Latest News

Federal Administration introduces public cloud-based application Microsoft 365  

07.03.2023 - The Microsoft Office 2021 applications that are currently still run locally throughout the Federal Administration are to be replaced by the public cloud-based Microsoft 365 application. The FDPIC will provide supervisory support for the outsourcing project.

In a press release dated 15.2.2023, the Federal Council announced that the version of Microsoft Office currently used by the Federal Administration would have to be replaced because important applications had reached the end of their lifecycle and would no longer be supported by Microsoft in a few years' time (probably 2026). The situation regarding the follow-on products is exceptional because the Federal Administration will only be able to use them via a public cloud connection. At present, the Federal Administration is effectively dependent on Microsoft’s Office products. A change of provider and product is currently considered too risky and too costly due to the numerous dependencies on specialised applications. In order to reduce dependency in the medium and long term, the examination of alternatives to Microsoft 365 will continue. As part of an exit strategy, the Federal Chancellery’s Digital Transformation and ICT Steering Sector (DTI) is also examining open-source alternatives. The introduction of Microsoft 365 will have to be accompanied by protective measures; in particular, users will not be allowed to store particularly sensitive data and confidential documents in the Microsoft cloud.

The DTI involved the FDPIC in its preliminary work on the introduction of Microsoft 365, in particular by submitting to it the drafts of an analysis of the legal requirements and the ISDP (information security and data protection) concept. In his comments, the Commissioner stated, among other things, that in his opinion it was uncertain how long it would remain technically feasible to run certain applications in the federal government's own IT centres instead of in the cloud operated by the US company Microsoft, as the DTI project envisages today. In view of this uncertainty, the Commissioner requested that alternatives to Microsoft 365 be put forward that are less problematic from a data protection perspective. He went on to request that a more detailed analysis be made of whether a sufficient legal basis exists for the processing of personal data in the cloud operated by the US company, and whether the principle of proportionality is maintained. Finally, the FDPIC requested that the DTI prepare a comprehensive data protection impact assessment that transparently shows the risks of outsourcing to the cloud. In this context, the Commissioner considered it essential that the problem of possible access by the US security authorities to personal data processed by the Federal Administration in the Microsoft cloud be analysed in depth.

In view of its concerns, the FDPIC welcomes the fact that the Federal Chancellery disclosed in its press release the problem of economic and technological dependence on the US company Microsoft and is continuing to examine alternatives, in particular open-source alternatives as part of an exit strategy. The FDPIC will provide supervisory support for the outsourcing project, for the analysis of the results of the search for alternatives, and for the data protection impact assessment, which is still outstanding.

Data Protection Day 2023 - topics: elections and new data protection legislation in the Confederation and cantons

27.01.2023 - Elections and votes at all federal levels in Switzerland now take place in a digitalised world. Those involved in forming political opinion use the potential of digitalisation to specifically target their campaigns at voters. In this, voters’ rights to privacy and self-determination may come under considerable threat. 

Anyone who processes data in the context of elections and votes must be aware that information on political and ideological views is classified as sensitive under both the current and the new Federal Data Protection Act. The latter will come into force on 1 September 2023, shortly before the upcoming general election of Parliament.

In updating their guide, the Federal Data Protection and Information Commissioner (FDPIC) and the Conference of Swiss Data Protection Commissioners (privatim) want to emphasise the tremendous importance attached to the principle of transparency under data protection law in the context of elections and votes. Voters have a right to understand which digital processing methods and technologies are being used to target them.

New data protection legislation in the Confederation and cantons

The FDPIC’s preparations for the new Data Protection Act (FADP), which comes into force on 1 September 2023, are going according to plan. There will be three ways of registering:

  • Federal bodies can register their records of processing activities electronically (https://datareg.edoeb.admin.ch/search).
  • Data protection advisors can also be registered via an electronic platform.
  • High-risk data security breaches must in future be reported to the FDPIC. A special portal has also been set up for this purpose. Instructions for data protection officers in both the public and private sectors are provided in the input mask.

Before the new FADP comes into force, the FDPIC will launch a newly designed and completely revised website. All information will then reflect the requirements of the new law. There will also be explanations available on new instruments, such as the data protection impact assessment.

The cantons are also updating their data protection legislation to reflect the new European data protection requirements. An overview of what has been achieved so far is published on the privatim website and periodically updated.


Cyber attack on Infopro AG – Status of the FDPIC's ongoing preliminary investigation and list of questions for Winbiz SA

14.12.2022 - The aim of the FDPIC's ongoing preliminary investigation is to supervise the work to regain control over compromised customer data and thus to ensure correct compliance with data protection information obligations. This work is being carried out under great time pressure.

