Overview
Legal framework
The primary laws and regulations governing data protection in Switzerland are the Federal Act on Data Protection (FADP), the Federal Ordinance to the Fderal Act on Data Protection (DPO), the Federal Ordinance on Data Protection Certification (DPCO) and the Guidelines of the Federal Data Protection and Information Commissioner (FDPIC) on the minimum requirements for a data protection management system (DPMS-Guidelines).
The FADP’s revision including the revision of the Data Protection Ordinance and the revision of the Ordinance on Data Protection Certifications has recently been completed. The revised FADP, the revised Data Protection Ordinance and the revised Ordinance on Data Protection will enter into force on 1 September 2023. The revision of the FADP largely follows the European Union’s General Data Protection Regulation’s (GDPR) approach.
Additional information about the revision, the revised FADP, the revised Data Protection Ordinance and the revised Ordinance on Data Protection Certifications is available here. Unless explicitly provided for otherwise, the information provided on www.dataprotection.ch pertains to the legislation currently in force and not to the revised legislation.
Categories of data
Swiss data protection law applies to the personal data of both individuals and legal entities, such as corporations ("data subjects"). Stronger legal protection is provided for sensitive personal data and personality profiles.
Principles of data processing
Swiss data protection law applies equally to electronic and manual data processing. Personal data may only be processed lawfully and in accordance with the following Substantive Requirements: the processing of personal data must be made in good faith and must be proportionate. Personal data may be used only for the purpose specified at the time of its collection and both the fact that personal data is collected and the purpose for processing it must be apparent to the data subjects. The data must be accurate. A lawful justification for data processing may be required. Data security must be ensured.
Formal requirements
Under certain circumstances, data files must be registered with the Federal Data Protection and Information Commissioner. Data subjects have the right to access their data and to have incorrect data corrected (see Formal Requirements).
Data transfers abroad
The transfer of personal data out of Switzerland is restricted. Unless certain exceptions apply, personal data may not be transferred to countries which lack data protection laws which provide an adequate level of data protection. Under certain circumstances, the Federal Data Protection and Information Commissioner needs to be informed before a transfer abroad takes place (see Data Transfers Abroad).