Bratschi Ltd.,
What law(s) specifically govern personal data / information?
Personal data is governed by the Federal Act on Data Protection ("FADP").
It should be noted that the FADP has been revised and that the revised Federal Act on Data Protection ("revFADP") will come into force on 1 September 2023, which is why the revised law is also, if not mainly, considered below.
What are the key data protection principles in this jurisdiction?:
The key principles are (Article 4 (1-4) FADP):
- The Principle of Lawfulness, meaning that personal data must be processed lawfully and that the personal data may only be processed if it has been collected in accordance with the applicable law.
- The Principle of Good Faith and Proportionality, meaning that personal data must be processed in accordance with the principle of good faith and in a proportionate manner.
- The Principle of Purpose Limitation, meaning that personal data must be processed only for the purpose:
- indicated at the time of collection;
- that is evident from the circumstances; or
- that is provided for by law.
- The Principle of Recognisability, meaning that the collection of personal data and the purpose of its processing must be evident to the data subject.
What is the supervisory authority / regulator in charge of data protection?
The Federal Data Protection and Information Commissioner ("Commissioner").
Is there a requirement to register with a supervisory authority / regulator?
Under the FADP, private individuals may be required to disclose data collections to the Commissioner in order to have them registered (Article 11a FADP). However, this requirement has been abandoned under the revFADP.
The revFADP no longer imposes a registration obligation, but under certain circumstances, it requires the Commissioner's notification, see question below.
Is there a requirement to notify the supervisory authority / regulator?
If the processing of data may pose a high risk to the personality or fundamental rights of the data subject, the responsible data controller ("Controller") must carry out a data protection impact assessment ("DPIA") in advance (Article 22 revFADP).
If the data protection impact assessment shows that the planned processing will still result in a high risk to the personality or fundamental rights of the data subject despite the measures envisaged by the Controller, the Controller must first notify the Commissioner (Article 23 revFADP).
Is it possible to register with / notify the supervisory authority / regulator online?
Regarding registration of data collections according to Article 11a FADP:
https://www.datareg.admin.ch/declaration/DeclarationNewRegsCompany.aspx
The obligation to register data collections will no longer apply under the revFADP.
What are the key data subject rights under the data protection laws of this jurisdiction?
Data subjects have the following key rights regarding personal data:
- The right to information (Article 25 revFADP);
- The right to data portability (Article 28 revFADP);
- The right to rectification or deletion (Article 32 revFADP);
- The right to opt-out (Article 30(2)(b) revFADP).
Is there a requirement to appoint a data protection officer (or equivalent)?
The revFADP includes the possibility to appoint a data protection advisor, but does not impose an obligation. However, companies appointing a data protection advisor become exempt from the obligation to notify the Commissioner in cases of data protection impact assessments with high risk to the personality or fundamental rights of the data subject (Article 23(4) revFADP).
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
According to Article 22 revFADP the Controller must carry out a data protection impact assessment in advance if a processing operation may entail a high risk to the personality or fundamental rights of the data subject.
Does this jurisdiction have any specific data breach notification requirements?
In case of a data security breach, the Controller has to notify the Commissioner but only if the data security breach is likely to result in a high risk to the personality or fundamental rights of the data subject (Article 24 revFADP). The law does not stipulate a time frame for the required notification but only demands a notification as soon as possible. The Swiss courts will have to clarify what "as soon as possible" means.
What restrictions apply to the international transfer of personal data / information?
The FADP as well as the revFADP restrict cross-border transfers to countries that do not ensure an adequate level of data protection.
