1 Legal and enforcement framework
1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?
The main data protection legislation in Switzerland is the Federal Act on Data Protection of 25 September 2020 (FADP), which came into force on 1 September 2023 and governs the processing of personal data by:
- private persons (ie, individuals and private-sector legal entities); and
- federal bodies.
The FADP is complemented by:
- the Ordinance on Data Protection; and
- the Ordinance on Data Protection Certification.
In addition to the federal legislation, each canton has its own cantonal data protection legislation, which governs the processing of personal data by cantonal and municipal authorities.
1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?
Several laws containing provisions related to data protection apply to specific sectors or types of data processing. The following enumeration is non-exhaustive and is intended to give an overview of the most important ones.
The Federal Act on Unfair Competition contains regulations regarding direct marketing, while the Telecommunications Act regulates the use of cookies and similar technologies. The Federal Act on Information Security applies to federal and cantonal authorities and to private-sector operators of critical infrastructure and regulates, among other things, the notification obligation for cyberattacks.
Several other sector-specific laws also contain regulations regarding data protection – for example:
- in the medical sector, statutes such as:
  - the Federal Act on Research Involving Human Beings; and
  - the Federal Act on the Electronic Patient Record; and
- in the financial sector:
  - the Federal Banking Act; and
  - the Federal Act on Financial Institutions.
Apart from the provisions of the FADP with respect to the processing of sensitive personal data, the use of biometric data is regulated by other laws for specific uses, such as the Ordinance on the Processing of Biometric Identification Data.
1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?
The Federal Council has issued a number of adequacy decisions for countries that provide an adequate level of data protection, thus allowing the cross-border transfer of personal data without any additional guarantees. In return, the European Union and other countries have recognised Switzerland as a country offering an adequate level of data protection.
In August 2024, the Federal Council further recognised the Swiss-US Data Privacy Framework as offering an adequate level of data protection. Since 15 September 2024, personal data can thus be transferred to certified US companies without any additional safeguards.
1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?
The Federal Data Protection and Information Commissioner (FDPIC) is the federal authority for overseeing and enforcing the application of the FADP. Cantonal data protection laws are overseen by the cantonal data protection authorities.
The FDPIC can open an investigation ex officio or upon a report submitted by data subjects or third parties, if there are sufficient indications that a data processing activity could violate data protection regulations. In case of failure to cooperate, the FDPIC can order:
- access to information, documents, premises and installations;
- the questioning of witnesses; and
- appraisals by experts.
If the FDPIC detects a violation, he can order administrative measures, such as:
- modification, suspension or termination of processing;
- deletion or destruction of personal data;
- delay or prohibition of disclosure abroad;
- implementation of measures to meet data protection by design, data protection by default or data security requirements;
- provision of information to data subjects;
- conduct of a data protection impact assessment (DPIA);
- data security breach notification; or
- grant of the right of information to data subjects.
The FDPIC:
- has the power to approve standard contractual clauses or binding corporate rules for cross-border data transfers; and
- may raise objections to planned processing activities if a DPIA indicates a high residual risk despite the planned security measures.
The FDPIC may file a complaint with the competent prosecution authority and exercise the rights of a private claimant in the proceeding. However, he has no authority to impose administrative sanctions. The imposition of fines under the FADP is the responsibility of the ordinary cantonal and federal prosecution authorities.
1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?
The FDPIC regularly issues guidelines, factsheets, templates and instructions on different topics such as:
- cross-border disclosure of personal data;
- data security breach notification;
- the use of cookies and similar technologies; and
- technical and organisational security measures.
These documents do not have legally binding character, but they are a good indicator for future areas of focus in investigations and should therefore be considered by controllers and processors of personal data.
2 Scope of application
2.1 Which entities are captured by the data privacy regime in your jurisdiction?
The Federal Act on Data Protection (FADP) applies to federal bodies and private persons – that is, individuals and private-sector legal entities that process personal data of natural persons.
