Frequently asked questions on data protection concerns

Advertising

• I receive unwanted advertising by e-mail - how can I stop it?

  You can find the answer to this question here: advertising and marketing

• I receive unsolicited advertising by mail / begging letters - how can I stop them?

  You can find the answer to this question here: advertising and marketing

• I receive unsolicited commercial calls - how can I stop them?

  You can find the answer to this question here: advertising and marketing

• I have received unsolicited advertising and want to know where the sender got my details. What can I do?

  You have a right to information from the data controller based on Art. 25 DPA. The controller must provide you with the available information about the origin of the personal data. If a controller refuses to provide information, you can assert your claim before the civil court. You can find further information here: right to information

AHV number

• Can my bank ask for my AHV number?

  In 2017, Switzerland implemented the global standard for the international automatic exchange of information in tax matters (AEOI). This standard regulates how the tax authorities of participating countries exchange data on the accounts and securities deposits of taxpayers. Because the AHV number is considered a tax identification number for natural persons, financial institutions such as banks are permitted, pursuant to Art. 20 of the Federal Act on Automatic Exchange of Information in Tax Matters (AIAG), collect the AHV number of a natural person and transmit it to the competent authorities in order to fulfill their obligations (see the further information provided by the Federal Tax Administration [ESTV]).

  • Federal Acton the International Automatic Exchange of Information in Tax Matters (AEOIA)
  • ESTV - Steueridentifikationsnummer beim Automatischen Informationsaustausch

Apartment search

• What data may a landlord request? Is he allowed to pass on my data?

  You can find the answer to your question here: Data collection when renting accommodation

• How long may copies of identification documents be kept?

  Copies of passports and/or ID cards that you have collected, for example, for an apartment application, should not be kept longer than necessary, i.e. they should be destroyed as soon as the purpose for which the copies were requested (usually the identification) has been achieved. This is derived from the principles of proportionality and purpose.

Associations

• Are sports clubs allowed to pass on member data to sponsors?

  This is permissible under certain conditions. You can find more information here: Data protection in clubs and associations

• May member lists be shared within the association?

  This is permissible under certain conditions. You can find more information here: Data protection in clubs and associations

• Can the name of a donor be disclosed to the family of a deceased person?

  The disclosure of the identity of donors, possibly with details of the amount donated, to the family of a deceased person requires the consent of the donors. They must be informed at the time the donation is made that their details will be passed on, and they must be offered a simple way of agreeing to or prohibiting this disclosure, e.g. by making a note on the payment slip.

Codes of Conduct

> go to this page

Credit and collection

• Why is my online purchase against invoice denied? Why do I have a bad credit rating?

  You can find the answer to this question here: Credit and collection

• May credit reporting agencies collect data about me without my consent?

  You can find the answer to this question here: Credit and collection

• What data may credit reporting agencies collect?

  You can find the answer to this question here: Credit and collection

• I never gave my consent for a collection agency to share my data with credit reporting agencies. Is it still allowed to pass on the data?

  You can find the answer to this question here: Credit and collection

• Can I have data that a credit agency has collected about me deleted or corrected?

  You can find the answer to this question here: Credit and collection

• What documents can a bank ask me to provide if I want to take out or extend mortgage?

  The Swiss Bankers Association, the umbrella organisation for Swiss banks, has issued ‹Guidelines on assessing, valuing and processing loans secured against property› (not available in English). These guidelines lay down the principles of mortgage business and have been recognised by the Swiss Financial Market Supervisory Authority FINMA as a minimum standard for banks in terms of The provisions of the guidelines are implemented by the banks in their internal regulations. The banks undertake to verify creditworthiness and the value of collateral both before granting a loan and periodically thereafter. In accordance with the principle of proportionality laid down in Article 6 paragraph 2 FADP, the banks may collect personal data from their customers provided that the data are relevant and necessary, and their collection is the least intrusive way of assessing the customer’s creditworthiness and the value of the property.

  • Swiss Bankers Association: ‹Guidelines on assessing, valuing and processing loans secured against property› (not available in English)
  • Financial Market Act: Article 7 paragraph 3
  • Art. 6 FADP

Death notice

• May a death notice be published online?

  A distinction must be made between publication by a newspaper, where you as a relative place a death notice which then appears in the online edition of the same newspaper, and the collection and publication of death notices by operators of specialised online portals.

  In the first case, publication is usually based on the contract between the relatives and the newspaper. If you do not want the notice to be published in the online edition of the newspaper, you must inform the newspaper accordingly. The second case involves the reproduction of personal data of a deceased person and, where applicable, of their relatives by a third party. As a rule, these online portals reproduce the death notices originally published by the relatives without any changes.

  As personality rights expire upon death, the personal data of the deceased is not subject to data protection law. With regard to the processing of personal data, including address details of any relatives listed in the death notice, it is reasonable to assume that no breach of privacy occurs if data is passed on that the persons concerned have made generally accessible themselves. That is unless they have expressly prohibited further processing (Art. 30 para. 3 FADP). However, this is just an assumption: if your privacy has been violated by such a publication, please contact us via the online portal and request the deletion of your data based on your right to object (Art. 30 para. 2 let. b FADP).

Data protection officer

• Do I have to appoint a data protection officer?

  For private data controllers (companies, associations, SMEs...), the appointment of a data protection officer is voluntary. 

• Does the data protection officer have to be a natural person?

  No, the function of data protection officer can also be performed by several people in the company or by a legal entity. However, the requirements of Art. 10 FADP must be met, in particular it must be a viable point of contact.

• Is the data protection officer exposed to the criminal sanctions of the FADP?

  The penal provisions are primarily aimed at the actions (and omissions) of the persons in charge. A data protection advisor's primary task is to control and monitor the data processing processes of her organization. However, she should not have decision-making authority over these processes, nor should she be responsible for an information system. In other words, she is neither the one who decides on data processing nor the one who carries it out. Under these conditions - provided they are strictly observed - it is not a priori exposed to the risk of criminal prosecution. Moreover, it should be emphasized that the FADP only criminalizes intentional violations - as opposed to negligence.

  However, the FDPIC points out that it is not a prosecuting authority itself and therefore it will not be its task to decide this issue in a practical case.

  Further information on the criminal law aspects of the FADP: Criminal law

• What does a data protection officer do?

  You can find information about this here: Data protection officer

• Does a data protection officer have to be resident in Switzerland?

  There is no legal requirement for a data protection officer (DPO) to be resident or based in Switzerland. What is important, however, is that the DPO can be easily and reliably contacted through suitable communication channels by data subjects, the FDPIC as the supervisory authority, and by persons within the DPO’s own organisation. In order to carry out the tasks effectively, a DPO is recommended to have expertise in Swiss data protection law and knowledge of one of the national languages.

Data protection impact assessment

• When is a data protection impact assessment needed?

  Art. 22 para. 1 FADP makes specifications in this regard. Further information can be found here: Art. 22 para. 1 FADP

  • Art. 22 DSG

• Do I have to submit the data protection impact assessment to the FDPIC?

  Art. 23 para. 1 FADP makes specifications in this regard. Further information can be found here: Art. 23 para. 1 FADP

  • Art. 23 DSG

Data transmission abroad / SCC

• Do I have to report the use of standard contractual clauses to the FDPIC?

  If you use standard contractual clauses recognized by the FDPIC, e.g. those of the EU Commission (Implementing Decision (EU) 2021/914), you do not have to notify the FDPIC. If you wish to use your own or previously unrecognized standard contractual clauses, these must be approved in advance by the FDPIC. The decision on approval is issued in an appealable ruling; no transfer abroad may take place beforehand.
  