The FDPIC has been in contact with those responsible at Infopro AG, the National Centre for Cybersecurity (NCSC), and the cantonal data protection authorities since the revelation that Infopro, which processes personal data on behalf of the company Winbiz, was the victim of a serious cyberattack.

In this context, the FDPIC has received enquiries from Infopro AG's business clients about this matter, which it is answering on an ongoing basis. Insofar as personal data is concerned, the FDPIC has drawn the attention of these customers to their obligations to provide information and limit damage under data protection law and has noted that the companies concerned are endeavouring to fulfil these obligations within a very narrow timeframe.

Since the beginning of this week, the FDPIC has also received requests from business clients of Fiducial Winbiz SA as they can no longer access their data, which was stored by Winbiz on the Infopro servers affected by the cyberattack. In addition, the FDPIC also received indications on 13 December 2022 that business clients of Fiducial Winbiz SA had allegedly gained access to data of other Winbiz clients. As part of the ongoing preliminary investigation, the FDPIC has today sent Fiducial Winbiz SA a list of questions and asked it to comment within a short time on the reported violation of access restrictions. 

Registering a data file - reporting inventories (DataReg)

17.11.2022 - When the new Data Protection Act (FADP) comes into force on 1 September 2023, the procedure for registering data files with the FDPIC will undergo a change. From this date onwards, only federal bodies will have to report their data processing activities to the FDPIC.

Until the new FADP comes into force, the FDPIC will maintain two registers for a short period – the new DataReg for reports from federal bodies in accordance with the new law, and the current register for reports from private individuals and entities in accordance with the law that applies at present.


European Union-U.S. Data Privacy Framework (EU-U.S. DPF)

07.10.2022 - The FDPIC has taken note of the factsheet released by the US regarding the «Data Privacy Framework (DPF)» and is analysing it.

Oracle: Tracking technologies encroach on internet users' privacy rights

27.09.2022 - In a lawsuit filed in the US on 19 August 2022 against Oracle America Inc., plaintiffs raise serious allegations of unlawful tracking of internet users. Specifically, the lawsuit accuses Oracle of using tracking technologies to collect detailed data on 5 billion internet users, and compiling it in a database. Oracle also allegedly analysed and evaluated the information it collected in order to create a dossier on each of the data subjects. In addition to names and addresses, all types of internet activity are recorded, for example purchasing behaviour, GPS data and health information – even across devices. The lawsuit claims that Oracle tracks internet users by means of various technologies, in particular cookies and pixels, as well as JavaScript code integrated in websites and apps.

Implications for Switzerland

The FDPIC is currently analysing the allegations made in the lawsuit with regard to possible breaches of privacy against the Swiss population. It is known that Oracle provides cookies, pixels and JavaScript code for website operators and applications. By embedding these elements in websites, Oracle receives the information on internet users that is collected across websites and mobile apps. The FDPIC's initial investigations have shown that the tracking technologies listed in the lawsuit are also widely used in Switzerland. Persons from Switzerland are therefore also affected by Oracle's tracking.

Clarifications are now underway to determine the extent to which Swiss website operators and app providers are in violation of the data protection principles under the Swiss Data Protection Act by integrating the tracking technologies. The focus here is on the principles of transparency and proportionality, as well as the need to grant explicit consent to create personality profiles and process sensitive personal data.

Protective measures against unwanted tracking in the digital space

Website operators and app providers have a duty to check in advance which technologies they are using and whether these technologies may be tracking website visitors or mobile app users. If they are in fact tracking users, either the technology must be removed or the users must be provided with transparent and understandable information about how the data is processed, its purpose and their ability to object, as well as the possibility that their data will be transferred abroad. Furthermore, website operators and app providers must offer an easy way for users to deny consent to use their data (opt-outs or using default settings such as ‘Do not track’). Since tracking violates the personal privacy of data subjects, users must explicitly consent to tracking (opt in) when personality profiles are created or sensitive personal data is processed.

Internet users can protect themselves against unwanted tracking on the internet by deliberately selecting a private internet browser and adjusting their settings accordingly. They can also use ad blockers and add-ons or extensions to prevent the collection of their data.

In addition to complying with data protection principles, operators of databases containing personal data must always ensure the rights of data subjects. This means that any person can request information from the data controller (in this case the website or app operator) about what personal data is being processed about them, why it is being processed, and who can access it. Anyone who does not agree to the further processing of their data can request that it be deleted.