2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?
The FADP does not apply to:
- personal data being processed by a natural person exclusively for personal use;
- personal data being processed by the Federal Assembly and parliamentary committees as part of their deliberations; or
- personal data being processed by institutional beneficiaries who enjoy immunity from jurisdiction in Switzerland.
2.3 Does the data privacy regime have extra-territorial application?
Yes, the FADP applies to circumstances that have an effect in Switzerland, even if they are initiated abroad.
3 Definitions
3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.
(a) Processing
Any handling of personal data, irrespective of the means and procedures used – in particular the collection, storage, keeping, use, modification, disclosure, archiving, deletion or destruction of data.
(b) Processor
A private person or federal body that processes personal data on behalf of the controller.
(c) Controller
A private person who or federal body which, alone or jointly with others, determines the purpose and the means of processing personal data.
(d) Data subject
A natural person whose personal data is processed.
(e) Personal data
Any information relating to an identified or identifiable natural person.
(f) Sensitive personal data
- Data relating to religious, philosophical, political or trade union-related views or activities;
- Data relating to health, the private sphere or affiliation to a race or ethnicity;
- Genetic data;
- Biometric data that uniquely identifies a natural person;
- Data relating to administrative and criminal proceedings or sanctions; and
- Data relating to social assistance measures.
(g) Consent
Not formally defined in the Federal Act on Data Protection (FADP). However, Article 6(6) of the FADP states that consent is valid only if given voluntarily for one or more specific instances of processing based on appropriate information.
3.2 What other key terms are relevant in the data privacy context in your jurisdiction?
- 'Disclosure': Transmitting personal data or making such data accessible.
- 'Profiling': Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person – in particular, to analyse or predict aspects concerning that natural person's:
  - performance at work;
  - economic situation;
  - health;
  - personal preferences;
  - interests;
  - reliability;
  - behaviour;
  - location; or
  - movements.
- 'High-risk profiling': Profiling that poses a high risk to the data subject's personality or fundamental rights by matching data that allow an assessment to be made of essential aspects of the personality of a natural person.
- 'Breach of data security': A breach of security that leads to the accidental or unlawful loss, deletion, destruction or modification of, or unauthorised disclosure of or access to, personal data.
- 'Federal body': An authority or service of the confederation or a person entrusted to carry out public tasks on behalf of the confederation.
4 Registration
4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?
There is no duty to register for controllers or processors in Switzerland. However, federal bodies must notify their processing activities to the Federal Data Protection and Information Commissioner (FDPIC). The Federal Act on Data Protection does not provide for sanctions for failure to notify processing activities.
4.2 What is the process for registration?
Processing activities must be registered via the dedicated online portal on the FDPIC's website: https://www.datareg.edoeb.admin.ch.
4.3 Is registered information publicly accessible?
The portal of the FDPIC is public and all active registrations of processing activities can be viewed by anyone.
5 Data processing
5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?
With respect to the legal basis for processing personal data, the Federal Act on Data Protection (FADP) differentiates between federal bodies and private persons. Federal bodies always need a statutory basis for processing personal data.
Processing by private persons is generally permitted, unless such processing unlawfully breaches the data subjects' personality rights. This is particularly the case where:
- personal data is processed:
  - contrary to the principles of Articles 6 and 8 of the FADP; or
  - against the express wishes of the data subject; or
- sensitive personal data is disclosed to third parties.
No breach of personality rights arises, however, when the data subject:
- has made the personal data generally accessible; and
- has not explicitly prohibited its processing.
In case of a breach of personality rights, controllers must rely on one of the legal justifications provided for by Article 31 of the FADP for the processing to be permitted – that is:
- the data subject's consent;
- the controller's overriding legitimate interest;
- an overriding public interest; or
- a law.
5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?
The FADP sets out the following key principles for processing personal data, including sensitive personal data:
- Lawfulness: Personal data must be processed lawfully.
