In addition to the provisions of the Federal Act on Data Protection (FADP), the processing of employee data by an employer is governed by Article 328b of the Swiss Code of Obligations (CO). This provision allows an employer to process data concerning its employees only to the extent that the data relate to the employee's suitability for employment or are necessary for the performance of the employment contract (see below). The employee cannot validly consent to more extensive processing of their data. The law does not define more precisely the scope of lawful processing of employee data. In addition to data processing strictly necessary for the performance of the employment contract, such as data relating to compensation and social security benefits, data processing within the scope of widely practiced human resources management may also be permitted. The processing of data which are outside the scope of the employer-employee relationship, however, is clearly prohibited.

The employer must – within the employment relationship – acknowledge and safeguard the employee’s personality rights, have due regard for their health and ensure that proper moral standards are maintained. The employer must refrain from any interference with the personality of the employee that is not justified by the employment contract and, within the framework of the employment relationship, prevent any such interference by superiors, employees or third parties.

These provisions of the CO and the FADP are closely intertwined and the employer may only process data on employees in two cases and only to a rather limited extent.

• Before the conclusion of an employment contract and during its implementation, data on job applicants may be processed in order to clarify whether they are suitable for the job in question.
• During the employment, data on employees may be processed that is necessary for the performance of the employment relationship.

However, recent Swiss Supreme Court case law adds some flexibility and leaves some room for employer private interest justifications. This approach is comparable to the GDPR in the sense that an overriding private interest could justify the processing of employee data that the employment law and the SCO would otherwise not cover.