Global Data Privacy Guide
Switzerland (Europe)
Firm: Pestalozzi
Contributors: Michèle Burnier
1. What is the key legislation?
The Federal Act on Data Protection of June 19, 1992, together with the Ordinance to the Federal Act on Data Protection of 14 June 1993, constitutes the key legislation for privacy.
Note: The Federal Act on Data Protection of June 19, 1992 (Data Protection Act, hereinafter "DPA") and the Ordinance to the Federal Act on Data Protection of 14 June 1993 ("ODPA") are the key statutory codes governing privacy in Switzerland. In addition, every Swiss canton has its own data protection statutes with respect to data processing by cantonal public authorities. Since Switzerland is not a member of the EU, it does not have to comply with the EU General Data Protection Regulation or any other directives applicable in this field.

2. What data is protected?
The DPA protects personal data, which is defined as all information relating to an identified or identifiable natural or legal person.
Note: The DPA protects personal data, which is defined as all information relating to an identified or identifiable person (art. 3 lit. a DPA). Special requirements apply to sensitive personal data and personality profiles. Sensitive personal data is data on (i) religious, ideological, political, or trade union-related views or activities; (ii) health, the intimate sphere or racial origin; (iii) social security measures; and (iv) administrative or criminal proceedings and sanctions (art. 3 lit. c DPA). Not only personal data of natural persons is protected but also personal data of legal persons (art. 2 para. 1 DPA). A personality profile is a collection of data that permits an assessment of essential characteristics of the personality of a natural person (art. 3 lit. d DPA).

3. Who is subject to privacy obligations?
The DPA applies to private persons and federal bodies.
Note: The DPA applies to both private persons and federal bodies (art. 2 para. 1 DPA). Federal bodies are federal authorities and services as well as persons who are entrusted with federal public tasks (art. 3 lit. h DPA). With regard to cantonal public bodies, the respective cantonal data protection statutes define who is subject to the privacy obligations.

4. What are the principles applicable to personal data processing?
The processing of personal data must comply with the general principles of data processing. Special rules apply to the processing of personal data by federal bodies.
Note: Processing of personal data is defined as any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving, or destruction of data (art. 3 lit. e DPA). The processing of personal data thus has to comply with the general principles of data processing.
The general principles of data processing are:
- Lawful basis for processing: personal data may only be processed lawfully (art. 4 para. 1 DPA);
- Proportionality: data processing must be carried out in good faith and must be proportionate (art. 4 para. 2 DPA);
- Correctness of data: reasonable measures have to be taken to ensure that the collected data is correct (art. 5 para. 1 DPA);
- Purpose limitation: personal data may only be processed for the purpose indicated at the time of collection, that is evident from the circumstances, or that is provided for by law (art. 4 para. 3 DPA); and
- Transparency: the collection of personal data and in particular the purpose of its processing must be evident to the data subject (art. 4 para. 4 DPA).
Data processing by federal bodies is subject to additional requirements. Such processing requires, in addition to the general principles stated above, a statutory basis as well as a public interest for the processing. The federal body has to notify the data subject of the processing of personal data.
The information has to include at least the following items:
- the controller of the data file;
- the purpose of processing;
- the categories of data recipients where disclosure of data is planned;
- the right to information according to art. 8 DPA; and
- the consequences of the data subject's refusal to provide the requested personal data (art. 18a para. 2 DPA).
In the case of systematic surveys, the federal body also has to disclose the purpose of and the legal basis for the processing, as well as the categories of persons involved with the data file and of the data recipients (art. 18 para. 1 DPA). For private persons collecting data, information duties only apply if sensitive personal data or personality profiles (cf. question 2) are collected.
The information has to include at least the following items:
- the controller of the data file;
- the purpose of processing; and
- the categories of data recipients where disclosure of data is planned (art. 14 DPA).
In general, the data should be collected from the data subject. However, data collection via a third party can be justified. In this case, the data subject also has to be notified about the collection (art. 14 para. 1 and art. 18a para. 1 DPA).

