Data protection law does not protect data as such, but rather the persons about whom data is processed.
It contains legal norms that serve the protection of personality and informational self-determination and regulate the processing of personal data carried out by federal authorities or private individuals or legal entities (e.g. associations or commercial enterprises).
The central data protection enactment at the federal level is the Federal Act on Data Protection (FADP), but there are also data protection provisions in many other federal laws that must be observed, e.g. in federal social security or police law.
You can also find introductory information on data protection in the FAQ of the Federal Office of Justice (in German, French and Italian).
Personal data is all information that relates to an identified or identifiable natural person.
Information that relates to legal persons (e.g. to a company in the legal form of a stock corporation) is no longer covered. However, their protection continues to be guaranteed by other provisions of the legal system, e.g. the Civil Code and the Federal Constitution.
You have a right to information from the data controller based on Art. 25 DPA. The controller must provide you with the available information about the origin of the personal data. If a controller refuses to provide information, you can assert your claim before the civil court. You can find further information here.
Companies and other organizations under private law with more than 250 employees, as well as federal bodies, must keep a register of processing activities (processing directory).
Smaller companies and organizations under private law as well as natural persons must also keep a processing directory if they process personal data requiring special protection on a large scale or if high-risk profiling is carried out.
Please note: even if a company is exempt from the obligation to keep a processing directory, the other provisions of the Data Protection Act still apply, in particular the obligations to provide information and to supply data.
Processing regulations - not to be confused with the processing directory - must be drawn up by private data processors if they carry out automated processing of personal data requiring special protection on a large scale or carry out high-risk profiling.
The regulations (in the form of a manual or as documentation) provide information on the internal organization, e.g. description of the system architecture; on the data processing procedures, in particular data disclosure and the exercise of information rights; on the control procedures (authorizations) and on the technical and organizational data security measures.
The penal provisions are primarily aimed at the actions (and omissions) of the persons in charge. A data protection advisor's primary task is to control and monitor the data processing processes of her organization. However, she should not have decision-making authority over these processes, nor should she be responsible for an information system. In other words, she is neither the one who decides on data processing nor the one who carries it out. Under these conditions, provided they are strictly observed, she is not a priori exposed to the risk of criminal prosecution. Moreover, it should be emphasized that the FADP only criminalizes intentional violations, as opposed to negligence.
However, the FDPIC points out that it is not a prosecuting authority itself and therefore it will not be its task to decide this issue in a practical case.
Further information on the criminal law aspects of the FADP:
According to Art. 24 FADP, there is a notification obligation if the data breach that has occurred is likely to result in a high risk to the personality or fundamental rights of the data subject. As the person responsible, you can make the notification here:
The GDPR does not apply directly in Switzerland. However, it could specifically apply to Swiss companies if, among other things, they process data of EU residents in order to offer goods or services in the EU, or if the data is used to monitor the behavior of individuals, e.g., analyzing the data of website visitors or app users from the EU. We have published a detailed document on the GDPR and its impact on Switzerland. You can find it under this link:
If you use standard contractual clauses recognized by the FDPIC, e.g. those of the EU Commission (Implementing Decision (EU) 2021/914), you do not have to notify the FDPIC. If you wish to use your own or previously unrecognized standard contractual clauses, these must be approved in advance by the FDPIC. The decision on approval is issued in an appealable ruling; no transfer abroad may take place beforehand.
Yes, the FDPIC recognised the standard contractual clauses of the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council) in its notice of 27.08.2021.
Many employers decide to have their employees' personal data processed abroad to save on costs or for organisational reasons. Data are considered to have been transferred abroad when they have been made accessible to a company or unit based abroad or when they are hosted in a cloud located abroad. According to the FDPIC, employers are responsible for ensuring that the transfer of personal data abroad is permitted. They must also provide full internal information on the transfer of data abroad as well as on the specific data processing carried out abroad and its purposes. This information includes which country the data is exported to and which companies it is transmitted to, as well as the evaluations that are carried out and the purpose behind them. A civil court may be required to decide in specific cases whether the transfer of data is lawful and whether appropriate information has been provided to the people whose data is being processed (data subjects).
When recruiting employees, employers are only permitted to ask about the applicant's qualifications or other significant facts relevant to how well they can perform the tasks set out in the employment contract. Employers are not allowed to enquire about an applicant's general health; however, they can ask for a medical report on the applicant's fitness for the job in question. Prior illnesses, surgeries and hospital stays are only relevant in this context if they would have an impact on the applicant's suitability for the position being filled.
