The duty to provide information ensures that data processing is transparent and that the data subject’s rights are respected. Without information, the data subject is not necessarily aware that their personal data is being processed and cannot therefore exercise their rights under the FADP. The FADP therefore requires the data controller to inform the data subject that their data is being gathered, no matter the type of data concerned.
Duty to provide information
Whenever personal data is gathered, the data controller must inform the data subject in advance and in an adequate manner that their data is to be gathered, even if the data are not gathered directly from the data subject concerned.
The data controller should inform the data subjects in a concise, transparent, clear and readily accessible manner. Where the FADP does not require the information to be communicated in a specific form, the data controller should nonetheless ensure that the principle of data transparency is respected and that all necessary elements are included (e.g. privacy notice, general terms and conditions, information on website, pictogram, separate email, consent form, etc.).
The information should be readily accessible, complete and easily identifiable. In cases where data are not gathered directly from the data subject, the data controller must ensure that the latter is nonetheless effectively informed.
The data controller must provide the data subject with all information necessary for them to exercise their rights and for transparency in data processing to be guaranteed. This includes the data controller’s identity and details, what the data are to be used for, and, if applicable, the data recipient (e.g. data sub-processor). The degree of detail in the information depends on the type of personal data and the nature and scope of the processing. For example, it may be that information must be given about the duration of data processing and data anonymisation. Unlike in the GDPR, information must also be provided on the destination state and regarding an adequate level of data protection. Data controllers should thus check and update their data protection declaration.
Moreover, the exceptions mentioned in Article 20 FADP limit or remove the duty to provide information, for example if a data subject already has the information (because they previously consented to their data being processed) or if the processing of personal data is required by law. If personal data are not gathered directly from the data subject, the duty to provide information to the latter does not apply if it is not possible to provide the information or if the effort involved is disproportionate. These exceptions must be narrowly interpreted: the data controller should not assume that they will apply. The data controller must make every possible effort to fulfil the duty to provide information.
Furthermore, where there is an overriding public or private interest (e.g. court proceedings or a third-party interest), the data controller may restrict, delay or dispense with providing the information.
The FADP also contains a specific requirement to provide information when an individual decision regarding a data subject is generated automatically, i.e. when data is processed without human intervention (e.g. using an algorithm). Areas in which individual decisions may be automated include profiling, taxation, provision of healthcare services and credit ratings. Under Article 21 FADP, the data controller must inform the data subject and allow them to express their point of view on the result of the decision, and to request that the decision be reviewed by a natural person.
The duty to provide information does not apply if the automated individual decision is directly connected to the conclusion or processing of a contract between the data controller and the data subject and the data subject's request is granted (e.g. a contract is concluded on the desired terms), or if the data subject has explicitly consented to the decision being automated.
Federal bodies are required to clearly state when an individual decision is automated in this way. If the data subject has a means of appeal against this decision, they have the right to express their point of view and to have the decision reviewed by a natural person.
Last modification 24.03.2023