For the time being, the FDPIC has taken note of the serious allegations made in the lawsuit and is analysing them and their possible implications for Switzerland. He wrote to Oracle Software (Switzerland) GmbH on 2 September 2022 and reserves the right to take further steps if necessary.

Credential stuffing: report and guidelines

08.07.2022 - In its latest report, the Global Privacy Assembly identifies credential stuffing as a growing threat to personal data. The related guidelines provide users with information on security measures that can be taken to protect against this threat.

Credential stuffing is a form of cyberattack that exploits people’s tendency to use the same user name and password combinations for multiple online accounts. These attacks are automated and often perpetrated on a large scale. The stolen login data are used to gain access to accounts on various internet platforms.

The report, published by the International Enforcement Working Group (IEWG) as part of the Global Privacy Assembly (GPA), includes contributions from the Federal Data Protection and Information Commissioner as well as data protection authorities from the UK, Canada, Gibraltar, Jersey and Turkey. It emphasises the growing trend of credential stuffing attacks and provides information on how organisations and individuals can prevent, recognise and minimise their risk.

The Global Privacy Assembly considered multi-factor authentication for online accounts to be the most effective protection against credential stuffing.

Bringing together more than 130 data protection authorities from around the world, the Global Privacy Assembly is one of the leading organisations globally for data protection and privacy authorities.


Outsourcing of personal data processing by Suva to a Microsoft cloud service

13.06.2022 - In view of certain differences of legal opinion, the FDPIC is advising Suva to reconsider the decision to outsource its personal data processing to a cloud service operated by the US company Microsoft.

On 10 December 2021 Suva voluntarily sent the FDPIC a document entitled Risk Assessment Project Digital Workplace M365. This project concerns the outsourcing – imminent at the time – of Suva's personal data processing from an on-premises solution, i.e. on its own infrastructure, to a data centre operated on Swiss territory by the US company Microsoft. 

After studying the documentation voluntarily submitted to him, the Commissioner welcomes the fact that Suva presented its outsourcing project for an independent data protection review. However, he advises Suva to reassess the outsourcing forthwith. 

In view of the widespread use of Microsoft products and services throughout the private and public sectors in Switzerland, this outsourcing project is of interest to a broad public, which is why the Commissioner is publishing his summary statement in this regard. 

As there is not yet any legal precedent in Switzerland on the outsourcing issue raised, the FDPIC, with Suva's approval, is also publishing Suva's written response, which reveals differences of opinion in certain respects.

Depending on the evolution of the situation and the legal position, the Commissioner reserves the right to take supervisory action ex officio at a later stage.

Meeting between the FDPIC and the Tunisian delegation in Bern

12.05.2022 - On 11 May 2022, the Federal Data Protection and Information Commissioner, Adrian Lobsiger, met his Tunisian counterparts in Bern.
Their discussions focused mainly on the respective legislative frameworks and on the challenges arising from the increasing digitalisation of society. International cooperation plays an essential role in the FDPIC's activities, and this meeting shows the importance attached to it.

From left to right: Chawki Gaddes, President of the INPDP (Instance nationale de protection des données personnelles) and of the AFAPDP (Association francophone des autorités de protection des données personnelles); Adrian Lobsiger, Federal Data Protection and Information Commissioner (FDPIC); Adnen Lassoued, President of the INAI (Instance nationale d'accès à l'information)

Update Mitto AG

23.12.2021 - In the preliminary investigation now opened, the FDPIC has contacted Mitto AG and the mobile phone operators in Switzerland.

The latter have confirmed that they cooperate with Mitto AG, but have pointed out that technical measures are in place to prevent unauthorised access to personal data. On the basis of this initial feedback, the FDPIC has no indications for the time being that any misconduct has occurred to the detriment of people in Switzerland.

In the coming weeks, the FDPIC will receive further and more detailed information on the facts of the case. After evaluating this information, we will decide on the further course of action and inform the public.

Press release (07.12.2021)

The transfer of personal data to a country with an inadequate level of data protection based on recognised standard contractual clauses and model contracts

27.08.2021 - In its statement of 27 August 2021, the FDPIC recognises the standard contractual clauses for the transfer of personal data to third countries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (pursuant to Implementing Decision 2021/914/EU) as the basis for personal data transfers to a country without an adequate level of data protection, provided that the necessary adaptations and amendments are made for use under Swiss data protection law.

The following explanations show which adaptations and amendments must be made. The standard contractual clauses pursuant to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU), the Swiss Transborder Data Flow Agreement (for outsourcing of data processing) of November 2013 and the Council of Europe model contract to ensure equivalent protection in the context of cross-border data flows can still be notified until 27 September 2021 and continue to be used during a transitional period until 31 December 2022.