- Good faith and proportionality: The processing must:
  - be carried out in good faith; and
  - be proportionate.
- Purpose limitation: Personal data:
  - may only be collected for a specific purpose that the data subject can recognise; and
  - must be further processed in a manner that is compatible with this purpose.
- Storage limitation: Personal data must be destroyed or anonymised as soon as it is no longer required for the purpose of processing.
- Accuracy: Whoever processes personal data must:
  - ensure that the data is accurate; and
  - take all appropriate measures to correct, delete or destroy data that is incorrect or incomplete with respect to the purpose of processing.
- Data security: Controllers and processors must guarantee a level of data security appropriate to the risk by taking suitable technical and organisational measures.
- Transparency: When collecting personal data, the controller must provide data subjects with adequate information to exercise their rights and ensure transparent data processing, at least the following:
  - the controller's identity and contact details;
  - the purpose of the processing;
  - if applicable, the recipients or categories of recipients of the personal data;
  - if the data is not collected from the data subject, the categories of processed personal data; and
  - if the personal data is disclosed abroad, the state or international body to which it is disclosed and the applicable guarantees or exception.
These principles must be complied with, whether the processing is outsourced or not. Pursuant to Article 8 of the FADP, the principle of data security must explicitly be complied with by controllers and processors. With respect to the other processing principles, it is the controller's responsibility to ensure that the processor complies with the legal requirements.
5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?
Processing by processors: The processing of personal data may be assigned to a processor by contract or by the legislation if:
- no statutory or contractual duty of confidentiality prohibits the assignment; and
- the processor only processes the data in the manner in which the controller itself is permitted to.
The controller must ensure that the processor:
- can guarantee data security; and
- only assigns processing to a third party with the controller's prior approval.
Data protection impact assessment (DPIA): If processing is likely to result in a high risk to the data subject's personality or fundamental rights, the controller must carry out a DPIA beforehand. If the DPIA reveals a high residual risk despite the security measures planned, the controller must seek the Federal Data Protection and Information Commissioner's opinion.
Data protection by design and by default: Controllers must:
- from the planning stage, arrange the data processing in technical and organisational terms so that the data protection regulations are respected; and
- ensure by means of suitable default settings that the processing of personal data is limited to the minimum required for the purpose intended, unless the data subject specifies otherwise.
Automated individual decisions: Data subjects must:
- be informed about any decision based exclusively on automated processing that has a legal consequence for or a considerable adverse effect on them; and
- be given the right to:
  - express their point of view; and
  - request that the automated individual decision be reviewed by a natural person.
6 Data transfers
6.1 What requirements and restrictions apply to the transfer of data to third parties?
When personal data is disclosed to third parties, the data subjects must be informed:
- about the recipients or categories of recipients; and
- when it is disclosed cross-border, also about the state or international body to which it is disclosed and the applicable guarantees or exceptions (see question 5.2).
The disclosure of sensitive personal data to third parties (processors are not considered third parties in this context) is considered a breach of the data subjects' personality rights and therefore needs a legal justification – that is:
- the data subject's consent;
- the controller's overriding legitimate interest;
- an overriding public interest; or
- a law.
Federal bodies may disclose personal data only if:
- there is a statutory basis for doing so; or
- one of the exceptions provided for by the Federal Act on Data Protection (FADP) applies – for example:
  - fulfilment of a statutory duty;
  - the data subject's consent;
  - protection of the life or physical integrity of the data subject or a third party; or
  - the data subject having made the data generally accessible and not having explicitly prohibited its processing.
6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?
Personal data may be disclosed cross-border if the Federal Council has decided that the legislation of the respective state or international body guarantees an adequate level of protection. The list of adequate countries can be found in Annex 1 to the Ordinance on Data Protection.
