The processing of personal data is mainly regulated by the Federal Act on Data Protection of 19 June 1992 ("DPA") and its ordinances, i.e. the Ordinance to the Federal Act on Data Protection ("DPO") and the Ordinance on Data Protection Certification ("ODPC").
In addition, the processing of personal data is further restricted by provisions in other laws, mainly with regard to the public sector and regulated markets.
DEFINITION OF PERSONAL DATA
Personal data means all information relating to an identified or identifiable natural or legal person.
DEFINITION OF SENSITIVE PERSONAL DATA
Sensitive personal data is defined as data on:
- religious, ideological, political or trade union related views or activities;
- health, the intimate sphere or racial origin;
- social security measures; and
- administrative or criminal proceedings and sanctions.
"Personality profiles" are protected to the same extent under the DPA as sensitive personal data. Personality profiles are collections of data that allow the appraisal of essential characteristics of the personality of an individual.
NATIONAL DATA PROTECTION AUTHORITY
Federal Data Protection and Information Commissioner ("FDPIC")
The FDPIC supervises federal and private bodies, advises and comments on the legal provisions on data protection and assists federal and cantonal authorities in the field of data protection.
The FDPIC informs the public about his findings and recommendations, and maintains and publishes the register for data files.
As a rule, private persons do not have to notify or register their processing of personal data. However, private persons must register their data files before the data files are opened if:
- they regularly process sensitive personal data or personality profiles; or
- they regularly disclose personal data to third parties;
unless one of the following exemptions applies:
- the data is processed pursuant to a statutory obligation;
- the Swiss Federal Council has exempted the particular processing from the registration requirement because it does not prejudice the rights of the data subjects;
- the data controller uses the data exclusively for publication in the edited section of a periodically published medium and does not pass on any data to third parties without informing the data subjects;
- the data is processed by journalists who use the data file exclusively as a personal work aid;
- the data controller has designated a data protection officer who independently monitors internal compliance with data protection regulations and maintains a list of the data files; or
- the data controller has acquired a data protection quality mark under a certification procedure according to Article 11 DPA and has notified the FDPIC of the result of the evaluation.
DATA PROTECTION OFFICERS
There is no requirement under Swiss data protection law to appoint a data protection officer.
However, a data controller is exempted from registering its data files if it has designated a data protection officer who:
- carries out his/her duties autonomously and independently, i.e. without being subject to instructions;
- has a level of expertise appropriate to the data processing carried out at the company (it does not matter whether that expertise was acquired in Switzerland);
- checks and audits the processing of personal data within the company;
- is in a position to recommend corrective measures when he/she detects a breach of applicable data protection rules;
- has access to all data files and all data processing within the company, as well as to any other information he/she requires to fulfil these duties;
- maintains a list of all data files controlled by the company and provides this list to the FDPIC or to affected data subjects upon request; and
- does not carry out any other activities that are incompatible with the duties of a data protection officer.
The data controller must notify the FDPIC of the appointment of the data protection officer in order to be included in the public list of companies exempted from registering their data files.
COLLECTION AND PROCESSING
The following principles apply to the collection and processing of personal data (including data of legal entities):
- personal data may only be processed lawfully, in good faith and according to the principle of proportionality;
- the collection of personal data and, in particular, the purpose of its processing must be evident to the data subject;
- personal data should only be processed for a purpose that is indicated or agreed at the time of collection, evident from the circumstances at the time of collection, or provided for by law;
- the data controller and any processor must ensure that the data processed is accurate;
- personal data must not be transferred abroad if the privacy of the data subject may be seriously endangered (see below);
- personal data must be protected from unauthorised processing by appropriate technical and organisational measures;
- personal data must not be processed against the explicit will of the data subject, unless this is justified by:
  - the consent of the data subject (which must be given voluntarily and on the basis of adequate information);
  - an overriding private or public interest; or
  - the law;
- sensitive personal data or personality profiles must not be disclosed to third parties, unless this is justified by:
  - the consent of the data subject (which must be given expressly, in addition to being voluntary and based on adequate information);
  - an overriding private or public interest; or
  - the law.
Personal data may be disclosed outside Switzerland if the destination country offers an adequate level of data protection. The FDPIC maintains and publishes a list of such countries.
The FDPIC deems the data protection legislation of all EU and EEA member states adequate with regard to personal data of individuals. With regard to personal data of legal entities, only a few countries, such as Austria, Italy and Liechtenstein, provide an adequate level of data protection.
