Latest News

Federal Administration introduces public cloud-based application Microsoft 365  

07.03.2023 - The Microsoft Office 2021 applications that are currently still run locally throughout the Federal Administration are to be replaced by the public cloud-based Microsoft 365 application. The FDPIC will provide supervisory support for the outsourcing project.

In a press release dated 15.2.2023, the Federal Council announced that the version of Microsoft Office currently used by the Federal Administration would have to be replaced because important applications had reached the end of their lifecycle and would no longer be supported by Microsoft in a few years' time (probably 2026). The situation regarding the follow-on products is exceptional because the Federal Administration will only be able to use them via a public cloud connection. At present, the Federal Administration is effectively dependent on Microsoft’s Office products. A change of provider and product is currently considered too risky and too costly due to the numerous dependencies on specialised applications. In order to reduce dependency in the medium and long term, the examination of alternatives to Microsoft 365 will continue. As part of an exit strategy, the Federal Chancellery’s Digital Transformation and ICT Steering Sector (DTI) is also examining open-source alternatives. The introduction of Microsoft 365  will have to be accompanied by protective measures; in particular, users will not be allowed to store particularly sensitive data and confidential documents in the Microsoft cloud.

The DTI involved the FDPIC in its preliminary work on the introduction of Microsoft 365, in particular by submitting to it the drafts of an analysis of the legal requirements and the ISDP (information security and data protection) concept. In his comments, the Commissioner stated, among other things, that in his opinion it was uncertain how long it would remain technically feasible to run certain applications in the federal government's own IT centres instead of in the cloud operated by the US company Microsoft, as the DTI project envisages today. In view of this uncertainty, the Commissioner requested that alternatives to Microsoft 365 be put forward that are less problematic from a data protection perspective. He went on to request that a more detailed analysis be made of whether a sufficient legal basis exists for the processing of personal data in the cloud operated by the US company, and whether the principle of proportionality is maintained. Finally, the FDPIC requested that the DTI prepare a comprehensive data protection impact assessment that transparently shows the risks of outsourcing to the cloud. In this context, the Commissioner considered it essential that the problem of possible access by the US security authorities to personal data processed by the Federal Administration in the Microsoft cloud be analysed in depth.

In view of its concerns, the FDPIC welcomes the fact that the Federal Chancellery disclosed in its press release the problem of economic and technological dependence on the US company Microsoft and is continuing to examine alternatives, in particular open-source alternatives as part of an exit strategy. The FDPIC will provide supervisory support for the outsourcing project as well as in analysing the results of the search for alternatives, as well as the data protection impact assessment, which is still outstanding.

Data Protecion Day 2023 - topics: elections and new data protection legislation in the Confederation and cantons

27.01.2023 - Elections and votes at all federal levels in Switzerland now take place in a digitalised world. Those involved in forming political opinion use the potential of digitalisation to specifically target their campaigns at voters. In this, voters’ rights to privacy and self-determination may come under considerable threat. 

Anyone who processes data in the context of elections and votes must be aware that information on political and ideological views is classified as sensitive under both the current and the new Federal Data Protection Act. The latter will come into force on 1 September 2023, shortly before the upcoming general election of Parliament.

In updating their guide, the Federal Data Protection and Information Commissioner (FDPIC) and the Conference of Swiss Data Protection Commissioners (privatim) want to emphasise the tremendous importance attached to the principle of transparency under data protection law in the context of elections and votes. Voters have a right to understand which digital processing methods and technologies are being used to target them.

New data protection legislation in the Confederation and cantons

  • The FDPIC’s preparations for the new Data Protection Act (FADP), which comes into force on 1 September 2023, are going according to plan. There will be three ways of registering:
    Federal bodies can register their records of processing activities electronically (
  • Data protection advisors can also be registered via an electronic platform.
  • High-risk data security breaches must in future be reported to the FDPIC. A special portal has also been set up for this purpose. Instructions for data protection officers in both the public and private sectors is provided in the input mask. 

Before the new FADP comes into force, the FDPIC will launch a newly designed and completely revised website. All information will then reflect the requirements of the new law. There will also be explanations available on new instruments, such as the data protection impact assessment.

The cantons are also updating their data protection legislation to reflect the new European data protection requirements. An overview of what has been achieved so far is published on the privatim website and periodically updated.

Further information:

Cyber attack on Infopro AG – Status of the FDPIC's ongoing preliminary investigation and list of questions for Winbiz SA

14.12.2022 - The aim of the FDPIC's ongoing preliminary investigation is to supervise the work to regain control over compromised customer data and thus to ensure correct compliance with data protection information obligations. This work is being carried out under great time pressure.