  • Commission Implementing Decision (EU) 2021/914

• Can I use the European Commission's standard contractual clauses?

  Ja, der EDÖB hat die Standardvertragsklauseln der Europäischen Kommission (Durchführungsbeschluss (EU) 2021/914 der Kommission vom 4. Juni 2021 über Standardvertragsklauseln für die Übermittlung personenbezogener Daten an Drittländer gemäß der Verordnung (EU) 2016/679 des Europäischen Parlaments und des Rates) in seiner Mitteilung vom 27.08.2021 anerkannt.
  

  • Commission Implementing Decision (EU) 2021/914

  Cross-border transfer of personal data

• Which countries have an adequate level of data protection?

  The list can be found in Appendix 1 DPO:

  • DPO annex 1

Editing regulations

• Do we need to create editing regulations?

  Processing regulations - not to be confused with the processing directory - must be drawn up by private data processors if they carry out automated processing of personal data requiring special protection on a large scale or carry out high-risk profiling.
  

• What is in a processing regulation?

  The regulations (in the form of a manual or as documentation) provide information on the internal organization, e.g. description of the system architecture; on the data processing procedures, in particular data disclosure and the exercise of information rights; on the control procedures (authorizations) and on the technical and organizational data security measures.
  

Employment

• Can photos of employees be published on the intranet or internet?

  As photographs of employees may reveal information about their religion, race or a physical disability, and usually serve no practical purpose, they may only be published on the internet or intranet with the data subject's consent. The same applies to photos of events, such as Christmas parties or company excursions. In principle, it should be evaluated beforehand whether publishing the staff photographs is really necessary in the specific case.
  

• What rights do HR staff have with regard to accessing appraisal forms?

  Staff appraisals are relevant in the workplace and can be stored in an HR file, both during an employment relationship and after it has ended. The processing and storage of the appraisal is particularly in employees' interest as they are entitled to a final reference until expiry of the limitation period. The limitation period is usually considered to be ten years (Article 127 Swiss Code of Obligations, CO). This means that employees can contest a reference before the courts up to ten years after it is issued. When drawing up an employment reference, usually only the last two employee appraisals are considered. Earlier appraisals should be regularly removed from the HR file and destroyed.

  In its standard dealings, the HR department does not usually need all appraisal documents (such as the personality profile). For salary management reasons, however, it is entitled to consult the outcome of an employee appraisal. In addition, in exceptional cases and on the basis of specific obligations, it can use other information from the performance review meeting if this is necessary for organisational reasons.

  Accordingly, employee appraisals must generally be stored in a sealed envelope in the HR file.
  In terms of computerised management of employee appraisals, it is advisable to encrypt electronic performance review forms when sending and in the corresponding database.
  

• Can an employer limit or completely prohibit the use of information and communication technologies (computers, phones)?

  Yes. An employer can, for example, issue a directive saying that employees can only use the phone and/or email for work purposes. Restrictions can be placed on private browsing by blocking unwanted websites (e.g. stock market or porn sites), or by setting a time from which private internet use is allowed (e.g. during breaks or after 6pm).
  

• How can employers ensure in a data protection-friendly way that employees don't abuse ICT?

  They can primarily do so using technical safeguards. While they do not provide absolute security, such technical safeguards can reduce the risks associated with internet and email use.

  Through the use of safeguards, employers should be able to prevent potential risks to the security and functioning of their electronic systems at an early stage. The preventive effect of safeguards should largely replace the use of repressive methods such as surveillance. The most important technical safeguards include password and access protection, antivirus and disk quota managers, backups and firewalls. In addition, the latest versions of browsers and mail programs should be installed and configured securely, and should be regularly updated.
  

• Can an employer read employees' emails?

  Employers cannot read the content of emails marked or identifiable as private even if the private use of email is prohibited according to the regulations for use. It can monitor compliance with the ban on private use, but only on the basis of addresses. The systematic monitoring of emails using spy programs (content scanners) is not permitted.

  However, employers are entitled to carry out performance and business controls. The systematic analysis of work email that is not expressly marked as private must be justified and proportionate, and employees must be notified in advance.
  

• Where is the line between business and private correspondence (email or post)?

  Various elements may indicate that a letter or parcel is private: they may be expressly marked as 'private' or 'confidential' or they may be identifiable as such based on the way they are addressed. However, putting the person's name before the company name on a letter is not enough to designate it as private; it must be explicitly marked as such (e.g. with the words 'private', 'confidential' or 'c/o'). If external characteristics suggest that the letter is of a private nature (e.g. colour or format), it should be forwarded unopened to the addressee. If in doubt, do not open the letter but forward it, possibly with a corresponding note.

  With emails it is usually more difficult to determine whether the message is private. Here, too, the following rule applies: if in doubt, do not read as private mail enjoys unlimited protection (postal secrecy). Instead, flag the problem to the recipient and ask them whether the mail in question is private or not.
  

• Under what circumstances can an employer access the inbox of an employee who has left the company?

  When an employee leaves a company, they must be given the opportunity to take all private messages from their inbox with them (as well as all other personal data). The work emails that are still needed or are still in progress should be forwarded to the deputy or line manager. At the end of the employee's last working day, their inbox should be emptied and blocked.
  

• Under what circumstances can an employer access the inbox of an employee who is absent due to illness or for other foreseeable or unforeseeable reasons?

  In the event of a foreseeable absence, the employee in question can set an out-of-office reply. An automated forwarding rule may also be defined, which transmits every incoming message to the deputy. However, this measure is problematic for two reasons: first, because it is not easy to ensure that private messages will not also be forwarded; and second because the sender has no way of preventing the message being forwarded. An out-of-office reply containing the email address of the deputy is therefore a better idea. This leaves it up to the sender to decide whether or not to email the deputy.

  In addition, it is worth considering the creation of a functional non-personalised email address (salesmanagement@firma.ch) in addition to a personalised email address (hans.meier@firma.ch). This solution offers a number of advantages: on the one hand, it is immediately obvious that an email sent to this address is a work message; on the other, staff changes will not have a negative impact on email traffic if a certain person leaves the company as long as their role still exists.

• Under what circumstances can the secretariat of a company or administration open employees' mail?

  The secretariat can open business mail. However, private mail that an employee receives at their workplace enjoys unlimited protection. Of course, this means that it must be immediately obvious that the letter or parcel is of a private nature.Various elements may indicate that a letter or parcel is private: they may be expressly marked as 'private' or 'confidential', or it may be clear from the way they are addressed (Hans Meier, c/o Firma AG). In any case, putting the person's name before the company name on a letter is not enough to designate it as private. It must be explicitly marked as such (e.g. personal, confidential, c/o). If external characteristics suggest that the letter is of a private nature (e.g. colour or format), it should be forwarded unopened to the addressee. If in doubt, do not open and forward instead, possibly with a corresponding note.

• Under what circumstances can an employer listen in on and/or record the phone conversations of employees?

  The content of phone calls may only be recorded for performance monitoring or for security reasons, and in such cases, only if the persons whose calls are being recorded have given their consent and have been informed in a clear and timely manner. There are other ways of enforcing a ban on private calls rather than monitoring phone calls (e.g. by routing outside lines via a central switchboard, or only allowing such calls to be made on certain lines).

• Under what circumstances is video surveillance permitted in companies or administrations?

  Surveillance and control systems may not be deployed for the purpose of monitoring employee behaviour in the workplace. If surveillance or control systems are required for other reasons (production management or security controls), they must be designed and organised so as not to affect employees' health and freedom to move around freely.

  Video surveillance in the workplace

• What information may be stored in an employee file, for how long and in what form?

