dataprotection.ch

 
Collecting Personal Data
Disclosing Personal Data
Processing Personal Data

Substantive Requirements

Good faith

Personal data must be processed in good faith. Personal data must not be collected by misrepresentation or deception, i.e., the processing shall be apparent to data subjects.

Proportionality

The processing of personal data must be proportionate. Proportionate means that data processing may only go as far as it is necessary and appropriate for the purpose pursued. In other words, data processing must be necessary for the intended purpose and reasonable in relation to the infringement of the privacy of data subjects. Subject to regulations on the safekeeping of records, personal data should not be retained longer than necessary.

Accuracy of the data

It must be ensured that the data is up-to-date and that it is possible to correct incorrect data.

Purpose of the processing

Personal data may only be processed for the purpose that was stated when it was obtained, that is evident from the circumstances or that is provided for by law. If the purpose of the processing changes, the consent of the data subjects must be obtained or there must be otherwise overriding interests. Personal data must be destroyed or anonymized as soon as it is no longer required with regard to the purpose of the processing. Fulfilment of this obligation requires that the controller determines retention periods in advance.

Transparency

The processing of personal data, and in particular the purposes for which the personal data is processed, must be evident to the person whose personal data is processed. The controller must inform the data subjects appropriately about the collection of their personal data, typically via a privacy notice. Such information obligation also applies when data is not collected directly from the data subjects.

Among other things, the controller must inform data subjects about its identity, contact details, the purpose of the processing, and the recipients or categories of recipients of the data, including the countries to which personal data is disclosed and, if applicable, guarantees (e.g., standard contractual clauses), or the application of an exception (e.g., disclosure is necessary in order to establish, exercise or enforce legal rights before a court). However, the FADP does not provide an exhaustive list of the necessary information to be provided and, depending on the circumstances, additional information may be required. Failure to provide the required information may result in criminal sanctions.

Lawful justification

Under Swiss data protection law, data processing in the private sector is generally permitted as long as the data processing principles of the FADP are observed, and a justification is only required in certain situations. In concrete terms, for data processing activities carried out by private persons, a justification is required in particular if the data processing principles are not followed, the data subject has objected to the processing, for having personal health data communicated by a health professional, or if sensitive personal data is to be disclosed to a third party (however, processors are not considered third parties in this context).

A lawful justification for data processing exists if the data subject has consented thereto, Swiss law provides for it, or there exists an overriding Swiss public interest or overriding private interest in the data processing. The FADP provides that the interest of the data controller in processing personal data shall, in particular, be taken into account when:

  • the data controller processes personal data of the contractual party in direct connection with the conclusion or the performance of a contract;
  • the data controller is or will be in commercial competition with another person and for this purpose processes personal data that is not disclosed to third parties, except in the case of disclosure that takes place between companies controlled by the same legal entity;
  • the data controller processes personal data in order to verify the data subject’s creditworthiness, provided that (i) the processing does neither involve sensitive personal data nor high-risk profiling, (ii) the data is disclosed to third parties only if the data is required by such third parties for the conclusion or the performance of a contract with the data subject, (iii) the data is not older than ten years and (iv) the data subject is of age;
  • the data controller processes the personal data on a professional basis and exclusively for publication in the edited section of a periodically published medium or the data serves the data controller exclusively as a personal working instrument, given that no publication takes place;
  • the data controller processes personal data for purposes not relating to a specific person, in particular for the purposes of research, planning and statistics, provided that (i) the data controller anonymizes the data as soon as the purpose of the processing allows for it or the data controller takes reasonable measures to prevent the identification of the data subjects if anonymization is impossible or requires a disproportionate effort, (ii) sensitive personal data is disclosed to third parties in such a manner that the data subjects may not be identified or, if this is not possible, measures are taken to ensure that third parties only process the data for non-personal related purposes and (iii) the results are published in such a manner that the data subjects may not be identified;
  • the data controller collects personal data on a person of public interest which relates to the public activities of that person.

The fact that a data controller has one of the above-listed interests in processing personal data does not necessarily mean that a data processor has an overriding interest in processing the data. The interest of the data processor in processing the data must be weighed against the interest of the data subject in being protected against an infringement of their privacy regardless.

If the data controller does indeed have an overriding interest in processing the data, the processing of personal data can be performed lawfully despite the data subject’s objection.

Data security

The data processing must comply with technical and organisational security requirements, especially when processed electronically. Through adequate technical and organisational measures, data security breaches shall be avoided. Personal data must be protected against intentional or accidental deletion, accidental loss, technical errors, falsification, theft and unlawful use, unauthorised access, changes, copying, or other unauthorised processing.

Detailed technical requirements for data processing are set out in the revised Federal Ordinance to the Federal Act on Data Protection. If a private data controller fails to comply with the minimum data security requirements, it may be punished with a fine of up to CHF 250,000.

Processing by third parties (outsourcing)

The data controller may assign data processing to a third party under an agreement or by law, provided that the third-party data processor processes data only to the same extent and in the same manner as the data controller was authorised to do and that no statutory or contractual confidentiality obligation prohibits the outsourcing. Failure to enter into a processing agreement may result in criminal sanctions.

The data controller must ensure that the data processor can guarantee data security. The data processor itself may only assign the data processing to another third party with prior authorisation of the data controller.

Consent

Under certain circumstances consent of the data subjects may be required for the processing of personal data. If consent of the data subjects is required, such consent is only valid if it has been given freely and for one or several specific processing activities and only after adequate prior information. If consent is required – which is not generally the case but has to be determined in each instance – the FADP requires such consent to be given expressly for the processing of sensitive personal data, high-risk profiling by a private person or profiling by a federal body.