The FDPIC has been in contact with those responsible at Infopro AG, the National Centre for Cybersecurity (NCSC), and the cantonal data protection authorities since the revelation that Infopro, which processes personal data on behalf of the company Winbiz, was the victim of a serious cyberattack.

In this context, the FDPIC has received enquiries from Infopro AG's business clients about this matter, which it is answering on an ongoing basis. Insofar as personal data is concerned, the FDPIC has drawn the attention of these customers to their obligations to provide information and limit damage under data protection law and has noted that the companies concerned are endeavouring to fulfil these obligations within a very narrow timeframe.

Since the beginning of this week, the FDPIC has also received requests from business clients of Fiducial Winbiz SA as they can no longer access their data, which was stored by Winbiz on the Infopro servers affected by the cyberattack. In addition, the FDPIC also received indications on 13 December 2022 that business clients of Fiducial Winbiz SA had allegedly gained access to data of other Winbiz clients. As part of the ongoing preliminary investigation, the FDPIC has today sent Fiducial Winbiz SA a list of questions and asked it to comment within a short time on the reported violation of access restrictions. 

Registering a data file - reporting inventories (DataReg)

17.11.2022 - When the new Data Protection Act (FADP) comes into force on 1 September 2023, the procedure for registering data files with the FDPIC will undergo a change. From this date onwards, only federal bodies will have to report their data processing activities to the FDPIC.

Until the new FADP comes into force, the FDPIC will maintain two registers for a short period – the new DataReg for reports from federal bodies in accordance with the new law, and the current register for reports from private individuals and entities in accordance with the law that applies at present.

More information

European Union-U.S. Data Privacy Framework (EU-U.S. DPF)

07.10.2022 - The FDPIC has taken note of the factsheet released by the US regarding the «Data Privacy Framework (DPF)» and is analysing it.

Oracle: Tracking technologies encroach on internet users' privacy rights

27.09.2022 - In a lawsuit filed in the US on 19 August 2022 against Oracle America Inc., plaintiffs raise serious allegations of unlawful tracking of internet users. Specifically, the lawsuit accuses Oracle of using tracking technologies to collect detailed data on 5 billion internet users, and compiling it in a database. Oracle also allegedly analysed and evaluated the information it collected in order to create a dossier on each of the data subjects. In addition to names and addresses, all types of internet activity are recorded, for example purchasing behaviour, GPS data and health information – even across devices. The lawsuit claims that Oracle tracks internet users by means of various technologies, in particular cookies and pixels, as well as JavaScript code integrated in websites and apps.

Implications for Switzerland

The FDPIC is currently analysing the allegations made in the lawsuit with regard to possible breaches of privacy against the Swiss population. It is known that Oracle provides cookies, pixels and JavaScript code for website operators and applications. By embedding these elements in websites, Oracle receives the information on internet users that is collected across websites and mobile apps. The FDPIC's initial investigations have shown that the tracking technologies listed in the lawsuit are also widely used in Switzerland. Persons from Switzerland are therefore also affected by Oracle's tracking.

Clarifications are now underway to determine the extent to which Swiss website operators and app providers are in violation of the data protection principles under the Swiss Data Protection Act by integrating the tracking technologies. The focus here is on the principles of transparency and proportionality, as well as the need to grant explicit consent to create personality profiles and process sensitive personal data.

Protective measures against unwanted tracking in the digital space

Website operators and app providers have a duty to check in advance which technologies they are using and whether these technologies may be tracking website visitors or mobile app users. If they are in fact tracking users, either the technology must be removed or the users must be provided with transparent and understandable information about how the data is processed, its purpose and their ability to object, as well as the possibility that their data will be transferred abroad. Furthermore, website operators and app providers must offer an easy way for users to deny consent to use their data (opt-outs or using default settings such as ‘Do not track’). Since tracking violates the personal privacy of data subjects, users must explicitly consent to tracking (opt in) when personality profiles are created or sensitive personal data is processed.

Internet users can protect themselves against unwanted tracking on the internet by deliberately selecting a private internet browser and adjusting their settings accordingly. They can also use ad blockers and add-ons or extensions to prevent the collection of their data.

In addition to complying with data protection principles, operators of databases containing personal data must always ensure the rights of data subjects. This means that any person can request information from the data controller (in this case the website or app operator) about what personal data is being processed about them, why it is being processed, and who can access it. Anyone who does not agree to the further processing of their data can request that it be deleted.

