Switzerland: Data Protection Laws of the World Handbook: Second Edition - Switzerland

E-Commerce And Privacy Alert

LAW

The processing of personal data is mainly regulated by the Federal Act on Data Protection of 19 June 1992 ("DPA") and its ordinances, i.e. the Ordinance to the Federal Act on Data Protection ("DPO") and the Ordinance on Data Protection Certification ("ODPC").

In addition, the processing of personal data is further restricted by provisions in other laws, mainly with regard to the public sector and regulated markets.

DEFINITION OF PERSONAL DATA

Personal data means all information relating to an identified or identifiable natural or legal person.

DEFINITION OF SENSITIVE PERSONAL DATA

Sensitive personal data is defined as data on:

  • religious, ideological, political or trade union related views or activities;
  • health, the intimate sphere or racial origin;
  • social security measures; and
  • administrative or criminal proceedings and sanctions.

"Personality profiles" are protected to the same extent under the DPA as sensitive personal data. Personality profiles are collections of data that allow the appraisal of essential characteristics of the personality of an individual.

NATIONAL DATA PROTECTION AUTHORITY

Federal Data Protection and Information Commissioner ("FDPIC")

The FDPIC supervises federal and private bodies, advises and comments on the legal provisions on data protection and assists federal and cantonal authorities in the field of data protection.

The FDPIC informs the public about his findings and recommendations, and maintains and publishes the register for data files.

REGISTRATION

The processing of personal data by private persons does not usually have to be notified or registered. However, private persons must register their data files before the data files are opened, if:

  • they regularly process sensitive personal data or personality profiles; or
  • they regularly disclose personal data to third parties;

and unless one of the following exemptions applies:

  • the data is processed pursuant to a statutory obligation;
  • the Swiss Federal Council has exempted the particular processing from the registration requirement because it does not prejudice the rights of the data subjects;
  • the data controller uses the data exclusively for publication in the edited section of a periodically published medium and does not pass on any data to third parties without informing the data subjects;
  • the data is processed by journalists who use the data file exclusively as a personal work aid;
  • the data controller has designated a data protection officer who independently monitors internal compliance with data protection regulations and maintains a list of the data files; or
  • the data controller has acquired a data protection quality mark under a certification procedure according to Article 11 DPA and has notified the FDPIC of the result of the evaluation.

DATA PROTECTION OFFICERS

There is no requirement under Swiss data protection law to appoint a data protection officer.

However, a data controller can be dispensed from registering its data files if it has designated a data protection officer who:

  • carries out his/her duties autonomously and independently, i.e. without being subject to instructions;
  • has a certain level of expertise that is appropriate for the relevant data processing at the company (it does not matter if that expertise was not acquired in Switzerland);
  • must check and audit the processing of personal data within the company;
  • must be in a position to recommend corrective measures when detecting any breaches of applicable data protection rules;
  • must have access to all data files and all data processing within the company as well as to all other information that he/she requires to fulfill his/her duties;
  • must maintain records of all data files controlled by the company and provide this list to the FDPIC or affected data subjects upon request;
  • may not carry out any other activities that are incompatible with his/her duties as data protection officer.

The data controller must notify the FDPIC of the appointment of a data protection officer to be listed on the public list of companies exempted from the requirement to register their data files.

COLLECTION AND PROCESSING

The following principles apply to the collection and processing of personal data (including data of legal entities):

  • personal data may only be processed lawfully, in good faith and according to the principle of proportionality;
  • the collection of personal data and, in particular, the purpose of its processing must be evident to the data subject;
  • personal data should only be processed for a purpose that is indicated or agreed at the time of collection, evident from the circumstances at the time of collection, or provided for by law;
  • the data controller and any processor must ensure that the data processed is accurate;
  • personal data must not be transferred abroad if the privacy of the data subject may be seriously endangered (see below);
  • personal data must be protected from unauthorised processing by appropriate technical and organisational measures;
  • personal data must not be processed against the explicit will of the data subject, unless this is justified by:
    • the consent of the data subject (which must be given voluntarily and based upon adequate information);
    • an overriding private or public interest; or
    • law;
  • sensitive personal data or personality profiles must not be disclosed to a third party, unless this is justified by:
    • the consent of the data subject (which must be given expressly in addition to the voluntariness and adequate information requirement);
    • an overriding private or public interest; or
    • law.

TRANSFER

Personal data may be disclosed outside Switzerland if the destination country offers an adequate level of data protection. The FDPIC maintains and publishes a list of such countries.

The FDPIC deems the data protection legislation of all EU and EEA countries to be adequate with regard to personal data of individuals. With regard to personal data of legal entities, only a few EU countries, such as Austria, Italy and Liechtenstein, provide an adequate level of data protection.