In the absence of legislation that guarantees adequate protection, personal data may be disclosed abroad only if:
- sufficient safeguards, such as data transfer agreements or other contractual clauses, ensure an adequate level of protection abroad. These agreements or other safeguards must be notified to the FDPIC; to the extent that model clauses recognised by the FDPIC are used, mere information is sufficient;
- there are binding corporate rules that ensure an adequate level of data protection in cross-border data flows within a single legal entity or a group of companies. Such rules must be notified to the FDPIC;
- the recipient in the United States has self-certified under the US Swiss Safe Harbor Framework (which mirrors the US EU Safe Harbor Framework);
- the data subject consents to the particular data export (consent must be given for each individual case, a generic consent is not sufficient);
- the processing is directly connected with the conclusion or performance of a contract with the data subject;
- disclosure is essential in order to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal rights before the courts;
- disclosure is required in order to protect the life or the physical integrity of the data subject; or
- the data subject has made the personal data publicly accessible and has not expressly prohibited its processing.
The data controller and any processor must take adequate technical and organisational measures to protect personal data against unauthorised processing and ensure its confidentiality, availability and integrity. In particular, personal data shall be protected against the following risks:
- unauthorised or accidental destruction;
- accidental loss;
- technical errors;
- forgery, theft or unlawful use; and
- unauthorised altering, copying, accessing or other unauthorised processing.
The technical and organisational measures must be appropriate, in particular with regard to the purposes of the data processing, the scope and manner of the data processing, the risks for the data subjects and the current technological standards.
There is no mandatory requirement to notify the FDPIC of any breach of the obligations under the DPA.
The FDPIC does not have specific direct powers to enforce the DPA. He may investigate cases on his own initiative or at the request of a third party and may issue recommendations that the method of processing be changed or abandoned. If the FDPIC's recommendation is not complied with, he may refer the matter to the Swiss Federal Administrative Court for a decision.
Furthermore, the DPA provides for criminal liability, with fines of up to CHF 10,000, where a private person wilfully fails to comply with the following obligations under the DPA:
- duty to provide information when collecting sensitive data and personality profiles;
- duty to safeguard the data subject's right to information;
- obligation to notify the FDPIC with regard to contractual clauses or binding corporate rules in connection with the data transfer abroad;
- obligation to register data files; or
- duty to cooperate in an FDPIC investigation.
Criminal proceedings must be initiated by the competent cantonal prosecution authority.
Finally, under Swiss civil law the data subject may apply for injunctive relief and may file a claim for damages as well as satisfaction and/or surrender of profits based on the infringement of its privacy.
Electronic marketing practices must comply with the provisions of the Swiss Federal Act against Unfair Competition ("UCA").
With regard to the sending of unsolicited automated mass advertising (which, in addition to emails, includes SMS, automated calls and fax messages), the UCA generally requires the prior consent of the recipient, i.e. opt-in. As an exception, mass advertising may be sent without the consent of the recipient if the sender obtained the contact information in the course of selling his/her products or services, the recipient was given the opportunity to refuse the use of his/her contact information at the time of collection, and the mass advertising relates to similar products or services of the sender.
In addition, mass advertising emails must contain the sender's correct name, address and email contact and must provide for an easy-access and free of charge opt-out.
The UCA generally applies to business-consumer relationships as well as to business-business relationships, i.e., mass advertisements sent to individuals and to corporations are subject to the same rules.
In principle, direct marketing by telephone is lawful in Switzerland as long as it is not done in an aggressive way (e.g. by repeatedly calling the same person). Moreover, art. 3 para. 1 lit. u UCA prohibits direct marketing by telephone to persons who do not wish to receive commercial communications and have expressed that wish (i.e. opted out) by marking their entry in the telephone directory (e.g. with an asterisk next to the entry).
In addition to the rules of the UCA, the general data protection principles under the DPA also apply to electronic marketing activities, e.g. the collection and maintenance of email addresses or the processing of any other personal data.
ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)
The general rules under the DPA apply where cookies collect data relating to identified or identifiable persons, i.e. personal data. The collection of personal data through cookies, as well as the purpose of such collection, must be evident to the data subject. Further, the personal data collected may only be processed for the purpose (i) indicated at the time of collection, (ii) evident from the circumstances, or (iii) provided for by law.
Where the personal data collected through a cookie (i) is considered sensitive data, e.g. data regarding religious, ideological or political views or activities, or (ii) is so comprehensive that it forms a personality profile, i.e. permits an assessment of essential characteristics of a person's personality, the stricter rules on the processing of sensitive personal data apply. These stricter rules provide, inter alia, that the data subject must be informed of (i) the identity of the data controller, (ii) the purpose of the data processing and (iii) the categories of data recipients if the data is to be disclosed to third parties. Further, in relation to the processing of sensitive personal data, implied consent is not sufficient; consent must be given expressly.
© DLA Piper
This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.
DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com