Last summer, two cantons introduced a new practice for their commercial registers in order to comply with the transparency principle. Any person who requests information will immediately be sent an automatic email that includes all the relevant documentation. This seamless transition from a public inspection system requiring a visit to the commercial registry, or at the very least a personal contact, to an internet-based system introduced to ensure greater transparency, raises a number of fundamental issues in terms of data and personality protection.
Since July 2012, the commercial registers of Zurich and Basel-Town have made their records accessible by email. Our attention was drawn to this new situation by some of the citizens concerned as well as by the police authorities. According to the information that we have been given, the documents that can be automatically communicated to members of the public contain signatures, dates of birth, private addresses, numbers of passports, ID cards and credit cards, as well as other sensitive security-related information.
Although the transparency principle that is embodied in the law is essential for the smooth conduct of business, the means implemented to achieve this should not be detached from data protection considerations. There is a problem when such personal information is made available online, particularly as it may give rise to uncontrollable risks (fraud, document forgery, data combination, etc.). For the persons concerned, this signifies a loss of control over their own data and the right to informational self-determination which is guaranteed under the Constitution. Thus, companies that specialize in the acquisition and exploitation of personal data have no difficulty in combining various data sources, as is the case of credit reference agencies. The companies in question then process the data, for example in order to produce personality profiles. This is done without the knowledge of the person concerned. In addition, there is an international aspect that exacerbates the problem. This should not been downplayed, because once data are published on the internet, there is no geographical limit to their possible use. They then fall outside the scope of application of Swiss law and may be processed in countries that do not have a sufficient level of data protection.
From the perspective of our supervisory activities, we must make it clear that our powers of intervention in the present case are limited. The fact is that public registers that concern private legal transactions are expressly excluded from the scope of the Data Protection Act. However, as part of our advisory and supporting tasks, we have initiated a discussion with the competent supervisory body, the Federal Commercial Registry Office, and have drawn their attention to the risks we outlined above. Furthermore, during the consultation process concerning the revision of the Code of Obligations (contract law) and the Commercial Register Ordinance, we set out our position quite clearly with a view to raising the legislator's awareness of the issues.
In the light of the situation described above, our advice would be for all notaries who are entrusted with the task of registering companies to inform persons in advance of the current practices in the cantons of Zurich and Basel-Town. Armed with this information, the latter will be able to use all available means to ensure that the content of the records is kept to the absolute minimum required by law. More detailed information about impending changes to the law can be found in this year's Report on activity under section 1.8.4.