The primary laws and regulations governing data protection in Switzerland are the Swiss Federal Data Protection Act (DPA), the Swiss Federal Data Protection Ordinance (DPO), the Swiss Federal Ordinance on Data Protection Certification (DPCO) and the Guidelines of the Federal Data Protection and Information Commissioner on the minimum requirements for a data protection management system.
The DPA is currently under revision. A preliminary draft of the new DPA was published on 21 December 2016. Additional information about the revision is available here.
Categories of data
Swiss data protection law applies to the personal data of both individuals and legal entities, such as corporations ("data subjects"). Stronger legal protection is provided for sensitive personal data and personality profiles.
Principles of data processing
Swiss data protection law applies equally to electronic and manual data processing. Personal data may only be processed lawfully and in accordance with the following Substantive Requirements:
The processing of personal data must be carried out in good faith and must be proportionate. Personal data may be used only for the purpose specified at the time of its collection, and both the fact that personal data is collected and the purpose for processing it must be apparent to the data subjects. The data must be accurate. A lawful justification for data processing may be required. Data security must be ensured.
Under certain circumstances, data files must be registered with the Federal Data Protection and Information Commissioner. Data subjects have the right to access their data and to have incorrect data corrected (see Formal Requirements).
Data transfers abroad
The transfer of personal data out of Switzerland is restricted. Unless certain exceptions apply, personal data may not be transferred to countries that lack data protection laws providing an adequate level of data protection. Under certain circumstances, the Federal Data Protection and Information Commissioner needs to be informed before a transfer abroad takes place (see Data Transfers Abroad).