{"id":7199,"date":"2017-12-07T16:05:38","date_gmt":"2017-12-07T15:05:38","guid":{"rendered":"https:\/\/swissdataprotectionlaw.ch\/\/?page_id=7199"},"modified":"2023-08-03T11:00:46","modified_gmt":"2023-08-03T09:00:46","slug":"grundlagen","status":"publish","type":"page","link":"https:\/\/swissdataprotectionlaw.ch\/en\/grundlagen\/","title":{"rendered":"Basics"},"content":{"rendered":"<section class=\"l-section wpb_row height_medium\"><div class=\"l-section-h i-cf\"><div class=\"g-cols vc_row via_grid cols_1 laptops-cols_inherit tablets-cols_inherit mobiles-cols_1 valign_top type_default stacking_default\"><div class=\"wpb_column vc_column_container\"><div class=\"vc_column-inner\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><h1 style=\"text-align: center;\">Basics<\/h1>\n<\/div><\/div><div class=\"w-separator size_custom\" style=\"height:32px\"><\/div><div class=\"w-tabs style_default switch_click accordion type_togglable has_scrolling\" style=\"--sections-title-size:inherit\"><div class=\"w-tabs-sections titles-align_none icon_chevron cpos_right\"><div class=\"w-tabs-section\" id=\"h822\"><button class=\"w-tabs-section-header\" aria-controls=\"content-h822\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">Applicable laws<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-h822\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>The processing of personal data in the private sector and by federal bodies in Switzerland is primarily governed by the Federal Act on Data Protection (<a href=\"https:\/\/www.admin.ch\/opc\/en\/classified-compilation\/19920153\/index.html\" target=\"_blank\" rel=\"noopener\">FADP<\/a>) and the related Ordinance to the Federal Act on Data Protection (<a href=\"https:\/\/www.admin.ch\/opc\/en\/classified-compilation\/19930159\/index.html\" target=\"_blank\" rel=\"noopener\">OFADP<\/a>). 
Although Switzerland is not a member of the European Union or the European Economic Area, Swiss companies and organisations have to observe the European data protection regulation. With the entry into force of the EU General Data Protection Regulation (<a href=\"http:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX%3A32016R0679\" target=\"_blank\" rel=\"noopener\">EU GDPR<\/a>) on 25 May 2018, the EU law is directly applicable to many companies in Switzerland. Apart from these general provisions, various other laws contain provisions relating to data protection in specific fields of application, e.g. for processing patient data in healthcare, for employee data or bank client data.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"p9f2\"><button class=\"w-tabs-section-header\" aria-controls=\"content-p9f2\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">Personal Data<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-p9f2\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>Swiss and European data protection laws define personal data as any information relating to an identified or identifiable natural person. Current Swiss law extends not only to data about individuals but also to data of legal entities. The processing of personal data of legal entities is subject to the same provisions as the processing of data of individuals. A person is identifiable if the person concerned can be identified by reference to other information. The definition is very broad. With technological development and the opportunities of Big Data, more and more data that does not appear to be personally identifiable at first glance can be considered personal data. 
For example, identification numbers or location data may constitute personal data if they can be related to a particular person.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"ebac\"><button class=\"w-tabs-section-header\" aria-controls=\"content-ebac\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">Territorial scope<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-ebac\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>The revised Swiss Data Protection Act now explicitly applies to all data processing operations that have an effect in Switzerland, regardless of whether they are initiated or carried out abroad (Art. 3 rev. FADP). Likewise, the EU GDPR is applicable to many companies and organisations in Switzerland. The GDPR applies to the processing of personal data when it is related to the offering of goods or services to data subjects in the EU or to the monitoring of the behaviour of such data subjects in the EU (e.g. 
by tracking on the internet).<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"cdee\"><button class=\"w-tabs-section-header\" aria-controls=\"content-cdee\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">Sensitive personal data \/ Special categories of personal data<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-cdee\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>Sensitive personal data or special categories of personal data are personal data relating to<\/p>\n<ul>\n<li>religious, philosophical, political or trade union-related views and activities,<\/li>\n<li>health, sexual orientation, intimate sphere and racial origin,<\/li>\n<li>social assistance measures and<\/li>\n<li>criminal or administrative proceedings and penalties.<\/li>\n<\/ul>\n<p>These personal data are subject to enhanced legal protection, e.g. the conditions for a consent to be valid for the processing of health data are stricter than for normal personal data.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"pfb1\"><button class=\"w-tabs-section-header\" aria-controls=\"content-pfb1\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">Principles relating to all processing of personal data<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-pfb1\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>Personal data have to be obtained lawfully, i.e. data must not be obtained by unlawful means. Personal data have to be processed in good faith and the processing has to be carried out in a proportionate manner. Personal data must be processed for purposes indicated to the data subject at the time of collection, evident from the circumstances or provided for by law. 