For the time being, the FDPIC has taken note of the serious allegations made in the lawsuit, is analysing them and their possible implications for Switzerland. He wrote to Oracle Software (Switzerland) GmbH on 2 September 2022 and reserves the right to take further steps if necessary.

08.07.2022 - Credential stuffing: report and guidelines

08.07.2022 - In its latest report, the Global Privacy Assembly identifies credential stuffing as a growing threat to personal data. The related guidelines provide users with information on security measures that can be taken to protect against this threat.

Credential stuffing is a form of cyberattack that exploits people’s tendency to use the same user name and password combinations for multiple online accounts. These attacks are automated and often perpetrated on a large scale. The stolen login data are used to gain access to accounts on various internet platforms.

The report, published by the International Enforcement Working Group (IEWG) as part of the Global Privacy Assembly (GPA), includes contributions from the Federal Data Protection and Information Commissioner as well as data protection authorities from the UK, Canada, Gibraltar, Jersey and Turkey. It emphasises the growing trend of credential stuffing attacks and provides information on how organisations and individuals can prevent, recognise and minimise their risk.

The Global Privacy Assembly considered the multi-factor authentication for online accounts as the most effective protection against credential stuffing.

Bringing together more than 130 data protection authorities from around the world, the Global Privacy Assembly is one of the leading organisations globally for data protection and privacy authorities.

The report and guidelines can be found at the following links:

13.06.2022 - Outsourcing of personal data processing by Suva to a Microsoft cloud service

13.06.2022 - In view of certain differences of legal opinion, the FDPIC is advising Suva to reconsider the decision to outsource its personal data processing to a cloud service operated by the US company Microsoft.

On 10 December 2021 Suva voluntarily sent the FDPIC a document entitled Risk Assessment Project Digital Workplace M365. This project concerns the outsourcing – imminent at the time – of Suva's personal data processing from an on-premises solution, i.e. on its own infrastructure, to a data centre operated on Swiss territory by the US company Microsoft. 

After studying the documentation voluntarily submitted to him, the Commissioner welcomes the fact that Suva presented its outsourcing project for an independent data protection review. However, he advises Suva to reassess the outsourcing forthwith. 

In view of the widespread use of Microsoft products and services throughout the private and public sectors in Switzerland, this outsourcing project is of interest to a broad public, which is why the Commissioner is publishing his summary statement in this regard. 

As there is not yet any legal precedent in Switzerland on the outsourcing issue raised, the FDPIC, with Suva's approval, is also publishing Suva's written response, which reveals differences of opinion in certain respects.

Depending on the evolution of the situation and the legal position, the Commissioner reserves the right to take supervisory action ex officio at a later stage.

Rencontre du PFPDT avec la délégation tunisienne à Berne

12.05.2022 - Le Préposé fédéral à la protection des données et à la transparence, M. Adrian Lobsiger, a rencontré le 11 mai 2022, à Berne, ses homologues tunisiens.
Leurs échanges ont principalement porté sur les différents cadres législatifs et sur les enjeux liés à la numérisation croissante de la société. La coopération internationale joue un rôle incontournable dans les activités du PFPDT et cette rencontre montre l'importance qui lui est accordéedifférents cadres législatifs et sur les enjeux liés à la numérisation croissante de la société. 

de gauche à droite: Chawki Gaddes, Président de l'INPDP (Instance nationale de protection des données personnelles) et de l'AFAPDP (Association francophone des autorités de protection des données personnelles); Adrian Lobsiger, Préposé fédéral à la protection des données et à la transparence (PFPDT); Adnen Lassoued, Président de l'INAI (Instance nationale d'accès à l'information)

Update Mitto AG

23.12.2021 - In the preliminary investigation now opened, the FDPIC has contacted Mitto AG and the mobile phone operators in Switzerland.

The latter have confirmed that they cooperate with Mitto AG, but have pointed out that technical measures are in place to prevent unauthorised access to personal data. On the basis of this initial feedback, the FDPIC has no indications for the time being that any misconduct has occurred to the detriment of people in Switzerland.

In the coming weeks, the FDPIC will receive further and more detailed information on the facts of the case. After evaluating this information, we will decide on the further course of action and inform the public.

Press release (07.12.2021)

The transfer of personal data to a country with an inadequate level of data protection based on recognised standard contractual clauses and model contracts

27.08.2021 - In its statement of 27 August 2021, the FDPIC recognises the standard contractual clauses for the transfer of personal data to third countries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (pursuant to Implementing Decision 2021/914/EU) as the basis for personal data transfers to a country without an adequate level of data protection, provided that the necessary adaptations and amendments are made for use under Swiss data protection law.