  The question of whether to retain or delete personal data in an employee file that are no longer required raises various issues and uncertainties for employers. From a data protection perspective, the principle of proportionality is particularly important. 

  Under Article 328b of the Code of Obligations (CO), the only processing of personal data that is permitted is processing that relates to the employee's suitability for the job or that is necessary for the performance of the employment contract (the data must be work-related). This provision emphasises the general principles of data processing related to employment, in particular that processing must be proportionate and have a specific purpose (Art. 6 para. 2 and 3 FADP).

  The criterion of relevance to the job set out in the CO and the data protection principles of proportionality and purpose limitation have the same objective: the employer must only process personal data that is genuinely needed, which also means that personal data must be deleted if it is not (or no longer) needed or the purpose of the data processing has been fulfilled. 

  Retention period

  The duration of storage that is permitted, i.e. how long the storage of personal data remains proportionate and necessary for the employer-employee relationship, must also be assessed in the light of the employer's obligations under civil and commercial law. The FADP itself does not specify a retention period, but sets out general principles for the processing of personal data. The retention period must be defined individually for each category of data. 

  Before employment begins or during the application process, the only personal data of the applicants that may be processed are the data relating to their suitability for the job. When applicants are unsuccessful, employers may retain the application data for up to three months after rejecting their application in order to be able to defend or justify themselves in the event of a claim based on a discriminatory refusal of employment in terms of the Gender Equality Act (Art. 8 para. 2 in conjunction with Art. 5 para. 2 GEA). A further extension of the retention period for a few weeks may also be justified if there is a delay in the court serving the statement of claim on the defendant employer. 

  During and after the end of the employer-employee relationship, the employer's various obligations must be taken into account; these depend on the employer's field of activity. 

  Firstly, employers are required under employment law to retain various data for certain periods; these include: 

  • a retention period of 5 years for personal data required to fulfil the obligation to pay a salary, such as data on working hours, sickness absences, holidays, etc. (Art. 322 CO in conjunction with Art. 128 CO); 
  • a retention period of 10 years for the personal data required to issue an employment reference (Art. 330a CO in conjunction with Art. 127 CO).

  In addition, employers normally have various general documentation and retention obligations, in particular:

  • a retention period of 10 years for the personal data required in connection with the obligation to keep accounts (Art. 958f CO), in particular business books, accounting vouchers, business and audit reports;
  • a retention obligation under tax law of 10 years for the documents to be retained for this purpose (Art. 126 para. 3 Direct Federal Taxation Act (DFTA)). 

  Furthermore, other retention periods may result from various sector-specific obligations, such as reporting, disclosure or information duties (under the Anti-Money Laundering Act, Banking Act, etc.). 

  Method of storage

  The Data Protection Act also does not mention any specifics with regard to the method of storage (in paper or digital form), although certain requirements may be stipulated in other legislation. Under tax law, for example, original receipts may be requested (see Art. 126 para. 2 DFTA). 

  With regard to the obligations under civil and commercial law, it is up to the employer to decide which form of retention is best (for example, there may be an issue as to the probative value in employment law proceedings of documents that are only stored digitally). Here, however, the decision is not based on data protection law, but on contractual and procedural considerations. 

  From the perspective of data protection law, data controllers must ensure that the principles of data protection law are complied with and that the rights of data subjects (e.g. of access, rectification and erasure) can be guaranteed. If an (exclusively) digital format is chosen for employee files, special attention must be paid to data security and appropriate technical and organisational measures must be taken to protect data on employees from unauthorised access (for example by hacking).

Federal Acton Data Protection (FADP)

• Who does federal data protection law protect and what does it regulate?

  Data protection law does not protect data as such, but rather the persons about whom data is processed.

  It contains legal norms that serve the protection of personality and informational self-determination and regulate the processing of personal data carried out by federal authorities or private individuals or legal entities (e.g. associations or commercial enterprises). 

  The central data protection law enactment at the federal level is the Federal Data Protection Act, but there are also data protection provisions in many other federal laws that must be observed, e.g. in federal social security or police law.

  You can also find introductory information on data protection in the FAQ of the Federal Office of Justice (in German, French, Italian) :

  • Federal Office of Justice FOJ

• What is personal data according to the totally revised Federal Data Protection Act?

  Personal data is all information that relates to an identified or identifiable natural person. 

  Information that relates to legal persons (e.g. to a company in the legal form of a stock corporation) is no longer covered. However, their protection continues to be guaranteed by other provisions of the legal system, e.g. the Civil Code and the Federal Constitution.

  You can also find introductory information:

  • Federal Office of Justice FOJ

• What changes with the new FADP?

  The total revision is intended to strengthen the data subjects' self-determination over their personal data. You can find an overview of the most important changes here:
  

GDPR

• Does the GDPR apply in Switzerland?

  The GDPR does not apply directly in Switzerland. However, it could specifically apply to Swiss companies if, among other things, they process data of EU residents in order to offer goods or services in the EU, or if the data is used to monitor the behavior of individuals, e.g., analyzing the data of website visitors or app users from the EU. We have published a detailed document on the GDPR and its impact on Switzerland. You can find it under this link:
  

  • Die DSGVO der EU und ihre Auswirkungen auf die Schweiz

    PDF1.22 MB1 July 2018

• As a Swiss company, do I have to comply with the GDPR?

  Swiss companies are primarily subject to Swiss law and should therefore comply with the FADP.
  

Health

• Does data protection law also apply to the management of medical records?

  Yes. Data protection law also applies to all medical records kept by private doctors and private clinics. Hospitals that are considered federal bodies under the FADP are also subject to the federal data protection legislation (e.g. the SUVA clinic in Bellikon). For medical records that are kept by hospitals with a cantonal mandate (e.g. cantonal hospitals), the relevant cantonal data protection law applies.
  

• Do I have the right to information about the content of my medical records?

  Yes. The medical record constitutes a data file as set out in the Data Protection Act. On the basis of the right to information under data protection law, you can request information about your data at any time. To do so, you need to submit a request in writing and present proof of identity (enclose a copy of an official identity document). Your doctor or hospital must then provide you with copies of your complete medical record, or the requested sections of it. Medical records include all documents relating to your treatment, including X-rays, ECGs, reports and correspondence.

  If both parties agree, the medical record can also be consulted at the hospital or medical practice. This may be particularly useful if the medical record is very extensive or if additional clarification is needed from the doctor (such as explanations of specialist terms).

  The right to information can also be exercised for medical records that have already been archived.
  

• Can a doctor refuse to provide information on personal notes in the medical record?

  Personal notes made by the doctor do not fall under the right to information. However, this only includes personal notes that the doctor makes exclusively for their own use, e.g. remarks or reminders. Notes that contain information that is necessary for treatment and are consulted and used by assistants belong to the medical record and are subject to the right to information.
  

• Can I obtain the original of my medical record?

  The Federal Act on Data Protection does not give patients the right to obtain the original of their medical records. Whether this right can be derived from other legal provisions or from the contractual relationship between doctor and patient remains contentious.

  Indeed, legislation in some cantons expressly requires the doctor to keep the original medical records. If this is the case, only copies can be provided to patients during the prescribed archiving period (usually 20 years). The records may not be completely destroyed during this period. The law does not allow a patient to exempt a doctor from this obligation, even if the patient declares that they waive any claims for medical negligence or any other legal rights.
  

• How much does information about my patient data cost?

  In principle, the information is free of charge. A contribution to costs may only be requested in exceptional cases, e.g. if the request is particularly laborious or time consuming. This means more than just copying, printing and sending documents. In any case, the contribution to costs may not exceed CHF 300. If a contribution is requested, it must be justified and the patient must be notified before the information is supplied, so that they can withdraw or alter their request for information if they wish (e.g. restrict it to a specific period or to specific documents).
  

