Latest News

The transfer of personal data to a country with an inadequate level of data protection based on recognised standard contractual clauses and model contracts

27.08.2021 - In its statement of 27 August 2021, the FDPIC recognises the standard contractual clauses for the transfer of personal data to third countries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (pursuant to Implementing Decision 2021/914/EU) as the basis for personal data transfers to a country without an adequate level of data protection, provided that the necessary adaptations and amendments are made for use under Swiss data protection law.

The following explanations show which adaptations and amendments must be made. The standard contractual clauses pursuant to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU), the Swiss Transborder Data Flow Agreement (for outsourcing of data processing) of November 2013 and the Council of Europe model contract to ensure equivalent protection in the context of cross-border data flows can still be notified until 27 September 2021 and continue to be used during a transitional period until 31 December 2022.

FDPIC comments on the transfer of data to the United States Securities and Exchange Commission

04.08.2021 - The FDPIC has issued the following memorandum to the US Securities and Exchange Commission (SEC) on the question of the lawfulness of the transfer of data from Swiss asset managers to the US supervisory authority:

FDPIC recommends use of COVID Certificate Light at Swiss events

19.07.2021 - Using the latest version of the COVID certificate app, a data protection-friendly Certificate Light can be generated easily. The Certificate Light does not contain any health data. The FDPIC recommends that the public use the Certificate Light at events in Switzerland.

While monitoring the development of the COVID certificate, which is primarily intended for travel abroad, the Federal Data Protection and Information Commissioner (FDPIC) lobbied for the federal government to provide a second, data-minimised 'Light' certificate. With the latest version of the COVID certificate app, the Certificate Light can now be generated simply and easily:

Link on FOPH website: COVID certificate (admin.ch)

The FDPIC recommends that the public use the data protection-friendly (i.e. data-minimised) Certificate Light in Switzerland (in particular when attending large events). 

When the Certificate Light is activated in the normal COVID certificate display, a new QR code that does not contain health data is created from the available data. The Certificate Light only contains the information required to identify the holder and an electronic signature. This eliminates the risk of health data (such as details of the vaccine used) being read without authorisation when the certificate is checked. This can happen if verification apps other than the COVID Certificate Check app provided by the federal government are used. The Certificate Light, which is also forgery-proof, can only be used in Switzerland and must be regenerated in the app after 48 hours. This short validity period was deliberately chosen so that there is no indication as to whether the certificate was issued based on a test, vaccination or recovery.

New FADP: five new posts from July 2022

13.07.2021 - The Federal Council has approved five new posts for the FDPIC in anticipation of the new Federal Act on Data Protection (FADP) coming into force in the second half of 2022. This is in addition to the three posts previously approved in 2019, which have since been filled. Subject to Parliament’s approval of this expansion, with the federal decree on the 2022 budget in December 2021, the FDPIC will begin recruiting for the five new posts from 1 July 2022. 

In recruiting for these five vacancies, the FDPIC will strive to cover its extended range of tasks and responsibilities. This is particularly relevant for its new duty to deal with all individual complaints that are more than 'of minor importance'.

Covid certificate dispels major data protection concerns

04.06.2021 - At its press conference today, the Federal Council explained the creation and introduction of the COVID-19 certificate. By offering the option of providing certificates in paper form, and creating an additional minimal data QR code for use in Switzerland, the Federal Council has dispelled key concerns raised by the Federal Data Protection and Information Commissioner (FDPIC).

In line with his statutory duties, in recent weeks the FDPIC has been advising the Federal Office of Public Health (FOPH) and the Federal Office of Information Technology, Systems and Telecommunication (FOITT) on the legal and technical development of the COVID-19 certificate.  For the most part, the offices have taken account of the data protection concerns raised by the Commissioner. 

  • The Commissioner firstly welcomes the fact that the certificate can not only be used on electronic devices, but will also be available in paper form – this avoids creating a de facto obligation for everyone to carry a smartphone.