In the absence of an adequacy decision, data protection must be guaranteed by a transfer mechanism such as:
- a treaty under international law;
- data protection clauses notified beforehand to the Federal Data Protection and Information Commissioner (FDPIC);
- specific guarantees drawn up by the competent federal body and notified to the FDPIC;
- standard data protection clauses approved, issued or recognised by the FDPIC;
- binding corporate rules approved by the FDPIC or by the data protection authority of an adequate country; or
- a code of conduct or certification approved by the FDPIC.
The FADP further provides for the following exceptions to legitimise cross-border transfers:
- the data subject's explicit consent;
- disclosure directly connected with the conclusion or performance of a contract with or in the interest of the data subject;
- safeguarding of an overriding public interest;
- establishment, exercise or enforcement of legal rights before a foreign court or other competent authority;
- protection of the life or physical integrity of the data subject or a third party;
- the data subject having made the data generally accessible and not having explicitly prohibited its processing; or
- the data originating from a statutory register that is public or accessible to persons with a legitimate interest.
6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?
According to the FDPIC's guide to checking the admissibility of data transfers to foreign countries, a transfer impact assessment (TIA) is necessary for transfers based on one of the legal mechanisms for transfers to non-adequate countries. The guide also lists:
- four guarantees that should be evaluated in the course of a TIA; and
- mandatory supplemental measures if these guarantees are not met.
When using EU standard contractual clauses that are recognised by the FDPIC as a valid transfer mechanism, such clauses must be supplemented by specific additional clauses for transfers from Switzerland.
7 Rights of data subjects
7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?
Right of access/information: Any person has the right to:
- request information from the controller on whether personal data relating to them is being processed; and
- receive the information required to:
  - be able to exercise their rights under the Federal Act on Data Protection (FADP); and
  - guarantee transparent data processing.
Article 25(2) of the FADP lists the minimum information that must be provided. In general, access requests must be answered within 30 days and free of charge, unless providing the information involves a disproportionate cost. The controller may refuse requests:
- if a formal law so provides;
- to safeguard overriding third-party interests; or
- if the request is obviously unjustified or frivolous.
Right to rectification: Data subjects may request that incorrect personal data be corrected, unless:
- a statutory provision prohibits the correction; or
- the personal data is processed for archiving purposes in the public interest.
If neither the accuracy nor the inaccuracy of the relevant personal data can be established, the data subject may request that the data be marked as being disputed.
Right to object to processing: Data subjects have the right to object to the processing of their personal data, unless processing is justified by:
- an overriding private or public interest; or
- the law.
Right to request prohibition of processing: Data subjects may request that a specific data processing activity be prohibited.
Right to withdraw consent: Data subjects have the right to withdraw their consent at any time.
Right to data portability: Data subjects may request the controller to deliver to them or, if no disproportionate effort is required, to another controller personal data they have disclosed to it and that is processed based on:
- the data subject's consent; or
- a contract between the controller and the data subject.
The data must be delivered in a conventional electronic format and, as a rule, free of charge.
Right to object to the disclosure to third parties: Data subjects may request that a specific disclosure of personal data to third parties be prohibited.
Rights with respect to automated individual decisions: Data subjects have the right to:
- express their point of view; and
- request that the decision be reviewed by a natural person.
Right to deletion/right to be forgotten: Data subjects may request that their personal data be deleted or destroyed.
Right to lodge a complaint: Data subjects have the right to file a report on possible data protection violations with the competent data protection authority.
7.2 How can data subjects seek to exercise their rights in your jurisdiction?
The individual data subject rights granted by Articles 25–29 of the FADP – that is, the right of access/information and the right to data portability – can be asserted directly against the controller. The legal rights granted under Article 32 of the FADP – such as the right to rectification or deletion of personal data and the right to object to processing or to disclosure to third parties – can be asserted in civil proceedings under civil law to protect personality rights (Articles 28–28l of the Civil Code).
7.3 What remedies are available to data subjects in case of breach of their rights?
Data subjects can report possible violations of data protection regulations to the Federal Data Protection and Information Commissioner via a dedicated online reporting portal: https://www.edoeb.admin.ch/en/report-form-data-subjects.