The following explanations show which adaptations and amendments must be made.  The standard contractual clauses pursuant to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU), the Swiss Transborder Data Flow Agreement (for outsourcing of data processing) of November 2013 and Council of Europe model contract to ensure equivalent protection in the context of cross-border data flows can still be notified until 27 September 2021 and continue to be used during a transitional period until 31 December 2022. 

FDPIC comments on the transfer of data to the United States Securities and Exchange Commission

04.08.2021 - The FDPIC has issued the following memorandum to the US Securities and Exchange Commission (SEC) on the question of the lawfulness of the transfer of data from Swiss asset managers to the US supervisory authority:

FDPIC recommends use of COVID Certificate Light at Swiss events

19.07.2021 - Using the latest version of the COVID certificate app, a data protection-friendly Certificate Light can be generated easily. The Certificate Light does not contain any health data. The FDPIC recommends the public to use the Light certificate at events in Switzerland.

While monitoring the development of the COVID certificate, which is primarily intended for travel abroad, the Federal Data Protection and Information Commissioner (FDPIC) lobbied for the federal government to provide a second, data-minimised 'Light' certificate. With the latest version of the COVID certificate app, the Certificate Light can now be generated simply and easily:

Link on FOPH website: COVID certificate (

The FDPIC recommends that the public use the data protection-friendly (i.e. data-minimised) Certificate Light in Switzerland (in particular when attending large events). 

When the Certificate Light is activated in the normal COVID certificate display, a new QR code is created from the available that does not contain health data. The Certificate Light only contains the information required to identify the holder and an electronic signature. This eliminates the risk of health data (such as details of the vaccine used) being read without authorisation when the certificate is checked. This can happen if verification apps other than the COVID Certificate Check app provided by the federal government are used. The Certificate Light, which is also forgery-proof, can only be used in Switzerland and must be regenerated in the app after 48 hours. This short validity period was deliberately chosen so that there is no indication as to whether the certificate was issued based on a test, vaccination or recovery.

New FADP: five new posts from July 2022

13.07.2021 - The Federal Council has approved five new posts for the FDPIC in anticipation of the new Federal Act on Data Protection (FADP) coming into force in the second half of 2022. This is in addition to the three posts previously approved in 2019, which have since been filled. Subject to Parliament’s approval of this expansion, with the federal decree on the 2022 budget in December 2021, the FDPIC will begin recruiting for the five new posts from 1 July 2022. 

In recruiting for these five vacancies, the FDPIC will strive to cover its extended range of tasks and responsibilities. This is particularly relevant for its new duty to deal with all individual complaints that are more than 'of minor importance'.

Covid certificate dispels major data protection concerns

04.06.2021 - At its press conference today, the Federal Council explained the creation and introduction of the COVID-19 certificate. By offering the option of providing certificates in paper form, and creating an additional minimal data QR code for use in Switzerland, the Federal Council has dispelled key concerns raised by the Federal Data Protection and Information Commissioner (FDPIC).

In line with his statutory duties, in recent weeks the FDPIC has been advising the Federal Office of Public Health (FOPH) and the Federal Office of Information Technology, Systems and Telecommunication (FOITT) on the legal and technical development of the COVID-19 certificate.  For the most part, the offices have taken account of the data protection concerns raised by the Commissioner. 

  • The Commissioner firstly welcomes the fact that the certificate can not only be used on electronic devices, but will also be available in paper form – this avoids creating a de facto obligation for everyone to carry a smartphone.

  • Secondly the Commissioner was successful in ensuring that the FOITT was instructed to develop a second, minimal data QR code for use in Switzerland, in addition to the EU-compatible QR code for cross-border travel. This second code guarantees a minimum of data will be visible when reading the certificate. Persons using this second code prevent unauthorised software being used when scanning certificates to ascertain why a certificate is valid or invalid. This means, for example, that staff checking persons entering a large-scale event will be unable to find out whether a certificate holder is entitled to attend the event because he or she has been vaccinated, has recovered from the disease or has tested negative. 

Given that information on vaccination, testing and recovery are data on a person’s health condition, the Commissioner nevertheless views with some concern that, ahead of the certificate’s introduction, "sufficient evidence" will be accepted at pilot events during a transitional phase. He also regrets that the minimal data QR code can only be made available to the population in a second phase. He will undertake to ensure that these transitional arrangements apply for as short a time as possible.

The new FADP from the FDPIC’s perspective

05.03.2021 - Until the new FADP comes into force, the private sector and federal authorities will have to adapt their processing of personal data to the new provisions. The FDPIC outlines below the most important alterations that they need to take into consideration.