FDPIC comments on the transfer of data to the United States Securities and Exchange Commission

04.08.2021 - The FDPIC has issued the following memorandum to the US Securities and Exchange Commission (SEC) on the question of the lawfulness of the transfer of data from Swiss asset managers to the US supervisory authority:

FDPIC recommends use of COVID Certificate Light at Swiss events

19.07.2021 - Using the latest version of the COVID certificate app, a data protection-friendly Certificate Light can be generated easily. The Certificate Light does not contain any health data. The FDPIC recommends that the public use the Light certificate at events in Switzerland.

While monitoring the development of the COVID certificate, which is primarily intended for travel abroad, the Federal Data Protection and Information Commissioner (FDPIC) lobbied for the federal government to provide a second, data-minimised 'Light' certificate. With the latest version of the COVID certificate app, the Certificate Light can now be generated simply and easily:

Link on FOPH website: COVID certificate (admin.ch)

The FDPIC recommends that the public use the data protection-friendly (i.e. data-minimised) Certificate Light in Switzerland (in particular when attending large events). 

When the Certificate Light is activated in the normal COVID certificate display, a new QR code that does not contain health data is created from the available data. The Certificate Light only contains the information required to identify the holder and an electronic signature. This eliminates the risk of health data (such as details of the vaccine used) being read without authorisation when the certificate is checked. This can happen if verification apps other than the COVID Certificate Check app provided by the federal government are used. The Certificate Light, which is also forgery-proof, can only be used in Switzerland and must be regenerated in the app after 48 hours. This short validity period was deliberately chosen so that there is no indication as to whether the certificate was issued based on a test, vaccination or recovery.

New FADP: five new posts from July 2022

13.07.2021 - The Federal Council has approved five new posts for the FDPIC in anticipation of the new Federal Act on Data Protection (FADP) coming into force in the second half of 2022. This is in addition to the three posts previously approved in 2019, which have since been filled. Subject to Parliament’s approval of this expansion, with the federal decree on the 2022 budget in December 2021, the FDPIC will begin recruiting for the five new posts from 1 July 2022. 

In recruiting for these five vacancies, the FDPIC will strive to cover its extended range of tasks and responsibilities. This is particularly relevant for its new duty to deal with all individual complaints that are more than 'of minor importance'.

Covid certificate dispels major data protection concerns

04.06.2021 - At its press conference today, the Federal Council explained the creation and introduction of the COVID-19 certificate. By offering the option of providing certificates in paper form, and creating an additional minimal data QR code for use in Switzerland, the Federal Council has dispelled key concerns raised by the Federal Data Protection and Information Commissioner (FDPIC).

In line with his statutory duties, in recent weeks the FDPIC has been advising the Federal Office of Public Health (FOPH) and the Federal Office of Information Technology, Systems and Telecommunication (FOITT) on the legal and technical development of the COVID-19 certificate. For the most part, the offices have taken account of the data protection concerns raised by the Commissioner.

  • The Commissioner firstly welcomes the fact that the certificate can not only be used on electronic devices, but will also be available in paper form – this avoids creating a de facto obligation for everyone to carry a smartphone.

  • Secondly the Commissioner was successful in ensuring that the FOITT was instructed to develop a second, minimal data QR code for use in Switzerland, in addition to the EU-compatible QR code for cross-border travel. This second code guarantees a minimum of data will be visible when reading the certificate. Persons using this second code prevent unauthorised software being used when scanning certificates to ascertain why a certificate is valid or invalid. This means, for example, that staff checking persons entering a large-scale event will be unable to find out whether a certificate holder is entitled to attend the event because he or she has been vaccinated, has recovered from the disease or has tested negative. 

Given that information on vaccination, testing and recovery are data on a person’s health condition, the Commissioner nevertheless views with some concern that, ahead of the certificate’s introduction, "sufficient evidence" will be accepted at pilot events during a transitional phase. He also regrets that the minimal data QR code can only be made available to the population in a second phase. He will undertake to ensure that these transitional arrangements apply for as short a time as possible.

The new FADP from the FDPIC’s perspective

05.03.2021 - Until the new FADP comes into force, the private sector and federal authorities will have to adapt their processing of personal data to the new provisions. The FDPIC outlines below the most important alterations that they need to take into consideration.

(The integral document is attached below as a pdf)

Breakthrough for up-to-date data protection

25.09.2020 - In its final vote, the Parliament adopted today the total revision of the Federal Act on Data Protection (FADP). It was able to resolve the remaining differences standing in the way of more up-to-date protection of privacy.