• Do I have to give reasons for the information request?

  No. The right to information may be exercised at any time without stating reasons. It is beneficial if you specify in your information request in what context you are requesting the information.

• How can I enforce my right to obtain my patient data if I need to?

  You can enforce your right to information before a court. If your case involves private doctors and private clinics, the claim needs to be taken to a civil court. You can file the claim either with the court at your place of residence, or with the court where your doctor or hospital is located. With regard to federal bodies, such as the SUVA Clinic Bellikon, the right to information is governed by the Administrative Procedure Act. For information requests involving cantonal hospitals, the cantonal legislation applies.

• For how long do patient records need to be stored?

  The Data Protection Act does not set out any specific retention periods. According to the principle of proportionality, data that is no longer required should be destroyed. As a rule of thumb, the general limitation period of 20 years is applied. In individual cases, a shorter or longer retention period is possible. In some cantons, cantonal health legislation sets out specific retention periods.

• When can a doctor pass on patient data?

  A doctor can pass on patient data if the patient has given their consent, if their supervisory authority has released them from medical confidentiality, or if the disclosure of their data is provided for by law.

• Does the duty of confidentiality also apply between doctors?

  Yes. To pass on information to other doctors, the doctor must have obtained the patient's consent. This means, for example, that a doctor who is providing you with a second opinion cannot notify your attending doctor without your consent. The fact that the doctor receiving the information is bound by medical confidentiality is irrelevant. If the patient is being treated by a team of doctors, it can be assumed that there is implied consent for information to be shared within the team.

• Does the duty of confidentiality also apply to company medical officers?

  Yes. If employees are absent due to illness or accident, the employer can have them examined by the company physician (medical officer). Company medical officers are also bound by medical confidentiality. This also applies with regard to the employer. Medical officers may only inform the employer about their medical conclusions if they are essential to the employment relationship. Usually this is a statement about the employee's fitness for work (e.g. full/partial incapacity to work as a result of illness/accident and expected length of absence). The company medical officer may not, however, disclose medical data without the employee's consent. This particularly applies to the disclosure of diagnoses.

• Does the duty of confidentiality also apply to health insurance medical examiners?

  Yes. The medical examiner and their assistants are also bound by medical confidentiality. The medical examiner may only notify the responsible party in the health insurance administration of their conclusions so that they can make a decision regarding liability for a claim.

• Does the duty of confidentiality also apply to employees of health insurance companies?

  Employees of health insurance companies are also bound by the duty of confidentiality. For them, the statutory duty of confidentiality applies, which is set out in the general section of the Social Insurance Act. If an employee works directly for a medical examiner, they are deemed to be their assistant and are therefore bound by medical confidentiality.

• Does a doctor have to provide information on the state of health of an employee who is sick?

  No. Medical confidentiality requires doctors to keep confidential any information that becomes known to them in the exercise of their professional activity. Patient data may only be disclosed to third parties if the patient has released the doctor from their duty of confidentiality, or if it is permitted by law. This also applies with regard to the employer of a sick employee.

• Can a health insurer inform the social welfare authority if I'm in arrears on payment of my premiums?

  Yes, but only if it relates to compulsory basic health insurance and the debt collection proceedings have resulted in a certificate of loss. Cantonal provisions may stipulate that the notification can be made at an earlier stage.

• Can a doctor appoint an external body to carry out their billing?

  Yes, but they must notify the patient and obtain their consent. This is because in order to generate the bills, the external medical administrators (Ärztekassen) have access to medical data which is subject to medical confidentiality.

• What information can doctors and dentists systematically collect from their patients using questionnaires?

  Nowadays it is common in many medical and dental practices to get patients to complete a health questionnaire on a more or less regular basis (e.g. once a year or when registering at a new practice). These questionnaires sometimes ask for detailed information (e.g. personal details, employer, insurance, state of health).

  Collecting this information is data processing and must therefore comply with the principles of the Federal Data Protection Act. These include the principle of proportionality, which means that only data that is actually required for the intended purpose may be collected.

  As the details on the questionnaire are systematically collected from all patients, only information that the doctor/dentist needs for normal treatment may be requested. Patients are not obliged to answer questions they consider disproportionate. Ask your doctor to explain why individual questions (or the whole questionnaire) are needed.

  The following principles apply to patient questionnaires:

  • The principle of proportionality applies, in other words the doctor/dentist can only ask for information that may in theory be relevant to treatment. The following are not necessary: employer, AHV/AVS no., partner's name/occupation, marital status and insurance details, as long as the bill is paid by the patient (frequently the case for dental bills).
  • Generally-worded blanket consent clauses in which the patient releases the doctor/dentist in advance and without limitation from their medical confidentiality obligations are invalid. However, such patient questionnaires may include specifically-worded declarations of consent. Consent is needed, for example, to outsource billing to an external administrator. The same applies to consent for data disclosure for debt collection purposes (see FAQs on medical and premium invoices).

  Please note that questions that are disproportionate on a questionnaire may be justified in individual cases. But in such cases, the doctor must be able to explain to the patient why the question is necessary.

  For example, a patient's HIV status is not general information that a dentist needs as part of routine treatment. This question should therefore not be systematically asked of all patients.

  In specific cases, however, the question regarding HIV status may be justified or even necessary. For instance, if a specific treatment entails a risk of infection for the dentist, or if the dentist needs to prescribe a certain medication which is not compatible with other medications (e.g. HIV drugs).

• Why am I presented with a consent form?

  My doctor/physiotherapist/dentist, etc. has presented me with a  declaration of consent to sign. Why does he/she need this document?

  In order to process our medical data for a course of treatment or a check-up, healthcare professionals have a duty to inform the patient and may require certain consents.  : Under Article 19 FADP, they must inform patients in particular about the purpose of the data processing and about any intended disclosure of data (e.g. disclosure to another doctor, to a billing company, etc.).
  

  As well as being subject to the provisions of the FADP, many healthcare professionals are bound by professional confidentiality in accordance with Article 321 of the Swiss Criminal Code: as a general rule, healthcare professionals may not pass on any information about a patient without that patient's consent. (You can find further information here: Patient data disclosure)

  Several organisations (including the Swiss Medical Association and the Ärztekasse/Caisse des Médecins) have prepared a model declaration of consent for their members and partners. These forms usually have a dual purpose. Firstly, they inform patients about the processing of their data, as required by Article 19 FADP. Secondly, they allow healthcare professional to obtain their patients' consent if necessary. It should be noted that, under the law, neither the information nor the consent need be given in writing: however, written consent is often preferred for reasons of documentation and proof. By signing the form, the patient confirms that they have been informed and agree to the proposed data treatment.
  

  The form must have a certain degree of precision: patients must be able to understand exactly what they are agreeing to. This applies in particular when it comes to professional confidentiality pursuant to Article 321 of the Swiss Criminal Code: if the form already provides for situations in which the healthcare professional plans to pass on the data to a third party (e.g. if the doctor plans to use a third party for billing), these situations must be described with sufficient precision so that the patient can recognise exactly what is intended.

  In relation to professional confidentiality pursuant to Article 321 of the Swiss Criminal Code, it should be mentioned that in certain cases the law permits or obliges the professional to disclose data (e.g. notification of the child protection authority under Art. 314c Civil Code if a child appears to be at risk, or notification of the diagnosis of a communicable disease under Art. 12 of the Epidemics Act).

