Part 4 of our series on data protection law in Switzerland
In this part of our series on the revised Swiss Federal Act on Data Protection (FADP), we examine an essential compliance question: when is a legal basis required to process personal data under Swiss law? The answer depends on who is processing the data—federal bodies or private persons—and whether personality rights are affected.
Mandatory legal basis for federal bodies
Under the FADP, federal bodies, such as federal authorities and administrative units, must always have a legal basis to process personal data. This requirement reflects the constitutional principle that public bodies must act within the limits of the law when interfering with fundamental rights.
This marks a clear distinction from the private sector, which is subject to a different legal standard under the FADP.
"Permission subject to prohibition" approach for private persons
Unlike federal bodies, private persons—including companies, organisations, and individuals—do not need a specific legal basis for every data processing activity. Instead, they may generally process personal data if that processing does not unlawfully infringe the data subject's personality rights.
Under this "permission subject to prohibition" model, processing is permitted unless it:
- violates the general processing principles (Art. 6 and 8 FADP), such as proportionality, purpose limitation, or transparency (cf. part 3 of our series);
- goes against the express wishes of the data subject; or
- involves the disclosure of sensitive personal data to third parties.
Importantly, no violation occurs if the data was made publicly accessible by the data subject without restrictions on its use.
Legal justification in case of a breach of personality rights
If the data processing infringes personality rights, it is only lawful if a legal justification is available under Art. 31 FADP. This may include:
- The data subject's consent;
- An overriding private or public interest;
- A specific legal obligation.
Art. 31(2) FADP gives illustrative examples of situations where an overriding interest may exist—for instance, where processing is directly connected to the conclusion or performance of a contract with the data subject. However, these are not absolute rules.
According to the Federal Council Dispatch on the revised FADP, the decisive factor remains a case-by-case balancing of interests, like the previous legal framework.
This interpretation was confirmed by the Federal Data Protection and Information Commissioner (FDPIC) in the final report to his investigation into the Ricardo auction platform1, where the FDPIC clarified that controllers can, in principle, rely on any interest worthy of protection—including economic interests—as long as they can demonstrate that this interest outweighs the data subject's right to informational self-determination.
Practical tip
Before relying on an overriding private interest to justify data processing, companies should carefully assess and document their decision-making. A well-reasoned balancing test can be essential in demonstrating compliance. This test should weigh the nature of the data, the purpose of processing, the potential impact on the individual, and the safeguards in place.
Preview on Part 5
In part 5 of our series, we will examine the internal documentation obligations under the FADP: when must data processing activities be recorded, and what must those records include?
Footnote
1 https://www.newsd.admin.ch/newsd/message/attachments/90124.pdf, only available in German
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.