III. Obligations of File Controllers and Rights of Data Subjects

The data subject generally has the right to inspect and to correct false, incomplete or erroneous data. This right may only be restricted if there is an overriding public or private interest in doing so. Unlike in other countries, however, there is no obligation of automatic notification.

The acquisition of the data and the purpose for which they are to be processed must be readily identifiable by the data subject. There is a duty to actively inform the data subject if particularly sensitive personal data or personality files are involved.

The file controller has the responsibility of ensuring the security of the data and is required to prohibit unauthorised access. Under the FADP, the Federal Council has the flexibility to issue detailed regulations on security procedures not only in the public, but also in the private sector.