The same applies to any benefits or pensions that the applicant has received due to illness, provided that the associated illness does not affect the applicant's ability to perform their new job. The employer can require a medical examination under certain circumstances, for example in occupations where health problems may present significant safety or other risks. In such cases, the doctor is responsible for determining whether the applicant's current or prior illnesses, including any treatments they are currently receiving or have received in the past, are compatible with the job they are applying for. The doctor performing the medical examination is bound by doctor–patient confidentiality. This means that they are only allowed to inform the employer of results that are relevant to the candidate's suitability for the position being filled. They cannot disclose any other information about the candidate's medical history. This rule also applies when the medical examination is carried out by the company's in-house doctor. The doctor's opinion on fitness for work, including any reservations they may have, is then given to the employer for inclusion in the employee's personal file. The medical file, however, remains with the doctor.
Biometric systems to record working time and to control system access are becoming increasingly common in some sectors. Sensitive data such as fingerprints should only be used after careful consideration and in an appropriately restricted fashion. Some widely used biometric systems that record working time, control system access and manage tills require employees to identify themselves using their fingerprints. Employees are sometimes required to consent to their fingerprints being recorded in order to conclude or continue an employment contract. Fingerprints and other biometric data are inherently tied to a person and cannot simply be changed if lost. Heightened security requirements therefore apply to the processing of these sensitive personal data. In particular, they may only be processed if the processing is necessary for the intended purpose. In order to prevent unauthorised third-party access to employees' biometric data, the data must not be stored centrally on a server. Instead, it should only be stored on a local medium, e.g. a badge, which must be read at the same time as the fingerprints. It is recommended that only a single fingerprint be processed (rather than the complete set of fingerprints) in line with the principle of proportionality. It would be advisable to offer employees alternatives to biometric methods of recording working time, in order to preserve their freedom of choice. It is primarily a matter of employment law whether an employer is allowed to require an employee to provide fingerprints in order to be hired. Individual employees can go to court to challenge the introduction of biometric time recording systems.
Employment law defines the conditions that allow for employees to work remotely. Remote working nevertheless raises a number of important issues relating to data protection, for example regarding the use of digital communication technologies for conference calls and videoconferencing, as well as the use of data exchange platforms. Employee obligations may change occasionally, but the employer remains responsible for information security and data protection, even in times of crisis, and is therefore bound by the data processing principles set out in the FADP. This includes the obligation to choose software that adequately guarantees the security of the personal data being processed. The Commissioner is aware that there are IT solutions that enable employers to constantly monitor the behaviour of employees who are working remotely. However, this is generally not permitted under the FADP and furthermore is expressly forbidden under employment law. Finally, the question arises as to whether there is disclosure of data abroad if the employee is working remotely from outside of the country and accesses the company's server in Switzerland from their location abroad, for example in holiday accommodation or, in the case of cross-border commuters, at home. This does not constitute transborder data disclosure within the meaning of the FADP as long as the employee uses a virtual private network (VPN) to access the company's server while abroad, processes the personal data only to the extent that they would normally do so in the company's offices and, most importantly, does not make the data accessible to anyone abroad. The confidentiality of personal data must always be guaranteed, whether employees are working remotely from abroad or in Switzerland.
In line with the data protection principles, employers can request extracts from the debt enforcement register and the criminal records register only if the employee will be working in a position of trust, or carrying out duties such as managing customer accounts or operating tills or safes. This includes roles in which employees are in contact with or responsible for valuable goods or large sums of money. In these cases, the security of the company takes precedence over the interest in protecting privacy. There is no legitimate interest worthy of protection that would justify a systematic review of an employee's credit rating or whether they have a criminal record.
If extracts from the debt enforcement or criminal records registers contain sensitive data, the data protection principles must be followed strictly. Employers must provide the person concerned with clear and complete information about the data that has been collected and grant them the right to access the data. There must be effective protection from unauthorised data access, the number of parties given authorised access must be restricted as much as possible, and the data must be destroyed as soon as it is no longer required.
Publishing photos of employees on the company's intranet or on the internet requires the consent of the persons concerned, as a photograph can in some cases be used to determine information about the subject, such as a person’s religion or race, or whether they have a physical impairment. Often the publication of photographs serves no practical purpose, especially photos taken at events organised by the employer such as drinks receptions and excursions. It is advisable to first consider whether there is any benefit in publishing employee photos.
Recruitment processes increasingly involve artificial intelligence. For example, artificial intelligence helps to select applications, while job interviews are recorded on video and then analysed by software. Similarly, in today's workplace automated behaviour and voice analyses are increasingly used in online application processes to draw up detailed profiles. This requires a higher level of data protection. Candidates and recruiters alike have questions about the permitted use of behaviour and voice analysis and the associated legal requirements. The data protection framework that applies to traditional recruitment procedures also applies to these new instruments. Employers may only collect and process the data that is necessary to determine a person's suitability for a particular job, and they must always respect the principles set out in the legislation on data protection. In addition, the vast possibilities of AI-based analyses generally allow for more serious violations of personality rights than conventional job interviews. The principles of recognisability and proportionality must be given particular attention in this context.
