Constitutional right to privacy
The Swiss Constitution of April 18, 1999, guarantees the right to privacy in Article 13:
Right to Privacy
- Each person has the right to respect for his or her private and family life, his or her home, and his or her written communications, mail and telecommunications.
- Each person has the right to protection against the misuse of his or her personal data.
Federal Data Protection Act
The Swiss Federal Data Protection Act (DPA) was adopted by the Swiss Parliament on June 19, 1992, and entered into force on July 1, 1993. Various amendments have been made since the enactment of the law. The most recent amendments entered into force on January 1, 2011. The official German, French and Italian versions of the DPA are available online on the website of the Federal Authorities of the Swiss Confederation.
An unofficial English translation of the DPA can be found on the same website.
The DPA is structured as follows:
- Purpose, Scope of Application and Definitions
- General Data Protection Provisions
- Processing of Personal Data by Private Persons
- Processing of Personal Data by Federal Authorities
- Federal Data Protection and Information Commissioner
- Legal Protection
- Criminal Provisions
- Final Provisions
Federal Data Protection Ordinance
The Swiss Federal Data Protection Ordinance (DPO) was adopted on June 14, 1993 by the Swiss Federal Council in order to implement the DPA. It entered into force on July 1, 1993. The latest amendments entered into force on December 1, 2010.
An unofficial English translation of the DPO can be found on the same website.
Federal Ordinance on Data Protection Certification
The Swiss Federal Ordinance on Data Protection Certification (DPCO) was adopted on September 27, 2007 by the Swiss Federal Council in order to implement certain provisions of the DPO. The DPCO entered into force on January 1, 2008.
An unofficial English translation of the DPCO can be found on the same website.
Guidelines on the minimum requirements for a data protection management system (Guidelines for the certification of organisation and procedure)
Based on the DPCO, the Federal Data Protection and Information Commissioner has adopted on July 16, 2008, the Guidelines on the minimum requirements for a data protection management system (Guidelines for the certification of organisation and procedures, DPMS-Guidelines). The DPMS-Guidelines are based on the international standards for management systems, in particular ISO/IEC 27001:2005. The DPMS-Guidelines entered into force on September 1, 2008.
Specific data protection provisions in other laws
Various laws contain provisions relating to data
protection in specific fields of application. Most of these provisions
relate to data processing by federal government agencies, but there are
some that apply to data processing by private entities.
The most noteworthy of these are provisions in the Swiss Code of Obligations regarding the processing of employee data, which is discussed in more detail in the section on the processing of employee data.
Certain professions and businesses are subject to
special secrecy obligations and, if breached, may result in penal
sanctions. The most significant of these are the secrecy obligations of
physicians, lawyers, auditors, members of the clergy, telecommunications
businesses and banks.
Codes of conduct
Some industries in Switzerland have adopted codes of conduct for data processing and data protection, such as for example the market research and direct marketing industries.
The DPA applies to data processing by both private entities and federal bodies. All Swiss cantons have their own laws regulating data processing by cantonal and municipal bodies. Each canton also appoints a cantonal data protection commissioner to supervise compliance by the authorities with the applicable cantonal laws.