  • Secondly, the Commissioner was successful in ensuring that the FOITT was instructed to develop a second, minimal data QR code for use in Switzerland, in addition to the EU-compatible QR code for cross-border travel. This second code guarantees that a minimum of data will be visible when the certificate is read. Persons using this second code prevent unauthorised software used when scanning certificates from ascertaining why a certificate is valid or invalid. This means, for example, that staff checking persons entering a large-scale event will be unable to find out whether a certificate holder is entitled to attend the event because he or she has been vaccinated, has recovered from the disease or has tested negative.

Given that information on vaccination, testing and recovery are data on a person’s health condition, the Commissioner nevertheless views with some concern that, ahead of the certificate’s introduction, "sufficient evidence" will be accepted at pilot events during a transitional phase. He also regrets that the minimal data QR code can only be made available to the population in a second phase. He will undertake to ensure that these transitional arrangements apply for as short a time as possible.

The new FADP from the FDPIC’s perspective

05.03.2021 - Until the new FADP comes into force, the private sector and federal authorities will have to adapt their processing of personal data to the new provisions. The FDPIC outlines below the most important alterations that they need to take into consideration.

(The integral document is attached below as a pdf)

Breakthrough for up-to-date data protection

25.09.2020 - In its final vote, the Parliament adopted today the total revision of the Federal Act on Data Protection (FADP). It was able to resolve the remaining differences standing in the way of more up-to-date protection of privacy.

The FDPIC welcomes the completion of the total revision of the Data Protection Act that the Federal Council submitted for parliamentary deliberation in a dispatch three years ago. This enhances the Swiss public’s right to privacy and to determine how their data are used, better reflecting today’s digital reality.

The FDPIC will offer a more detailed statement on the revised law once the ongoing referendum period has expired.

Court of Justice of the European Union (CJEU) ruling on European standard contractual clauses and the EU-US Privacy Shield

16.07.2020 - In its judgment of 16 July 2020 in Case C-311/18 Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems, the Court of Justice annulled Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield. However, the EU Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries remains valid.

The FDPIC has taken note of the CJEU ruling. This ruling is not directly applicable to Switzerland. The FDPIC will examine the judgement in detail and comment on it in due course.

Link to the CJEU press release

Press release of 08.09.2020: FDPIC considers CH-US Privacy Shield does not provide adequate level of data protection 

Update Proximity Tracing App: technical security of the SwissCovid app confirmed

12.06.2020 - After reviewing the NCSC report on Risk Estimation Proximity Tracing published today, the FDPIC has confirmed his assessment that the Swiss proximity tracing system operated by the Federal Office of Public Health and the SwissCovid app are data protection compliant. 

Report from the National Cyber Security Centre (NCSC) 

The FDPIC is aware of the widespread criticism of Google and Apple’s failure to disclose the API (application programming interface) for the SwissCovid app. The situation, however, is not new. The data protection impact assessment of 1 May 2020 and the report from the National Cyber Security Centre (NCSC) of 28 May 2020, which is published today, also make reference to this lack of disclosure.

The SwissCovid app is based on globally standardised interfaces and their underlying operating systems. The source code for the operating systems and the interfaces is partially available in some cases or not available at all. This issue is known and is not specific to the SwissCovid app.

In the FDPIC’s opinion, when compared to other everyday uses that the public makes of the smart devices offered by these two manufacturers, the use of the Google and Apple APIs for the SwissCovid app does not represent a significantly greater risk to their personal data. Anyone who assumes that Google and Apple, regardless of their legal responsibilities and the reputational risks, would disregard the restrictions on use they have promised for the SwissCovid app, should be aware of the following: the use of the SwissCovid app would have to be based on Google or Apple operating systems and their general Bluetooth interfaces even if their proximity tracing API were not used.

In order to be consistent, anyone who mistrusts these manufacturers whatever they may do would have to refrain from using not only the SwissCovid app, whatever its design, but also any other smart devices or operating systems offered by Apple and Google. This option always remains open.