The FDPIC welcomes the completion of the total revision of the Data Protection Act that the Federal Council submitted for parliamentary deliberation in a dispatch three years ago. This enhances the Swiss public’s right to privacy and to determine how their data are used, better reflecting today’s digital reality.

The FDPIC will offer a more detailed statement on the revised law once the ongoing referendum period has expired.

Court of Justice of the European Union (CJEU) ruling on European standard contractual clauses and the EU-US Privacy Shield

16.07.2020 - In its judgment of 16 July 2020 in Case C-311/18 Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems, the Court of Justice annulled Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield. However, the EU Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries remains valid.

The FDPIC has taken note of the CJEU ruling. This ruling is not directly applicable to Switzerland. The FDPIC will examine the judgement in detail and comment on it in due course.

Link to the CJEU press release

Press release of 08.09.2020: FDPIC considers CH-US Privacy Shield does not provide adequate level of data protection

Update Proximity Tracing App: technical security of the SwissCovid app confirmed

12.06.2020 - After reviewing the NCSC report on Risk Estimation Proximity Tracing published today, the FDPIC has confirmed his assessment that the Swiss proximity tracing system operated by the Federal Office of Public Health and the SwissCovid app are data protection compliant. 

Report from the National Cyber Security Centre (NCSC) 

The FDPIC is aware of the widespread criticism of Google and Apple’s failure to disclose the API (application programming interface) for the SwissCovid app. The situation, however, is not new. The data protection impact assessment of 1 May 2020 and the report from the National Cyber Security Centre (NCSC) of 28 May 2020, which is published today, also make reference to this lack of disclosure.

The SwissCovid app is based on globally standardised interfaces and their underlying operating systems. The source code for the operating systems and the interfaces is partially available in some cases or not available at all. This issue is known and is not specific to the SwissCovid app.

In the FDPIC’s opinion, when compared to other everyday uses that the public makes of the smart devices offered by these two manufacturers, the use of the Google and Apple APIs for the SwissCovid app does not represent a significantly greater risk to their personal data. Anyone who assumes that Google and Apple, regardless of their legal responsibilities and the reputational risks, would disregard the restrictions on use they have promised for the SwissCovid app, should be aware of the following: the use of the SwissCovid app would have to be based on Google or Apple operating systems and their general Bluetooth interfaces even if their proximity tracing API were not used.

In order to be consistent, anyone who mistrusts these manufacturers whatever they may do would have to refrain from using not only the SwissCovid app, whatever its design, but also any other smart devices or operating systems offered by Apple and Google. This option always remains open.

For further information, we would refer you to the full text of our assessment:

Full text (in German) (PDF, 134 kB, 12.06.2020)

Coronavirus protection plans

19.05.2020 - The FDPIC supervises the implementation of the protection plans by private companies. He attaches importance to the fact that the procurement and transfer of personal data within the framework of these plans is voluntary.

As part of the easing of measures to contain the corona pandemic, the Federal Council in Ordinance 2 on Measures to Combat the Coronavirus (COVID-19; SR 818.101.24) has made the resumption of activities and the re-opening of businesses and institutions conditional on the introduction of precautionary measures (see FOPH's recommendations for the workplace and schools).

It is the responsibility of the businesses and institutions concerned to implement their own precautionary measures. Where this requires them to process the personal data of customers, members, employees, etc., this will be carried out under the FDPIC’s oversight. The FDPIC will seek to ensure that businesses and institutions respect the principles of the Federal Data Protection Act, in particular that of proportionality. Depending on the sector and the size of the business or institution, in-house legal and data protection advisers will also help to implement the precautionary measures in accordance with data protection law.

The FDPIC regards it as important that customers, etc., will be under no obligation to provide their personal data as part of the precautionary measures and that they cannot be indirectly compelled to provide data, e.g. by making the provision of goods and services dependent on doing so.

The FDPIC takes the view that using direct or indirect pressure to obtain and process data relating to customers, etc., constitutes an invasion of privacy and of a person’s autonomy over their own information. This is incompatible with the principle of proportionality, other than in the case of mandatory data processing requirements based on precisely defined principles of federal and cantonal public law.

Measures for the safe use of audio and video conferencing systems 

01.05.2020 - The coronavirus pandemic is showing people all over Switzerland and, indeed, the world how a single event can completely change our surroundings and the way we do things. From one day to the next, it was no longer possible for us to meet friends and family in person, or exchange information with colleagues and hold meetings at our offices. In our work and in our private lives, we have abruptly switched to digital solutions such as audio or video conferencing systems. Despite the rush with which business meetings, children’s ‘visits’ with their grandparents, or even parties have been moved online, we must not forget how important information security and data protection continue to be.