  Patients are free to sign the form or not.  They are not obliged to accept  clauses that they consider inappropriate, and can therefore refuse them.  However, it should be noted that the professional may have a legitimate interest in certain consents in order to carry out their work and that they want a written document that also proves that the information has been provided. Refusing to sign or crossing out certain legitimate clauses could lead the healthcare professional to refuse to treat you, whether or not they have legitimate reasons for doing so, due to the legal uncertainty in which they may find themselves. If certain elements of the form are unclear or seem excessive, or if questions remain unanswered, discuss this with the person who gave you the form.

  It should be noted that consent can be revoked at any time.
  

  Patient data disclosure

Insurance

• Can a health insurance company make me complete a health questionnaire when I apply for compulsory health insurance?

  No, they can't make you complete a health questionnaire. There is a requirement to take out insurance, which means that health insurers have to accept you, regardless of your age or state of health. And they cannot impose any restrictions or waiting periods.

  On the other hand, if you apply for supplementary insurance, the insurance company is entitled to ask you questions about your state of health, impose restrictions or reject your application.

• What is the role of medical examiners in compulsory health insurance?

  Medical examiners advise health insurance companies on medical matters and on issues to do with remuneration and the application of flat-rate amounts. In particular, they review the conditions of the health insurer's liability (i.e. they check whether the medical treatment has to be covered by the health insurance company). Only information that is necessary to make a decision on liability, to define the remuneration, or to justify a decision is passed on to the responsible parties at the health insurance company. In this way, medical examiners act like a filter and protect the privacy of insured persons.

  The medical examiner is a statutory arrangement only in relation to compulsory health insurance. In others fields of insurance (invalidity insurance, accident insurance, military insurance, private insurance) we talk about medical officers or medical reviewers. These fields of insurance have their own rules regarding data disclosure.

• Can the health insurance company always obtain health data directly for the purposes of compulsory health insurance?

  No. In justified cases, doctors are entitled by law to disclose medical information to the health insurance company's medical examiner only, and are required to do so if the insured person requests them to.

  You therefore have the option of requesting that your attending doctor only disclose health data to the medical examiner.

• Can a daily allowance insurer request health data from employees during the registration procedure?

  During the registration procedure, both public and private daily allowance insurance companies may request information about the state of health of employees or of the persons to be insured. However, insurance is bound by the principle of proportionality, which means that only the personal data that is necessary and specific to achieving the desired objective may be obtained. This also means that the health data should be passed on to the medical examiner or medical department of the relevant daily allowance insurer.

  Acceptance on a public daily allowance insurance scheme is governed by the provisions of the Federal Health Insurance Act. In terms of data collection by a daily allowance insurer, it should be borne in mind that a restriction of up to five years may be imposed on insured persons. In addition, public daily allowance insurers – as opposed to private ones – are required to accept every applicant, regardless of their state of health.

• Can an employer view an employee's health data during the process of joining a daily allowance insurance scheme?

  No. This is because the health data should only be sent to the daily allowance insurer or its medical examiner or medical department. It is up to the daily allowance insurer alone to decide whether or not to accept someone.

  In practice, application forms are often designed in such a way that employers as policyholders can access the employee's health data. These forms are not compatible with data protection legislation. In this area it is primarily up to the daily allowance insurer to organise the registration procedure so that the employer cannot access employees' health data.

• Under what circumstances can a daily allowance insurer obtain health data about employees from third parties?

  Health data is mainly needed during the registration procedure and in any subsequent claims. Daily allowance insurers can then obtain health data about employees from third parties if there are grounds for justification as defined in the Data Protection Act.

  The consent of the employee is a possible justification. Consent is necessary in particular if a daily allowance insurer wants to obtain information from a doctor, as doctors are bound by medical confidentiality under the Swiss Criminal Code. Furthermore, written consent is required by law if information needs to be obtained from a social insurance provider.

  However, the consent clause is only valid if the employee is aware of the scope and consent of the consent (principle of transparency). This means that the consent form must clearly and unequivocally state what information can be obtained and from whom. The principle of transparency particularly applies to sensitive personal data such as health data. A 'blank authorisation' to release data is incompatible with data protection legislation.

• Can an occupational pension fund request health data from employees during the registration procedure?

  Provided an employee fulfils the conditions for compulsory insurance under the OPA, the occupational pension fund is obliged to accept them. Health data can thus not be requested in order for an employee to join a compulsory insurance scheme.

  If, however, the insurance benefits offered go beyond compulsory insurance, health questionnaires are generally permitted. In this case, the pension fund is not acting as a social insurer but as a private insurer. Nevertheless, the pension fund must comply with the principle of proportionality, according to which it can only demand the personal data that is necessary and specific to achieving the desired objective. Also, in accordance with this principle, the data must be addressed to the pension fund's medical examiner or medical department.

  Acceptance on supplementary insurance schemes complies with the provisions of the Swiss Code of Obligations (CO), under which occupational benefits funds may make reservations on health grounds in relation to invalidity and life policies. Such reservations may be made for a maximum of five years. The statutory provisions of the CO must be considered when implementing the principle of proportionality.

  Swiss Code of Obligations (CO)

• Can an employer access an employee's health data during the pension fund registration procedure?

  No. This is because the health data should only be sent to the pension fund or its medical examiner or medical department. It is up to the pension fund alone to decide whether or not to accept someone onto a supplementary scheme.

  In practice, application forms are often designed in such a way that employers as policyholders can access the employee's health data. These forms are not compatible with data protection legislation. In this area it is primarily up to pension funds to organise the registration procedure so that employers cannot access employees' health data.

• Under what circumstances can a pension fund obtain health data about employees from third parties?

  Health data is mainly needed during the registration procedure and in any subsequent claims. Pension funds can then obtain health data about employees from third parties if there are grounds for justification as defined in the Data Protection Act. This is only permitted for supplementary insurance schemes, however.

  Possible grounds for justification are the consent of the employee. Consent is necessary in particular if a pension fund wants to obtain information from a doctor, as doctors are bound by medical confidentiality under the Swiss Criminal Code. Furthermore, written consent is required by law if information needs to be obtained from a social insurance provider.

  However, the consent clause is only valid if the employee is aware of the scope and extent of the consent (transparency principle). This means that the consent document must clearly and unequivocally state what information can be obtained and from whom. The transparency principle particularly applies to sensitive personal data, such as health data. A 'blank authorisation' to release data is incompatible with data protection legislation.

• Is a service company to which a pension fund has outsourced some or all of its operational business a processor or a controller?

  Occupational pension funds, which are usually organised as foundations, are obliged to provide compulsory insurance for occupational pensions. In practice, pension funds sometimes outsource some or all of their operational management. Depending on the scenario, these service companies will then be acting either as processors or as controllers as far as their role and data protection qualification are concerned.

  In cases where only certain operational activities are outsourced and the pension fund remains primarily involved in the process, the role of processor may be appropriate. In scenarios in which a more comprehensive delegation of activities takes place that does not simply involve specific operations or data processing, but includes the autonomous fulfilment of occupational pension tasks, the service company may be regarded as a controller. This is particularly the case if the service company takes over the management of the pension fund or has extensive autonomy in making decisions. Even if the pension fund only delegates certain of its tasks, the service company can be a controller if, for example, it is responsible for direct dealings with the insured persons and makes independent decisions in this context. This means that when considering the data protection implications of outsourcing occupational pension fund activities, the agreed contractual relationships with regard to the division of tasks and the specific circumstances must always be taken into account.

Investigation procedure

• Why does the FDPIC require me to contact the controller first before considering any intervention?

  If the person concerned has not yet taken reasonable steps to assert their rights against the controller, there is generally insufficient evidence of a data protection breach to justify intervention by the FDPIC. In addition, to find a quick solution, it is advisable to bring the problem to the attention of the controller and give them the opportunity to resolve it. Often, it is a matter of a misunderstanding or an isolated oversight.