For further information, we would refer you to the full text of our assessment:

Full text (in German) (PDF, 134 kB, 12.06.2020)

Coronavirus protection plans

19.05.2020 - The FDPIC supervises the implementation of the protection plans by private companies. He attaches importance to the fact that the procurement and transfer of personal data within the framework of these plans is voluntary.

As part of the easing of measures to contain the corona pandemic, the Federal Council in Ordinance 2 on Measures to Combat the Coronavirus (COVID-19; SR 818.101.24) has made the resumption of activities and the re-opening of businesses and institutions conditional on the introduction of precautionary measures (see FOPH's recommendations for the workplace and schools).

It is the responsibility of the businesses and institutions concerned to implement their own precautionary measures. Where this requires them to process the personal data of customers, members, employees, etc., this will be carried out under the FDPIC’s oversight. The FDPIC will seek to ensure that businesses and institutions respect the principles of the Federal Data Protection Act, in particular that of proportionality. Depending on the sector and the size of the business or institution, in-house legal and data protection advisers will also help to implement the precautionary measures in accordance with data protection law.

The FDPIC regards it as important that customers, etc., will be under no obligation to provide their personal data as part of the precautionary measures and that they cannot be indirectly compelled to provide data, e.g. by making the provision of goods and services dependent on doing so.

The FDPIC takes the view that using direct or indirect pressure to obtain and process data relating to customers, etc., constitutes an invasion of privacy and of a person’s autonomy over their own information. This is incompatible with the principle of proportionality, other than in the case of mandatory data processing requirements based on precisely defined principles of federal and cantonal public law.

Measures for the safe use of audio and video conferencing systems 

01.05.2020 - The coronavirus pandemic is showing people all over Switzerland and, indeed, the world how a single event can completely change our surroundings and the way we do things. From one day to the next, it was no longer possible for us to meet friends and family in person, or exchange information with colleagues and hold meetings at our offices. In our work and in our private lives, we have abruptly switched to digital solutions such as audio or video conferencing systems. Despite the rush with which business meetings, children’s ‘visits’ with their grandparents, or even parties have been moved online, we must not forget how important information security and data protection continue to be.

The first part of this information sheet lists measures we recommend you take to ensure that the audio or video conferencing system you are using during this crisis is safe. You should make sure to reassess your choice of service – either immediately or at a later point in time – by carrying out a risk analysis according to data protection criteria. If necessary, choose a different service more suitable to your needs. This information sheet also contains a list of points to observe when setting up and introducing an audio or video conferencing system, to ensure it complies with data protection guidelines.

The information sheet deals with exactly these issues, and is aimed at all user groups – both in business and in private life.

Update Libra

20.04.2020 - Libra informs on FINMA's application and intensifies work on the data protection concept.

On 16 April 2020, the Libra Association informed the FDPIC that it had submitted an application to FINMA for authorisation as a payment system (cf. the information published by FINMA). At the same time, it also informed the FDPIC that work on the data protection concept was underway and had been intensified.

Legal data protection framework for coronavirus containment

17.03.2020 - The authorities, in cooperation with health institutions, are doing everything possible to stem the rapid spread of the coronavirus. Insofar as private individuals (in particular employers) process personal data to combat the pandemic, the principles set out in Article 4 of the Federal Act on Data Protection must be respected.

1. Data processing by health care institutions

Following the declaration of the special situation in accordance with Art. 6 of the Epidemics Act (EpidA) by the Federal Council, the federal, cantonal and communal authorities are continuing to work in conjunction with public health institutions to combat the current coronavirus pandemic.

The Federal Office of Public Health (FOPH), the competent cantonal authorities and the public and private institutions entrusted with tasks in accordance with the EpidA process personal health data in accordance with Section 2 of the EpidA, insofar as this is necessary to identify persons who are ill, suspected of being ill, infected or suspected of being infected, with a view to measures to protect public health. In doing so, they shall also observe the general principles of federal and cantonal data protection legislation. Hospitals and other public or private health care institutions, as well as laboratories and medical personnel, are also subject to special reporting obligations under the EpidA.

