The FADP provides an overall framework and deals with data protection using principles similar to those applied in other countries. The Act extends the protection of private persons provided by the Swiss Civil Code (SCC) and regulates in a more detailed manner the processing of data by Federal authorities. Private persons need no authorisation to process data and registration with the Federal Data Register is required only in certain specific cases. Although the majority of interested parties asked for separate treatment of the private and public sectors, the law covers both in order to ensure harmonised development and to facilitate the access of individuals to the data protection system.
Structure of the Federal Act on Data Protection
- Objective, Scope and Definitions
- General Provisions on Data Protection
- Processing of Personal Data by Private Persons
- Processing of Personal Data by Federal Authorities
- The Swiss Federal Data Protection and Information Commissioner
- Legal protection: The Swiss Federal Administrative Court
- Penal Sanctions
- Final Provisions
The purpose of the FADP is to protect the privacy, interests and fundamental rights of data subjects. Furthermore, its central goals are:
- the maintenance of good data file practice; and
- the facilitation of international data exchange by providing a comparable level of protection.
The FADP is very wide in its scope and applies to personal data file activities carried out by Federal authorities, private organisations and individual private persons (excluding those for normal private purposes). While data collections kept by journalists and by the media are covered under Art. 10, they benefit from several exemptions (i.e. provisions regarding freedom of the press and speech).
The law covers data relating to both private and legal persons and applies to electronic data processing (EDP) as well as manual files (Art. 2, Art. 3 para. a). The transfer of data abroad is not permitted if adequate data protection cannot be assured (Art. 6 para. 1). Whereas prior to the revision, "equivalent data protection" in the target country was required as well as the notification of the FDPIC if the disclosure of data was not due to a legal requirement and if the person concerned was not informed, a new practice has been introduced for two reasons: The first is that the number of notifications has been very modest in comparison with the total number of assumed international data transfers. Second, the Data Protection and Information Commissioner does not have the necessary resources to verify all notifications before the data are disclosed. Therefore, the law now emphasizes the duty of due care which applies both to private individuals and federal bodies who may be involved in cross-border data disclosure. This practice corresponds with European standards. Any processing must ensure accuracy and be balanced. Data must be secured against unauthorised access. Furthermore, the data subject must be informed of the purpose of the collection, have a right of access (Art. 8) and have the right to correct errors (Art. 5).
Sensitive data - such as that relating to religion, political beliefs, trade union activities, health, race, social assistance or criminal records - enjoy more effective protection in various respects.
All data files held by Federal authorities must be registered with the Federal Data Protection Commissioner. Private persons only have to register data collections if they include sensitive data or if the data is communicated regularly to third persons, and where the file controller is not under a legal obligation to process the data. So far, little attention has been paid to the FDPIC's register of data files. The revision of the law is designed to correct this situation. The register will be published on the internet. The notification procedure is also to be simplified. Thus, the owners of data sets will in future be able to register online. The system will initially be limited to the federal administration, but it will soon be opened up for use by the general public.
The demand for more transparency in data processing (Art. 4, para. 4, Art. 7a) also has an impact on the duty to register data collections. Federal bodies must continue to register their data collections as in the past. However, the requirement has been extended to cover the private sector. As a result, all owners of data sets will be required to register their collections if they regularly process highly sensitive personal data or personality profiles, or if they regularly disclose personal data to third parties, even if the persons concerned have been duly informed. As a result, it is now compulsory to register all data collections which were not subject to a registration obligation before the entry into force of the revised Data Protection Act. Although the revision is not explicit on the issue, the FDPIC will grant the owners of data collections one year in which to adapt their practices to the new provisions (by analogy with Art. 38 of the Data Protection Act). Data collections will have to be registered before they can be opened (Art. 11a, para. 4).
However, the law also provides for certain exceptions to the compulsory registration requirement (Art. 11a, para. 5).
The Federal Council established the detailed rules relating to the implementation of the FADP.
Private Sector Legislation
The collecting of personal data by private persons must not harm the privacy or personality of the data subject. In general, there is no violation if the data has been made publicly available without expressly prohibiting processing (Art. 12 para. 3). The acquisition of the data and the purpose for which they are to be processed must in any case be readily identifiable by the data subject. There is a duty to actively inform the data subject if particularly sensitive personal data or personality files are involved.
Processing can be justified by consent, by law or by an overriding private or public interest, such as:
- data collection in connection with the conclusion of a contract,
- credit information,
- research and statistics (provided no individual data subject can be identified), or
- publication in the media.
Private persons can instruct third parties to process data on their behalf if no secrecy obligation is violated. In such cases, third parties may assert the same justifications as the file controller (Art. 10a).
Art. 11 is a first step towards self-regulation which is intended to supplement and give substance to legal requirements. According to this provision, the manufacturers of data processing systems or programmes, as well as private individuals or federal bodies, who process personal data, may have their systems, processes and organisation certified by a recognised independent certification authority.
Public Sector Legislation
In the public sector, the FADP regulates the collection and processing of data by Federal authorities only. The activities of cantonal and communal authorities are governed by cantonal law. The majority of Swiss cantons have introduced legislation on data protection with rules similar to those at a Federal level.
Federal authorities may collect and process personal data only if authorised to do so or in order to fulfil a legal obligation (Art. 17).
Personal data can only be made available to third parties if there is clear legal justification, to fulfil legal obligations, or if consent has been given (Art. 19). There are no legal restrictions on the communication of a data subject's name, address and date of birth. Personal data may only be used for statistics, planning and research if (i.e. in case of publication) the individuals involved cannot be identified through the data (Art. 22).
Art. 17a introduces a further formal exception to the terms of the law with regard to the processing of particularly sensitive personal data or personality profiles. It is a kind of transitional provision that allows the Federal Council (government) to authorise such processing even before the relevant legal basis has been adopted if the technical implementation of a particular type of processing or an IT system cannot be done without a test phase.
Federal Data Protection and Information Commissioner FDPIC
The Swiss Federal Data Protection and Information Commissioner (FDPIC) is appointed by the Federal Council and supervises the compliance of Federal authorities with the FADP (Art. 27). In the private sector, the FDPIC acts as an "ombudsman". The Commissioner can only investigate and give binding decisions to private persons in cases where data collections have been registered, in cases of cross-border transfers, and if the methods of data processing endanger the privacy of a larger number of individuals (Art. 29).
The revision of the Data Protection Act also introduces a few changes in the responsibilities of the FDPIC (cf. Art. 29, para. 2c, Art. 31, para. 1d to 1g). In future, if the Federal Chancellery and Departments (ministries) override a recommendation of the FDPIC to any part of the federal administration, he will be able to file a complaint with the Federal Administrative Court against their disposition.
Federal Administrative Court
The Federal Administrative Court acts as an appeal body in relation to decisions of Federal authorities with regard to data protection as well as in relation to cantonal judgements based on Federal public law on data protection.
Private persons violating their obligations with respect to information, notification and granting access to information are punishable by fine or detention. Unauthorised access to sensitive data is punishable by fine or imprisonment, i.e. the data subject enjoys all usual remedies available under normal civil procedure (i.e. injunctions, right to restitution, or right to claim damages).