The first part of this information sheet lists measures we recommend you take to ensure that the audio or video conferencing system you are using during this crisis is safe. You should make sure to reassess your choice of service – either immediately or at a later point in time – by carrying out a risk analysis according to data protection criteria. If necessary, choose a different service more suitable to your needs. This information sheet also contains a list of points to observe when setting up and introducing an audio or video conferencing system, to ensure it complies with data protection guidelines.

The information sheet deals with exactly these issues, and is aimed at all user groups – both in business and in private life.

Update Libra

20.04.2020 - Libra provides information on its application to FINMA and intensifies work on the data protection concept.

On 16 April 2020, the Libra Association informed the FDPIC that it had submitted an application to FINMA for authorisation as a payment system (cf. the information published by FINMA). At the same time, it also informed the FDPIC that work on the data protection concept was underway and had been intensified.

Legal data protection framework for coronavirus containment

17.03.2020 - The authorities, in cooperation with health institutions, are doing everything possible to stem the rapid spread of the coronavirus. Insofar as private individuals (in particular employers) process personal data to combat the pandemic, the principles set out in Article 4 of the Federal Act on Data Protection must be respected.

1. Data processing by health care institutions

Following the declaration of the special situation in accordance with Art. 6 of the Epidemics Act (EpidA) by the Federal Council, the federal, cantonal and communal authorities are continuing to work in conjunction with public health institutions to combat the current coronavirus pandemic.

The Federal Office of Public Health (FOPH), the competent cantonal authorities and the public and private institutions entrusted with tasks in accordance with the EpidA process personal health data in accordance with Section 2 of the EpidA, insofar as this is necessary to identify persons who are ill, suspected of being ill, infected or suspected of being infected, with a view to measures to protect public health. In doing so, they shall also observe the general principles of federal and cantonal data protection legislation. Hospitals and other public or private health care institutions, as well as laboratories and medical personnel, are also subject to special reporting obligations under the EpidA.

2. Data processing by private parties

Insofar as private parties, in particular employers, process personal data to combat the pandemic, the processing must be carried out in compliance with the principles set out in Article 4 of the Federal Data Protection Act:

  • Health data are particularly worthy of protection and, as a matter of principle, may not be obtained by private parties against the will of the persons concerned.
  • Moreover, processing of health data by private parties must be purpose-related and proportionate. This means that the processing must be necessary and suitable with a view to preventing further infections and must not go beyond what is necessary to achieve this goal.
  • Wherever possible, appropriate data on flu symptoms such as fever should be collected and passed on by those affected themselves.
  • The collection and further processing of health data by private third parties must be disclosed to the data subjects so that the latter understand the purpose and scope of the processing as well as its content and time frame.

3. Body temperature and tracking

Insofar as private individuals collect medical data such as body temperature before people enter buildings or workplaces for the purpose of preventing infection, the processing of this data must be limited, in content and duration, to the minimum necessary to achieve the purpose. The information and self-determination of the persons concerned must be respected when collecting data. In this context, having people answer extensive questions about their state of health put by non-medical persons is inappropriate and disproportionate.

The same applies to personal data processed by private individuals in connection with operational and organizational measures to prevent infection. At the latest when the pandemic threat has ceased to exist, these data must be deleted in their entirety.

If the use of digital methods for the collection and analysis of mobility and proximity data is considered, they must prove to be proportionate to the purpose of preventing infection. They are only so if they are epidemiologically justified and suitable to have an effect justifying the intervention in the personal rights of the persons affected in order to contain the pandemic in its current stage.

 
 
 
 
 

What impact does Brexit have on cross-border data flows?

31.01.2020 - Following the referendum held in the United Kingdom in June 2016, the British government announced its decision to withdraw from the European Union (Brexit). The United Kingdom will leave the EU on 31 January 2020.

Cross-border transmission of personal data under the Federal Act on Data Protection (FADP)
Cross-border data transmission must comply with the provisions of Article 6 of the Data Protection Act (FADP). According to this article data may only be disclosed abroad if the receiving country has legislation guaranteeing an adequate level of data protection (Art. 6 para. 1 FADP) or if, in the absence of such legislation, it has other provisions or safeguards for ensuring an adequate level of protection (Art. 6 para. 2 letters a and g FADP). Under Article 31 para. 1 let. d FADP, the Federal Data Protection and Information Commissioner (FDPIC) provides an opinion on whether a country’s level of protection is adequate to allow all data transfers to that country. This requires that the data receiver is subject to legislation ensuring a level of protection that is comparable with Swiss law, i.e. legislation that guarantees the rights of the data subjects, that respects the main principles of data protection and that provides for an independent supervisory authority. A list of countries complying with these requirements is published on the FDPIC website (Art. 7 DPO). This list is updated on a regular basis.

