What privacy rights do individuals have under the Federal Act on Data Protection (FADP)?
Part 6 of our series on data protection law in Switzerland
In this part of our series, we explore the privacy rights that individuals have under the Swiss Federal Act on Data Protection (FADP).
The FADP grants data subjects rights that can be asserted directly against the controller, i.e. the right of access and the right to data portability, and rights that can be asserted in court when personal data is processed in violation of the principles, such as the right to request the rectification, deletion or destruction of personal data, and the right to request prohibition of processing or disclosure to a third party.
Right of access
Any data subject (or a person authorised by them) has the right to request information from the controller on whether personal data relating to them is being processed and to receive the information required to be able to exercise their rights under the FADP and to guarantee transparent data processing. The following information must be provided at a minimum:
- the identity and contact details of the controller;
- the personal data being processed as such;
- the purpose of the processing;
- the retention period of the personal data or, if this is not possible, the criteria used to determine this period;
- any available information on the source of the personal data, insofar as the data was not obtained directly from the data subject;
- where applicable, the existence of an automated individual decision, as well as the logic on which the decision is based;
- where applicable, the recipients or categories of recipients to whom personal data is disclosed (see upcoming part 8 of our series for more information); and
- the countries or international bodies abroad (including those that ensure an adequate level of data protection, such as EU member states) to which personal data has been disclosed, and, if applicable, the safeguards in place for such data transfers (see upcoming part 11 of our series for more information).
The request must always be made in writing, for example by e-mail. Only in exceptional cases can a request be communicated verbally. Art. 25(2) FADP lists the minimum information that must be provided. In general, access requests must be answered within 30 days and free of charge, unless providing the information involves a disproportionate cost.
Right to data portability
Data subjects may request the controller to deliver their personal data, or transfer it to another controller, in a conventional electronic format, and free of charge. However, this right only applies to personal data provided to the controller by the data subjects themselves and processed by automated means, based on the data subject's consent or on a contract between the controller and the data subject.
Rights with respect to automated individual decisions
Data subjects must be informed about automated individual decisions and have the right to express their point of view with respect to an automated individual decision concerning them and to request that the decision be reviewed by a natural person.
Right to withdraw consent
Data subjects have the right to withdraw their previously given consent as a justification for data processing at any time with effect in the future.
Right to lodge a complaint
Data subjects have the right to lodge a complaint with the competent supervisory authority, i.e. the Federal Data Protection and Information Commissioner (FDPIC), if they believe that the processing of personal data concerning them is in breach of the FADP.
Right to object to processing
The FADP does not provide an explicit right to object, but the controller may not process personal data against the explicit wishes of the data subject without a legal justification. Accordingly, any data subject may express the wish that their personal data not be processed. In this case, the controller may no longer process the personal data unless it bases the data processing on a justification, such as an overriding private or public interest or a law.
The rights listed above are not absolute but must be balanced against the legitimate interests of the controller to use certain personal data for legitimate business purposes, to fulfil a contract or to comply with a legal obligation to which the controller is subject.
In addition to the above-mentioned privacy rights, data subjects have legal claims pursuant to Art. 32 FADP. In particular, the data subject may file a claim for the protection of their privacy with the competent civil court and request:
- that incorrect personal data be corrected, unless:
  - there is a statutory regulation prohibiting the correction,
  - the personal data is being processed for archiving purposes in the public interest, or
  - neither the accuracy nor the inaccuracy of the relevant personal data can be established, in which case the data subject may request that the data be marked as being disputed;
- that a specific data processing be prohibited;
- that a specific disclosure of personal data to third parties be prohibited;
- that personal data be deleted or destroyed;
- that the correction, the deletion or the destruction, the prohibition of processing or of disclosure to third parties, the note indicating the objection or the judgement be communicated to third parties or published.
Preview of Part 7
In part 7 of our series, we will examine if and under what circumstances the appointment of a DPO is mandatory under the FADP.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.