Data subjects may further claim for damages, satisfaction and/or surrender of profits in case of an unjustified violation of their personality. However, the claimant in this case must establish and quantify the economic loss suffered as a result of the violation, which is usually difficult in practice.
8 Compliance
8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?
The appointment of a data protection officer (DPO) is only mandatory for federal bodies. Private controllers may appoint a DPO on a voluntary basis. The Federal Act on Data Protection does not provide for any sanctions for failure to appoint a DPO.
8.2 What qualifications or other criteria must the data protection officer meet?
The DPO must:
- have the required expert knowledge;
- exercise their functions towards the controller in a professionally independent manner without being bound by instructions; and
- not carry out any activities that are incompatible with their tasks as a DPO.
8.3 What are the key responsibilities of the data protection officer?
The DPO acts as contact point for the data subjects and for the competent data protection authorities in Switzerland. Their main duties include:
- training and advising the controller in matters of data protection; and
- providing support on the application of the data protection regulations.
8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
Yes, the DPO can be an external person or company. There are no particular requirements or restrictions that apply only when the role is outsourced; the general requirements (see questions 8.2 and 8.3) must in any case be complied with.
8.5 What record-keeping and documentation requirements apply in the data privacy context?
Both controllers and processors must maintain a record of their processing activities.
The controller's record must, at minimum, include:
- the controller's identity;
- the purpose of the processing;
- the categories of data subjects and of processed personal data;
- the categories of recipients;
- if possible, the retention period for the personal data or the criteria for determining such period;
- if possible, a general description of the data security measures taken; and
- if the data is disclosed abroad, the state and the applicable guarantee.
The processor's record must contain:
- the processor's and controller's identity;
- the categories of processing carried out on behalf of the controller;
- if possible, a general description of the data security measures taken; and
- if the data is disclosed abroad, the state and the applicable guarantee.
Private-sector organisations with fewer than 250 employees on 1 January of any year are exempt from the obligation to keep a record of processing activities if their data processing poses a negligible risk of harm to the personality of the data subjects – that is, if they do not:
- process large volumes of sensitive personal data; or
- carry out high-risk profiling.
8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?
The principles of privacy by design and privacy by default apply to any data processing.
For processing activities that are likely to result in a high risk to the data subject's personality or fundamental rights, the controller must:
- carry out a data protection impact assessment (DPIA) beforehand; and
- keep it for at least two years after the data processing has ended.
If the DPIA reveals a high residual risk despite the security measures planned, the controller must seek the Federal Data Protection and Information Commissioner's (FDPIC) opinion. Private controllers who have appointed a DPO that satisfies the statutory requirements (see question 8.2) are exempt from the duty of consultation of the FDPIC if they consult their DPO.
9 Data security and data breaches
9.1 What obligations apply to data controllers and processors to preserve the security of personal data?
Article 8 of the Federal Act on Data Protection stipulates that controllers and processors must take suitable technical and organisational measures (TOMs) to:
- ensure a level of data security appropriate to the risk; and
- prevent data security breaches.
The Ordinance on Data Protection regulates the data security requirements in more detail.
To assess the risk level and thus the need for protection, criteria such as the following will be taken into account:
- the type of data being processed;
- the purpose, nature, extent and circumstances of the processing; and
- the risk for the data subjects' personality or fundamental rights.
To determine the appropriate TOMs, the state of the art and the implementation costs will also be considered.
The TOMs must ensure the following attributes of the processed personal data:
- confidentiality (by data access control, premises and facilities access control and user control);
- availability and integrity (by data carrier control, storage control, transport control, restoration, availability, reliability, data integrity and system security); and
- traceability (by entry control, disclosure control, data breach recognition and elimination).