United Kingdom and Gibraltar
The UK and Gibraltar currently have an adequate level of data protection; for the moment the FDPIC has no grounds for changing their status on the country list. As regards the legal consequences of Brexit on the protection of personal data as of 1 February 2020, the British authority responsible for protecting personal data, the Information Commissioner’s Office (ICO), states on its website that the UK will continue to guarantee a high level of personal data protection.

However, if the FDPIC decides to change the status of the UK or Gibraltar on its country list, businesses will be notified in due course so that they can prepare themselves, in particular by using standard contracts. 

The EU will decide by the end of 2020 whether the UK has an adequate level of data protection. The FDPIC is monitoring developments closely.

Further information:

FDPIC, Transfer of personal data abroad

FDFA, Directorate for European Affairs DEA: FAQ Brexit

ICO, Statement on data Protection and Brexit implementation

ICO, Data Protection and Brexit

European Commission, UKTF, Task Force for Relations with the United Kingdom

 
 
 
 

Second chamber concludes consultation on Data Protection Act (DPA)

18.12.2019 - The FDPIC welcomes the fact that the Council of States has debated the totally revised DPA and has adopted most of the improvements proposed by its Commission in comparison to the National Council version.

 
 
 

The Data Protection Act goes to the Council of States in the winter session

20.11.2019 - The FDPIC welcomes the fact that, within the short time available up to the end of the session, the Political Institutions Committee of the Council of States (PIC-S) has succeeded in adopting a legislative text for the attention of the Plenum of the Council of States that is ready for consultation and significantly improved on the version of the National Council.

Press Release of the PIC-S (in German)

see also:

30.08.2019 - Draft of new Data Protection Act to be debated in the National Council

 
 

Facebook to introduce special features in Switzerland for the elections

17.10.2019 – On the eve of the federal parliamentary elections on 20 October, Facebook is set to introduce features aimed to appeal to Swiss users of its social media platform. The company confirmed the plans following an enquiry made by the Federal Data Protection and Information Commissioner. The FDPIC welcomes the company’s transparency.

After the Federal Data Protection and Information Commissioner (FDPIC) learned through various reports that Facebook was planning to introduce features on its social media platform in connection with Switzerland’s 2019 parliamentary elections such as a ‘voter button’, he wrote to the company requesting further information.

In his letter, the FDPIC, referring to sections 5.3 and 7 of the FDPIC’s Guide, pointed out that operators of social media networks are called on to provide fair and full information about how the feature should work and how the resulting data is to be processed. Only if such transparency exists can voters gauge whether and to what extent the way in which the data gleaned from the applications in question are processed could have an influence on opinion forming or voter behaviour.

Facebook Ireland Ltd subsequently confirmed that the functions will be introduced on its social media platform one day before the elections and on election day itself. The features are to be displayed on the profiles of all Swiss voters and Facebook users. Facebook is not going to select certain users or user groups.

According to the written assurances given by Facebook, the features are solely intended to raise the awareness of users for the upcoming elections, and ultimately to encourage voter participation by allowing users to show on their profiles that they have cast their vote in the elections. Facebook stresses that the company will not process data relating to the political views of users in this context.

Furthermore, Facebook has demonstrated that the company has taken heed of the transparency requirements set out in our Guide. Facebook users can read about the various functions and features it employs by clicking on the links to the multi-level information pages (See the following links: Facebook Data Policy; Control who can see what you share; Why am I seeing a reminder about an election and voting on Facebook?; What information does Facebook use to show information about elections and government?).

 
 

Complete Revision of the Federal Act on Data Protection (FADP) goes to the Commission of the Council of States

25.09.2019 – Now that the National Council has dealt with the complete revision of the Federal Act on Data Protection (FADP) as the first chamber of parliament, the FDPIC hopes that the second chamber will be able to schedule the debate in its winter session and improve the protection of the Swiss population by aligning it with European standards.
 

 

Draft of new Data Protection Act to be debated in the National Council

30.08.2019 - Following its discussion of the Federal Council dispatch of 15 September 2017, the National Council’s political institutions committee decided on 16 August 2019 based on the casting vote of its president to remit the draft of the totally revised Data Protection Act to the plenary session of the National Council for debate.

The proposal made to the National Council contains several provisions which, in the version approved by a majority of the committee, would lead to a lower level of data protection for the Swiss population than in neighbouring European countries and to a partial reduction in the level of data protection afforded by the current Data Protection Act of 1992.

