Constitutional right to privacy
The Swiss Constitution of 18 April 1999 guarantees the Right to Privacy in Article 13:
Right to Privacy
- Every person has the right to privacy in their private and family life and in their home, and in relation to their mail and telecommunications.
- Every person has the right to be protected against the misuse of their personal data.
Federal Act on Data Protection
The Federal Act on Data Protection (FADP) was adopted by Swiss Parliament on 19 June 1992 and entered into force on 1 July 1993. Various amendments have been made since the enactment of the law. The Swiss Parliament recently adopted the totally revised FADP. The entry into force of the new FADP will occur on 1 September 2023. The official current German, French and Italian versions of the FADP are still in force and available online on the website of the Federal Authorities of the Swiss Confederation.
An unofficial English translation of the FADP can be found on the same website.
The revised FADP is structured as follows:
- Purpose, Scope of Application and Supervisory Authority of the Confederation
- General Provisions
- Duties of the Controller and the Processor
- Rights of the Data Subject
- Special Provisions for Data Processing by Private Persons
- Special Provisions for Data Processing by Federal Bodies
- Federal Data Protection and Information Commissioner
- Criminal Provisions
- Conclusion of International Treaties
- Final Provisions
Federal Ordinance to the Federal Act on Data Protection
The Federal Ordinance to the Federal Act on Data Protection (DPO) was adopted on June 14, 1993 by the Swiss Federal Council in order to implement the FADP. It entered into force on July 1, 1993. The latest amendments entered into force on October 16, 2012. The Federal administration is currently still in the process of drafting the new DPO relating to the revised FADP.
An unofficial English translation of the DPO can be found on the same website.
Federal Ordinance on Data Protection Certification
The Federal Ordinance on Data Protection Certification (DPCO) was adopted on 28 September 2007 by the Swiss Federal Council in order to implement the possibility of data protection certification and therefore overall improve data protection and data security. The latest amendments entered into force on 1 November 2016. In the course of the revision of the FADP, the Federal administration is currently still in the process of drafting the new DPCO.
An unofficial English translation of the DPCO can be found on the same website.
Guidelines on the minimum requirements for a data protection management system (Guidelines for the certification of organisation and procedure)
Based on the DPCO, the Federal Data Protection and Information Commissioner (FDPIC) adopted on 16 July 2008, the Guidelines on the minimum requirements for a data protection management system (Guidelines for the certification of organisation and procedures, DPMS Guidelines). The DPMS Guidelines are based on the international standards for management systems, in particular ISO/IEC 27001:2013. The DPMS Guidelines entered into force on 1 September 2008 and were last amended in March 2014.
Specific data protection provisions in other laws
Various laws contain provisions relating to data protection in specific fields of application. Most of these provisions relate to data processing by federal government agencies, but there are some that apply to data processing by private entities.
The most noteworthy of these are provisions in the Swiss Code of Obligations regarding the processing of employee data, which is discussed in more detail in the section on the processing of employee data.
Certain professions and businesses are subject to special secrecy obligations, which, if breached, may result in criminal sanctions. The most significant of these are the secrecy obligations of physicians, lawyers, auditors, members of the clergy, telecommunications businesses and banks.
Codes of conduct
Some industries in Switzerland have adopted codes of conduct for data processing and data protection, such as for example the market research and direct marketing industries.
Article 11 of the revised FADP provides incentives for professional, trade and business associations to develop their own codes of conduct. They may submit the codes of conduct to the FDPIC for an opinion which will be published thereafter. The FDPIC’s opinions may contain objections and recommend relevant modifications or clarifications. If the FDPIC’s opinion on the submitted code of conduct is favorable, it can be assumed that the code of conduct complies with the applicable data protection laws. This form of self-regulation offers the advantage that data controllers do not need to conduct their own data protection impact assessment if they comply with a code of conduct that is based on a previous data protection impact assessment (that is still relevant), provides for measures to protect privacy and fundamental rights and has been approved by the FDPIC.
The FADP applies to data processing by both private entities and federal bodies. All Swiss cantons have their own laws regulating data processing by cantonal and municipal bodies. Each canton also appoints a cantonal data protection commissioner to supervise compliance by the authorities with the applicable cantonal laws. The cantonal and municipal data protection authorities have joined together to form the association “privatim – the Conference of Swiss Data Protection Commissioners”.