Private controllers and processors that process a large volume of sensitive personal data by automated means or carry out high-risk profiling must:
- keep a log file that records at least the storage, alteration, reading, disclosure, deletion and destruction of the data; and
- issue processing regulations, including in particular details of:
  - the internal organisational structure;
  - data processing and control procedures; and
  - the measures that guarantee data security.
Federal bodies must:
- keep a log file whenever they process personal data by automated means; and
- issue processing regulations when they process sensitive personal data by automated means or carry out profiling.
9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Controllers must notify the Federal Data Protection and Information Commissioner (FDPIC) as quickly as possible of any breach of data security that is likely to lead to a high risk to the data subject's personality or fundamental rights. To determine the risk level, controllers must assess:
- the severity of the consequences; and
- the likelihood that they will occur.
Notifications to the FDPIC must be made via the dedicated online reporting portal (https://databreach.edoeb.admin.ch/report) and must include the following information:
- information on the breach;
- the time and duration, if possible;
- the categories and approximate amount of personal data concerned, if possible;
- the categories and approximate number of data subjects, if possible;
- the consequences, including any risks, for the data subjects;
- the measures that have been taken or are planned to remedy the breach and mitigate the consequences, including any risks; and
- the name and contact details of a contact person.
The FDPIC also accepts voluntary reports of data security breaches. According to the FDPIC's guidelines on reporting data security breaches, voluntary reports have proven to be useful, especially in cases where the risk analysis indicates a low risk because of the data involved, but where media interest may arise, for example, due to the large number of persons affected. Voluntary reports are to be submitted outside the reporting portal.
9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
The controller must inform the data subjects if this is required for their protection – that is, if:
- they can or must take action to mitigate or minimise the damage resulting from the data security breach; or
- the FDPIC so requests.
The following information must be provided:
- the form of breach;
- the consequences, including any risks, for the data subjects;
- the measures that have been taken or are planned to remedy the breach and mitigate the consequences, including any risks; and
- the name and contact details of a contact person.
The controller may limit, delay or refrain from notification of data subjects if:
- this is required to safeguard overriding third-party interests;
- the controller is a federal body and the measure is required to satisfy overriding public interests, or notification may compromise an enquiry, an investigation or administrative or judicial proceedings;
- notification is impossible or requires disproportionate effort; or
- notification of data subjects is equally guaranteed by a public announcement.
9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?
Processors must notify the controller of any breach of data security as quickly as possible.
Controllers must document breaches of data security. The documentation must:
- contain a summary of the circumstances of the incidents, their effects and the measures taken; and
- be retained for at least two years.
10 Employment issues
10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?
Article 328b of the Code of Obligations stipulates that employers may handle personal data concerning employees only to the extent that such data:
- concerns the employees' suitability for their job; or
- is necessary for the performance of the employment contract.
In all other respects, the provisions of the Federal Act on Data Protection apply.
10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?
Article 26 of Ordinance 3 to the Employment Act prohibits the use of monitoring or control systems to monitor the behaviour of employees in the workplace. If it is necessary to use a monitoring or control system for any other reason (eg, to monitor performance, production or safety control), it must be done in such a way that it does not affect employees' health or their freedom to move around normally without being under constant surveillance. Moreover:
- the system chosen must be proportionate to the aim pursued; and
- the employees must be informed in advance.
For the use of a monitoring or control system to be permissible, the following conditions must be met:
- the existence of an interest that clearly outweighs the interest in monitoring behaviour (eg, safety of personnel, operations or production optimisation);
- proportionality between the employer's interest in monitoring areas that are of existential importance to the company and the employees' interest in not being monitored; and
- employee participation (eg, via the works council or employee representation) in:
  - the planning, installation and operating times of the monitoring and control systems; and
  - the storage period of the recorded data.
10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?
Pursuant to Article 362 of the Code of Obligations, it is not permissible to derogate from the provisions of Article 328b (handling of employees' personal data; see question 10.1) to the detriment of the employee, even if the latter consents. Any processing of employee data outside the framework of Article 328b must be justified for other reasons – for example:
- with the consent of the employee;
- due to an overriding private or public interest; or
- by law.