(The integral document is attached below as a pdf)

Breakthrough for up-to-date data protection

25.09.2020 - In its final vote, the Parliament adopted today the total revision of the Federal Act on Data Protection (FADP). It was able to resolve the remaining differences standing in the way of more up-to-date protection of privacy.

The FDPIC welcomes the completion of the total revision of the Data Protection Act that the Federal Council submitted for parliamentary deliberation in a dispatch three years ago. This enhances the Swiss public’s right to privacy and to determine how their data are used, better reflecting today’s digital reality.

The FDPIC will offer a more detailed statement on the revised law once the ongoing referendum period has expired.


Court of Justice of the European Union (CJEU) ruling on European standard contractual clauses and the EU-US Privacy Shield

16.07.2020 - In its judgment of 16 July 2020 in Case C-311/18 Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems, the Court of Justice annulled Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield. However, the EU Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries remains valid.

The FDPIC has taken note of the CJEU ruling. This ruling is not directly applicable to Switzerland. The FDPIC will examine the judgement in detail and comment on it in due course.

Link to the CJEU press release

Press release of 08.09.2020: FDPIC considers CH-US Privacy Shield does not provide adequate level of data protection 


Update Proximity Tracing App: technical security of the SwissCovid app confirmed

12.06.2020 - After reviewing the NCSC report on Risk Estimation Proximity Tracing published today, the FDPIC has confirmed his assessment that the Swiss proximity tracing system operated by the Federal Office of Public Health and the SwissCovid app are data protection compliant. 

Report from the National Cyber Security Centre (NCSC) 

The FDPIC is aware of the widespread criticism of Google and Apple’s failure to disclose the API (application programming interface) for the SwissCovid app. The situation, however, is not new. The data protection impact assessment of 1 May 2020 and the report from the National Cyber Security Centre (NCSC) of 28 May 2020, which is published today, also make reference to this lack of disclosure.

The SwissCovid app is based on globally standardised interfaces and their underlying operating systems. The source code for the operating systems and the interfaces is partially available in some cases or not available at all. This issue is known and is not specific to the SwissCovid app.

In the FDPIC’s opinion, when compared to other everyday uses that public makes of the smart devices offered by these two manufacturers, the use of the Google and Apple APIs for the SwissCovid app does not represent a significantly greater risk to their personal data. Anyone who assumes that Google and Apple, regardless of their legal responsibilities and the reputational risks, would disregard the restrictions on use they have promised for the SwissCovid app, should be aware of the following: the use of the SwissCovid app would have to be based on Google or Apple operating systems and their general Bluetooth interfaces even if their proximity tracing API were not used.

In order to be consistent, anyone who mistrusts these manufacturers whatever they may do would have to refrain from using not only the SwissCovid app, whatever its design, but also any other smart devices or operating systems offered by Apple and Google. This option always remains open.

For further information, we would refer you to the full text of our assessment:

Full text (in German) (PDF, 134 kB, 12.06.2020)


Coronavirus protection plans

19.05.2020 - The FDPIC supervises the implementation of the protection plans by private companies. He attaches importance to the fact that the procurement and transfer of personal data within the framework of these plans is voluntary.

As part of the easing of measures to contain the corona pandemic, the Federal Council in Ordinance 2 on Measures to Combat the Coronavirus (COVID-19; SR 818.101.24) has made the resumption of activities and the re-opening of businesses and institutions conditional on the introduction of precautionary measures (s. FOPH's recommendations for the workplace and schools).

It is the responsibility of the businesses and institutions concerned to implement their own precautionary measures. Where this requires them to process the personal data of customers, members, employees, etc., this will be carried out under the FDPIC’s oversight. The FDPIC will seek to ensure that businesses and institutions respect the principles of the Federal Data Protection Act, in particular that of proportionality. Depending on the sector and the size of the business or institution, in-house legal and data protection advisers will also help to implement the precautionary measures in accordance with data protection law.

The FDPIC regards it as important the customers, etc., will be under no obligation to provide  their personal data as part of the precautionary measures and that they cannot be indirectly compelled to provide data, e.g. by making the provision of goods and services dependent on doing so.

The FDPIC takes the view that using direct or indirect pressure to obtain and process data relating to customers, etc., constitutes an invasion of privacy and of a person’s autonomy over their own information. This is incompatible with the principle of proportionality, other than in the case of mandatory data processing requirements based on precisely defined principles of federal and cantonal public law.


