;
  • the nature and extent and circumstances of the data processing;
  • an assessment of the possible risks to data subjects; and
  • the current state of the art and the costs of implementation.

Additionally, Art. 3 of the Ordinance to the Federal Act on Data Protection contains additional detailed provisions on the technical and organisational measures for data security:

In order to ensure confidentiality, the controller and the processor must take appropriate measures to guarantee that:

  • access by authorised persons is limited to the personal data that they require to fulfil their tasks (access control);
  • unauthorised persons are denied access to the premises and installations in which personal data is being processed (entrance control);
  • unauthorised persons may not use automated data processing systems by means of devices for data transmission (usage control).

In order to ensure availability and integrity, the controller and the processor must take appropriate measures to guarantee that:

  • unauthorised persons may not read, copy, alter, move, delete or destroy data carriers (data carrier control);
  • unauthorised persons may not store, read, change, delete or destroy personal data in storage (storage control);
  • when disclosing personal data and during the transport of data carriers, unauthorised persons may not read, copy, alter, delete or destroy personal data (transport control);
  • the availability of and access to personal data can be rapidly restored in the event of a physical or technical incident (recovery);
  • all functions of the automated data processing system are available (availability), that malfunctions are reported (reliability) and that stored personal data cannot be damaged by system malfunctions (data integrity);
  • operating systems and application software are always kept up to date and known critical gaps are closed (system security).

In order to ensure traceability, the controller and the processor must take appropriate measures to guarantee that:

  • it can be checked what personal data is entered or altered in the automated data processing system, at what time and by which person (input control);
  • it can be checked to whom personal data has been disclosed by means of devices for data transmission (disclosure control);
  • data security breaches can be quickly detected (detection), and measures can be taken to mitigate or eliminate their impact (elimination).

9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

The controller shall notify the FDPIC as soon as possible of a data security breach that is probable to result in a high risk to the personality rights or the fundamental rights of the data subject. The notification must at least contain the nature of the data security breach, the impact, including any risks, for the data subjects, the measures taken or foreseen and the name and contact details of a contact person and additionally, as far as possible the time and duration of the data security breach, the categories and the approximate number of personal data concerned and the categories and the approximate number of data subjects.

9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

The controller shall also inform the data subject if this is necessary for the protection of the data subject or if the FDPIC so requests. The controller can restrict the information to the data subject, defer it or refrains from providing information if there are grounds pursuant to Art. 26 (1) lit. b or (2) lit. b FADP or a statutory duty of secrecy prohibits it, information is impossible or requires disproportionate efforts or the information of the data subject is ensured in an equivalent manner by a public announcement. The notification must at least contain the nature of the data security breach, the impact, including any risks, for the data subjects, what measures have been taken or are envisaged to remedy the defect and mitigate the impact, including any risks and the name and contact details of a contact person.

9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?

Furthermore the controller has to document data security breach. The documentation must contain all facts relating to the incidents, their effects and the measures taken. It has to be retained for at least two years from the date of notification to the FDPIC.

10 Employment issues

10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?

Article 328b of the Swiss Code of Obligations governs the obligations of employers in respect of the protection of employees' personality rights while handling personal data. It states that an employer may process data concerning employees only to the extent that such data:

  • concern the employee's suitability for his or her job; or
  • is necessary for the performance of the employment contract.

In all other respects, the provisions of the Federal Act on Data Protection shall apply. It is not possible to derogate from these provisions to the detriment of the employee by individual agreement, standard employment contract or collective employment contract, or even with the consent of the employee, due to the relationship of subordination between the parties.

10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?

A distinction must be drawn between surveillance of internet use, email and telephone, as well as surveillance by video. The surveillance of employees is permitted only to a very limited extent. In general, employees must be informed of the planned surveillance in advance and in a transparent way, and in most cases must give their consent. The employer should ideally specify in an internal directive, based on its right to issue instructions, how employees may use the Internet and email for private purposes. Such rules create transparency and legal certainty for such use, and for the establishment of control and surveillance instruments. Video surveillance systems designed to specifically monitor the behaviour of employees are prohibited. Where video surveillance is necessary for other reasons (eg, security), it must be implemented in such a way that the health and freedom of movement of employees are not unduly affected. The surveillance of employees may be considered illegal and a violation of personality rights unless it is justified by the consent of the injured party, by an overriding private or public interest or by law. The principles of proportionality, good faith and transparency must also be taken into account.