  Please contact the controller first and note that many controllers provide specific contact information or forms for data protection concerns to ensure that your concern is handled by the appropriate persons. This contact information can usually be found in the website's privacy policy, contract or general terms and conditions.

• Can the FDPIC award damages or impose fines on those responsible?

  The FDPIC has no legal basis for awarding damages. Such claims must be brought by the data subject before a civil court. Fines can only be imposed after a criminal conviction, with criminal proceedings being conducted by the competent cantonal prosecution authorities.

• Why does it take so long to receive a response from the FDPIC?

  The FDPIC receives many reports and notifications every day. Depending on the circumstances, our lawyers conduct their own investigations or contact the controller. In doing so, they apply not only the Data Protection Act but also any other laws that may be applicable to the case in question. These investigations are often very time-consuming.

• Should I inform the data controller myself about what I want? Or can the FDPIC enforce my rights?

  You must assert your rights and claims against the controller yourself. Before contacting the FDPIC, please first communicate your concerns to the controller. Your problem may be resolved quickly. If not, you will already have the necessary information to substantiate your suspicion of a data protection violation when you submit your report.

  If the controller fails to comply with their legal obligations, the EDÖB may intervene. However, the purpose of the EDÖB's intervention is not to enforce your personal legal claims on your behalf, but to review the controller's actions and correct them if necessary.

• Why won't the controller delete my data?

  The right to erasure is not absolute. Not all data processing requires the consent of the data subject, so revoking consent does not automatically lead to the deletion of the data. The controller may also have his or her own interests in storing the data, for example because they need it in a legal dispute or to collect outstanding payments. Sometimes there is also a legal obligation to retain data. For further information, please refer to our explanations on the right to erasure.

• Do I have to report my concern to the FDPIC first before I can pursue my claims in civil court?

  No, civil proceedings can be initiated regardless of whether the conditions for an investigation by the EDÖP are met.

• What costs can I expect if I take civil action against a private individual in a data protection dispute?

  A lawsuit for violation of personal rights before a civil court is governed by Art. 28 of the Civil Code in conjunction with Art. 20 of the Code of Civil Procedure. According to Art. 113 and 114 of the Code of Civil Procedure, no court costs are charged for disputes under the Data Protection Act. However, this does not apply to any legal fees.

  • Art. 28 Swiss Civil Code
    Art. 28 Swiss Civil Code
  • Art. 20 Civil Procedure Code, CPC
    Art. 20 Civil Procedure Code, CPC
  • Art. 113 and 114 Civil Procedure Code, CPC
    Art. 113 and 114 Civil Procedure Code, CPC

• The FDPIC has reviewed my complaint and decided not to open an investigation. What can I do if I disagree with the decision? Can I lodge an appeal?

  The person filing the complaint does not have the legal status of a party in the FDPIC's investigation procedure and is therefore not entitled to have an investigation opened. The only parties in any investigation proceedings are the federal body or private individual against whom the investigation has been opened.

  • Art. 52 FADP
    Art. 52 FADP

  The administrative measures under Art. 51 DSG that the FDPIC can impose in the event of a data protection breach are therefore only directed against the data controller responsible. For these reasons, if the FDPIC concludes after examining your report that there are no indications of a breach of data protection regulations, you as the person making the report have no legal remedy against the FDPIC's decision not to open an investigation based on your report.

  • Art. 51 FADP
    Art. 51 FADP

  However, you may at any time assert your data protection claims in accordance with Art. 32 para. 2 FADP before the competent civil court. A claim for violation of personal rights is governed by Art. 28 of the Civil Code in conjunction with Art. 20 of the Civil Procedure Code. According to Art. 113 and 114 of the Civil Procedure Code, no court costs are charged for disputes under the Data Protection Act.

  • Art. 28 Swiss Civil Code
    Art. 28 Swiss Civil Code
  • Art. 20 Civil Procedure Code, CPC
    Art. 20 Civil Procedure Code, CPC
  • Art. 113 and 114 Civil Procedure Code, CPC
    Art. 113 and 114 Civil Procedure Code, CPC
  • Art. 32 FADP
    Art. 32 FADP

• I can no longer access my Instagram/Facebook/Twitter/LinkedIn/ Whatsapp account. My social media account has been blocked or hacked. Why doesn't the FDPIC intervene?

  When you register with an online service or social network, you accept its terms of use, which often include obligations for users, such as using a secure password, using a real email address or providing genuine personal details, complying with community standards or guidelines, etc. Both the operation of the platform and the use of your account are part of the contract you entered into with the platform operator when you registered on the platform. Within this framework, the operator can determine what options are available for restoring your account if you no longer have the means of access, as well as the circumstances under which the operator may unilaterally block your account. Whether you or the operator have complied with the terms of use specified by the operator and accepted by you is not a data protection issue, but primarily a matter of contract law between you and the operator, which is why the FDPIC does not intervene.

• What can I do if I feel that my personality has been violated by a post on another person's social media profile?

  Most platforms have guidelines in place whereby the person concerned can request the removal of content that violates these guidelines, namely by reporting the content in question, e.g. via a web form or by contacting a help or security centre.

  Finally, the major platforms have designated a representative in Switzerland in accordance with Art. 14 FADP, which serves as a point of contact for affected persons. The details for contacting the representative can be found in the respective privacy policies or help pages.

  • Art. 14 FADP
    Art. 14 FADP

• My personal data was entered in the commercial register in connection with my sole proprietorship of a company and is now (after deletion of the commercial register entry) being published on the internet by third parties. Why doesn’t the FDPIC intervene?

  According to the case law of the Federal Administrative Court (judgment of 26 February 2008 A-4086/2007), data that originally came from the commercial register but has since been deleted may be disseminated by private individuals without time limitation due to the public nature of the commercial register under Art. 930 of the Swiss Code of Obligations (SR 220). Data that originally came from the commercial register but has since been deleted may continue to be disseminated by private individuals without any time restriction. The data does not have to be deleted even at the request of the person concerned, provided that it has been taken over unchanged from the commercial register entry.

  • Urteil BVGer vom 26. Februar 2008 A-4086/2007 in Sachen Itonex AG

    PDF6.98 MB26 February 2008

• I have requested information about my data. The controller refuses to provide me with this information unless I submit a copy of my identity card. Why does the FDPIC not intervene?

  Before a controller can provide you with information about your personal data, they must take appropriate measures to identify you as the data subject in accordance with Art. 16 para. 5 DPO. The controller must ensure that they do not disclose the data to the wrong person. They may therefore request documents or information that allow them to identify you. As the data subject, you are obliged to cooperate. However, the evidence requested must be proportionate, i.e. the information requested must be necessary for identification and used appropriately, i.e. it may only be used for this purpose. Depending on the number of requests, the controller may also standardise this process to a certain extent. You also have the option of blacking out certain information if it is not necessary for identification.

  • Art. 16 Data Protection Ordinance, DPO
    Art. 16 Data Protection Ordinance, DPO

• I have received a claim from a debt collection agency, but I never gave my consent for my data to be disclosed to them. The debt collection agency does not want to delete my data. Why does the FDPIC not intervene?

  The task of a debt collection agency is to collect money on behalf of the creditor. To do this, the creditor discloses personal data to the debt collection agency that it has collected from you under a contract. This is generally permissible from a data protection perspective, subject to any professional confidentiality obligations. Due to overriding private interests, personal data may also be disclosed and processed without your permission (Art. 31 para. 1 lit. a FADP). You are also often informed about the possibility of such disclosure in the general terms and conditions. For further information, please refer to our explanations on the subject of ‘Credit and collection’.