In the absence of legislation that guarantees adequate protection, personal data may be disclosed abroad only if:

  • sufficient safeguards, such as data transfer agreements or other contractual clauses, ensure an adequate level of protection abroad. These agreements or other safeguards must be notified to the FDPIC; to the extent that model clauses recognised by the FDPIC are used, mere information is sufficient;
  • there are binding corporate rules that ensure an adequate level of data protection in cross border data flows within a single legal entity or a group of companies, e.g. the US Swiss Safe Harbor Framework (which mirrors the US EU Safe Harbor Framework). Such rules must be notified to the FDPIC;
  • the data subject consents to the particular data export (consent must be given for each individual case, a generic consent is not sufficient);
  • the processing is directly connected with the conclusion or performance of a contract with the data subject;
  • disclosure is essential in order to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal rights before the courts;
  • disclosure is required in order to protect the life or the physical integrity of the data subject; or
  • the data subject has made the personal data publicly accessible and has not expressly prohibited its processing.

SECURITY

The data controller and any processor must take adequate technical and organisational measures to protect personal data against unauthorised processing and ensure its confidentiality, availability and integrity. In particular, personal data shall be protected against the following risks:

  • unauthorised or accidental destruction;
  • accidental loss;
  • technical errors;
  • forgery, theft or unlawful use; and
  • unauthorised altering, copying, accessing or other unauthorised processing.

The technical and organisational measures must be appropriate, in particular with regard to the purposes of the data processing, the scope and manner of the data processing, the risks for the data subjects and the current technological standards.

BREACH NOTIFICATION

There is no mandatory requirement to notify the FDPIC of any breach of the obligations under the DPA.

ENFORCEMENT

The FDPIC does not have specific direct powers to enforce the DPA. He may investigate cases on his own initiative or at the request of a third party and may issue recommendations that the method of processing be changed or abandoned. If the FDPIC's recommendation is not complied with, he may refer the matter to the Swiss Federal Administrative Court for a decision.

Furthermore, the DPA provides for criminal liability and fines of up to CHF 10,000 if a private person intentionally fails to comply with the following obligations under the DPA:

  • duty to provide information when collecting sensitive data and personality profiles;
  • duty to safeguard the data subject's right to information;
  • obligation to notify the FDPIC with regard to contractual clauses or binding corporate rules in connection with the data transfer abroad;
  • obligation to register data files; or
  • duty to cooperate in an FDPIC investigation.

Criminal proceedings must be initiated by the competent cantonal prosecution authority.

Finally, under Swiss civil law the data subject may apply for injunctive relief and may file a claim for damages as well as satisfaction and/or surrender of profits based on the infringement of its privacy.

ELECTRONIC MARKETING

Electronic marketing practices must comply with the provisions of the Swiss Federal Act against Unfair Competition ("UCA").

With regard to the sending of unsolicited automated mass advertisement (which, in addition to emails, includes SMS, automated calls and fax messages) the UCA generally requires prior consent by the recipient, i.e. opt-in. As an exception, mass advertising may be sent without the consent of the recipient if the sender received the contact information in the course of a sale of his products or services, the recipient was given the opportunity to refuse the use of his/her contact information upon collection and the mass advertising relates to similar products or services of the sender.

In addition, mass advertising emails must contain the sender's correct name, address and email contact and must provide for an easy-access and free of charge opt-out.

The UCA generally applies to business-consumer relationships as well as to business-business relationships, i.e., mass advertisements sent to individuals and to corporations are subject to the same rules.

In principle, direct marketing by telephone is lawful in Switzerland as long as it is not done in an aggressive way (e.g. by repeatedly calling the same person). Moreover, art. 3 para. 1 lit. u UCA prohibits direct marketing by telephone to people who wish to not receive commercial communication and expressed that wish (i.e. opted-out) by marking their entry in the telephone book (e.g. through an asterisk next to a person's entry).

In addition to the rules of the UCA, the general data protection principles under the DPA also apply with regard to electronic marketing activities, e.g. the collection and maintenance of email addresses or processing of any other personal data.

ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)

In general, the processing of personal data in the context of online services is subject to the general rules pertaining to the collection of personal data under the DPA. In addition, certain aspects of online privacy are covered by other regulations, such as the use of cookies which is also subject to the Swiss Telecommunications Act ("TCA").

Under the TCA, the use of cookies is considered to be processing of data on external equipment, e.g. someone else's computer. Such processing is only permitted if users are informed about the processing and its purpose as well as about the means to refuse the processing, e.g. by configuring their web browser to reject cookies.

In addition, the general rules under the DPA apply where cookies collect data related to identified or identifiable persons, i.e., personal data. The collection of personal data through cookies as well as the purpose of such a collection must be evident to the data subject. Further, the personal data collected may only be processed for the purpose (i) indicated at the time of collection, (ii) that is evident from the circumstances, or (iii) that is provided for by law.

Where the personal data collected through a cookie is (i) considered sensitive data, e.g. data regarding religious, ideological, political views or activities, or (ii) is so comprehensive that it forms a personality profile, i.e. permits an assessment of essential characteristics of the personality of a person, the stricter rules pertaining to the processing of sensitive personal data are applicable. These stricter rules provide, inter alia, that the data subject must be informed of (i) the identity of the data controller, (ii) the purpose of data processing and (iii) the categories of data recipients if the data shall be disclosed to third parties. Further, in relation to the processing of sensitive personal data implied consent is not sufficient; consent must be given expressly.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.


DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com