Measures for the safe use of audio and video conferencing systems 

01.05.2020 - The coronavirus pandemic is showing people all over Switzerland and, indeed, the world how a single event can completely change our surroundings and the way we do things. From one day to the next, it was no longer possible for us to meet friends and family in person, or exchange information with colleagues and hold meetings at our offices. In our work and in our private lives, we have abruptly switched to digital solutions such as audio or video conferencing systems. Despite the rush with which business meetings, children’s ‘visits’ with their grandparents, or even parties have been moved online, we must not forget how important information security and data protection continue to be.

The first part of this information sheet lists measures we recommend you take to ensure that the audio or video conferencing system you are using during this crisis is safe. You should make sure to reassess your choice of service – either immediately or at a later point in time – by carrying out a risk analysis according to data protection criteria. If necessary, choose a different service more suitable to your needs. This information sheet also contains a list of points to observe when setting up and introducing an audio or video conferencing system, to ensure it complies with data protection guidelines 

The information sheet deals with exactly these issues, and is aimed at all user groups – both in business and in private life.


Update Libra

20.04.2020 - Libra informs on FINMA's application and intensifies work on the data protection concept.

On 16 April 2020, the Libra Association informed the FDPIC that it had submitted an application to FINMA for authorisation as a payment system (cf. the information published by FINMA). At the same time, it also informed the FDPIC that work on the data protection concept was underway and had been intensified.


Legal data protection framework for coronavirus containment

17.03.2020 - The authorities, in cooperation with health institutions, are doing everything possible to stem the rapid spread of the coronavirus. Insofar as private individuals (in particular employers) process personal data to combat the pandemic, the principles set out in Article 4 of the Federal Act on Data Protection must be respected.

1. Data processing by health care institutions

Following the declaration of the special situation in accordance with Art. 6 of the Epidemics Act (EpidA) by the Federal Council, the federal, cantonal and communal authorities are continuing to work in conjunction with public health institutions to combat the current coronavirus pandemic.

The Federal Office of Public Health (FOPH), the competent cantonal authorities and the public and private institutions entrusted with tasks in accordance with the EpidA process personal health data in accordance with Section 2 of the EpidA, insofar as this is necessary to identify persons who are ill, suspected of being ill, infected or suspected of being infected, with a view to measures to protect public health. In doing so, they shall also observe the general principles of federal and cantonal data protection legislation. Hospitals and other public or private health care institutions, as well as laboratories and medical personnel, are also subject to special reporting obligations under the EpidA.

2. Data processing by private parties

Insofar as private parties, in particular employers, process personal data to combat the pandemic, the processing must be carried out in compliance with the principles set out in Article 4 of the Federal Data Protection Act:

  • Health data are particularly worthy of protection and, as a matter of principle, may not be obtained by private parties against the will of the persons concerned.
  • Moreover, processing of health data by private parties must be purpose-related and proportionate. This means that they must be necessary and suitable with a view to preventing further infections and must not go beyond what is necessary to achieve this goal.
  • Wherever possible, appropriate data on flu symptoms such as fever should be collected and passed on by those affected themselves.
  • The collection and further processing of health data by private third parties must be disclosed to the data subjects so that the latter understand the purpose and scope of the processing as well as its content and time frame.

3. Body temperature and tracking

Insofar as private individuals collect medical data such as body temperature before entering buildings or workplaces for the purpose of preventing infection, the processing of this data is to be limited to the minimum necessary to achieve the purpose in terms of its content and time. The information and self-determination of the persons concerned must be respected when collecting data. In this context, answering extensive questions about the state of health to non-medical persons proves to be inappropriate and disproportionate.

The same applies to personal data processed by private individuals in connection with operational and organizational measures to prevent infection. At the latest when the pandemic threat has ceased to exist, these data must be deleted as a whole.

If the use of digital methods for the collection and analysis of mobility and proximity data is considered, they must prove to be proportionate to the purpose of preventing infection. They are only so if they are epidemiologically justified and suitable to have an effect justifying the intervention in the personal rights of the persons affected in order to contain the pandemic in the its current stage.


What impact does Brexit have on cross-border data flows?

31.01.2020 - Following the referendum held in the United Kingdom in June 2016, the British government announced its decision to withdraw from the European Union (Brexit). The United Kingdom will leave the EU on 31 January 2020.

