Bratschi Ltd.,
What law(s) specifically govern personal data / information?
The principal legislation governing the processing of personal data in Switzerland is the Swiss Federal Act on Data Protection ('FADP' / German 'DSG'), which entered into force in its revised form on 1 September 2023.
The FADP is supplemented by the Ordinance on Data Protection (Data Protection Ordinance, 'DPO').
While Switzerland is not a member of the EU and the EU General Data Protection Regulation ('GDPR') does not apply directly, Swiss companies may nevertheless be subject to the GDPR if they (i) offer goods or services to individuals in the EU or (ii) monitor the behaviour of individuals in the EU (extraterritorial scope under Art. 3 GDPR).
In practice, many Swiss businesses need to comply with both the FADP (incl. DPO) and the GDPR.
What are the key data protection principles in this jurisdiction?
The key principles are (Article 6 (1-5) FADP):
- The Principle of Lawfulness, meaning that personal data must be processed lawfully and that the personal data may only be processed if it has been collected in accordance with the applicable law.
- The Principle of Good Faith and Proportionality, meaning that personal data must be processed in accordance with the principle of good faith and in a proportionate manner.
- The Principle of Purpose Limitation, meaning that personal data must be processed only for the purpose:
  - indicated at the time of collection;
  - that is evident from the circumstances; or
  - that is provided for by law;
  and may only be processed in a way that is compatible with that purpose.
- The Principle of Recognisability, meaning that the collection of personal data and the purpose of its processing must be evident to the data subject.
- The Principle of Data Minimisation and Storage Limitation, meaning that only data necessary for the intended purpose shall be collected and processed and that personal data must be deleted or anonymised once it is no longer needed for the specific purpose.
- The Principle of Accuracy, meaning that the responsible data controller ('Controller') and processor need to ensure they only process personal data that is accurate.
What is the supervisory authority / regulator in charge of data protection?
The Federal Data Protection and Information Commissioner ('FDPIC').
Is there a requirement to register with a supervisory authority / regulator?
No, the FADP does not impose any general registration obligation with the FDPIC.
Is there a requirement to notify the supervisory authority / regulator?
Yes, the FADP establishes notification obligations, but only if specific conditions are met in the individual case. In particular:
- Data protection impact assessment: If the processing of data may pose a high risk to the personality or fundamental rights of the data subject, the Controller must carry out a data protection impact assessment ('DPIA') in advance (Article 22 FADP). If the DPIA shows that the planned processing will still result in a high risk to the personality or fundamental rights of the data subject despite the measures envisaged by the Controller, the Controller must first notify the FDPIC (Article 23 FADP).
- Data security breaches: The Controller shall notify the FDPIC of any breach of data security that is likely to lead to a high risk to the data subject's personality or fundamental rights as quickly as possible (Article 24 FADP).
- Record of processing activities: The federal bodies shall notify the FDPIC of their records of processing activities (Article 12 FADP).
- Data protection officer: Private Controllers may appoint a data protection officer. The Controller publishes the contact details of the data protection officer and notifies the FDPIC thereof (Article 10 FADP).
Is it possible to register with / notify the supervisory authority / regulator online?
Yes, the FDPIC provides five online reporting portals, see https://www.edoeb.admin.ch/en/reporting-portals.
What are the key data subject rights under the data protection laws of this jurisdiction?
Data subjects have the following key rights regarding personal data:
- The right to information (Article 25 FADP);
- The right to data portability (Article 28 FADP);
- The right to rectification or deletion (Article 32 FADP);
- The right to opt-out (Article 30(2)(b) FADP).
Is there a requirement to appoint a data protection officer (or equivalent)?
Private Controllers may appoint a data protection officer (Article 10(1) FADP). Every federal body shall appoint a data protection officer (Article 25 DPO).
For companies, there is therefore the possibility, but no obligation, to appoint a data protection officer. However, companies appointing a data protection officer become exempt from the obligation to notify the FDPIC in cases of DPIAs with high risk to the personality or fundamental rights of the data subject (Article 23(4) FADP).
Do data protection / privacy impact assessments need to be carried out in certain circumstances?
According to Article 22 FADP the Controller must carry out a DPIA in advance if a processing operation may entail a high risk to the personality or fundamental rights of the data subject.
Does this jurisdiction have any specific data breach notification requirements?
In case of a data security breach, the Controller has to notify the FDPIC, but only if the data security breach is likely to result in a high risk to the personality or fundamental rights of the data subject (Article 24 FADP). The law does not stipulate a time frame for the required notification but only demands a notification as quickly as possible. The Swiss courts will have to clarify what 'as quickly as possible' means.
What restrictions apply to the international transfer of personal data / information?
The FADP restricts cross-border transfers to countries that do not ensure an adequate level of data protection.
