SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS
1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?
In Switzerland, the collection and processing of personal data are primarily regulated by the Federal Act on Data Protection (FADP) and the Federal Data Protection Ordinance (FDPO). The FADP was extensively revised to match the level of data protection established by the EU General Data Protection Regulation (2016/679) (GDPR) and came into effect on 1 September 2023. The FADP applies to the processing of personal data of natural persons by private persons and federal bodies and covers both automated and manual processing. Personal data is any information relating to an identified or identifiable natural person, directly or indirectly. Fully anonymised data does not fall within the scope of the FADP. The FADP sets out several key principles for data processing, including lawfulness, good faith and proportionality, purpose limitation, data accuracy and data security. In contrast to the GDPR, under which every processing activity must rest on a legal basis pursuant to article 6 GDPR, processing under the FADP only requires a justification (article 31 FADP) if it infringes the personality rights of the data subject, for example because personal data is processed in breach of the aforementioned processing principles.
For cross-border investigations, the following aspects of the FADP are particularly relevant. Switzerland recognises certain countries as providing an adequate level of data protection, and transfers to these countries are generally permitted without additional safeguards (the processing principles must, however, always be complied with). The EEA member states and the United Kingdom, for instance, are recognised as adequate jurisdictions. If personal data is to be transferred to a country that does not provide adequate protection from a Swiss perspective (such as China, India or, unless the recipient is certified under the Swiss–US Data Privacy Framework, the United States), additional safeguards must be put in place, typically the EU Standard Contractual Clauses with a "Swiss Finish", ie, with the amendments required under Swiss law. Wilfully disclosing personal data to such a jurisdiction without additional safeguards is a criminal offence (article 61 lit. a FADP), unless a statutory exception applies (eg, the data subject has explicitly consented to the transfer, or the disclosure is necessary for the establishment, exercise or enforcement of legal claims before a foreign court or other authority).
The Federal Data Protection and Information Commissioner (FDPIC) supervises compliance with the FADP in Switzerland.
2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?
Several laws and regulations besides data protection law may prevent or restrict data sharing in the context of an investigation. These include, in particular, the following.
Swiss banking secrecy
Article 47 of the Swiss Federal Act on Banks and Savings Banks (BankA) imposes stringent confidentiality obligations on banks, which may limit the sharing of their customers' data. Article 47 BankA provides broad protections for customer data but does not explicitly define the scope of information safeguarded from disclosure. The provision generally prohibits the release of any confidential information entrusted to individuals or entities covered by the BankA. This encompasses all direct and indirect customer identifying data (CID) arising from the business relationship between the bank and its customer, such as any personal details of the customer, information on deposits and withdrawals or loan-related data. However, in accordance with the FADP and the GDPR, fully anonymised customer data does not fall within the scope of article 47 BankA.
The BankA provides for certain exceptions to disclose otherwise protected customer data, for example, if requested to do so under a Swiss statute requiring disclosure of information to a government authority. In criminal proceedings abroad, mutual legal or administrative assistance may be granted to foreign states in accordance with international treaties, in particular, the Swiss Federal Act on International Mutual Assistance in Criminal Matters. Swiss authorities generally only lift bank customer secrecy if the conduct under investigation is also considered a criminal offence under Swiss law. Unlike many international bank secrecy laws, the BankA does not explicitly state that a customer's consent permits disclosure. However, it is generally recognised that such consent constitutes a valid waiver of Swiss bank secrecy, and Swiss banks routinely obtain it when no statutory exception under the BankA applies.
In addition to article 47 BankA, comparable secrecy obligations apply to other financial institutions under the Swiss Federal Act on Financial Institutions (FinIA). Article 69 FinIA prohibits the unauthorised disclosure of any CID by directors, officers, employees, agents or liquidators, imposing criminal penalties for violations. Financial institutions within the meaning of the FinIA include portfolio managers, trustees, managers of collective assets, fund management companies and securities firms.
Professional secrecy (Swiss Criminal Code)
Article 321 of the Swiss Criminal Code (SCC) imposes professional secrecy obligations on certain professionals, including lawyers, doctors and auditors. In addition to their contractual duty of confidentiality under the Swiss Code of Obligations (CO), these professionals are prohibited from disclosing confidential information obtained in the course of their duties, except in specific circumstances, such as the client's explicit consent or a written authorisation issued by the competent supervisory authority upon the professional's application.
Telecommunications secrecy (Swiss Telecommunications Act)
The Swiss Telecommunications Act (TCA) requires telecommunications service providers to maintain the confidentiality of their subscribers' communications (article 43 TCA). Disclosure of telecommunications data is generally restricted and may only take place under specific statutory conditions, for example on the basis of a court order or for national security purposes.
Employment law
Article 328b CO complements the FADP by stipulating that the employer may only process an employee's personal data to the extent that it relates to the employee's suitability for the job or is necessary for the performance of the employment contract (which includes investigating suspected misconduct by an employee). Since article 328b CO is one of the provisions listed in article 362 CO, the employee's consent to processing that goes beyond its scope is only effective if the arrangement is in the employee's favour. As the Swiss Federal Supreme Court has ruled, article 328b CO is not a prohibition but a processing principle, so that a violation of article 328b CO may be justified by an overriding private interest of the employer or another justification set out in article 31 FADP.
Swiss Blocking Statute – article 271 SCC
Article 271 SCC prohibits the disclosure of information or documents obtained in Switzerland for use in foreign proceedings if such disclosure would ordinarily require the involvement of Swiss public authorities. Accordingly, the disclosure falls within the scope of article 271 SCC if the information or documents cannot be freely disposed of, or if failure to comply with the disclosure request may result in sanctions extending beyond mere procedural penalties (eg, the criminal offence of contempt of court). Information that cannot be freely disposed of includes, in particular, non-public information relating to third parties. In the absence of an authorisation under article 271 SCC, such information may only be disclosed through the official formal mutual legal assistance channels. Swiss authorities typically do not grant authorisation solely for obtaining information or evidence located within Switzerland, as mutual legal assistance procedures are available.
Economic espionage – article 273 SCC
Article 273 SCC prohibits any attempt to obtain manufacturing, trade or business secrets and the disclosure of such secrets to a foreign authority or a foreign private person, provided that the secrets have a sufficient nexus with Switzerland (eg, business secrets of Swiss-based entities or secrets stored on servers located in Switzerland). Information covered by Swiss banking secrecy (article 47 BankA) and, because of its functional similarity to banking secrecy, information covered by the professional secrecy set out in article 69 FinIA fall under article 273 SCC. The consent to disclosure (ie, a secrecy waiver) of the "owner" of the secret remedies a breach of article 273 SCC only if the consenting party alone has an interest in maintaining secrecy and can therefore freely dispose of it. Where Switzerland has a public interest in protecting the information, it is not for the parties (including the party that "owns" the secret) to waive their secrecy rights. This leaves a residual risk that Swiss courts will find a violation of article 273 SCC in cases of cross-border disclosure to foreign authorities or private companies even if all affected parties have validly waived their secrecy rights.
Manufacturing and trade secrecy – article 162 SCC
Article 162 SCC protects the manufacturing and trade secrets of entities and individuals against unauthorised disclosure by persons bound to confidentiality by contract or by law. It prohibits any disclosure of a secret by rendering it accessible to a third party, regardless of how the disclosure is made. A manufacturing or trade secret is a fact that is neither publicly known nor readily accessible, in which the owner has a legitimate interest in confidentiality, and which has economic value (ie, its disclosure to third parties must be capable of affecting business operations, for example by increasing competition or harming the owner's company). Unlike under article 273 SCC, the owner's waiver and consent to disclosure eliminates the risk of prosecution under article 162 SCC.
3. What constitutes personal data for the purposes of data protection laws?
According to the FADP, "personal data" refers to any information relating to an identified or identifiable natural person. This includes any data that can be linked to a specific individual, either directly (eg, name, address, social security number) or indirectly (eg, IP address, cookie identifiers or other unique identifiers).
This can include a wide range of information such as:
- basic identification information (name, date of birth, gender);
- contact information (address, email, phone number);
- financial information (bank account details, credit card numbers);
- health information (medical records, health insurance details);
- online identifiers (IP addresses, cookies); or
- employment details (job title, salary, performance reviews).
The FADP also makes a distinction for sensitive personal data, which is slightly broader than the special categories of personal data under article 9 GDPR, and includes:
- data on religious, ideological, political or trade union-related views or activities;
- data on health, the intimate sphere or the racial or ethnic origin;
- genetic data, biometric data that uniquely identifies a person; or
- data on administrative or criminal proceedings and sanctions.
Under the revised FADP, information about legal entities or deceased natural persons is no longer considered personal data.
Additionally, fully anonymised data is not personal data for the purposes of the FADP, since it can no longer be used to identify an individual. Anonymisation must be irreversible: if there are any reasonable means by which the data could be linked back to the individuals it originally related to, the data is not truly anonymised and remains personal data. By contrast, pseudonymised data, where identifying information has been replaced with a pseudonym or code but re-identification remains possible by linking the pseudonym back to the individual using separately and securely stored information (the "key"), remains within the scope of the FADP. Even though direct identification is obscured, the potential for re-identification means that such data is still personal data for anyone who has access to the key. Conversely, for a recipient who has no access to the key and no other reasonable means of re-identification, pseudonymised data does not constitute personal data. Whether such other means exist must be assessed in each case; a pseudonym that is merely an unkeyed hash of a guessable identifier such as an email address, or a record whose remaining attributes are unique, can often be re-identified without the key.
4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?
The FADP applies to the processing of personal data of natural persons by both private persons and federal bodies. Processing means any handling of personal data, irrespective of the means and procedures used, in particular the collection, storage, keeping, use, modification, disclosure, archiving, deletion or destruction of data. Primarily, the obligations under the FADP are imposed on data controllers (ie, private persons who or federal bodies that determine the purpose and the means of processing personal data, either alone or jointly with others). However, certain obligations also apply to processors. A processor is a private person or federal body that processes personal data on behalf of a controller.
The FADP has extraterritorial reach. It applies not only to data processing carried out within Switzerland but also to processing conducted abroad that has an effect in Switzerland. According to the prevailing view, that effect must reach a certain level of intensity. This is the case, for example, if a foreign company (also) directs its commercial data processing activity to Switzerland (ie, deliberately addresses persons in Switzerland or processes their data) or processes the data of a large number of data subjects in Switzerland. In such cases, the foreign company must comply with the FADP.
5. What are the principal requirements under data protection laws that are relevant in the context of investigations?
The principal requirements under the FADP that are relevant in the context of investigations can be summarised as follows:
- Lawfulness: Personal data may only be processed lawfully. However, unlike the GDPR, only the processing of personal data by federal bodies requires a legal basis. Private persons, on the other hand, may generally process personal data without justification, as long as they comply with the general principles of data processing.
- Transparency and information duty: Data subjects must be informed about the collection and processing of their personal data, including the purpose of the processing, the identity of the controller and any third parties to whom the data may be disclosed. With possible investigations against employees in mind, we therefore recommend informing employees in their employment contract or an employee handbook that their emails and other correspondence may be examined more closely if misconduct is suspected. If no such advance information has been given, informing the employees concerned can be deferred to a later stage of the investigation so as not to jeopardise it.
- Purpose limitation: Personal data must be collected for specific purposes and not further processed in a manner that is incompatible with such purpose. In the context of investigations, this means that data collected should only be used for the specific investigation and not for unrelated purposes.
- Proportionality: Only data necessary for the investigation should be collected and processed. This principle requires that investigators limit the scope of data collection to what is strictly necessary for the investigation. For example, an email review should begin by defining a specific time period and specific keywords to determine a potentially relevant data set, which is then manually reviewed.
- Storage limitation: Personal data should not be kept in a form that allows identification of data subjects for longer than is necessary to fulfil the purposes for which the data was collected. This means that once an investigation is concluded, any personal data that is no longer needed should be securely deleted or anonymised.
- Data security: Appropriate technical and organisational measures must be taken to ensure the security of personal data. This includes protecting data against the unintentional or unlawful loss, deletion, destruction or alteration of personal data, or the unauthorised disclosure or access of such data.
- Data subject rights: Individuals have rights to access, rectify and delete their personal data. During an investigation, procedures should be in place to address such requests promptly, unless legal exceptions apply (see questions 6, 7 and 11 below).
- Cross-border data transfers: Transferring personal data abroad is restricted (see questions 15 and 16 below) and requires that the destination country provides an adequate level of data protection. If not, additional safeguards are necessary, unless a statutory exception can be relied upon.
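As an added illustration that is not part of this guide, the following Python sketch puts the proportionality, data security and storage limitation points above, together with the distinction between pseudonymised and anonymised data discussed in question 3, into working code. It narrows a constructed mailbox export to an agreed date window and keyword list, replaces the identities of everyone other than the custodian under investigation with keyed pseudonyms before the review set is handed to a processor, keeps the key and the re-identification table with the controller, and shows why an unkeyed hash is not a substitute for a keyed pseudonym. HMAC-SHA-256 is an assumed pseudonymisation scheme chosen for the example (the FADP prescribes no particular method), and all addresses, messages, keywords and keys are fictitious.

```python
"""Added example: proportionate e-mail triage with keyed pseudonymisation.
Not part of the original guide; the scheme (HMAC-SHA-256) and all data are
assumptions made for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class Message:
    sent: date
    sender: str
    recipient: str
    subject: str
    body: str


# Constructed sample mailbox export (fictitious addresses and content).
CUSTODIAN = "anna.custodian@example.com"
SAMPLE_MAILBOX = [
    Message(date(2024, 3, 2), CUSTODIAN, "sales@supplier.example",
            "Invoice 4471", "Please approve the invoice for the March shipment."),
    Message(date(2024, 3, 9), "hr@example.com", CUSTODIAN,
            "Team lunch", "Friday at noon, usual place."),
    Message(date(2024, 3, 15), "sales@supplier.example", CUSTODIAN,
            "Re: rebate", "The agreed rebate will be wired to the account you named."),
    Message(date(2024, 1, 20), CUSTODIAN, "sales@supplier.example",
            "Invoice 4102", "Invoice attached, same terms as last year."),
]


def in_scope(msg: Message, start: date, end: date, keywords: Iterable[str]) -> bool:
    """Proportionality filter: a message enters the review set only if it was
    sent inside the agreed window and its subject or body contains one of the
    agreed keywords (case-insensitive substring match)."""
    if not (start <= msg.sent <= end):
        return False
    text = f"{msg.subject}\n{msg.body}".lower()
    return any(k.lower() in text for k in keywords)


def pseudonym_tag(identifier: str, key: Optional[bytes]) -> str:
    """HMAC-SHA-256 tag over the normalised identifier when a key is given.
    With key=None a plain SHA-256 is used; that variant exists only to show
    why an unkeyed hash of a guessable identifier is not anonymisation."""
    norm = identifier.strip().lower().encode()
    digest = (hashlib.sha256(norm) if key is None
              else hmac.new(key, norm, hashlib.sha256)).hexdigest()
    return "person-" + digest[:16]


class Pseudonymiser:
    """Held by the controller: secret key plus pseudonym -> identifier table.
    The review set handed to a processor carries only the tags."""

    def __init__(self, key: Optional[bytes] = None):
        self._key: Optional[bytes] = key if key is not None else secrets.token_bytes(32)
        self._table: dict[str, str] = {}

    def pseudonymise(self, identifier: str) -> str:
        tag = pseudonym_tag(identifier, self._key)
        self._table[tag] = identifier.strip().lower()
        return tag

    def reidentify(self, tag: str) -> Optional[str]:
        return self._table.get(tag)

    def destroy_key(self) -> None:
        """Storage limitation: once the investigation is closed, discarding key
        and table turns the retained review set into effectively anonymised data."""
        self._key = None
        self._table.clear()


def build_review_set(mailbox: Iterable[Message], start: date, end: date,
                     keywords: Iterable[str], custodians: Iterable[str],
                     pseud: Pseudonymiser) -> list[Message]:
    """In-scope messages with non-custodian identities replaced by pseudonyms;
    the custodian under investigation stays identifiable for the reviewers."""
    custodian_set = {c.lower() for c in custodians}

    def mask(addr: str) -> str:
        return addr if addr.lower() in custodian_set else pseud.pseudonymise(addr)

    return [replace(m, sender=mask(m.sender), recipient=mask(m.recipient))
            for m in mailbox if in_scope(m, start, end, keywords)]


def dictionary_attack(tag: str, candidates: Iterable[str], key: Optional[bytes]) -> Optional[str]:
    """Adversary holding the review set and a list of plausible addresses.
    The identity is recovered only if the tag can be recomputed, ie the tag
    is unkeyed or the adversary has the correct key."""
    for c in candidates:
        if pseudonym_tag(c, key) == tag:
            return c.strip().lower()
    return None
```

The same HMAC key maps the same address to the same pseudonym, so reviewers can still see that the two in-scope messages involve one counterparty, while nobody outside the controller can confirm who that is by hashing a list of known suppliers. The two-step model, filter first and pseudonymise what remains, mirrors the proportionality requirement above: data that never enters the review set needs no safeguards at all.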
6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.
Both the company conducting an internal investigation and any external party assisting it must comply with the data protection requirements of the FADP. While the company retains primary responsibility, external service providers must also ensure that their own processing is secure and compliant. The key obligations are outlined below.
Company conducting an internal investigation
In line with the general data protection principles laid down in the FADP (see question 5), companies should collect only the data necessary for the investigation, avoiding excessive or irrelevant data collection, and use the data solely for the purposes of the investigation and not for any other unrelated activities. If the GDPR applies, a lawful basis for processing personal data must be identified, such as legitimate interests or compliance with legal obligations.
Data security measures must be in place to prevent unauthorised access. Access to personal data should be limited to those directly involved in the investigation (need-to-know principle). Anonymisation or pseudonymisation should be considered where possible.
Additionally, there are requirements concerning data subject rights. First, individuals have the right to be informed about the investigation and how their data will be used. This right may, however, be refused, restricted or delayed where a formal law or an overriding interest allows it (eg, because of professional secrecy obligations or because disclosure would compromise the investigation). Second, employees and other affected individuals retain their rights to access, correct and delete their personal data unless an exemption applies. The company should be prepared to address such requests promptly.
Data should only be retained as long as necessary for the investigation. Non-essential personal data should be securely deleted or anonymised once the investigation concludes.
Cross-border data transfers must comply with Swiss data protection rules. If personal data is transferred abroad, additional safeguards (such as EU Standard Contractual Clauses with the necessary "Swiss Finish") may be required, unless the company conducting the investigation can rely on a statutory exception (see questions 15 and 16).
Party assisting with an investigation
The assisting party (such as a forensic services provider) typically acts as a data processor under the instructions of the company conducting the investigation. Therefore, a data processing agreement (DPA) must be in place, outlining, for example, the purpose and scope of processing, required security measures, confidentiality obligations, and conditions for data deletion or return. If an assisting party acts as an independent data controller (such as typically a law firm), no DPA is required.
The assisting party must implement data security standards to protect personal data. Access to the data should be limited to authorised personnel, and secure channels should be used for data transfers.
In the event of data subject requests, such as access or deletion requests, the assisting party must coordinate with the company to determine the appropriate response, taking into account any legal privileges or ongoing investigations that may exempt disclosure.
Cross-border data transfers must comply with Swiss data protection rules. If personal data is transferred abroad, additional safeguards (such as EU Standard Contractual Clauses with the necessary "Swiss Finish") may be required, unless the party assisting with the investigation can rely on a statutory exception (see questions 15 and 16).
Personal data should be deleted or returned once the assisting party's involvement concludes, unless retention is legally required. Retention beyond that point for the assisting party's own purposes is not permitted.
7. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation?
Under the FADP, the data subject's consent is not required to process their business-related data (eg, emails in a business mailbox or other business correspondence), provided that the processing principles are complied with, no sensitive personal data (see question 3) is disclosed to third parties (processors are not third parties) and the data subject has not expressly objected to the processing. If the principle of proportionality is violated (eg, because an unnecessarily large amount of personal data is processed), the data subject's consent is required unless the company conducting the investigation can rely on overriding private interests as a justification. Such overriding interests will, in particular, exist with respect to the business-related personal data of the person who is under investigation on suspicion of misconduct.
By contrast, the company conducting the investigation has no such overriding interest where the investigation involves the data subject's private data; for this, the data subject's consent is required. It is nevertheless permissible to triage the material (eg, to filter private emails out of the business mailbox), even though the triage itself constitutes processing.
8. If not mandatory, should consent still be considered when planning and carrying out an investigation?
In investigations, obtaining consent from data subjects carries both advantages and disadvantages. On the positive side, consent can justify data processing in violation of processing principles and may foster an atmosphere of respect and transparency with those involved. This might enhance trust and cooperation, potentially leading to more effective and efficient investigations. However, obtaining consent may jeopardise the investigation and introduces a significant degree of uncertainty since data subjects have the right to withdraw their consent at any time, which may complicate ongoing investigations. Although such withdrawal does not apply retrospectively and thus does not affect the legality of data processing conducted prior to the withdrawal, it can still disrupt the investigation moving forward. In practice, we rarely see the consent of the data subject being obtained, unless the investigating company seeks to include data that can only be obtained with the consent of the data subject (eg, correspondence or pictures on a private mobile phone of the data subject).
9. Is consent given by employees likely to be valid in an investigation carried out by their employer?
Under Swiss law, employees are generally obliged to cooperate with internal investigations by virtue of their duty of loyalty, but the validity of consent given by employees to the processing of their personal data in such investigations is a complex matter. To be valid, consent must be given freely and on an informed basis for one or more specific processing activities (article 6 FADP). Consent is freely given only if the data subject has a genuine choice, ie, an alternative that does not entail unreasonable disadvantages. Given the inherent power imbalance in the employment relationship, consent obtained from employees may not always be regarded as freely given and may therefore be invalid under the FADP. Employers must also balance their investigative needs against their duty of care towards employees and ensure that the investigation methods do not unduly infringe personal rights. Provided the stricter requirements for voluntariness are met (eg, by giving employees a reasonable option to decline without adverse consequences), an employee's consent may nonetheless be valid. When seeking employees' consent for investigation purposes, employers should therefore take care not to make employees feel pressured or restricted in their freedom of choice.
Since the employee's consent is generally not mandatory to conduct an investigation (see question 7), we generally recommend, to the extent possible, not to obtain and rely on the employee's consent, but, if the FADP applies, to comply with the processing principles and, if the GDPR applies (and therefore any processing activity must be justified), to ensure that any data processing during an investigation is justified by legal bases other than consent, such as the necessity for compliance with legal obligations or the pursuit of legitimate interests.
10. How can consent be given by a data subject? Is it possible for data subjects to give their consent to processing in advance?
For consent to be valid, it must be given freely and on an informed basis for one or more specific processing activities (article 6 FADP). In principle, consent under the FADP is not subject to any formal requirement (ie, it may also be implied). From the perspective of the company obtaining consent, however, it is advisable to obtain consent in writing for evidentiary purposes. Only in certain cases must consent be given explicitly: where consent is relied on to justify the processing of sensitive personal data or high-risk profiling (article 6(7) FADP), and where it is relied on for the cross-border disclosure of personal data to a country without an adequate level of data protection (article 17(1)(a) FADP).
Consent can be obtained through various means, such as standard business terms and conditions. However, it must be sufficiently specific. Written consent requests should be presented separately from other matters, in a clear, accessible, transparent and easily understandable language. Consent must be obtained either prior to or at the time of data collection.
11. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?
Under the FADP, data subjects have several rights, including during an investigation. These rights include the following.
Right to access
Data subjects have the right to request access to their personal data being processed. This includes, among others, confirmation as to whether their data is being processed, information about the purposes of processing, categories of personal data concerned, recipients or categories of recipients to whom the data has been disclosed, and the envisaged period for which the personal data will be stored. This right extends to receiving a copy of their personal data, typically free of charge.
However, a company may refuse, restrict or delay the provision of information, among others, to protect its own overriding interests (here, not to jeopardise the investigation), provided that the personal data is not disclosed to third parties, to protect overriding interests of third parties or if necessary to comply with Swiss legal obligations, such as professional secrecy obligations.
Against this background, in practice, companies generally delay the provision of information until the investigation is concluded, unless the provision of information does not compromise the integrity or objectives of the investigation.
Right to rectification
Data subjects may also request the correction of inaccurate or incomplete personal data. This is particularly relevant if the data being used in an investigation is incorrect or misleading.
Right to erasure/right to restriction of processing
Under certain conditions, data subjects may request the deletion or the restriction of processing, for instance, where their personal data is no longer needed for the investigation. However, these rights are not absolute and may be limited in the context of an investigation if the data is necessary for compliance with a legal obligation, or if the controller has an overriding interest in retaining the data (eg, for the purpose of establishing, exercising or defending legal claims).
EXTRACTION, LEGAL REVIEW AND ANALYSIS BY THIRD PARTIES, INTERNATIONAL TRANSFER
12. Are there specific requirements to consider where third parties are appointed to process personal data in connection with an investigation?
Specific requirements may apply depending on the third party's role. Where the third party acts as a processor under the instructions of the company conducting the investigation (as a forensic service provider typically does), the parties must enter into a written DPA specifying, among other things, the purpose and scope of the processing, the required security measures, confidentiality obligations, the conditions for deletion or return of the data and the processor's compliance obligations. Access to the data should be limited to authorised personnel, and secure channels should be used for data transfers (see question 6).
If the third party processes personal data outside Switzerland, additional requirements come into play to ensure adequate protection of the personal data abroad. Under article 16 FADP, personal data can only be transferred abroad if the receiving country guarantees an adequate level of data protection. If not, additional safeguards must be implemented (such as EU Standard Contractual Clauses with the necessary "Swiss Finish"), unless the company conducting the investigation and exporting the data to the third party can rely on a statutory exception (see questions 15 and 16).
13. Is it permitted to share personal data with law firms or legal process outsourcing firms for the purpose of providing legal advice?
Yes. Under the FADP, companies may generally process personal data without justification, as long as they comply with the FADP's general data processing principles, such as purpose limitation and proportionality. Sharing of personal data with law firms or legal process outsourcing firms, like any other disclosure of data, constitutes an act of processing. Law firms assisting companies in investigations are typically considered independent data controllers. Therefore, they are not required to enter into DPAs.
If the law firm processes personal data outside Switzerland, the company conducting the investigation and exporting the data must ensure an adequate level of data protection. Under article 16 FADP, data can only be transferred abroad if the recipient country guarantees adequate protection; otherwise, additional safeguards must be implemented (such as EU Standard Contractual Clauses with the necessary "Swiss Finish"), unless the company conducting the investigation and exporting the data to the third party can rely on a statutory exception (see questions 15 and 16).
As one of these exceptions, the FADP recognises that personal data may be transferred abroad if such disclosure is necessary for the establishment, exercise or enforcement of legal claims before a court or another competent foreign authority. This exception is of high practical relevance, for example, in connection with civil litigation proceedings before US courts involving Swiss companies or criminal proceedings conducted by the US Department of Justice (DoJ) against Swiss companies.
14. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?
No, the requirements are specified above.
15. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?
According to article 16 FADP, personal data may only be transferred abroad if the receiving country has been recognised by the Swiss Federal Council as providing an adequate level of data protection. Recognised countries, including the member states of the European Economic Area and the United Kingdom, are listed in Annex I of the Swiss FDPO. The Swiss-US Data Privacy Framework (DPF), which was approved in August 2024 after the EU-US DPF entered into force in July 2023, allows for the transfer of personal data to certified US companies without the need for additional guarantees. However, given the current practical concerns regarding a potential invalidation of the DPF, organisations in practice often still implement backup solutions, such as the EU Standard Contractual Clauses (SCCs) with the necessary Swiss Finish, to ensure continued compliance should the DPF be invalidated with immediate effect in the future.
In the absence of recognition by the Swiss Federal Council, personal data may only be disclosed abroad if additional safeguards are in place, such as the EU SCCs with the necessary Swiss Finish or binding corporate rules.
16. Are there specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations?
The FADP (article 17) sets out exceptions to the prohibition of cross-border transfers to countries that do not provide an adequate level of data protection. Exceptions that are relevant in connection with internal investigations include the following:
- the data subject has explicitly consented to the disclosure;
- the disclosure is directly connected with the conclusion or performance of a contract between the controller and the data subject, or between the controller and its contracting partner in the interest of the data subject;
- the disclosure is necessary to safeguard an overriding public interest (such as cooperation in criminal investigations or regulatory compliance), or for the establishment, exercise or enforcement of legal claims before a court or another competent foreign authority (see question 13); or
- the data subject has made the data generally accessible and has not expressly prohibited its processing.
TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES
17. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?
The transfer of personal data to regulators and enforcement authorities within Switzerland must adhere to the FADP's data processing principles in the same way as any other processing. In Switzerland, there are various enforcement authorities with different but overall extensive investigative powers. As outlined in the Swiss Criminal Procedure Code, prosecutors in Switzerland have far-reaching powers to investigate criminal activities, including inspecting premises, seizing documents and interviewing individuals. Regulatory authorities such as the Swiss Financial Market Supervisory Authority (FINMA) and the Competition Commission (COMCO) also have specific powers to conduct on-site inspections and enforce compliance with regulatory requirements. For instance, FINMA's supervisory powers under the FINMASA include the authority to request extensive information from supervised entities. Similarly, COMCO is empowered by the Swiss Cartel Act to investigate anticompetitive practices and request relevant data.
In certain circumstances, such as criminal investigations, data transfers may be required to fulfil legal obligations, including court orders or subpoenas, or for public interest reasons, such as the prevention or investigation of serious crimes. Disclosures may also be necessary for supervisory investigations or administrative proceedings to ensure adherence to relevant regulations.
18. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?
When producing data to a foreign authority outside the framework of mutual legal and administrative assistance proceedings, the Swiss blocking statute (article 271 SCC) must be considered, as it prohibits unauthorised acts on behalf of a foreign state within Switzerland's territory (see question 2). Furthermore, if the data to be transferred contains third-party business secrets, articles 162 and 273 SCC must be considered (see question 2).
While the FADP does not apply to disclosures within the framework of mutual legal assistance proceedings (article 2(3) FADP), all other disclosures to foreign regulators and law enforcement agencies must adhere to the FADP and its principles just like any other data processing activity, in particular the rules governing cross-border data transfers (see questions 15 and 16).
In derogation from the FADP's general rule that data may only be disclosed if the receiving country guarantees an adequate level of data protection, the FADP allows for the disclosure abroad when such disclosure is necessary to establish, exercise or enforce legal rights before a court or another competent foreign authority (article 17(1)(c)(2)). The terms "court" and "authority" are to be interpreted broadly. While the previous version of the FADP allowed for disclosure solely before a court, the revised FADP now includes competent foreign authorities, encompassing supervisory, tax or criminal prosecution authorities. For example, this revision is significant for data transfers from Swiss companies to the US DoJ (see question 13). Additionally, the FADP allows for the disclosure of personal data to foreign third parties assisting the disclosing party in these foreign proceedings, including foreign law firms or experts, under this legal exception.
However, this exception is not a free pass to transfer any data to foreign authorities. Data may only be disclosed on the basis of this exception if the disclosure is "necessary" for the establishment, exercise or enforcement of legal rights. Before disclosing the data, the exporting company must therefore assess whether the disclosure of the personal data in question is appropriate and necessary for the establishment, exercise or enforcement of the specific legal rights. This requires a case-by-case assessment, taking into account in particular the consequences of non-disclosure: if there is a risk of disadvantage, disclosure will generally be considered necessary. The exception also allows the disclosure of personal data in the context of participation in pretrial discovery in the US or other countries with a common law system. In such cases, protective or confidentiality orders are usually agreed between the parties and confirmed by the court.
Article 42c(1) of the FINMASA allows supervised parties to transmit non-public information to the foreign financial market supervisory authorities responsible for them and to other foreign entities responsible for supervision provided that (i) the information is used exclusively to implement financial market law (or is forwarded to other authorities, courts or bodies for this purpose), (ii) the requesting authorities are bound by official or professional secrecy (notwithstanding provisions on the public nature of proceedings and the notification of the general public about such proceedings), and (iii) that the rights of clients and third parties are preserved.
19. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?
These are recommended general steps the recipient of such a request may consider taking, among others:
- Acknowledge Receipt and Understand the Request: Promptly acknowledge receipt of the request to the regulator. Carefully review the request to understand what specific data is being requested. If the request is unclear, seek clarification from the regulator.
- Assess Legal Obligations: Review relevant data protection, secrecy and other laws to ensure that the disclosure complies with legal requirements. Check any confidentiality agreements or obligations that may affect the disclosure of the requested data.
- Conduct a Data Review: Identify and locate the data (including personal data) requested. Ensure that you have a comprehensive inventory of all relevant data. Assess whether the data requested is relevant and necessary for the purpose stated by the regulator. Based on the review, and where possible, negotiate to narrow the scope of the request to the specific purpose of the investigation.
- Prepare the Data for Disclosure: Ensure that only the minimum amount of personal data necessary for the purpose is disclosed. Where possible, anonymise or pseudonymise data to protect individuals' identities.
- Inform Affected Individuals: If required, and no exception applies, inform individuals whose data will be disclosed about the request and, if necessary, obtain their consent.
- Document the Process: Maintain records of all steps taken in response to the request, including communications with the regulator, legal advice received and data disclosed. Ensure there is a clear audit trail to demonstrate compliance with legal and regulatory requirements.
ENFORCEMENT AND SANCTIONS
20. What are the sanctions and penalties for non-compliance with data protection laws?
In Switzerland, non-compliance with data protection laws can result in a range of sanctions and penalties.
The revised FADP introduced fines for certain wilful violations (eg, of relevance to investigations: a breach of the obligations to provide access or to cooperate, a breach of the cross-border data transfer rules, or the failure to conclude a data processing agreement or the conclusion of a non-compliant one). Unlike under the GDPR, these fines are generally imposed on the individuals responsible for data protection within an organisation, such as data protection officers or members of the management. The fines can (theoretically) go up to 250,000 Swiss francs.
In addition, the FDPIC has the authority to issue orders to ensure compliance with data protection laws. This can include ordering the cessation of data processing activities, mandating corrective actions or requiring the deletion of unlawfully processed data.
RELEVANT MATERIALS
21. Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.
- Federal Act of 25 September 2020 on Data Protection (SR 235.1)
- Ordinance of 31 August 2022 on Data Protection (SR 235.11)
- Website of the Federal Data Protection and Information Commissioner (FDPIC)
- Guidance from the FDPIC on cross-border transfers of personal data (published on 23 July 2024)
- Swiss Criminal Code of 21 December 1937 (status as of 1 January 2025) (SR 311.0)
- Swiss Banking Act of 8 November 1934 (status as of 1 January 2024) (SR 952.0) (no official English translation available)
- Federal Act on Financial Institutions of 15 June 2018 (status as of 1 March 2024) (SR 954.1)
Originally published by Global Investigations Review.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.