National
Constitutional right to privacy
The Swiss Constitution of April 18, 1999, guarantees the right to privacy in Article 13:
Right to Privacy
- Each person has the right to respect for his or her private and family life, his or her home, and his or her written communications, mail and telecommunications.
- Each person has the right to protection against the misuse of his or her personal data.
Federal Data Protection Act
The Swiss Federal Data Protection Act (DPA) was adopted by the Swiss Parliament on June 19, 1992, and entered into force on July 1, 1993. Various amendments have been made since the enactment of the law. The most recent amendments entered into force on January 1, 2008. The official German, French and Italian versions of the DPA are available online on the website of the Federal Authorities of the Swiss Confederation.
An unofficial English translation of the DPA can be found on the same website.
The DPA is structured as follows:
- Purpose, Scope of Application and Definitions
- General Data Protection Provisions
- Processing of Personal Data by Private Persons
- Processing of Personal Data by Federal Authorities
- Federal Data Protection and Information Commissioner
- Legal Protection
- Criminal Provisions
- Final Provisions
Federal Data Protection Ordinance
The Swiss Federal Data Protection Ordinance (DPO) was adopted on June 14, 1993 by the Swiss Federal Council in order to implement the DPA. It entered into force on July 1, 1993. The latest amendments entered into force on January 1, 2008.
The official German, French and Italian versions of the DPO are available online on the website of the Federal Authorities of the Swiss Confederation.
An unofficial English translation of the DPO can be found on the same website.
Federal Ordinance on Data Protection Certification
The Swiss Federal Ordinance on Data Protection Certification (DPCO) was adopted on September 27, 2007 by the Swiss Federal Council in order to implement certain provisions of the DPO. The DPCO entered into force on January 1, 2008.
The official German, French and Italian versions of the DPCO are available online on the website of the Federal Authorities of the Swiss Confederation.
An unofficial English translation of the DPCO can be found on the same website.
Guidelines on the minimum requirements for a data protection management system (Guidelines for the certification of organisation and procedure)
Based on the DPCO, the Federal Data Protection and Information Commissioner adopted, on July 16, 2008, the Guidelines on the minimum requirements for a data protection management system (Guidelines for the certification of organisation and procedures, DPMS-Guidelines). The DPMS-Guidelines are based on the international standards for management systems, in particular ISO/IEC 27001:2005. The DPMS-Guidelines entered into force on September 1, 2008.
The official German, French and Italian versions of the DPMS-Guidelines are available online on the website of the Federal Authorities of the Swiss Confederation.
Specific data protection provisions in other laws
Various laws contain provisions relating to data protection in specific fields of application. Most of these provisions relate to data processing by federal government agencies, but there are some that apply to data processing by private entities.
The most noteworthy of these are provisions in the Swiss Code of Obligations regarding the processing of employee data, which is discussed in more detail in the section on processing of employee data.
Professional secrecy
Certain professions and businesses are subject to special secrecy obligations, the breach of which may result in penal sanctions. The most significant of these are the secrecy obligations of physicians, lawyers, auditors, members of the clergy, telecommunications businesses and banks.
Codes of conduct
Some industries in Switzerland have adopted codes of conduct for data processing and data protection, for example the market research and direct marketing industries.
Cantonal
The DPA applies to data processing by both private entities and federal bodies. Most Swiss cantons have their own laws regulating data processing by cantonal and municipal bodies. The majority of the cantons have also appointed a cantonal data protection commissioner to supervise compliance by the authorities with the applicable cantonal laws.
International
EU directive on data protection
Switzerland is a member of neither the European Union nor the European Economic Area. Accordingly, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EU Directive) is not applicable in Switzerland.
The European Commission decided on July 26, 2000 in Commission Decision 2000/518/EC (Official Journal L 215/1 of 25.8.2000) that Swiss law provides adequate protection of personal data and therefore data transfers from Member States to Switzerland are, in principle, permitted under Art. 25(1) of the EU Directive, without limiting the effect of other laws of the European Union.
European Council (Convention 108)
Switzerland ratified the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No 108) on October 2, 1997 and its Additional Protocol on December 20, 2007. The Convention entered into force for Switzerland on February 1, 1998 and its Additional Protocol on April 1, 2008.