However, it must be considered that employees are very rarely in a position to freely give, refuse or revoke their consent, given the subordinate nature of the employer/employee relationship.
11 Online issues
11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?
The use of cookies and similar technologies in Switzerland is regulated by:
- the Telecommunications Act (TCA); and
- the Federal Act on Data Protection (FADP), where the processing of personal data is involved.
Pursuant to Article 45c of the TCA, the use of cookies and similar technologies is allowed, provided that the users have been informed about:
- the related data processing and its purpose; and
- the possibility to refuse consent to such processing.
Where the use of cookies and similar technologies involves the processing of personal data, the requirements of the FADP must be complied with. As private controllers do not need a legal justification as long as the processing has a lawful purpose, is proportionate and is carried out in good faith according to the statutory principles, consent is generally not required.
However, in his guidelines on data processing by means of cookies and similar technologies, the Federal Data Protection and Information Commissioner (FDPIC) has stated that any use of non-essential cookies – that is, cookies that are not technically necessary for the website to function correctly – violates the principle of proportionality and therefore needs a legal justification (ie, an overriding legitimate interest or consent). The FDPIC recommends obtaining consent for any use of non-essential cookies that is not generally expected by users and/or leads to profiling, such as:
- web analysis; or
- personalised advertising.
Explicit consent is required, according to the FDPIC:
- when sensitive personal data is processed; or
- in case of high-risk profiling (eg, cross-site tracking).
These recommendations are not legally binding, but they can be an indicator for possible future areas of focus in investigations.
11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?
Cloud computing services are generally considered as third-party processing and must thus comply with the regulations regarding processing by processors stipulated in Article 9 of the FADP.
The processing may only be assigned to a processor (ie, cloud service provider) if:
- no statutory or contractual duty of confidentiality prohibits the assignment; and
- the cloud service provider only processes the data in the manner in which the controller itself is permitted to do.
The controller must:
- conclude a contract with the cloud service provider; and
- ensure that the cloud service provider:
  - can guarantee data security; and
  - engages sub-processors only with the controller's prior approval.
Cloud computing services often involve the cross-border transfer of personal data. If this is the case:
- the regulations on cross-border disclosure of personal data set out in Articles 16 and 17 of the FADP must be complied with; and
- depending on the destination country, a transfer impact assessment may be necessary (see question 6).
11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?
Electronic direct marketing in Switzerland is regulated by the Federal Act on Unfair Competition (UCA). Pursuant to Article 3(1):
- mass advertising without direct connection with any requested content may be sent only with the prior consent of the recipients; and
- each communication must:
  - indicate the correct sender; and
  - offer a simple and free-of-charge option of refusal (opt-out).
The UCA provides for an exception under which mass advertising can be sent without prior consent. It applies if the sender:
- has received the contact details directly from the recipient in connection with the sale of goods, works or services;
- has indicated the option of rejecting marketing communications at the time of this transaction; and
- only sends advertising for its own goods, works or services similar to those acquired in the course of this transaction.
If all these conditions are fulfilled, electronic direct marketing is allowed without the recipient's consent. However, an opt-out option must still be offered in each communication.
12 Disputes
12.1 In which forums are data privacy disputes typically heard in your jurisdiction?
If the Federal Data Protection and Information Commissioner (FDPIC) detects a violation of data protection regulations, he can order administrative measures pursuant to Article 51 of the Federal Act on Data Protection (FADP) to enforce compliance. These administrative measures, issued in the form of a ruling, can be contested before the Federal Administrative Court.
The criminal provisions provided for by Articles 60–63 of the FADP are prosecuted and adjudicated by the cantonal prosecution authorities. The FDPIC may file a complaint with the competent prosecution authority and exercise the rights of a private claimant in the proceedings.
Furthermore, data subjects can enforce their legal rights under Article 32 of the FADP in ordinary civil proceedings before the competent civil courts.
