the Swiss Federal Data Protection Act?
Definition of personal data
The Swiss Federal Data Protection Act (DPA) defines personal data as "all information relating to an identified or identifiable person".
"Person" refers not only to a natural person (individual), but also to a legal entity. The legal form of the entity is not relevant. Accordingly, personal data under the DPA can mean data relating to individuals as well as to partnerships, corporations, associations, cooperatives or any other legal entity. The extension of protection for data relating to legal entities can create difficulties in the context of cross-border data transfers because few other countries provide adequate protection for data relating to legal entities.
A person is "identified" or "identifiable" if the information permits the identification of the person concerned. A person can be identifiable even if the data are stored in an anonymous form, e.g., under a code number, but separate information allows a link to be made between the code and the identity of the person. A person will be deemed not to be identifiable only if the information is anonymous and no link can be established between the anonymous information and the person concerned.
Sensitive personal dataThe DPA classifies personal data as "sensitive personal data" if it relates to:
- religious, philosophical, political or trade union-related views or activities;
- health, the intimate sphere of the person or racial origin;
- social assistance measures; or
- criminal or administrative proceedings and penalties.
Personal data within this definition will almost always relate to a natural person rather than a legal entity.
Financial data are not sensitive personal data under the DPA. Switzerland's banking secrecy law, however, protects the confidentiality of the existence of the banking relationship, the identity of the bank's customer and any other information related to the banking relationship.
Sensitive personal data are subject to enhanced legal protection under the DPA.
Personality profiles
A personality profile is a collection of data which allows the assessment of essential characteristics of the personality of a natural person. Accordingly, legal entities do not benefit from this protection. Personality profiles are subject to the same enhanced legal protection as sensitive personal data.
The law does not provide a clear definition of "personality profiles". Innocuous data may constitute a personality profile and the data collected from the use of credit cards and marketing loyalty cards will often create personality profiles.
Structuring personal data in a data file
The DPA defines a "data file" as a collection of personal data structured to permit it to be searched by data subjects. Typically, records in alphabetical order will qualify as a data file and electronically stored data also are likely to constitute a data file because the data can be readily searched. The name of the data subject is not the only criterion which results in a collection of personal data constituting a data file if other criteria allow data relating to a single person to be retrieved.