5. How is the processing of personal data regulated?
The processing of personal data is subject to the general principles of data processing (cf. question 4). Special rules apply to the collection of personal data, the disclosure of personal data, and the processing of personal data for research, planning, and statistics by federal bodies.
Note: The processing of personal data is subject to the general principles of data processing (cf. question 4). In addition, the personality rights of the data subject have to be respected. These include i.a. the prohibition to process data pertaining to a person against that person's explicit wish without any justification and the prohibition to disclose sensitive personal data or personality profiles to third parties without justification (art. 12 DPA). Special rules apply to the collection of personal data, the disclosure of personal data, and the processing of personal data for research, planning, and statistics by federal bodies.
The disclosure of personal data by federal bodies requires, in general, a separate statutory provision for disclosure (exceptions are possible; art. 19 DPA).
Processing of personal data for research, planning, and statistics by federal bodies is subject to a facilitated regime (see art. 22 para. 2 DPA) if the following requirements are met:
- the data is rendered anonymous as soon as the purpose of the processing permits;
- the recipient discloses the data only with the federal body's consent; and
- the results are published in such a manner that the data subjects may not be identified (art. 22 para. 1 DPA).

6. How are storage, security and retention of personal data regulated?
Storage, security, and retention of personal data have to comply with the general principles of data processing (cf. question 4).
Note: Storage, security, and retention of personal data have to comply with the general principles of data processing (cf. question 4). In addition, the ODPA describes in more detail the technical and organizational measures that have to be taken regarding storage, security, and retention of personal data, both for private persons processing data (art. 8 et seqq. ODPA) and for federal bodies (art. 20 et seqq. ODPA). Such measures include specific protections of the systems against i.a. destruction, loss, and unauthorized alteration.

7. What are the data subjects' rights?
Data subjects have the right to request information and correction from the controller of a data file.
Note: Any person may request information from the controller of a data file as to whether data concerning them is being processed (art. 8 para. 1 DPA). Restrictions are only possible if there is a statutory provision for such restrictions or if such restrictions are required to protect the overriding interests of third parties (art. 9 para. 1 DPA). Additional restrictions are available to federal bodies as far as the protection of overriding public interests (in particular the internal or external security of Switzerland) or a possible jeopardy to the outcome of criminal investigations or other investigative proceedings is at stake (art. 9 para. 2 DPA). Any data subject may request from the controller of a data file at any time that incorrect data be corrected (art. 5 para. 2 DPA).

8. Are there restrictions on cross-border data transfers?
Yes, the DPA stipulates restrictions on cross-border data transfers.
Note: Personal data must not be disclosed abroad if the personal integrity of the persons concerned would thereby be seriously harmed (art. 6 para. 1 DPA). A serious violation of personal integrity is assumed if there is no legislation ensuring an adequate level of protection in the country where the data is disclosed. The conditions covering disclosure of data abroad apply irrespective of whether the transfer takes place within the same corporate body or to another legal entity. As a rule of thumb, all countries which have either ratified the ETS 108 agreement or have implemented the EU Data Protection Regulation are considered to have an adequate level of data protection according to Swiss legislation. In addition, the Federal Data Protection and Information Commissioner ("FDPIC") has prepared a non-binding list of those countries whose data protection legislation should ensure appropriate protection. However, additional precautions according to art. 6 para. 2 DPA may be advisable.
The transfer of data abroad within a group of companies is also permissible to countries without an adequate level of data protection if the companies concerned are subject to group-wide data protection rules which ensure appropriate protection. This regulation privileges international data transfers within a group of companies (art. 6 para. 2 lit. g DPA). If there is both inadequate legislation in the recipient country and insufficient data protection rules within the group, international data transfers among affiliated companies in the group are still permitted, provided one of the minimum requirements of art. 6 para. 2 lit. a to f DPA is satisfied. In order to comply with these requirements, most legal entities use the EU standard contractual clauses as sufficient safeguards in the sense of art. 6 para. 2 lit. a DPA. In these situations, the FDPIC must be informed (art. 6 para. 3 DPA).

