Personal data must be processed in good faith. Personal data must not be collected by misrepresentation or deception.
The processing of personal data must be proportionate. This means the data processing must be necessary for the intended purpose and reasonable in relation to the infringement of privacy. Subject to regulations on the safekeeping of records, personal data should not be retained longer than necessary.
Accuracy of the data
The data processor must ensure that the personal data are accurate.
Purpose of the processing
Personal data may only be used for the purpose intended at the time of collection. It is therefore very important to disclose all anticipated purposes for which the data will be used when they are collected. Because of this restriction, the legality of data mining is doubtful because it inherently involves the use of data for a range of purposes, some of which may not have been disclosed when the data were collected.
The collection of personal data, and in particular the purposes for which the personal data is processed, must be evident to the person or entity from whom personal data are collected. This requirement does not always lead to a specific disclosure obligation, but it will be necessary to give notice of any use of personal data which is not apparent to the data subject from the circumstances. For example, if personal data are collected in the course of concluding or performing a contract, but the recipient of the personal data intends to use the data for purposes outside the scope of the contract or for the benefit of third parties, then such uses of the personal data must be disclosed to the data subject.
Anyone who processes personal data must not breach the privacy of the data subjects unlawfully.
As a rule, no justification for processing personal data is required if the data subjects have made the data generally available and have not expressly restricted the data processing. Generally available data may include data published in phone books without a restriction on their use or data distributed on business cards.
A lawful justification for data processing exists if the data subject has consented to it, the law provides for it, or the data processor has an overriding interest in the data processing. The Swiss Federal Data Protection Act (DPA) provides that the interest of the data processor in processing personal data shall, in particular, be taken into account when:
- the data processing occurs directly in connection with the conclusion of a contract or its performance;
- the data processor competes for business with, or wants to compete for business with, another person and processes personal data for this purpose without disclosing the data to third parties;
- the data processor, for the purpose of evaluating the creditworthiness of another person, processes neither sensitive personal data nor personality profiles and discloses only data to third parties which are necessary for the conclusion of a contract with the data subject or the performance of such contract;
- the data processor processes data professionally for publication in the editorial part of a medium which is published periodically;
- the data processing is for purposes that are not related to a specific person, in particular research, planning or statistics, and the results are published in a manner that does not permit the identification of the data subjects;
- the data processor collects data about a person who is a public figure to the extent that the data relate to the role of the person as a public figure.
The fact that a data processor has one of the above-listed interests in processing personal data does not mean that the data processor has an overriding interest in processing the data. The interest of the data processor in processing the data must nevertheless be weighed against the interest of the data subject in being protected against an infringement of his or her privacy.
If the data processor does have an overriding interest in processing the data, the processing of personal data can be performed despite the objection of the data subject.
The data processing must comply with technical and organizational security requirements, especially when processed electronically. Personal data must be protected against intentional or accidental deletion, accidental loss, technical errors, falsification, theft and unlawful use, unauthorized access, changes, copying, or other unauthorized processing.
Detailed technical requirements for data processing are set out in the Swiss Data Protection Ordinance (DPO).
Processing by a third party (outsourcing)
Data processing may be delegated to a third party under an agreement, provided that the third party data processor processes data only to the same extent as the person employing the third party data processor was authorised to do and that no legal or contractual confidentiality obligation prohibits the outsourcing.
The employer of the third party data processor must ensure that the data processor can ensure the security of the data.
Under certain circumstances consent of the data subjects may be required for the processing of personal data. The DPA now requires such consent to be given expressly for the processing of sensitive personal data or personality profiles. Implied consent is no longer sufficient.