2. Data processing by private parties

Insofar as private parties, in particular employers, process personal data to combat the pandemic, the processing must be carried out in compliance with the principles set out in Article 4 of the Federal Data Protection Act:

  • Health data are particularly worthy of protection and, as a matter of principle, may not be obtained by private parties against the will of the persons concerned.
  • Moreover, processing of health data by private parties must be purpose-related and proportionate. This means that they must be necessary and suitable with a view to preventing further infections and must not go beyond what is necessary to achieve this goal.
  • Wherever possible, appropriate data on flu symptoms such as fever should be collected and passed on by those affected themselves.
  • The collection and further processing of health data by private third parties must be disclosed to the data subjects so that the latter understand the purpose and scope of the processing as well as its content and time frame.

3. Body temperature and tracking

Insofar as private individuals collect medical data such as body temperature before entering buildings or workplaces for the purpose of preventing infection, the processing of this data is to be limited to the minimum necessary to achieve the purpose in terms of its content and time. The information and self-determination of the persons concerned must be respected when collecting data. In this context, answering extensive questions about the state of health to non-medical persons proves to be inappropriate and disproportionate.

The same applies to personal data processed by private individuals in connection with operational and organizational measures to prevent infection. At the latest when the pandemic threat has ceased to exist, these data must be deleted as a whole.

If the use of digital methods for the collection and analysis of mobility and proximity data is considered, they must prove to be proportionate to the purpose of preventing infection. They are only so if they are epidemiologically justified and suitable to have an effect justifying the intervention in the personal rights of the persons affected in order to contain the pandemic in its current stage.

What impact does Brexit have on cross-border data flows?

31.01.2020 - Following the referendum held in the United Kingdom in June 2016, the British government announced its decision to withdraw from the European Union (Brexit). The United Kingdom will leave the EU on 31 January 2020.

Cross-border transmission of personal data under the Federal Act on Data Protection (FADP)
Cross-border data transmission must comply with the provisions of Article 6 of the Data Protection Act (FADP). According to this article data may only be disclosed abroad if the receiving country has legislation guaranteeing an adequate level of data protection (Art. 6 para. 1 FADP) or if, in the absence of such legislation, it has other provisions or safeguards for ensuring an adequate level of protection (Art. 6 para. 2 letters a and g FADP). Under Article 31 para. 1 let. d FADP, the Federal Data Protection and Information Commissioner (FDPIC) provides an opinion on whether a country’s level of protection is adequate to allow all data transfers to that country. This requires that the data receiver is subject to legislation ensuring a level of protection that is comparable with Swiss law, i.e. legislation that guarantees the rights of the data subjects, that respects the main principles of data protection and that provides for an independent supervisory authority. A list of countries complying with these requirements is published on the FDPIC website (Art. 7 DPO). This list is updated on a regular basis.

United Kingdom and Gibraltar
The UK and Gibraltar currently have an adequate level of data protection; for the moment the FDPIC has no grounds for changing their status on the country list. As regards the legal consequences of Brexit on the protection of personal data as of 1 February 2020, the British authority responsible for protecting personal data, the Information Commissioner’s Office (ICO), states on its website that the UK will continue to guarantee a high level of personal data protection.

However, if the FDPIC decides to change the status of the UK or Gibraltar on its country list, businesses will be notified in due course so that they can prepare themselves, in particular by using standard contracts. 

The EU will decide by the end of 2020 whether the UK has an adequate level of data protection. The FDPIC is monitoring developments closely.

Further information:

FDPIC, Transfer of personal data abroad

FDFA, Directorate for European Affairs DEA: FAQ Brexit

ICO, Statement on data Protection and Brexit implementation

ICO, Data Protection and Brexit

European Commission, UKTF, Task Force for Relations with the United Kingdom

Second chamber concludes consultation on Data Protection Act (DPA)

18.12.2019 - The FDPIC welcomes the fact that the Council of States has debated the totally revised DPA and has adopted most of the improvements proposed by its Commission in comparison to the National Council version.