According to Article 16(1) FADP, the Swiss Federal Council has to establish which countries and international bodies it deems to ensure an adequate level of data protection. In the event that personal data is to be transferred to a country without an adequate level of data protection, personal data may still be disclosed lawfully abroad if appropriate data protection is guaranteed by:
- an international treaty;
- data protection clauses in a contract with the recipient which have been notified in advance to the FDPIC;
- standard data protection clauses which the FDPIC has approved, issued or recognised in advance (in particular, the standard contractual clauses for data transfers between EU and non-EU countries); or
- binding corporate rules that have been approved in advance by the FDPIC or by an authority responsible for data protection in a State that guarantees an adequate level of protection.
The list of countries considered adequate is set out in Annex 1 to the DPO (https://www.fedlex.admin.ch/eli/cc/2022/568/en#annex_1). For transfers to certified US companies (see Annex 1 DPO, No. 44), the Swiss-US Data Privacy Framework ('DPF') provides a legal basis for secure cross-border data transfers, effective from 15 September 2024.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
The FADP explicitly states that the territorial scope of application is determined according to the effects doctrine, i.e. the data protection law is also applicable to companies established abroad that process personal data if the data processing has an effect in Switzerland (Article 3 FADP).
What rules specifically deal with marketing?
The FADP does not contain specific provisions on marketing.
However, as with all data processing, the general principles of the data protection law must be observed and it must be examined whether the marketing activity could infringe the person's privacy and whether there is a justification.
Marketing activities in Switzerland are primarily regulated under the Federal Act on Unfair Competition ('UCA' / German 'UWG').
Do different rules apply to business-to-business and business-to-consumer marketing?
No.
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
Article 3(1)(o) UCA applies to electronic marketing and imposes certain restrictions regarding the delivery of electronic advertisements.
According to Article 3(1)(o) UCA, the delivery of electronic advertisements by e-mail is only permissible in two cases:
- If the recipient has given explicit consent to the delivery of electronic advertising;
- If a contract has already been concluded with the recipient and the mass advertising concerns similar offers.
The UCA thus prohibits automated electronic marketing activities directed at persons who are not yet customers (cold calling).
What rules specifically deal with cookies?
The Federal Act on Telecommunications ('TCA' / German 'FMG') regulates the transmission of information by means of telecommunications techniques and, therefore, also applies when cookies are used.
According to Article 45c(b), TCA, the use of cookies is only permitted if users are informed about the processing and its purpose and are made aware of their right to refuse the processing (right to opt out).
Also, the general data protection provisions must be considered when using cookies, as the IP address is, in principle, qualified as personal data.
Whether a distinction is made between essential and non-essential cookies is still unclear due to the lack of case law in Switzerland. However, to be on the safe side, consent should be obtained before setting marketing cookies.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
The FADP provides for criminal sanctions in the form of a fine of up to CHF 250'000 in particular for the following violations:
- intentionally providing false or incomplete information to a data subject requesting access to its personal data (Article 60(1)(a) FADP);
- intentionally failing to provide information requested in order to ensure transparency in particular in connection with the collection of personal data and the purpose of processing personal data (Article 60(1)(b) FADP);
- intentionally providing false information to the FDPIC, or intentionally refusing to cooperate with it, in the context of an investigation (Article 60(2) FADP);
- intentionally conducting cross-border transfers without complying with the requirements to ensure adequate data protection (Article 61(a) FADP);
- intentionally transferring data to the data processor without complying with the requirements to ensure data security (Article 61(b) FADP);
- intentionally failing to comply with the minimum data security requirements (Article 61(c) FADP);
- intentionally disclosing confidential personal data obtained in the course of professional activities (Article 62(1) FADP);
- intentionally failing to comply with an order of the FDPIC or a decision of the appellate authorities issued with reference to the threat of punishment under this article (Article 63 FADP).
Other violations of the FADP may lead to administrative proceedings initiated by the FDPIC or civil lawsuits initiated by the concerned data subject.
While the FADP does not contain specific criminal sanctions for marketing violations per se, unlawful direct marketing may trigger civil or administrative actions under the UCA:
- intentional violations of the UCA can result (i) in custodial sentence for up to three years or (ii) a monetary penalty (Article 23 UCA);
- affected parties have the right to initiate civil proceedings for damages or to seek injunctive relief against unfair practices.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?
According to Article 14(1) FADP, a Controller established abroad has to designate a representative in Switzerland if personal data relating to individuals in Switzerland are being processed and
- the processing is related to the offer of goods and services or the observation of the behaviour of persons in Switzerland;
- the processing entails a high risk for the personality of the data subject;
- the processing is extensive and occurs on a regular basis.
What upcoming data protection developments should multinational organisations be aware of?
The FADP was fully revised and came into force on 1 September 2023. Therefore, no major developments/legislative changes are expected in Swiss law in the near future.
The Swiss-US DPF provides a legal basis for cross-border transfers to certified US companies. Controllers should closely monitor its application, as the practical implementation and future recognition of the DPF remain subject to change.