12.2 What issues do such disputes typically involve? How are they typically resolved?
Disputes may involve the granting of privacy rights – in particular, the right of access, correction and deletion of personal data, typically in labour disputes. They are judged:
- by the competent cantonal courts; or
- where the defendant is a federal authority, by the Federal Administrative Court.
12.3 Have there been any recent cases of note?
As the revised FADP, granting the FDPIC additional powers and introducing more stringent penal provisions, only entered into force in September 2023, there are no notable cases as yet that have been judged under the new legislation.
One notable recent decision is the ruling of Zurich Commercial Court HG220030-O of 21 August 2024 in Fédération Internationale de Football Association (FIFA) vs. Google Ireland Limited and Google LLC. The dispute involved highly critical articles about FIFA published on a third-party website, which appeared as search results on Google. FIFA argued that:
- these articles violated its personality rights and damaged its reputation; and
- by indexing and linking to such content, Google increased its dissemination and thus contributed to the violation of FIFA's personality rights.
FIFA therefore demanded that Google be prohibited from listing these articles in the search results. The court rejected FIFA's request on the grounds that Google lacked passive legitimacy (ie, was not the proper defendant). A decisive factor was that FIFA was unable to demonstrate that the simple search term 'FIFA' led to the articles in question. The court therefore ruled that Google could not be considered as contributing to the violation of personality rights and thus could not be held responsible.
This ruling could be important for future similar cases, as it clarifies the liability of search engines regarding the violation of personality rights. However, the decision can still be appealed to the Federal Supreme Court and may therefore not be the final word in this case.
13 Trends and predictions
13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
Since the entry into force of the revised Federal Act on Data Protection in September 2023, the Federal Data Protection and Information Commissioner (FDPIC) has issued a number of guides, factsheets and templates and updated existing documents to reflect the new legislation. Particular emphasis has been placed on technical issues such as:
- technical and organisational measures;
- the use of cookies; and
- data security breaches.
Investigations initiated by the FDPIC have concerned, among other things:
- data security breaches;
- processing by processors; and
- the principles of transparency and proportionality.
New legislation is anticipated in the field of AI regulation. On 27 March 2025, Switzerland signed the Council of Europe Convention on AI and thus committed itself to making the necessary amendments to Swiss law. The objective is to regulate AI in such a way that its potential can be used to strengthen Switzerland as a location for business and innovation while keeping the risks to society as low as possible. To achieve this goal, the Federal Council has decided to focus on the following parameters:
- The Council of Europe's AI Convention will be incorporated into Swiss law, applying primarily to state actors.
- Where legislative amendments are necessary, these should be sector-specific as far as possible, with only key areas relevant to fundamental rights – such as data protection – being subject to general, cross-sectoral regulation.
- Additional, legally non-binding measures will be developed, such as:
  - self-declaration agreements; or
  - industry solutions.
A draft bill and a plan for non-legally binding measures are expected by the end of 2026.
14 Tips and traps
14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?
In order to comply with data protection requirements, each company should not only know the statutory requirements, but also have an overview of matters such as:
- the personal data it processes;
- where this data is stored and transferred to; and
- how long this data is kept for.
It is therefore strongly recommended to keep a register of processing activities, even for small businesses that may fall within the exemption granted under the Federal Act on Data Protection. Furthermore, companies should:
- implement privacy policies and procedures;
- regularly train their employees on data protection; and
- ensure the ongoing monitoring of privacy compliance.
Special attention is required when it comes to granting access rights and providing information to data subjects about the processing of their personal data. Also, it is recommended to be particularly attentive when engaging processors within and outside Switzerland, as the controller remains liable for any breaches of data protection regulations. It is therefore essential to:
- have the appropriate contracts in place;
- carefully select and assess vendors; and
- continuously monitor their compliance with data security and data protection requirements.
Another area of focus is data security, which has become increasingly important due to the rapid pace of technological development.