  If you dispute the fact that anything is owed at all, then asserting data protection claims such as the right to erasure or rectification is only of limited use. First, the question of whether the claim is actually justified must be clarified, which in turn is not a data protection issue but a matter of contract law. Otherwise, you may not be able to proceed with a request for deletion or correction on the basis of the above-mentioned justification. It is also possible that certain information will be processed despite timely payment. Various actors operate databases for the purpose of providing credit information, known as credit agencies. For further information, please refer to our explanations on the topic of ‘Credit and collection’.

  • Credit and collection

    Credit reporting agencies, debt collection agencies and other bodies process and share data about your payment history – when this is allowed.

    More about «Credit and collection»

• I have seen a video surveillance camera that I believe is not legally compliant. Why does the FDPIC not intervene?

  Even if you feel that you are being monitored by a camera, the FDPIC cannot assume that there has been a violation until it knows the details of the situation. It needs information about the recording area and any privacy settings, and it needs to know the purpose of the system. To obtain this information, you, as the person concerned, can exercise your right to information under Art. 25 FADP with the operator of the system.

  • Art. 25 FADP
    Art. 25 FADP

  In disputes between neighbours, tenants and landlords or between employers and employees, it often makes more sense to clarify the legality of video surveillance directly under civil law before the conciliation authority. If you do not know who is responsible, but public property may be under surveillance, it may be helpful to contact the local authority. For further information, please refer to our explanations on the subject of photos and video surveillance.

  • 23 July 2024

    Photos and video surveillance

    The protection of privacy must be guaranteed in all areas.

    More about «Photos and video surveillance»

• I receive unwanted phone calls from people trying to sell me health insurance. Why doesn't the FDPIC intervene?

  This type of call is known as ‘cold calling’. Since 1 September 2024, cold calling has been prohibited for all insurance intermediaries. However, the FDPIC is not the authority responsible for enforcing this ban.

  For a telephone call to be considered ‘cold calling’, it must meet certain conditions. These are listed on the website of the Federal Office of Public Health (FOPH). People who have received such calls can file a complaint; depending on the case, complaints should be addressed to the FOPH (for basic insurance) or FINMA (supplementary insurance). For other types of unsolicited advertising, SECO is the competent authority. You can find more information on this subject by clicking on the link above (text only available in national languages).

  • Bundesamt für Gesundheit - Telefonische Kaltakquise

  If you would like to know how the data controller (the company that called you) obtained your data, you can exercise your right to information Please note that our website also contains information on advertising & marketing.

  • Right to information

    In accordance with the Federal Act on Data Protection (FADP), any person may request information from the controller of a data file as to whether their personal data is being processed and may, if necessary, have the data corrected or destroyed. This right to information allows everyone to maintain control over the data collected about them. It is key to enabling those affected to assert their rights under the law and ensures transparency regarding what use is made of the data. Nevertheless, each person must take action themselves to exercise this right.

    More about «Right to information»

  • Advertising & marketing

    Mail, e-mail, telephone: Depending on the type of contact, different rules apply for data protection-compliant advertising.

    More about «Advertising & marketing»

• I have received a medical bill that does not concern me. My neighbour has received a medical bill that concerns me. Why doesn’t the FDPIC intervene?

  All data controllers are required to guarantee data security, including when communicating data. When it comes to sensitive data – such as health data – particular care must be taken when processing it.

  However, even though this type of incident should not be minimised, human error is always possible. In most cases, direct contact between the parties involved is sufficient to resolve the situation: a telephone call or letter to the data controller (doctor, pharmacy, etc.) not only corrects the error so that the recipient actually receives their mail, but also makes the controller aware of the problem and enables them to put measures in place to limit the risk of it happening again.

  Individuals who consider that their personal rights have been infringed may assert their rights before a civil court, in accordance with Art. 32(2) of the Data Protection Act, or, if the conditions are met, before the competent criminal prosecution authorities for breach of professional secrecy (Art. 321 of the Criminal Code) or the duty of discretion (Art. 62 of the Data Protection Act).

  • Art. 28 Swiss Civil Code
    Art. 28 Swiss Civil Code
  • Art. 20 Civil Procedure Code, CPC
    Art. 20 Civil Procedure Code, CPC
  • Art. 113 and 114 Civil Procedure Code, CPC
    Art. 113 and 114 Civil Procedure Code, CPC
  • Art. 32 FADP
    Art. 32 FADP

• I received a suspicious call, message or email and provided my personal data. I think it was a scam. Why isn't the FDPIC taking action?

  If you have provided personal data in these circumstances, the FDPIC is unfortunately not the competent authority to help you. The FDPIC is not able to determine whether a person has been the victim of fraud and is not responsible for prosecuting cybercriminals.

  If you have been the victim of fraud, your case may be covered by criminal law. In this case, you can contact the police.

  If you would like information on cyber security in general, please visit the website of the National Cyber Security Centre NCSC. There you will find information on current topics and threats.

  • National Cyber Security Centre (NCSC)
    National Cyber Security Centre (NCSC)

• I am monitored at work with a video camera: under what conditions is this permitted?

  Employers may only process data about employees if it relates to the employment relationship or is necessary for the performance of the employment contract. Video surveillance may be permissible under certain conditions, in particular for security reasons or for production management purposes. Surveillance and control systems may not be used for the purpose of monitoring the behaviour of employees. If they are necessary for other reasons (production or security controls), they must be designed and arranged in such a way that the health and freedom of movement of employees are not impaired. It must therefore be examined whether less intrusive measures would achieve the desired purpose (principle of proportionality). In addition, employees must be informed before video surveillance is put into operation (principle of transparency).

  When implementing the measures, employers must comply with the Federal Act on Data Protection (FADP) and the relevant labour law provisions (in particular Art. 26 of Ordinance 3 to the Labour Act [ArGV 3] concerning the monitoring of employees). Further information on this topic can be found on our website: Video surveillance in the workplace

  • Video surveillance in the workplace

    Video surveillance systems can affect the well-being, mental health and productivity of employees, and should therefore only be considered when less invasive measures are genuinely unsuitable.

    More about «Video surveillance in the workplace»

  Employees can report violations of Article 26 ArGV 3 to the labour inspectorate in their canton if they consider their health to be at risk due to video surveillance in the workplace (Association of Cantonal Labour Inspectorates, IVA).

  • Interkantonaler Verband für Arbeitnehmerschutz (IVA)

Logging

• Should our systems log accesses?

  The obligation to keep records is stipulated in Art. 4 Ordinance to the Federal Act on Data Protection: Art. 4 DPO

Privacy policy

• What information must be included in the privacy policy?

  The privacy policy implements the duty to inform according to Art. 19 DSG. You can find further information here: Privacy statements on the internet

• In which languages must the privacy policy be published on my website?

  You can find the answer to this question here: Privacy statements on the internet

Processing directory

• Do we need to keep an edit log?

  Companies and other organizations under private law with more than 250 employees as well as federal bodies must keep a register of processing activities.

  Smaller companies and organizations under private law as well as natural persons must also keep a processing directory if they process personal data requiring special protection on a large scale or if high-risk profiling is carried out. 

  Please note: even if a company is exempt from the obligation to keep a processing directory, the other provisions of the Data Protection Act still apply, in particular the obligations to provide information and to supply data.
  

• What is in a processing directory?

  The following information should be visible from the list of the responsible person:

  • Processing operation - e.g. HR, customer care, finance, marketing....
  • Purpose of processing - why is the data needed?
  • Categories of data subjects - e.g. customers, employees....
  • Categories of personal data processed - e.g. address data, payment data, pictures...
  • Categories of recipients - e.g. advertising agency, hosting, debt collection...
  • Disclosure abroad - to which countries and - where necessary - with which guarantees?
  • Retention period - per processing operationData security measures
    

• Do we have to report our processing to the FDPIC?

