Unless certain exceptions apply, the FADP requires the data controller to inform the data subjects appropriately about the collection of their personal data. This information obligation also applies when the data is not collected directly from the data subjects.
At the time of collection, the data controller must provide the data subjects with all information that is required in order for the data subjects to assert their rights under the FADP and to ensure transparent data processing. In particular, the data controller must provide the data subjects with information on the controller’s identity and contact details, on the purpose of the data processing, as well as, if applicable, on the recipients or the categories of recipients to which personal data is disclosed.
If the data is not collected from the data subjects, the controller must additionally inform the data subjects of the categories of personal data that are processed. In that case, the controller must provide all the information set out above at the latest one month after receipt of the personal data. If the controller discloses the collected data before the end of that month, the data subjects must be informed at the time of disclosure at the latest.
If personal data is disclosed abroad, the controller additionally informs the data subjects of the name of the state or international body to which the data is disclosed. Where the Federal Council has not determined that this state or international body offers an adequate level of data protection, the controller must also inform the data subjects of the safeguards that guarantee an appropriate level of protection or, if applicable, of the exception relied upon (such as explicit consent or the fact that disclosure is necessary in order to safeguard an overriding public interest).
The duty to provide information is restricted or waived through a number of limitations and exemptions laid out in the FADP. The duty does not apply if the data subject already has the corresponding information, if the data processing is provided for by law, or if the data controller is a private person bound by a legal obligation of secrecy. It also does not apply if the data is collected exclusively for publication in the edited section of a periodically published medium and informing the data subjects would reveal the sources of the information, give access to draft publications or jeopardise the free formation of public opinion.
Where personal data is not collected from the data subjects, the information obligation also does not apply if it is not possible to provide the information or if doing so would require disproportionate effort.
Moreover, the controller may restrict, defer or completely waive providing information to the data subjects in the following cases:
- if this is required to protect overriding interests of third parties;
- if the information prevents the processing from fulfilling its purpose;
- if the controller is a private person, and the measure is required by the controller’s overriding interests and the controller does not disclose personal data to third parties;
- if the controller is a federal body and there is either an overriding public interest (in particular the internal or external security of Switzerland) or providing the information would be liable to compromise an inquiry, an investigation or an administrative or judicial proceeding.
Controllers also have an obligation to inform the data subjects of decisions based solely on automated processing that have legal consequences for them or otherwise significantly affect them (automated individual decisions). In addition, the data subjects have the right to express their views and to request that the decision be reviewed by a natural person. However, the information obligation does not apply in such cases if the decision is directly connected with the conclusion or performance of a contract between the data controller and the data subject and the data subject's request is fully satisfied, or if the data subject has expressly consented to the decision being taken in an automated manner.
Intentionally refraining from providing information or intentionally providing false or incomplete information is an offence punishable by a fine of up to CHF 250,000.
Right to access
Data subjects have the right to access their data, but there is no exhaustive list of information that is to be provided – depending on the circumstances, data subjects may have far-reaching rights to ask for information about the processing of their data. In addition, data subjects have rights relating to an automated individual decision-making process, and to have their data provided to them or another controller in a common, machine-readable format.
Any person may ask the data controller whether personal data about them is being processed.
The data controller must provide to the data subjects all information that is required for the data subjects to assert their rights under the FADP and to ensure transparent processing of data. In any case, the following information must be provided to the data subjects:
- identity and contact details of the controller;
- the personal data processed as such;
- the purpose of the data processing;
- the retention period for the personal data or, if this is not possible, the criteria for determining this period;
- the available information on the source of the personal data, if it has not been collected from the data subjects;
- if applicable, whether an automated individual decision has been taken and the logic behind the decision;
- if applicable, the recipients or categories of recipients to which personal data is disclosed, as well as the information on the name of the state or international body or adequate safeguards in cases of cross-border disclosure of data.
As a general rule, the information must be provided free of charge within 30 days of the access request.
The right to access may not be waived in advance.
With the data subject's consent, the controller may arrange for personal data on the data subject's health to be communicated to them by a healthcare professional designated by the data subject.
Where a data controller has assigned the data processing to a data processor, the data controller remains under the obligation to provide information to the data subjects.
The controller may refuse, restrict or defer providing information if:
- permitted by law (in particular to protect a professional secret);
- the overriding interests of a third party require it;
- the access request by a data subject is obviously unjustified, in particular if it pursues a purpose that is contrary to data protection or if it is obviously of a frivolous nature; or
- the controller’s own overriding interests require it and the controller does not disclose personal data to a third party (while companies controlled by the same legal entity are not considered third parties in this context).
Data controllers must indicate the grounds on which they refuse, restrict or defer providing information upon request of the data subjects.
Special rules are applicable to the media (newspapers, radio and television broadcasters, etc.).
Intentionally providing inaccurate or incomplete information is an offence punishable by a fine of up to CHF 250,000.