The collection of personal data and the purposes of their processing have to be transparent to the data subject. Personal data must be protected against unauthorised processing through adequate technical and organisational measures.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"z186\"><button class=\"w-tabs-section-header\" aria-controls=\"content-z186\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">Lawfulness of processing<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-z186\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>Under Swiss data protection law, processing of personal data is in principle permitted. Swiss law thus differs from the basic concept in the EU. European law requires justification for any data processing. The lawful reasons for data processing are exhaustively listed in the GDPR. They include, inter alia, the consent of the data subject, the performance of a contract with the data subject, compliance with a legal obligation or overriding interests. According to Swiss law, no particular justification is required for the processing of personal data if the processing is carried out in compliance with the data processing principles. An exception to this rule applies to the processing of personal data against the express will of the data subject and to the disclosure of sensitive personal data or personality profiles to third parties. A justification is necessary for these operations, namely the consent of the data subject, a statutory basis for the processing or an overriding private or public interest which justifies the processing. 
An overriding private interest may be considered in particular if processing is directly connected with the conclusion or execution of a contract.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"r343\"><button class=\"w-tabs-section-header\" aria-controls=\"content-r343\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">Data Security<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-r343\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>Anyone who processes personal data must ensure their confidentiality, availability and integrity. Furthermore, systems for processing personal data must be resilient to security threats. Personal data have to be protected against unauthorised processing by appropriate technical and organisational measures. When determining the technical and organisational measures, the following criteria must be taken into account: purpose, nature and scope of data processing; assessment of the potential risks for the data subjects, in particular in the case of destruction, loss, alteration or unauthorised disclosure of personal data; and the state of the art. Therefore, a risk-based approach must be used when determining the measures to be taken.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"w54c\"><button class=\"w-tabs-section-header\" aria-controls=\"content-w54c\" aria-expanded=\"false\"><div class=\"w-tabs-section-title\">Processing by a third party data processor \/ Outsourcing<\/div><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-w54c\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>A third party may be entrusted with the processing of personal data on behalf of the data controller (outsourcing). 
The processing by a third party data processor is permitted if<\/p>\n<ul>\n<li>the third party processes the data only in the manner permitted for the instructing data controller;<\/li>\n<li>the instructing data controller ensures that the third party guarantees data security; and<\/li>\n<li>the outsourcing is not prohibited by a statutory or contractual duty of confidentiality.<\/li>\n<\/ul>\n<p>Furthermore, a data processing agreement has to be concluded between the data controller and the data processor.<\/p>\n<\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/section>\n","protected":false},"excerpt":{"rendered":"{:de}Grundlagen Gesetzliche GrundlagenDer Schutz von Personendaten bei der Bearbeitung durch private Personen und durch Bundesorgane in der Schweiz ist haupts\u00e4chlich im Bundesgesetz \u00fcber den Datenschutz (DSG) und in der zugeh\u00f6rigen Verordnung zum Bundesgesetz \u00fcber den Datenschutz (VDSG) geregelt. Obwohl die Schweiz nicht Mitglied der EU oder des Europ\u00e4ischen Wirtschaftsraums EWR ist, sind f\u00fcr Schweizer Unternehmen...","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"translation":{"provider":"WPGlobus","version":"2.12.2","language":"en","enabled_languages":["de","en"],"languages":{"de":{"title":true,"content":true,"excerpt":false},"en":{"title":true,"content":true,"excerpt":false}}},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.12 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Basics - Swissdataprotectionlaw<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/swissdataprotectionlaw.ch\/grundlagen\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" 
content=\"Basics - Swissdataprotectionlaw\" \/>\n<meta property=\"og:url\" content=\"https:\/\/swissdataprotectionlaw.ch\/grundlagen\/\" \/>\n<meta property=\"og:site_name\" content=\"Swissdataprotectionlaw\" \/>\n<meta property=\"article:modified_time\" content=\"2023-08-03T09:00:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/swissdataprotectionlaw.ch\/wp-content\/uploads\/2021\/06\/Dataprotectionlaw1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2746\" \/>\n\t<meta property=\"og:image:height\" content=\"2746\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/swissdataprotectionlaw.ch\/grundlagen\/\",\"url\":\"https:\/\/swissdataprotectionlaw.ch\/grundlagen\/\",\"name\":\"Basics - 
Swissdataprotectionlaw\",\"isPartOf\":{\"@id\":\"https:\/\/swissdataprotectionlaw.ch\/#website\"},\"datePublished\":\"2017-12-07T15:05:38+00:00\",\"dateModified\":\"2023-08-03T09:00:46+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/swissdataprotectionlaw.ch\/grundlagen\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/swissdataprotectionlaw.ch\/grundlagen\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/swissdataprotectionlaw.ch\/grundlagen\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Startseite\",\"item\":\"https:\/\/swissdataprotectionlaw.ch\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Grundlagen\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/swissdataprotectionlaw.ch\/#website\",\"url\":\"https:\/\/swissdataprotectionlaw.ch\/\",\"name\":\"Swissdataprotectionlaw\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/swissdataprotectionlaw.ch\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/swissdataprotectionlaw.ch\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/swissdataprotectionlaw.ch\/#organization\",\"name\":\"Swissdataprotectionlaw\",\"url\":\"https:\/\/swissdataprotectionlaw.ch\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/swissdataprotectionlaw.ch\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/swissdataprotectionlaw.ch\/wp-content\/uploads\/2017\/12\/Dataprotectionlaw.jpg\",\"contentUrl\":\"https:\/\/swissdataprotectionlaw.ch\/wp-content\/uploads\/2017\/12\/Dataprotectionlaw.jpg\",\"width\":336,\"height\":23,\"caption\":\"Swissdataprotectionlaw\"},\"image\":{\"@id\":\"https:\/\/swissdataprotectionlaw.ch\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Basics - Swissdataprotectionlaw","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/swissdataprotectionlaw.ch\/grundlagen\/","og_locale":"en_US","og_type":"article","og_title":"Basics - Swissdataprotectionlaw","og_url":"https:\/\/swissdataprotectionlaw.ch\/grundlagen\/","og_site_name":"Swissdataprotectionlaw","article_modified_time":"2023-08-03T09:00:46+00:00","og_image":[{"width":2746,"height":2746,"url":"https:\/\/swissdataprotectionlaw.ch\/wp-content\/uploads\/2021\/06\/Dataprotectionlaw1.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/swissdataprotectionlaw.ch\/grundlagen\/","url":"https:\/\/swissdataprotectionlaw.ch\/grundlagen\/","name":"Basics - Swissdataprotectionlaw","isPartOf":{"@id":"https:\/\/swissdataprotectionlaw.ch\/#website"},"datePublished":"2017-12-07T15:05:38+00:00","dateModified":"2023-08-03T09:00:46+00:00","breadcrumb":{"@id":"https:\/\/swissdataprotectionlaw.ch\/grundlagen\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/swissdataprotectionlaw.ch\/grundlagen\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/swissdataprotectionlaw.ch\/grundlagen\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/swissdataprotectionlaw.ch\/"},{"@type":"ListItem","position":2,"name":"Grundlagen"}]},{"@type":"WebSite","@id":"https:\/\/swissdataprotectionlaw.ch\/#website","url":"https:\/\/swissdataprotectionlaw.ch\/","name":"Swissdataprotectionlaw","description":"","publisher":{"@id":"https:\/\/swissdataprotectionlaw.ch\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/swissdatapro
tectionlaw.ch\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/swissdataprotectionlaw.ch\/#organization","name":"Swissdataprotectionlaw","url":"https:\/\/swissdataprotectionlaw.ch\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/swissdataprotectionlaw.ch\/#\/schema\/logo\/image\/","url":"https:\/\/swissdataprotectionlaw.ch\/wp-content\/uploads\/2017\/12\/Dataprotectionlaw.jpg","contentUrl":"https:\/\/swissdataprotectionlaw.ch\/wp-content\/uploads\/2017\/12\/Dataprotectionlaw.jpg","width":336,"height":23,"caption":"Swissdataprotectionlaw"},"image":{"@id":"https:\/\/swissdataprotectionlaw.ch\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/swissdataprotectionlaw.ch\/en\/wp-json\/wp\/v2\/pages\/7199"}],"collection":[{"href":"https:\/\/swissdataprotectionlaw.ch\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/swissdataprotectionlaw.ch\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/swissdataprotectionlaw.ch\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/swissdataprotectionlaw.ch\/en\/wp-json\/wp\/v2\/comments?post=7199"}],"version-history":[{"count":37,"href":"https:\/\/swissdataprotectionlaw.ch\/en\/wp-json\/wp\/v2\/pages\/7199\/revisions"}],"predecessor-version":[{"id":8271,"href":"https:\/\/swissdataprotectionlaw.ch\/en\/wp-json\/wp\/v2\/pages\/7199\/revisions\/8271"}],"wp:attachment":[{"href":"https:\/\/swissdataprotectionlaw.ch\/en\/wp-json\/wp\/v2\/media?parent=7199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}