In its public debate on 24 and 25 September, the National Council will have the opportunity to compare the respective drafts of the committee’s majority and minority and to decide whether it wishes to improve the level of protection given to the Swiss population and adapt to European standards.

The summary with the requests of the Political Institutions Committee of the National Council for the revision of the Federal Data Protection Act has been published.

 
 
 
 
 

Postfinance: no equal treatment for customers under the current law

30.08.2019 - In a letter dated 13 June 2019 in response to an enquiry from the FDPIC, Postfinance AG confirmed that their Swiss customers will still be required to register an express objection if they do not wish their identity to be authenticated by voiceprint. In contrast, Postfinance makes authentication by voiceprint for foreign customers subject to their express consent. This unequal treatment, which the FDPIC has publicly criticised (see the report on SRF’s 10vor10 programme on 20.5.2019), is set to continue.

In its response to the FDPIC, Postfinance AG maintained that this difference in treatment is due to differences in the requirements of Swiss and foreign law, and that the adoption of foreign law to cover domestic circumstances is a political matter reserved to parliament. Postfinance AG will therefore continue to treat Swiss customers differently for as long as Swiss data protection law is not brought in line with EU law.

 
 
 
 

26th Annual Report: Switzerland must maintain its level of data protection

18.06.2019 - The FDPIC expects that the Federal Council and Parliament will continue to guarantee the Swiss population a level of data protection that is in line with its European neighbours by signing the Council of Europe Convention 108 in the near future and swiftly bringing to a close the complete revision of the Data Protection Act.

Link to the media release

 
 
 
 

Data Protection Day 2019 - 3 priorities for the Confederation and cantons: elections, police, OASI number 

28.01.2019 - Federal and cantonal data protection authorities' press release:

 
 

25th Annual Report: Freedom before security

25.06.2018 - Monitoring major digital projects has once again been the focus of activity for the FDPIC. The E-ID Act as the basis for using a SwissID, the risk report on using the OASI number as a universal personal identifier or the conditions that must be met by e-ticketing or public transport apps underline this prioritisation. As a supervisory authority, the Commissioner had to intervene to prevent the processing of data on compulsory health insurance and had to deal with data leaks at several large companies. As the Freedom of Information Commissioner, the FDPIC succeeded in achieving a substantial increase in the efficiency of his arbitration procedures and welcomed the National Council’s unanimous commitment to guaranteeing transparency in connection with public procurement – thus ensuring that the principle of freedom of information does not become a farce.


Selection of arbitrators for the Data Protection Arbitration Panel under the Swiss-U.S. Privacy Shield - First call for Interest

Deadline: April 30, 2018

06.04.2018 - According to Swiss law, personal data transmitted to the USA must be subject to an appropriate level of data protection. The Swiss-U.S. Privacy Shield serves this purpose. Thanks to this new legal framework, personal data can be transferred from Switzerland to a company in the USA, provided that the US company complies with a set of data protection rules and safeguards. This protection that is given to personal data applies to everyone who is resident in Switzerland. For this mechanism to become operational, a list of up to five arbitrators must be agreed between the Swiss administration and the DOC. In the event of a dispute, the parties may select the arbitral tribunal from the arbitration pool developed under the EU-U.S. Privacy Shield which has been supplemented by the pool developed under the Swiss-U.S. Privacy Shield. The call for interest has been published in the U.S. Federal Register and can be accessed under the following link: https://www.federalregister.gov/documents/2018/04/02/2018-06737/swiss-us-privacy-shield-invitation-for-applications-for-inclusion-on-the-supplemental-list-of

The deadline for applications is April 30, 2018. They must be submitted to David Ritchie at the U.S. Department of Commerce, either by email at david.ritchie@trade.gov or by fax at: 202-482-5522.

Dispatch concerning the revision of the Data Protection Act: the FDPIC's general assessment

15.09.2017 - The rapid development of information and telecommunications technology and the related digitalisation of society have required the Council of Europe and the European Union to further develop their data protection legislation, and have now necessitated the complete revision of the Federal Data Protection Act, which originally came into force in 1993. The draft act prepared by the Federal Council has the aim of increasing the protection of data by improving the transparency of data processing and increasing the options that data subjects have to control their own data. In addition, the revision of the Act should ensure consistency between the level of data protection in Switzerland and that in the EU. Having a level of data protection that is comparable with that in EU states is particularly important for Swiss businesses, especially because the new EU General Data Protection Regulation (EU-GDPR), which comes into force at the end of May 2018, will have a direct effect on many Swiss enterprises.


Last modification 07.03.2023