9. Are there any notification requirements for data breaches?
No, there are no notification requirements for data breaches.
Note: Swiss law does not provide notification requirements for data breaches. However, based on the general principles of the DPA, e.g. the transparency principle, it is advisable to notify the data subjects about such a breach and to inform the data commissioner in case of a significant breach.

10. Who is the privacy regulator?
The Federal Data Protection and Information Commissioner is the privacy regulator in Switzerland.
Note: The Federal Data Protection and Information Commissioner ("FDPIC") is the relevant authority if personal data is processed by federal authorities, individuals, or legal entities. The respective Cantonal Data Protection and Information Officer in each canton is the relevant authority if personal data is processed by public authorities of the respective canton.
The FDPIC has the following rights and duties (art. 27 et seqq. DPA):
- supervision of the compliance of federal bodies with the DPA;
- investigation of cases, either on his own initiative or at the request of a third party, regarding federal bodies as well as the private sector;
- issuance of recommendations in case of breaches of data protection regulations; and
- advice to private persons on data protection matters.

11. What are the consequences of a privacy breach?
Depending on the circumstances, civil, criminal, and/or administrative remedies are applicable.
Note: In the case of a privacy breach, civil claims are possible according to the general principles of civil claims with respect to the infringement of personality rights (art. 28 et seqq. of the Swiss Civil Code of 10 December 1907).
In the case of contractual relationships between the parties, civil claims based on the agreement and claims for breach of contract are available. For specific breaches of the DPA, penalties may be issued by the criminal authorities upon complaint (art. 34 et seq. DPA). However, the criminal sanctions of the DPA are very limited. In addition, privacy breaches may amount to criminal liability according to the Swiss Criminal Code of 21 December 1937, especially its provisions on secrecy (art. 162, 179 et seqq.).
In addition, cantonal public liability might apply based on cantonal statutes.
Finally, depending on the breach, the FDPIC could investigate the case in more detail on his own initiative and issue a recommendation regarding the method of processing, including its security (art. 29 DPA).

12. How is electronic marketing regulated?
Electronic marketing is regulated by the Federal Act against Unfair Competition of December 19, 1986 ("UCA").
Note: With regard to marketing communications distributed by telephone, email, or fax, art. 3 lit. u UCA prohibits the sending of such communication if the recipient has declared in the telephone registry that he does not wish to receive such communication from persons with whom the recipient has no business relationship. The same applies if a recipient has no entry in the telephone registry. Furthermore, art. 3 lit. v UCA prohibits making advertising calls without displaying a telephone number that is entered in the Swiss telephone registry and which the respective caller is entitled to use, and art. 3 lit. w UCA prohibits anyone from relying on information of which they have become aware as a result of a violation of art. 3 lit. u and v.
Regarding mass emails and text messages, art. 3 lit. o UCA requires that such communication is only sent with the prior consent of the recipients and with information on a simple opt-out procedure. An exception is made if the sender received the contact information in connection with the sale of products or services and if the recipient was informed at the moment of data collection about the simple opt-out procedure. In that case, information regarding similar products or services may be sent without prior consent.

13. Are there any recent developments or expected reforms?
Yes, the DPA is currently subject to a complete revision.
Note: On September 25, 2020, the Swiss parliament passed the total revision of the DPA. In order for the revised DPA to enter into force, the corresponding implementing provisions in the ODPA must be amended accordingly. The Federal Council's consultation process ended on October 14, 2021; however, the legislative process is still ongoing. It is expected that the revised DPA, together with the revised ODPA, will enter into force at the end of 2022 or the beginning of 2023.
The revised DPA will contain many changes compared to the current legislation and will strengthen the protection of individuals' personal data. It thus responds to social and technological advancements and to developments in international data protection standards, including the EU General Data Protection Regulation. The revised DPA is meant to allow Switzerland to uphold its status as a country adequately protecting personal data from an EU perspective. As the revised DPA hardly provides for any transition periods, companies will be obliged to comply with the new regulations from the date of their entry into force.