10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context

Consent in the employment relationship is valid only to a limited extent, as the voluntary nature is restricted by the subordination relationship between employer and employee. It is therefore advisable to refer to another legal basis to process the personal data of employees.

11 Online issues

11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?

Cookies are governed by Article 45c of the Telecommunications Act, which provides that the processing of data on external equipment by means of transmission using telecommunications techniques is permitted only if, among other things, users are informed of the processing and its purpose, and are informed that they may refuse to allow such processing. Swiss companies commonly inform internet users of the data protection policy on their websites regarding the use and deactivation of cookies. An opt-in process is not mandatory.

11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?

Cloud computing services are basically regarded as data processing by third parties. Such outsourcing is allowed if personal data is processed only in the manner in which the cloud user itself would be allowed to process it, and if no legal or contractual obligation of secrecy prohibits it. It must be ensured that the third-party cloud service provider guarantees data security through appropriate technical and organisational measures. The cloud service provider must also be obliged to fully comply with the data protection regulations applicable in Switzerland (see question 5.2). If personal data is transmitted abroad through outsourcing, Article 16 FADP applies (see question 6.2).

11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?

It is important to have a legal basis for the use of personal data for marketing purposes. Article 3(1)(o) of the Unfair Competition Act stipulates that it is considered unlawful to send mass advertising without a direct connection to the requested content by means of telecommunications technology, or to arrange for such broadcasts, and in doing so fail to:

  • obtain the prior consent of the customers;
  • specify the correct sender; or
  • point out the possibility of refusal without consequence and free of charge (opt-out).

However, a company which receives contact information from customers when selling goods, works or services and, in doing so, points out the possibility of refusal (again: opt-out) does not act unfairly if it sends those customers mass advertising for its own similar goods, works or services without their consent. It is recommended that the underlying contract or the applicable general terms and conditions also govern data protection and the use of contact information for own marketing purposes.

12 Disputes

12.1 In which forums are data privacy disputes typically heard in your jurisdiction?

As set forth in question 7.2, data subjects have ordinary judicial remedies available under civil law to protect their personality rights.

The FDPIC regularly investigates cases that involve potential privacy issues. If the investigation reveals a data protection breach, the FDPIC may make recommendations as to how the method of data processing should be changed or that the data processing activity be stopped (see question 1.4). If this recommendation is not complied with, the FDPIC may initiate proceedings leading to a formal decision on the matter. In the case of recommendations to federal bodies, the FDPIC may refer the case to the competent department or the Swiss Federal Chancellery for a formal decision. Both the FDPIC and any persons concerned by such a decision may appeal this decision to the Swiss Federal Administrative Court. The appeal decision may be further appealed to the Swiss Federal Supreme Court. In the case of recommendations to private persons, the FDPIC may refer the case to the Swiss Federal Administrative Court for a decision. The decision of the Swiss Federal Administrative Court is subject to an appeal before the Swiss Federal Supreme Court.

12.2 What issues do such disputes typically involve? How are they typically resolved?

Disputes between private individuals, which include data protection issues, often relate to labour disputes.

12.3 Have there been any recent cases of note?

In 2015 the Swiss Federal Supreme Court issued a noteworthy decision on the right of access in connection with a tax dispute between certain Swiss banks and the United States. Based on the right of access set forth in Article 8 of the Federal Act on Data Protection, the court obliged a Swiss bank to provide its employees with copies of all documents transferred to the US Department of Justice in April 2012 containing their personal data. With respect to the processing of employee personal data, the Swiss Federal Supreme Court held that the monitoring of an employee's use of email and Internet that lasted for three months and included the taking of regular screenshots was illegal and disproportionate. Furthermore, there was no internal policy that permitted monitoring under specific, transparently disclosed circumstances, which would have been required.

13 Trends and predictions

13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

Yes, the current data privacy landscape in Switzerland is undergoing significant transformation, driven by recent legislative updates, regulatory trends, and the broader impact of international frameworks like the European Union's General Data Protection Regulation (GDPR). Switzerland, like the rest of Europe, is seeing rapid developments in emerging technologies such as artificial intelligence (AI), big data, and blockchain. As these technologies become more prevalent, there is a growing focus on ensuring that they are deployed in a privacy-compliant manner.

14 Tips and traps

14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?

Every company should implement a data protection programme which reasonably reflects its size, business, markets and the associated risks. This programme should start with an overview of the data flows resulting in the record and documentation of processing activities. Based on this, companies would be well advised to take care of internal and external communication regarding the use of data. Communication ensures transparency and trust, which again are vital for success.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More