
Knowing and asserting my rights

Everyone has the right to what is known as ‘informational self-determination’: the right to request information about the processing of their personal data and, if necessary, to have it corrected or deleted or to have its processing restricted. Some rights of data subjects are clearly defined in the law, while some are only implied, i.e. they are derived from obligations that a data controller must meet. On this page you can find out what rights you have and how to exercise them.

Right to information

Under Article 25 of the Data Protection Act (FADP), you can request information from the controller at any time as to whether personal data concerning you are being processed and if so, what data.
The information includes:

  • the identity and contact details of the controller
  • the type of data being processed and purpose of processing
  • the recipients or categories of recipients
  • the storage period or the criteria for determining the storage period

The information is generally provided free of charge, usually within 30 days.

The right to information allows you to find out what data a controller has about you and in what context, i.e. the purpose for which the data are being processed, including the identities of persons to whom the controller discloses the data.

A request for information does not need to be made in any particular form, but you are welcome to use our sample letter to ensure that your request is understood as a request for information:

Right to have data corrected

The processing of incorrect personal data can have serious disadvantages for the data subject concerned. For example, the payment history of a person who shares your name and regularly fails to pay their debts may be wrongly assigned to you, so that you are refused credit (see Credit & Collection). Processing incorrect personal data therefore constitutes an unlawful violation of your personality rights.

This means that any person who processes personal data must take appropriate measures to ensure that the data are accurate. The right to correction is derived from this obligation that the controller must observe (Art. 6 para. 5 FADP).

If your personal data are incorrect or incomplete, you can request that they be corrected on the basis of Article 32 paragraph 1 FADP. The right to correction goes hand in hand with the right to information, because when you request information, you often find out that the data being processed about you are incorrect.

If the controller responsible for processing is a federal body, you are entitled to have data corrected on the basis of Article 41 paragraph 2 letter a FADP. This right can be particularly useful if an entry in official records is no longer up to date and this has negative consequences for you as the data subject (e.g. if you receive a bill for the radio and television licence fee but no longer live in the household in question).

Credit and collection

Credit reporting agencies, debt collection agencies and other bodies process and share data about your payment history – when this is allowed.

Right to have data deleted

In certain situations, you have the right to request the deletion or destruction of your personal data:

  • if the data are no longer required for the original purpose, you can request that your personal data be deleted based on the principle of proportionality or data minimisation (Art. 6 para. 4 FADP). For example, if data on your credit record are over 10 years old (see Credit & debt collection).
  • if you have given your consent to the data being processed but no longer agree to it, i.e. if you withdraw your consent.
  • if the data processing has been carried out unlawfully, e.g. if photographs of you have been published without your permission (see Dealing with photos).
  • or, in general, if the data were obtained or used in a way that is contrary to the processing principles of transparency or good faith, e.g. if you have received advertising addressed specifically to you but cannot trace where your address data comes from.

However, the controller may refuse to delete the data if it can justify the processing on other grounds, e.g. because it is required by law to process the data or if it has its own overriding interests in processing the data.

The relevant legal rights are regulated in Article 32 paragraph 2 letter c FADP (data processing by private persons or legal entities) and Article 41 paragraph 2 letter a FADP (data processing by federal bodies).

Photos and privacy

Everyone has the right to their own image. This generally allows every person to decide whether and in what form an image of them may be created or distributed.


Right to restriction of data processing (blocking and de-indexing of data)

In a similar way to deletion, you can request the restriction of data processing based on Article 32 paragraph 2 letter b FADP if you dispute the proportionality of the data processing or the accuracy of the data.

For example, it may be the case that certain information is archived or published because there is an overriding private or public interest in doing so. However, you may consider it unreasonable that everyone should have unrestricted access to this information. It may be that this information relates to an old matter, such as a sporting event in which you took part several years ago (see sporting events). Or the purpose of the processing would also be fulfilled if only certain persons who can prove a special interest could access the information (e.g. information about your creditworthiness). This may also apply to the reproduction of data from public registers (such as the commercial register).

If you exercise this right in an online context, this often involves filing a request to deindex the information, i.e. that search engines’ ability to find the information is restricted so that the data no longer appear in internet searches for your name. Deindexing must be carried out by the data controller.

When it comes to the ability to find information that was originally published out of public interest and this interest no longer applies after a certain period of time, this is referred to as the right to be forgotten (see search engines).

You can also exercise the right to restrict the processing of data in order to prevent the disclosure of data whose accuracy is disputed or still needs to be clarified. While the restriction applies, the data may only be stored, but not processed or disclosed.

If the controller is a federal body, the data subject may also have the processing restricted. A federal body may only disclose personal data to another authority – whether in Switzerland or abroad – if there is a legal basis for doing so. As a result, under Article 41 paragraph 1 FADP, a data subject can prevent the transfer of information to a foreign authority, for example in the context of administrative assistance in tax matters, if they believe that the legal requirements are not met.

Search engines

Search engines make information that was published on the internet at a certain point in time accessible to everyone... including information that one would sometimes rather forget.

Amateur sports events

What data may be processed in connection with an amateur sports event?

Right to object to processing

You have the right to object to the processing of your personal data by the controller at any time (Art. 30 para. 2 let. b FADP).

After receiving your objection, the controller has to either stop processing the data or explain why it is entitled to continue to process the data against your wishes.