Cross-border transmission of personal data under the Federal Act on Data Protection (FADP)
Cross-border data transmission must comply with the provisions of Article 6 of the Data Protection Act (FADP). According to this article data may only be disclosed abroad if the receiving country has legislation guaranteeing an adequate level of data protection (Art. 6 para. 1 FADP) or if, in the absence of such legislation, it has other provisions or safeguards for ensuring an adequate level of protection (Art. 6 para. 2 letters a and g FADP). Under Article 31 para. 1 let. d FADP, the Federal Data Protection and Information Commissioner (FDPIC) provides an opinion on whether a country’s level of protection is adequate to allow all data transfers to that country. This requires that the data receiver is subject to legislation ensuring a level of protection that is comparable with Swiss law, i.e. legislation that guarantees the rights of the data subjects, that respects the main principles of data protection and that provides for an independent supervisory authority. A list of countries complying with these requirements is published on the FDPIC website (Art. 7 DPO). This list is updated on a regular basis.

United Kingdom and Gibraltar
The UK and Gibraltar currently have an adequate level of data protection; for the moment the FDPIC has no grounds for changing their status on the country list. As regards the legal consequences of Brexit on the protection of personal data as of 1 February 2020, the British authority responsible for protecting personal data, the Information Commissioner’s Office (ICO), states on its website that the UK will continue to guarantee a high level of personal data protection.

However, if the FDPIC decides to change the status of the UK or Gibraltar on its country list, businesses will be notified in due course so that they can prepare themselves, in particular by using standard contracts. 

The EU will decide by the end of 2020 whether the UK has an adequate level of data protection. The FDPIC is monitoring developments closely.

Further information:

FDPIC, Transfer of personal data abroad

FDFA, Directorate for European Affairs DEA: FAQ Brexit

ICO, Statement on data Protection and Brexit implementation

ICO, Data Protection and Brexit

European Commission, UKTF, Task Force for Relations with the United Kingdom


Second chamber concludes consultation on Data Protection Act (DPA)

18.12.2019 - The FDPIC welcomes the fact that the Council of States has debatted the totally revised DPA and has adopted most of the improvements proposed by its Commission in comparison to the National Council version.


The Data Protection Act goes to the Council of States in the winter session

20.11.2019 - The FDPIC welcomes the fact that, within the short time available up to the end of the session, the Political Institutions Committees of the Council of States (PIC-S) has succeeded in adopting a legislative text for the attention of the Plenum of the Council of States that is ready for consultation and significantly improved on the version of the National Council.

Press Release of the PIC-S (in German)

see also:

30.08.2019 - Draft of new Data Protection Act to be debated in the National Council


Facebook to introduce special features in Switzerland for the elections

17.10.2019 – On the eve of the federal parliamentary elections on 20 October, Facebook is set to introduce features aimed to appeal to Swiss users of its social media platform. The company confirmed the plans following an enquiry made by the Federal Data Protection and Information Commissioner. The FDPIC welcomes the company’s transparency.

After the Federal Data Protection and Information Commissioner (FDPIC) learned through various reports that Facebook was planning to introduce features on its social media platform in connection with Switzerland’s 2019 parliamentary elections such as a ‘voter button’, he wrote to the company requesting further information.

In his letter, the FDPIC, referring to sections 5.3 and 7 of the FDPIC’s Guide, pointed out that operators of social media networks are called on to provide fair and full information about how the feature should work and how the resulting data is to be processed. Only if such transparency exists can voters gauge whether and to what extent the way in which the data gleaned from the applications in question are processed could have an influence on opinion forming or voter behaviour.

Facebook Ireland Ltd subsequently confirmed that the functions will be introduced on its social media platform one day before the elections and on election day itself. The features are to be displayed on the profiles of all Swiss voters and Facebook users. Facebook is not going to select certain users or user groups.

According to the written assurances given by Facebook, the features are solely intended to raise the awareness of users for the upcoming elections, and ultimately to encourage voter participation by allowing users to show on their profiles that they have cast their vote in the elections. Facebook stresses that the company will not process data relating to the political views of users in this context.

Furthermore, Facebook has demonstrated that the company has taken heed of the transparency requirements set out in our Guide. Facebook users can read about the various functions and features it employs by clicking on the links to the multi-level information pages (See the following links: Facebook Data Policy; Control who can see what you share; Why am I seeing a reminder about an election and voting on Facebook?; What information does Facebook use to show information about elections and government?)


Complete Revision of the Federal Act on Data Protection (FADP) goes to the Commission of the Council of States

25.09.2019 – Now that the National Council has treated the complete revision of the Federal Act on Data Protection (FADP) as first chamber of parliament, the FDPIC hopes that the second chamber will be able to schedule the debate in its winter session and improve the protection of the Swiss population by aligning it with European standards.


Draft of new Data Protection Act to be debated in the National Council

30.08.2019 - Following its discussion of the Federal Council dispatch of 15 September 2017, the National Council’s political institutions committee decided on 16 August 2019 based on the casting vote of its president to remit the draft of the totally revised Data Protection Act to the plenary session of the National Council for debate.

