Constitutional right to privacy
The Swiss Constitution of 18 April 1999 guarantees the right to privacy in Article 13:
Right to Privacy
- Each person has the right to respect for his or her private and family life, his or her home, and his or her written communications, mail and telecommunications.
- Each person has the right to protection against the misuse of his or her personal data.
Federal Data Protection Act
The Swiss Federal Data Protection Act (DPA) was adopted by Swiss Parliament on 19 June 1992 and entered into force on 1 July 1993. Various amendments have been made since the enactment of the law. The most recent amendments entered into force on 1 January 2011. The official German, French and Italian versions of the DPA are available online on the website of the Federal Authorities of the Swiss Confederation.
An unofficial English translation of the DPA can be found on the same website.
The DPA is structured as follows:
- Purpose, Scope of Application and Definitions
- General Data Protection Provisions
- Processing of Personal Data by Private Persons
- Processing of Personal Data by Federal Authorities
- Federal Data Protection and Information Commissioner
- Legal Protection
- Criminal Provisions
- Final Provisions
Federal Data Protection Ordinance
The Swiss Federal Data Protection Ordinance (DPO) was adopted on June 14, 1993 by the Swiss Federal Council in order to implement the DPA. It entered into force on July 1, 1993. The latest amendments entered into force on December 1, 2010.
An unofficial English translation of the DPO can be found on the same website.
Federal Ordinance on Data Protection Certification
The Swiss Federal Data Protection Ordinance (DPO) was adopted on 14 June 1993 by the Swiss Federal Council in order to implement the DPA. It entered into force on 1 July 1993. The latest amendments entered into force on 16 October 2012.
An unofficial English translation of the DPCO can be found on the same website.
Guidelines on the minimum requirements for a data protection management system (Guidelines for the certification of organisation and procedure)
Based on the DPCO, the Federal Data Protection and Information Commissioner adopted on 16 July 2008, the Guidelines on the minimum requirements for a data protection management system (Guidelines for the certification of organisation and procedures, DPMS Guidelines). The DPMS Guidelines are based on the international standards for management systems, in particular ISO/IEC 27001:2005. The DPMS Guidelines entered into force on 1 September 2008 and were last amended in March 2014.
Specific data protection provisions in other laws
Various laws contain provisions relating to data protection in specific fields of application. Most of these provisions relate to data processing by federal government agencies, but there are some that apply to data processing by private entities.
The most noteworthy of these are provisions in the Swiss Code of Obligations regarding the processing of employee data, which is discussed in more detail in the section on the processing of employee data.
Certain professions and businesses are subject to special secrecy obligations and, if breached, may result in penal sanctions. The most significant of these are the secrecy obligations of physicians, lawyers, auditors, members of the clergy, telecommunications businesses and banks.
Codes of conduct
Some industries in Switzerland have adopted codes of conduct for data processing and data protection, such as for example the market research and direct marketing industries.
The DPA applies to data processing by both private entities and federal bodies. All Swiss cantons have their own laws regulating data processing by cantonal and municipal bodies. Each canton also appoints a cantonal data protection commissioner to supervise compliance by the authorities with the applicable cantonal laws.