The Data Protection Act goes to the Council of States in the winter session

20.11.2019 - The FDPIC welcomes the fact that, within the short time available up to the end of the session, the Political Institutions Committee of the Council of States (PIC-S) has succeeded in adopting a legislative text for the attention of the Plenum of the Council of States that is ready for consultation and significantly improved on the version of the National Council.

Press Release of the PIC-S (in German)

see also:

30.08.2019 - Draft of new Data Protection Act to be debated in the National Council

Facebook to introduce special features in Switzerland for the elections

17.10.2019 – On the eve of the federal parliamentary elections on 20 October, Facebook is set to introduce features aimed to appeal to Swiss users of its social media platform. The company confirmed the plans following an enquiry made by the Federal Data Protection and Information Commissioner. The FDPIC welcomes the company’s transparency.

After the Federal Data Protection and Information Commissioner (FDPIC) learned through various reports that Facebook was planning to introduce features on its social media platform in connection with Switzerland’s 2019 parliamentary elections such as a ‘voter button’, he wrote to the company requesting further information.

In his letter, the FDPIC, referring to sections 5.3 and 7 of the FDPIC’s Guide, pointed out that operators of social media networks are called on to provide fair and full information about how the feature should work and how the resulting data is to be processed. Only if such transparency exists can voters gauge whether and to what extent the way in which the data gleaned from the applications in question are processed could have an influence on opinion forming or voter behaviour.

Facebook Ireland Ltd subsequently confirmed that the functions will be introduced on its social media platform one day before the elections and on election day itself. The features are to be displayed on the profiles of all Swiss voters and Facebook users. Facebook is not going to select certain users or user groups.

According to the written assurances given by Facebook, the features are solely intended to raise the awareness of users for the upcoming elections, and ultimately to encourage voter participation by allowing users to show on their profiles that they have cast their vote in the elections. Facebook stresses that the company will not process data relating to the political views of users in this context.

Furthermore, Facebook has demonstrated that the company has taken heed of the transparency requirements set out in our Guide. Facebook users can read about the various functions and features it employs by clicking on the links to the multi-level information pages (See the following links: Facebook Data Policy; Control who can see what you share; Why am I seeing a reminder about an election and voting on Facebook?; What information does Facebook use to show information about elections and government?)

Complete Revision of the Federal Act on Data Protection (FADP) goes to the Commission of the Council of States

25.09.2019 – Now that the National Council has treated the complete revision of the Federal Act on Data Protection (FADP) as first chamber of parliament, the FDPIC hopes that the second chamber will be able to schedule the debate in its winter session and improve the protection of the Swiss population by aligning it with European standards.

Draft of new Data Protection Act to be debated in the National Council

30.08.2019 - Following its discussion of the Federal Council dispatch of 15 September 2017, the National Council’s political institutions committee decided on 16 August 2019 based on the casting vote of its president to remit the draft of the totally revised Data Protection Act to the plenary session of the National Council for debate.

The proposal made to the National Council contains several provisions which, in the version approved by a majority of the committee, would lead to a lower level of data protection for the Swiss population than in neighbouring European countries and to a partial reduction in the level of data protection afforded by the current Data Protection Act of 1992.

In its public debate on 24 and 25 September, the National Council will have the opportunity to compare the respective drafts of the committee’s majority and minority and to decide whether it wishes to improve the level of protection given to the Swiss population and adapt to European standards.

The summary with the requests of the Political Institutions Committee of the National Council for the revision of the Federal Data Protection Act has been published.