The proposal made to the National Council contains several provisions which, in the version approved by a majority of the committee, would lead to a lower level of data protection for the Swiss population than in neighbouring European countries and to a partial reduction in the level of data protection afforded by the current Data Protection Act of 1992.

In its public debate on 24 and 25 September, the National Council will have the opportunity to compare the respective drafts of the committee’s majority and minority and to decide whether it wishes to improve the level of protection given to the Swiss population and adapt to European standards.

The summary with the requests of the Political Institutions Committee of the National Council for the revision of the Federal Data Protection Act has been published.


Postfinance: no equal treatment for customers under the current law

30.08.2019 - In a letter dated 13 June 2019 in response to an enquiry from the FDPIC, Postfinance AG confirmed that their Swiss customers will still require to register an express objection if they do not wish their identity to be authenticated by voiceprint. In contrast, Postfinance makes authentication by voiceprint for foreign customers subject to their express consent. This unequal treatment, which the FDPIC has publicly criticised, (see the report on SRF’s 10vor10 programme on 20.5.2019) is set to continue.

In its response to the FDPIC, Postfinance AG maintained that this difference in treatment is due to differences in the requirements of Swiss and foreign law, and that the adoption of foreign law to cover domestic circumstances is a political matter reserved to parliament. Postfinance AG will therefore continue to treat Swiss customers differently for as long as Swiss data protection law is not brought in line with EU law.


26th Annual Report: Switzerland must maintain its level of data protection

18.06.2019 - The FDPIC expects that the Federal Council and Parliament will continue to guarantee the Swiss population a level of data protection that is in line with its European neighbours by signing the Council of Europe Convention 108 in the near future and swiftly bringing to a close the complete revision of the Data Protection Act.

Link to the media release


Data Protection Day 2019 - 3 priorities for the Confederation and cantons: elections, police, OASI number 

28.01.2019 - Federal and cantonal data protection authorities' press release:


25th Annual Report: Freedom before security

25.06.2018 - Monitoring major digital projects has once again been the focus activity for the FDPIC. The E-ID Act as the basis for using a SwissID, the risk report on using the OASI number as a univer-sal personal identifier or the conditions that must be met by e-ticketing or public transport apps underline this prioritisation. As a supervisory authority, the Commissioner had to intervene to prevent the processing of data on compulsory health insurance and had to deal with data leaks at several large companies. As the Freedom of Information Commissioner, the FDPIC succeeded in achieving a substantial increase in the efficiency of his arbitration procedures and welcomed the National Council’s unanimous commitment to guaranteeing transparency in connection with public procurement – thus ensuring that the principle of freedom of information does not become a farce.


Selection of arbitrators for the Data Protection Arbitration Panel under the Swiss-U.S. Privacy Shield - First call for Interest

Deadline: April 30, 2018

06.04.2018 - According to Swiss law, personal data transmitted to the USA must be subject to an appropriate level of data protection. The Swiss-U.S. Privacy Shield serves this purpose. Thanks to this new legal framework, personal data can be transferred from Switzerland to a company in the USA, provided that the US company complies with a set of data protection rules and safeguards. This protection that is given to personal data applies to everyone who is resident in Switzerland. For this mechanism to become operational, a list up to five arbitrators must be agreed between the Swiss administration and the DOC. In the event of a dispute, the parties may select the arbitral tribunal from the arbitration pool developed under the EU-U.S. Privacy Shield which has been supplemented by the pool developed under the Swiss-U.S. Privacy Shield. The call for interest has been published in the U.S. Federal Register and can be accessed under the following link:

The deadline for applications is April 30, 2018. They must be submitted to David Ritchie at the U.S. Department of Commerce, either by email at or by fax at: 202-482-5522.

Dispatch concerning the revision of the Data Protection Act: the FDPIC's general assessment

15.09.2017 - The rapid development of information and telecommunications technology and the related digitalisation of society have required the Council of Europe and the European Union to further develop their data protection legislation, and have now necessitated the complete revision of the Federal Data Protection Act, which originally came into force in 1993. The draft act prepared by the Federal Council has the aim of increasing the protection of data by improving the transparency of data processing and increasing the options that data subjects have to control their own data. In addition, the revision of the Act should ensure consistency between the level of data protection in Switzerland and that in the EU. Having a level of data protection that is comparable with that in EU states is particularly important for Swiss businesses, especially because the new EU General Data Protection Regulation (EU-GDPR), which comes into force at the end of May 2018, will have a direct effect on many Swiss enterprises.


Last modification 07.03.2023

Top of page