The information must be provided by the controller, i.e. the private person or federal body that, alone or jointly with others, determines the purposes and means of processing personal data. When several data controllers jointly process personal data, you can exercise your right to information with any one of them.
Furthermore, if the controller delegates the processing of personal data to someone else, it is still the controller who is required to provide the information requested. The delegated assistant must help the controller in providing the information, unless the assistant responds to the request on behalf of the controller.
In the case of personal data about your health, you can designate a health professional to whom the data may be disclosed, so that he or she can explain the data to you.
The request must be made in writing (or verbally if the controller agrees). The information is provided in writing or in the form in which the data are presented. By agreement with the controller, you can consult your data on the spot. If you agree, the information may be provided verbally. The information may be requested and provided online. It must be provided in a comprehensible form. The controller must take adequate measures to identify you, and you are required to cooperate with this. The controller must also ensure that your data are protected from access by unauthorised third parties when providing you with the information.
In principle, the controller should provide the requested information free of charge. Exceptions are possible, in particular if providing the information requires disproportionate efforts; a suitable contribution to the costs may be requested (maximum CHF 300). If a contribution is required, you must be informed of the amount before the information is provided so that you can withdraw the request within ten days.
As a general rule, the information must be provided within 30 days of receipt of the request. If the information cannot be provided within 30 days, the controller must inform you of this and tell you when the information will be provided.
If the controller refuses to give you the information, restricts the information given or delays giving you the information, he or she must communicate this within the same period.
In principle, you have the right to be fully informed about all the data contained in the file which concern you. If the data controller refuses, restricts or postpones the disclosure of the requested information, he or she must inform you of the reasons for this.
Please note that if a federal body refuses you access or grants only limited access to information, it must issue a formal decision to you.
If you are of the opinion that the controller has not complied with his or her obligation to provide information or has only done so in part, you can take the following steps:
If the controller is a federal body, you can file an appeal against the decision with the Federal Administrative Court within 30 days.
If the data controller is a private individual, you can take legal action (civil action) to assert your right to information. The court in the place of residence or business of one of the parties is competent to rule on actions and requests based on the FADP. The judge will decide under a simplified procedure. No court fees are charged for disputes relating to the right of access under the FADP. You may apply to the court in person or be represented by a lawyer. You will need to include copies of your correspondence with the controller.
As a general rule, you have the right to be fully and correctly informed about the data that is being processed about you. Providing this information can only be refused, restricted or postponed if permitted by a formal law or if required by the overriding interest of a third party.
Private controllers may also refuse, restrict or defer the disclosure of information if their own overriding interests so require and provided that they do not disclose the data to third parties.
If the controller is a federal body, it may also refuse, restrict or defer the disclosure of information if an overriding public interest, in particular relating to Switzerland’s internal or external security, so requires, or if the disclosure of the information could jeopardise a criminal investigation or other investigative procedure.
If controllers refuse, restrict or postpone the disclosure of information for any of the above reasons, they must inform the data subject. Controllers are obliged to state the reasons for the decision.
Under the Federal Act on Data Protection, you have a right to access your complete medical file compiled by your doctor. The medical file includes all documents relating to treatment, including X-rays and laboratory tests. The medical file also includes information that is relevant for medical staff who will provide further treatment or for an insurer, for example. The doctor is not obliged to submit personal notes, such as brief remarks or reminders intended exclusively for the doctor. However, handwritten notes and documents also form part of the medical file, unless they are the doctor's personal notes.
If a doctor suggests you consult your file in his or her office instead of providing you with a copy, you are not obliged to accept. The consultation of the file at the doctor’s surgery is only possible with your consent.
The Federal Act on Data Protection allows a doctor to send data regarding your health to a health professional that you have designated, provided you have consented to this. The purpose of this rule, which also applies to medical files, is to prevent negative information being disclosed to a patient without the presence of a doctor. You are nevertheless entitled to a copy of your file after your appointment.
The Federal Act on Data Protection does not give patients the right to obtain the original of their medical records. Whether this right can be derived from other legal provisions or from the contractual relationship between doctor and patient remains undecided. Indeed, legislation in some cantons expressly requires the doctor to keep the original medical records. If this is the case, only copies can be provided to patients during the prescribed archiving period, which is usually ten or twenty years. The file may not be completely destroyed during this period. The law does not allow a patient to exempt a doctor from this obligation (e.g. by being given the original medical record in return for an acknowledgement of receipt), even if the patient declares that he or she waives any claims for medical negligence or any other legal rights.
In principle, the doctor will give you a copy of your file free of charge. Depending on the size of the file, the doctor may exceptionally ask you to contribute to the costs, which must not exceed CHF 300. If the doctor wants to charge for the copy, he or she must inform you before making it. In this case, you have ten days to withdraw your request.
Further useful information on the new data protection law can be found here: