Basics

The processing of personal data in the private sector and by federal bodies in Switzerland is primarily governed by the Federal Act on Data Protection (FADP) and the related Ordinance to the Federal Act on Data Protection (OFADP). Although Switzerland is not a member of the European Union or the European Economic Area, Swiss companies and organisations have to observe the European data protection regulation. With the entry into force of the EU General Data Protection Regulation (EU GDPR) on 25 May 2018, the EU law is directly applicable to many companies in Switzerland. Apart from these general provisions, various other laws contain provisions relating to data protection in specific fields of application, e.g. for processing patient data in healthcare, for employee data or bank client data.

Swiss and European data protection laws define personal data as any information relating to an identified or identifiable natural person. Current Swiss law extends not only to data about individuals but also to data of legal entities. The processing of personal data of legal entities is subject to the same provisions as the processing of data of individuals. A person is identifiable if the person concerned can be identified by reference to other information. The definition is very broad. With technological development and the opportunities of Big Data, more and more data that does not appear to be personally identifiable at first glance can be considered personal data. For example, identification numbers or location data may constitute personal data if they can be related to a particular person.

The revised Swiss Data Protection Act now explicitly applies to all data processing operations that have an effect in Switzerland, regardless of whether they are initiated or carried out abroad (Art. 3 rev. FADP). Likewise, the EU GDPR is applicable to many companies and organisations in Switzerland. The GDPR applies to the processing of personal data when it is related to the offering of goods or services to data subjects in the EU or to the monitoring of the behaviour of such data subjects in the EU (e.g. by tracking on the internet).

Sensitive personal data or special categories of personal data are personal data relating to

  • religious, philosophical, political or trade union-related views and activities,
  • health, sexual orientation, intimate sphere and racial origin,
  • social assistance measures and
  • criminal or administrative proceedings and penalties.

These personal data are subject to enhanced legal protection, e.g. the conditions for a consent to be valid for the processing of health data are stricter than for normal personal data.

Personal data have to be obtained lawfully, i.e. data must not be obtained by unlawful means. Personal data have to be processed in good faith and the processing has to be carried out in a proportionate manner. Personal data must be processed for purposes indicated to the data subject at the time of collection, evident from the circumstances or provided for by law. The collection of personal data and the purposes of their processing have to be transparent to the data subject. Personal data must be protected against unauthorised processing through adequate technical and organisational measures.

Under Swiss data protection law, processing of personal data is in principle permitted. Swiss law thus differs from the basic concept in the EU. European law requires justification for any data processing. The lawful reasons for data processing are exhaustively listed in the GDPR. They include, inter alia, the consent of the data subject, the performance of a contract with the data subject, compliance with a legal obligation or overriding interests. According to Swiss law, no particular justification is required for the processing of personal data if the processing is carried out in compliance with the data processing principles. An exception to this rule applies to the processing of personal data against the express will of the data subject and to the disclosure of sensitive personal data or personality profiles to third parties. A justification is necessary for these operations, namely the consent of the data subject, a statutory basis for the processing or an overriding private or public interest which justifies the processing. An overriding private interest may be considered in particular if processing is directly connected with the conclusion or execution of a contract.

Anyone who processes personal data must ensure their confidentiality, availability and integrity. Furthermore, systems for processing personal data must be resilient to security threats. Personal data have to be protected against unauthorised processing by appropriate technical and organisational measures. When determining the technical and organisational measures, the following criteria must be taken into account: purpose, nature and scope of data processing; assessment of the potential risks for the data subjects, in particular in the case of destruction, loss, alteration or unauthorised disclosure of personal data; and the state of the art. Therefore, a risk-based approach must be used when determining the measures to be taken.

A third party may be entrusted with the processing of personal data on behalf of the data controller (outsourcing). The processing by a third-party data processor is permitted if

  • the third party processes the data only in the manner permitted for the instructing data controller;
  • the instructing data controller ensures that the third party guarantees data security; and
  • the outsourcing is not prohibited by a statutory or contractual duty of confidentiality.

Furthermore, a data processing agreement has to be concluded between the data controller and the data processor.