Unless certain exceptions apply, the DPA requires the controller of the data file (i.e., the person deciding on the purpose and the content of a data file) to inform data subjects of the collection of sensitive personal data or personality profiles. In principle, this notice needs to be given when the data are collected. Data subjects must be informed, at a minimum, of the identity of the controller of the data file, the purpose of the data processing and the categories of recipients of the data if the disclosure of the personal data to third parties is anticipated.
Intentionally refraining from either informing the data subjects of the collection of data or providing the minimum information required by law is an offence punishable by a fine of up to CHF 10'000.–. If the fine is not paid, it can be replaced by imprisonment for up to 3 months.
Registration of data files
As a general rule, if a private person or legal entity regularly processes sensitive personal data or personality profiles or regularly discloses personal data to a third party, then the data files must be registered, before they are created, with the Federal Data Protection and Information Commissioner. The DPA and the Swiss Federal Data Protection Ordinance (DPO) provide exceptions to the registration obligation, including if
- a private person processes personal data under a legal obligation to do so;
- the controller of the data file has appointed a person responsible for data protection who complies with the requirements set out in the Swiss Federal Ordinance on Data Protection Certification (DPCO) and who independently monitors internal compliance with data protection regulations and maintains an index of the data files. Such appointment has to be notified to the Federal Data Protection and Information Commissioner;
- the controller of the data file has obtained a quality certification as specified in the DPA and the DPCO and has notified the result of the certification process to the Federal Data Protection and Information Commissioner;
- the data file contains exclusively supplier or customer data and does not contain sensitive personal data or personality profiles;
- it is an auxiliary data file for employee administration which does not contain sensitive personal data or personality profiles.
Under prior law, no registration of data files was required if the data subjects had knowledge of the processing of their sensitive personal data, personality profiles or the disclosure to third parties. This exception is no longer available and therefore many data files may now require registration.
Failure to register a data file when required to do so by law is an offence punishable by a fine of up to CHF 10'000.–. If the fine is not paid, it can be replaced by imprisonment for up to 3 months. The same applies if, when registering the data file, willfully false information is provided.
Right to access
Each person has the right to submit a written request to the controller of a data file, with evidence of the person's identity, for disclosure of whether data about such person is being processed.
The controller of the data file must inform the data subject about all data stored with respect to the data subject (including the available information on the source of the data) and also the purpose and, if applicable, the legal basis for the data processing, the categories of processed data, the participants in the data processing and the recipients of the data.
The reply must be complete and provided in writing within 30 days and without charge.
The controller of a data file may refuse, restrict or defer the provision of information only if:
- permitted by law;
- the overriding interests of a third party require it; or
- the controller's own overriding interests require it and the controller does not disclose personal data to third parties.
Special rules are applicable to the media (newspapers, radio and television broadcasters, etc.).
Intentionally providing inaccurate or incomplete information is an offence punishable by a fine of up to CHF 10'000.–. If the fine is not paid, it can be replaced by imprisonment for up to 3 months.
Right to rectification
Data subjects can request that their data be corrected or deleted. If it cannot be established whether the data are accurate, then the data subject can ask to have such dispute noted in the data record.