Right to data portability
Any person may request – usually free of charge – from the controller the disclosure of the personal data that they have disclosed to the controller in a standard electronic format if the following requirements are met:
- the controller processes the data in an automated manner; and
- the data is processed with the consent of the data subject or in direct connection with the conclusion or performance of a contract between the data controller and the data subject.
The data subject may also request the data controller to transfer their personal data to another controller under the same requirements as laid out above and only if such transfer does not involve a disproportionate effort for the initial data controller.
The controller may refuse, restrict or defer the disclosure and transfer of personal data in the following cases and must indicate reasons for such refusal, restriction or deferral:
- if permitted by law (in particular to protect a professional secret);
- if the overriding interests of a third party require it;
- if the access request by a data subject is obviously unjustified, in particular if it pursues a purpose that is contrary to data protection or if it is obviously of a frivolous nature; or
- if the controller’s own overriding interests require it and the controller does not disclose personal data to a third party (while companies controlled by the same legal entity are not considered third parties).
Right to rectification
Data subjects can request that their data be corrected, unless a statutory provision prohibits the correction or the personal data is processed for archiving purposes in the public interest. If neither the accuracy nor the inaccuracy of the personal data can be established, the data subject may request that a note indicating the objection be added to the personal data. Furthermore, the data subject may request that the processing of the personal data or its disclosure to third parties be prohibited, or that the data be corrected, deleted or destroyed, and may request that the correction, deletion or destruction, the prohibition, the note indicating the objection or the judgment be communicated to third parties or published.
Data protection officer
Private data controllers may, but are not obliged to, appoint an independent data protection officer (termed a data protection advisor in the FADP). The tasks of the data protection officer consist of training and advising the data controller on data protection matters and assisting with compliance with data protection legislation.
The data protection officer is the point of contact for the data subjects and for the authorities responsible for data protection matters in Switzerland. A data protection officer may, but does not have to, be an employee of the business.
The advantages of appointing a data protection officer are mainly found in the context of data protection impact assessments. If a data protection impact assessment shows that the data processing would still pose a high risk to the data subjects despite the measures envisaged, the controller must consult the FDPIC prior to the processing. However, a private controller may dispense with consulting the FDPIC if it has consulted its data protection officer instead. This dispensation is tied to certain requirements: the data protection officer performs their function towards the controller in a professionally independent manner and without being bound by instructions; they do not perform any activities that are incompatible with their tasks as data protection officer; they possess the necessary expertise; and the controller publishes the contact details of the data protection officer and notifies the FDPIC thereof.
Record of processing activities
Like the GDPR, the FADP requires keeping a record of processing activities in certain cases. This obligation applies to both data controllers and data processors. The record must, inter alia, include information on the identity of the controller, the purpose of the processing, as well as a description of the categories of data subjects and the categories of the processed personal data. Legal entities that have fewer than 250 employees and whose data processing poses a negligible risk of harm to the personality of the data subjects are exempt from the obligation to keep a record of processing activities. If companies have established processing records in accordance with the GDPR, in most cases these also comply with the requirements under the FADP.
Data protection impact assessment
Data controllers must carry out a data protection impact assessment in advance if data processing is likely to lead to a high risk for the data subjects’ personality/privacy or fundamental rights. In general, the existence of a high risk depends on the nature, the extent and circumstances, as well as the purpose of the processing. A high risk is particularly assumed in cases of broad-scale processing of sensitive personal data or systematic surveillance of extensive public areas.
The data protection impact assessment must contain a description of the intended processing, an evaluation of the risks with regards to the data subjects’ personality/privacy or fundamental rights, as well as the intended measures to protect the data subjects’ personality/privacy and fundamental rights.
If the data protection impact assessment shows that the planned processing will still result in a high risk to the personality/privacy or fundamental rights of the data subjects despite the measures envisaged by the controller, the data controller shall obtain the FDPIC’s opinion in advance.
Private data controllers are exempt from the obligation to conduct a data protection impact assessment where they are legally bound to perform the processing. Further, private data controllers may abstain from conducting a data protection impact assessment if they use a system, product or service that is certified for the envisaged use, or if they comply with a code of conduct that is based on a data protection impact assessment, provides for measures to protect the personality/privacy or fundamental rights of the data subjects and has been submitted to the FDPIC. A private controller may also dispense with consulting the FDPIC if it has consulted its data protection officer, if any.
Notification obligation of data security breaches
The data controller must notify the FDPIC as soon as possible of any data security breach that is likely to result in a high risk to the personality/privacy or fundamental rights of the data subjects; breaches that do not reach this threshold do not have to be reported. Even where the data controller does not assess the risk as high, it may still submit a voluntary notification of the data security breach to the FDPIC.
Unlike the GDPR, the FADP sets no fixed maximum time limit for the notification; it must be made as soon as possible. In addition, where necessary for the protection of the data subjects or upon instruction by the FDPIC, the controller must inform the data subjects of the breach.