Criminal law

In order to increase the effectiveness of the obligations it imposes, the FADP contains several criminal law provisions to sanction infringements.

The new Federal Act on Data Protection significantly increases the criminal penalties for breaching the obligations it imposes. It establishes four separate offences, set out in Articles 60–63. These offences have three features in common:

• They are intentional offences only. There are no criminal penalties for negligent breaches of data protection obligations.
• They primarily sanction individuals. If the offences are committed within a company, Article 64 paragraph 1 allows for the conviction of persons with a managerial function by making reference to the Federal Act on Administrative Criminal Law. However, it should be noted that if the fine under consideration does not exceed CHF 50,000 and the measures required to investigate an individual would be disproportionately great, the prosecuting authority may decide not to pursue the person and instead fine the company.
• The maximum penalty is CHF 250,000.

NB : In all cases, the cantonal prosecution authorities have the authority to prosecute these offences.

NB: These elements only concern the criminal aspect of infringing the FADP provisions. However, it should be remembered that criminal sanctions are only one of the consequences of an infringement. There may well be other consequences under public or private law, in particular claims for damages. The three limitations set out above do not apply to these other areas. For example, a company could be sued under private law for a negligent breach of the law and for an amount in excess of CHF 250,000. However, this liability has be assessed specifically in each case and is in principle governed by law of contract.

Obligations to provide access and information or to cooperate (Art. 60 FADP)

Article 60 FADP addresses the obligations to provide access and information and to cooperate. The first two obligations relate essentially to the direct or indirect relationship between the data controller and the data subject (the person whose data is processed). The obligation to inform at the time the data is collected (Art. 19 FADP), or when it is processed automatically (Art. 21 FADP), is intended to ensure that data subjects can understand what will be done with their data and can make an informed decision on this basis. The obligation to inform (Arts 25 to 27 FADP), meanwhile, allows data subjects to demand transparency with regard to data being processed at the time. If necessary, they can then exercise their right to have any incorrect data corrected or to put a stop to unjustified processing. These provisions play a central role in the data protection system, knowledge being the prerequisite for any other action. For these reasons, any violation of these provisions is a criminal offence.

The obligation to cooperate, a breach of which is also an offence under Article 60 FADP, relates to the investigations conducted by the FDPIC when it is suspected that a data processing activity has taken place in violation of the provisions of the FADP (Art. 49ff FADP). It thus assures the effectiveness of this procedure.

Duty of care (Art. 61 FADP)

Holding the data of private individuals also means assuming responsibility for these data. The data controller must ensure the data are held securely by technical and organisational means designed in particular to protect against unauthorised access and the risk of data loss (Art. 8 para. 3 FADP). It must also comply with the regulations governing data transmission, whether to subcontractors or abroad (Art. 9 and 16ff FADP). In order to reinforce the effectiveness of these obligations, Art. 61 FADP imposes criminal sanctions for violation of them.

Professional duty of confidentiality 

Article 62 FADP deals with the duty of confidentiality, whose function is similar to that of the professional confidentiality addressed in Article 321 of the Swiss Criminal Code (SCC), but to a less absolute extent. For example, rules on criminal procedure often provide for exemptions from the obligation to testify for persons subject to professional secrecy; these exemptions do not, in principle, cover persons subject to the FADP's duty of confidentiality. However, the circle of persons subject to the duty of confidentiality is much wider than that covered by Article 321 SCC. Any person who meets the legal requirement, i.e. anyone who has acquired knowledge of personal data in the exercise of an activity that requires knowledge of such data is potentially subject to this duty of confidentiality. In the field of healthcare, this might include naturopaths and acupuncturists, who are not subject to Article 321 SCC. Besides this, the concepts of secrecy and disclosure are to be understood in the same way as in the context of Article 321 SCC, as is the concept of auxiliaries subject to the duty of confidentiality (Art. 62 para. 2 FADP). The professional person may be released from the duty of confidentiality if the data subject gives their consent or if the law so requires (e.g. duty to testify in proceedings or duty to notify, as in Art. 314d of the Swiss Civil Code).

Failure to comply with a decision of the FDPIC

Article 63 FADP is a general provision, reinforcing the effectiveness of decisions made by the FDPIC, such as when he orders the termination of processing under Article 51 FADP. The FDPIC may thus provide that failure to comply with his decision could result in a fine under Article 63 FADP. This provision is therefore similar to Article 292 of the Swiss Criminal Code.

Criminal provisions outside the DPA

Finally, it should be noted that there are also criminal provisions aimed - in particular - at strengthening data protection outside the DPA. The most important of these are Articles 179novies and 179decies of the Swiss Criminal Code. The former covers the unauthorised obtaining of sensitive personal data that is not freely accessible. It covers both physical (taking a file) and digital obtaining. As for art. 179decies of the Swiss Criminal Code, it punishes anyone who usurps the identity of another person, i.e. who impersonates that person in order to harm him or her or to gain an advantage.