Disclosing Personal Data to Third Parties
Definition of "third parties"
A third party is any entity other than the disclosing entity. The economic links between the disclosing party/entity and the recipient entities are not relevant. Therefore, companies within the same group as the disclosing entity, i.e., the parent, sister companies or subsidiaries are considered third parties and the sharing of personal data within a group is deemed to be a disclosure to third parties for the purposes of the Swiss Federal Data Protection Act (DPA).
Restrictions on disclosure
The DPA does not permit the disclosure of sensitive data or personality profiles to third parties without lawful justification. The consent of the data subject can constitute a lawful justification. Breach of this prohibition is an offence if knowledge of the sensitive data has been gathered in the course of a professional activity requiring knowledge of such data and can be punished by a fine of up to CHF 10'000.–. If the fine is not paid, it can be replaced by imprisonment for up to 3 months.