Data processing by the employer

 

 

Data processing by the employer

What are the requirements that employers must meet when processing personal data?

Different phases of the employment relationship

What data are employers allowed to use? What do they have to do?

In employment relationships governed by private law, the employer is required to process a large amount of personal data of his employees, including sensitive data and employee profiles during the various stages of the employer-employee relationship. However, the employer must protect and respect the personality rights of his employees.

While the employer is primarily responsible for data protection in the workplace, employees or future employees can also ensure that their data is processed properly and deleted within the prescribed period. Data processing must be carried out within reasonable limits and be proportionate to the purpose. Since the relationship of trust between employer and employee determines the quality of the work done in the company, it is essential that the employer always informs employees precisely of their rights and of the data processing carried out.

In accordance with Article 328 paragraph 1 of the Swiss Code of Obligations (CO), within the employment relationship, the employer must acknowledge and safeguard the employee's personality rights. This provision entails a general duty of assistance on the part of the employer towards its employees, an obligation which is the counterpart of the duty of loyalty assigned to the employee in Article 321a CO. The employer must avoid any infringement of the employee's personality rights that is not justified by the employment contract. Article 328b CO complements the Data Protection Act (FADP) in that it determines the nature of the information that the employer is entitled to process about its employees. In accordance with Article 328b, an employer may handle data concerning an employee only to the extent that such data concern the employee’s suitability for the job or are necessary for the performance of the employment contract. This article, which applies specifically to employment contracts, specifies the general principles of data processing, including the principle of proportionality. Under no circumstances may Article 328b CO be derogated from to the detriment of the employee, even if the latter consents (Art. 362 CO).

Outside the framework of Article 328b CO, the processing of data by the employer must be justified for other reasons (such as the consent of the employee, by an overriding private or public interest, or by law, see Art. 31 FADP. However, employees are very rarely in a position to freely give, refuse or revoke their consent, given the subordinate nature of the employer/employee relationship). Employers must also comply with the general principles of data protection so as not to violate the personality rights of their employees (Art. 30 FADP) and expose themselves to legal action (Art. 32 FADP) or, in certain circumstances, to an investigation by the FDPIC (Art. 49 FADP), not to mention other legal remedies provided for in specific legislation (Art. 179ss Criminal Code, Art. 59 EmpA). The court decides in the individual case whether or not the data processing is justified. 

Otherwise, the provisions of the Data Protection Act (FADP) apply. The processing of data by private employers is governed mainly by the general principles defined in this area (Art. 6 to 8 FADP), by the provisions on the right to information (Art. 25 and 26 FADP) and by the provisions on the processing of personal data by private persons (Art. 30 et seq. FADP).

The FADP also imposes other obligations on employers in certain circumstances (e.g. Art. 12 FADP: obligation to maintain an inventory of processing activities; Art. 14: obligation to appoint a representative in Switzerland when the private controller has its registered office or domicile abroad; Art. 19 to 21: Duty to provide information when collecting personal data and in the case of automated individual decisions; Art. 22: obligation to carry out a personal data protection impact assessment where the processing operation is likely to result in a high risk to the personality or fundamental rights of the person whose data is processed (the data subject); Art. 24: obligation to report data security breaches).

Employment agencies and service providers are subject to the requirements of the Recruitment Act (RecA) and the related ordinance (RecO), in particular Articles 19 and 47 RecO. 

Frequently asked questions (selected examples)

Access to employees' emails

The question of when employers can have access to employees’ emails raises a number of issues for both employees and employers. It is not always easy to draw a line between the legitimate interests of employers and the privacy of their employees.

Recording conversations

Anyone who unlawfully records a conversation may be in violation of the Data Protection Act (DPA), not to mention the Criminal Code (SCC).

Video surveillance in the workplace

Video surveillance systems can affect the well-being, mental health and productivity of employees, and should therefore only be considered when less invasive measures are genuinely unsuitable.

Telephone monitoring in the workplace

There are many questions about telephone monitoring in the workplace, and in particular when monitoring is allowed.

Questions on data protection

Take a look at our FAQ or call our hotline.

The main provisions

Here you can find out more about changes to the Data Protection Act, which came into force on 1 September 2023.

Infocenter

Here you can download all documents sorted by topics.

Webmaster
Last modification 23.07.2024

Top of page