According to Article 16(1) revFADP the Swiss Federal Council has to establish which countries and international bodies it deems to ensure an adequate level of data protection. In the event, personal data is to be transferred to a country without an adequate level of data protection, personal data may still be disclosed lawfully abroad if appropriate data protection is guaranteed by:
- An international treaty;
- Data protection clauses in a contract with the recipient which have been notified in advance to the Commissioner;
- Standard data protection clauses which the Commissioner has approved, issued or recognised in advance (in particular the Standard contractual clauses for data transfers between EU and non-EU countries); or
- Binding internal company data protection regulations which have been approved in advance by the Commissioner or by an authority responsible for data protection in a state which guarantees adequate protection.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
The revFADP explicitly states that the territorial scope of application is determined according to the effect's doctrine, i.e the data protection law is also applicable to companies established abroad that process personal data if the data processing affects Switzerland.
What rules specifically deal with marketing?
There are no specific rules dealing with marketing activities.
However, as with all data processing, the general principles of the data protection law must be observed and it must be examined whether the marketing activity could infringe the person's privacy and whether there is a justification.
Do different rules apply to business-to-business and business-to-consumer marketing?
No.
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
Article 3(1)(o) of the law against unfair competition ("UWG") applies to electronic marketing and imposes certain restrictions regarding the delivery of electronic advertisements.
According to Article 3(1)(o) UWG the delivery of electronic advertisement by e-mail is only permissible in two cases:
- If the recipient has given explicit consent to the delivery of electronic advertising;
- If a contract has already been concluded with the recipient and the mass advertising concerns similar offers.
The UWG thus prohibits automated electronic marketing activities towards not yet existing customers (cold calling).
What rules specifically deal with cookies?
The Federal Act on Telecommunications ("TCA") regulates the transmission of information by means of telecommunications techniques and therefore also applies when cookies are used.
According to Article 45c (b) TCA the use of cookies is only permitted if users are informed about the processing and its purpose and are made aware of their right to refuse the processing (right to opt-out).
Also, the general data protection provisions must be considered when using cookies, as the IP address is, in principle, qualified as personal data.
Whether a distinction is made between essential and non-essential cookies is still unclear due to the lack of case law in Switzerland. However, if you want to be on the safe side, you ask for consent before applying marketing cookies.
What are the consequences of non compliance with data protections laws (including marketing laws)?
Under the FADP, specific violations of the FADP provide criminal sanctions in the form of a fine up to CHF10'000. However, no fines have been issued so far.
The revFADP is much stricter and provides for criminal sanctions in the form of a fine of up to CHF 250'000 in particular for the following violations:
- intentionally providing false or incomplete information to a data subject requesting access to its personal data (Article 60(1)(a) revFADP);
- intentionally failing to provide information requested in order to ensure transparency in particular in connection with the collection of personal data and the purpose of processing personal data (Article 60(1)(b) revFADP);
- intentionally providing false information to the Commissioner, or intentionally refusing to cooperate with it, in the context of an investigation (Article 60(2) revFADP);
- intentionally conducting cross-border transfers without complying with the requirements to ensure adequate data protection (Article 61(a) revFADP);
- intentionally transferring data to the data processor without complying with the requirements to ensure data security (Article 61(b) revFADP);
- intentionally failing to comply with the minimum data security requirements (Article 61(c) revFADP);
- intentionally disclosing confidential personal data that have come to the knowledge of the defendant in the course of its professional activities (Article 62(1) revFADP);
- intentionally failing to comply with an order of the Commissioner or a decision of the appellate authorities issued with reference to the threat of punishment under this article (Article 63 revFADP).
In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?
According to Article 14(1) revFADP a Controller established abroad has to designate a representative office in Switzerland if personal data relating to individuals in Switzerland are being processed and
- the processing is related to the offer of goods and services or the observation of the behaviour of persons in Switzerland;
- the processing entails a high risk for the personality of the data subject;
- the processing is extensive and occurs on a regular basis.
What upcoming data protection developments should multinational organisations be aware of?
As already mentioned above, the revFADP will come into force on 1 September 2023. The revFADP is, to a certain extent, aligned with the EU's General Data Protection Regulation (EU) 2016/679) (" GDPR ") but retains its own basic concept and deviates from the GDPR in a number of aspects.