Right to data portability

If it is technically possible, you are entitled to have personal data that a provider is processing with your consent or in accordance with an existing contract between you handed over in a commonly used, machine-readable format and/or have it transferred to another controller.

This right is expressly set out in Article 28 FADP in conjunction with Articles 20-22 of the Data Protection Ordinance (DPO) and is intended to make it easier for your data to still be used if you switch providers, but may be restricted in accordance with Article 29 FADP.

Rights in relation to automated individual decisions

With digitalisation and the spread of AI-supported data processing, more and more decisions are being completely automated, i.e. they are not made by humans, but solely by algorithms based on the available information and programmed logic. If there is no human review, then what is known as an ‘automated individual decision’ is made. If this decision leads to a significant disadvantage for the data subject, Article 21 FADP provides firstly for a right to be informed and then for a right to have the decision reviewed by a real person.

Right to be informed (under Article 21 FADP) and to request information (under Article 25 FADP) about automated decisions

If an automated individual decision is made, you must be informed of this. On request, you are also entitled to information on the logic on which the decision is based.

Right to a review of automated decisions

You also have the right to express your point of view on such decisions and to request that a real person review the decision.

How to exercise the rights you have vis-à-vis the controller

You should make your request in writing, either by letter or by email. Check whether the controller sets its own guidelines as to how a request should be made.

State specifically which right you wish to exercise. If you dispute the accuracy of any information, explain why.

As these are strictly personal rights, you must exercise them yourself or instruct your legal representative to exercise them on your behalf.

To ensure that the request is genuinely about you, the controller must take reasonable measures to verify your identity and you must cooperate with this. If the controller only knows you by a pseudonym or through an email address, it may require you to log in to your account or submit your request by email using the email address known to the controller.

Under certain circumstances, the controller may request a copy of an identification document to confirm your identity.

Tips to avoid problems when enforcing your rights

Contact the right person

As part of their duty to provide information, controllers must provide you with information on how to contact them. This information can usually be found in a controller’s ‘privacy statement’ (Datenschutzerklärung) or in the data protection provisions (see Privacy statements on the internet).

Duty to provide information

The duty to provide information ensures that data processing is transparent and that the data subject’s rights are respected. Without information, the data subject is not necessarily aware that their personal data is being processed and cannot therefore exercise their rights under the FADP. The FADP therefore requires the data controller to inform the data subject that their data is being gathered, no matter the type of data concerned.

Privacy statements on the internet

Who needs a privacy statement and what should it contain?

Allow a reasonable time for your request to be processed

Please do not set unrealistic deadlines for processing your request: Under Article 25 FADP, data controllers are allowed 30 days to provide information. If the controller is unable to provide the information within 30 days, it must inform you and let you know how long you may have to wait for the information to be provided. For other requests, such as deletion or correction requests, a shorter or longer period may be appropriate depending on the case.

Protect your online accounts

We are often contacted by people who can no longer log into their social media profiles or no longer have access to an email account or phone number associated with their social media profile. Unfortunately, the FDPIC cannot help you in these cases. The providers are required to protect your personal data from unauthorised access, which is why they take measures to verify your identity as a user. Some providers offer alternative identification methods, but this is not mandatory. To avoid such problems, we strongly recommend that you protect your accounts with secure passwords and try to use only email addresses and telephone numbers that you know to be valid and in operation. If you no longer actively use an account, download the data it contains yourself and delete them while you still have access.

Enforcing your rights in court

If a private controller (a company, an association, a political party, etc.) does not respond to your request after a reasonable period of time or if you believe that the controller's decision not to comply with your request is incorrect, you have the option of taking court action to enforce your rights (Art. 32 para. 2 FADP in conjunction with Art. 28 ff. Swiss Civil Code).

As a first step, you must submit an application for conciliation to the conciliation authority of the district court at your place of residence or where the controller is based. You can do this by writing to the court or going there in person.

You can also contact the court by telephone to find out about the formalities involved in this procedure or check on the court’s website. The purpose of a conciliation hearing is to try to reach an agreement between the parties.

If no agreement can be reached, you will receive authorisation to proceed in order to bring an action before the civil court. It is a good idea to consult a lawyer, although you are not obliged to do so. No security deposit is required in proceedings relating to disputes under the Data Protection Act and no court costs are charged. However, you may have to pay legal fees.

In disputes concerning the enforcement of the right to information, the court applies a simplified proceeding that is both faster and less costly than ordinary proceedings (Art. 243 para. 2 let. d Civil Procedure Code).

Enforcing your rights against a federal body

If the controller is a federal body, it must respond to your request (right to information, stopping processing, deleting data, etc. – see Art. 41 FADP) with a formal ruling. This will include information on how you can appeal against the ruling, and the deadline for doing so.

If the federal body does not issue a ruling, you can request one.

If you wish to contest the ruling, you must normally file an appeal with the competent authority within 30 days. However, the appeal procedure and the competent authority may vary depending on the subject matter of the appeal: this is explained in the instructions on legal remedies. The procedure is governed by the Administrative Procedure Act.

It should be noted that an advance payment of costs is usually required for the appeal procedure, but this will be refunded to you if your appeal is successful.

Making a report to the FDPIC

If a private controller or a federal body does not respond to your request after a reasonable period of time or if you believe that the controller's decision not to comply with your request is incorrect, you also have the option of filing a report with the FDPIC.

The FDPIC can take action against the controller in the event of a significant breach of data protection regulations.