  Only federal bodies must report their processing directories to the FDPIC. The datareg reporting portal is available for this purpose:

  • Datareg Portal

Publication of photos/videos

• I want to take photos or videos at an event. What do I need to consider?

  You can find the answer to this question here: Photos and privacy

• Am I allowed to publish photos of other people?

  Pictures of other persons may generally only be published with the permission of the person depicted. You can find further information here: Photos and privacy

• Am I allowed to share photos of other people on social media?

  Pictures of other people may generally only be posted with the permission of the person depicted. You can find further information here: Photos and privacy

• A person has posted photos or videos of me without my permission. What can I do?

  You can request the removal of the images or video. You can find further information here: Photos and privacy

Reporting a data leak

• Do I need to report a data breach?

  According to Art. 24 FADP, there is a notification obligation if the data breach that has occurred is likely to result in a high risk to the personality or fundamental rights of the data subject.  As the person responsible, you can make the notification here:

  • Databreach portal

• My data has been affected by a data leak. How can I protect myself from negative consequences?

  You can find useful tips here:

  • NCSC: Information for individuals

Right to information

• I would like to know from the controller whether and if so, what data of mine are being processed. Do I have to give reasons for my request?

  No. Any person may ask the controller whether personal data concerning them are being processed, without having to prove or make credible an interest in obtaining this information. 
  

• Who should provide me with the information requested?

  The controller, i.e. the private person or federal body that, alone or jointly with others, determines the purposes and means of processing personal data. When several data controllers jointly process personal data, you can exercise your right to information with any one of them. 

  Furthermore, if the controller delegates the processing of personal data to someone else, it is still the controller who is required to provide the information requested. The delegated assistant must help the controller in providing the information, unless the assistant responds to the request on behalf of the controller.

  In the case of personal data about your health, you can designate a health professional to whom the data may be disclosed, so that he or she can explain the data to you.
  

• What information must the controller provide me with?

  You must be given the information necessary to enable you assert your rights and to ensure the transparency of the processing operation. In any case, you will receive the following information: 

  a. the identity and contact details of the controller; 

  b. the personal data processed as such; 

  c. the purpose of the processing; 

  d. the period of time for which the personal data will be kept or, if this is not possible, the criteria for determining the period of time; 

  e. the available information on the origin of the personal data, unless the data have been collected from the data subject; 

  f. where applicable, the existence of an automated individual decision as well as the logic on which the decision is based; 

  g. where applicable, the recipients or categories of recipients to whom personal data are disclosed, as well as the information provided for in Article 19 paragraph 4 FADP.
  

• How should I proceed?

  The request must be made in writing (or verbally if the controller agrees). The information is provided in writing or in the form in which the data are presented. By agreement with the controller, you can consult your data on the spot. If you agree, the information may be provided verbally. The information may be requested and provided online. It must be provided in a comprehensible form. The controller must take adequate measures to identify you, and you are required to cooperate with this.The controller must also ensure that your data are protected from access by unauthorised third parties when providing you with the information. 

  In principle, the controller should provide the requested information free of charge. Exceptions are possible, in particular if providing the information requires disproportionate efforts; a suitable contribution to the costs may be requested (maximum CHF 300). If a contribution is required, you must be informed of the amount before the information is provided so that you can withdraw the request within ten days. 
  

• Can the controller charge a fee for providing the information?

  As a general rule, the information must be provided within 30 days of receipt of the request. If the information cannot be provided within 30 days, the controller must inform you of this and tell you when the information will be provided. 

  If the controller refuses to give you the information, restricts the information given or delays giving you the information, he or she must communicate this within the same period.
  

• How long does the controller get to provide me with the information?

  As a general rule, the information must be provided within 30 days of receipt of the request. If the information cannot be provided within 30 days, the controller must inform you of this and tell you when the information will be provided. If the controller refuses to give you the information, restricts the information given or delays giving you the information, he or she must communicate this within the same period.

• What can I do if the controller refuses to provide me with the information or does not respond to my request?

  In principle, you have the right to be fully informed about all the data contained in the file which concern you. If the data controller refuses, restricts or postpones the disclosure of the requested information, he or she must inform you of the reasons for this.

  Please note that if a federal body refuses you access or grants only limited access to information, it must issue a formal decision to you.

  If you are of the opinion that the controller has not complied with his or her obligation to provide information or has only done so in part, you can take the following steps:If the controller is a federal body, you can file an appeal against the decision with the Federal Administrative Court within 30 days.

  If the data controller is a private individual, you can take legal action (civil action) to assert your right to information. The court in the place of residence or business of one of the parties is competent to rule on actions and requests based on the FADP. The judge will decide under a simplified procedure. No court fees are charged for disputes relating to the right of access under the FADP. You may apply to the court in person or be represented by a lawyer. You will need to include copies of your correspondence with the controller.
  

• Do I always have a right to information?

  As a general rule, you have the right to be fully and correctly informed about the data that is being processed about you. Providing this information can only be refused, restricted or postponed if permitted by a formal law or if required by the overriding interest of a third party. 

  Private controllers may also refuse, restrict or defer the disclosure of information if their own overriding interests so require and provided that they do not disclose the data to third parties.

  If the controller is a federal body, it may also refuse, restrict or defer the disclosure of information if an overriding public interest, in particular relating to Switzerland’s internal or external security, so requires, or if the disclosure of the information could jeopardise a criminal investigation or other investigative procedure.

  If controllers refuse, restrict or postpone the disclosure of information for any of the above reasons, they must inform the data subject. Controllers are obliged to state the reasons for the decision.

  Right to information

Statistics, registers and research

• I've been invited to take part in a medical research project. Will I be at a disadvantage if I don't take part?

  Participating in research projects or studies is always voluntary. You must not be put at a disadvantage for not taking part. Your consent to participate in such a project must be given in writing and is only valid if you have been notified in advance of the aim and purpose of the project and the planned data processing activities. This is usually done through information pamphlets and information sessions. You can also withdraw your consent to participate in research projects and studies at any time. If you do, your data should be automatically deleted. To be on the safe side, you can request confirmation of this. You can also exercise your right to information on research projects and studies at any time, as set out in the Data Protection Act .

Video surveillance

• My neighbor / landlady has installed a video camera. Is this permissible?

  Under certain conditions, this is permissible. You can find further information here: Video surveillance in the neighbourhood

• I would like to monitor my house/property with cameras. Am I allowed to do that? Do I need a permit?

  Here you will find the necessary instructions before installing a video camera: Video Surveillance by Private Individuals

• Am I allowed to install a dummy camera?

  Since a dummy camera cannot record any footage, it doesn’t actually process any personal data. As a result, the provisions of the Data Protection Act do not apply to the installation or operation of a dummy camera.

  However, the purpose of a dummy camera is to give the impression that video surveillance is taking place. The aim is to create what is known as the ‹watching-eye effect›, i.e. to influence people to behave in a more honest and law-abiding way than they might in some cases have intended .

  Consequently, with regard to legal rights in general, it makes little difference whether it is a real camera or merely a dummy: in both cases, the device exerts the watching-eye effect, which effectively means that a person feels they are not free to move around a certain place unobserved.

  Although the Data Protection Act does not apply because no data processing takes place, there may still be an infringement of legal rights that could form the basis for civil proceedings. In addition, the question arises as to whether dummy cameras do not fundamentally violate the principle that everyone must act in good faith in exercising their rights (Art. 2 para. 1 Swiss Civil Code).