Postfinance: no equal treatment for customers under the current law

30.08.2019 - In a letter dated 13 June 2019 in response to an enquiry from the FDPIC, Postfinance AG confirmed that their Swiss customers will still be required to register an express objection if they do not wish their identity to be authenticated by voiceprint. In contrast, Postfinance makes authentication by voiceprint for foreign customers subject to their express consent. This unequal treatment, which the FDPIC has publicly criticised (see the report on SRF’s 10vor10 programme on 20.5.2019), is set to continue.

In its response to the FDPIC, Postfinance AG maintained that this difference in treatment is due to differences in the requirements of Swiss and foreign law, and that the adoption of foreign law to cover domestic circumstances is a political matter reserved to parliament. Postfinance AG will therefore continue to treat Swiss customers differently for as long as Swiss data protection law is not brought in line with EU law.

26th Annual Report: Switzerland must maintain its level of data protection

18.06.2019 - The FDPIC expects that the Federal Council and Parliament will continue to guarantee the Swiss population a level of data protection that is in line with its European neighbours by signing the Council of Europe Convention 108 in the near future and swiftly bringing to a close the complete revision of the Data Protection Act.

Link to the media release

Data Protection Day 2019 - 3 priorities for the Confederation and cantons: elections, police, OASI number 

28.01.2019 - Federal and cantonal data protection authorities' press release:

25th Annual Report: Freedom before security

25.06.2018 - Monitoring major digital projects has once again been the focus activity for the FDPIC. The E-ID Act as the basis for using a SwissID, the risk report on using the OASI number as a universal personal identifier or the conditions that must be met by e-ticketing or public transport apps underline this prioritisation. As a supervisory authority, the Commissioner had to intervene to prevent the processing of data on compulsory health insurance and had to deal with data leaks at several large companies. As the Freedom of Information Commissioner, the FDPIC succeeded in achieving a substantial increase in the efficiency of his arbitration procedures and welcomed the National Council’s unanimous commitment to guaranteeing transparency in connection with public procurement – thus ensuring that the principle of freedom of information does not become a farce.

Selection of arbitrators for the Data Protection Arbitration Panel under the Swiss-U.S. Privacy Shield - First call for Interest

Deadline: April 30, 2018

06.04.2018 - According to Swiss law, personal data transmitted to the USA must be subject to an appropriate level of data protection. The Swiss-U.S. Privacy Shield serves this purpose. Thanks to this new legal framework, personal data can be transferred from Switzerland to a company in the USA, provided that the US company complies with a set of data protection rules and safeguards. This protection that is given to personal data applies to everyone who is resident in Switzerland. For this mechanism to become operational, a list of up to five arbitrators must be agreed between the Swiss administration and the DOC. In the event of a dispute, the parties may select the arbitral tribunal from the arbitration pool developed under the EU-U.S. Privacy Shield which has been supplemented by the pool developed under the Swiss-U.S. Privacy Shield. The call for interest has been published in the U.S. Federal Register and can be accessed under the following link: https://www.federalregister.gov/documents/2018/04/02/2018-06737/swiss-us-privacy-shield-invitation-for-applications-for-inclusion-on-the-supplemental-list-of

The deadline for applications is April 30, 2018. They must be submitted to David Ritchie at the U.S. Department of Commerce, either by email at david.ritchie@trade.gov or by fax at: 202-482-5522.

Dispatch concerning the revision of the Data Protection Act: the FDPIC's general assessment

15.09.2017 - The rapid development of information and telecommunications technology and the related digitalisation of society have required the Council of Europe and the European Union to further develop their data protection legislation, and have now necessitated the complete revision of the Federal Data Protection Act, which originally came into force in 1993. The draft act prepared by the Federal Council has the aim of increasing the protection of data by improving the transparency of data processing and increasing the options that data subjects have to control their own data. In addition, the revision of the Act should ensure consistency between the level of data protection in Switzerland and that in the EU. Having a level of data protection that is comparable with that in EU states is particularly important for Swiss businesses, especially because the new EU General Data Protection Regulation (EU-GDPR), which comes into force at the end of May 2018, will have a direct effect on many Swiss enterprises.

Last modification 07.12.2021