Talacker 41, 8001 Zurich, Switzerland, Phone: +41 43 443 72 00, Fax +41 43 497 22 70, info@amcham.ch 
Data Protection
Site contribution
Date: December 2015
Prepared by:
Christian Drechsler
Head Legal IT/IP|Data Protection
Zurich Insurance Group AG
Mythenquai 2, P.O. Box
8022 Zurich
Phone:   +41 44 625 25 25
Fax:   +41 44 625 09 09
E-Mail:   christian.drechsler@zurich.com
Summary
The applicable law consists of the Federal Statute on Data Protection of June 19, 1992 and the Ordinance thereto. The law applies whenever personal data is processed.
Several principles, the so-called "data protection principles", must always be adhered to when personal data is processed. For example, personal data must be processed in good faith, the data processing must be proportionate, and adequate technical and organizational measures must be taken to protect personal data against unauthorized access by third parties.
If data is processed outside the boundaries of the data protection principles, such processing is, according to the prevailing view among Swiss legal scholars, still permissible if it can be justified. There are three types of justification: (1) the consent of the data subject to the data processing, (2) an overriding public or private interest in the data processing, or (3) a statutory obligation to process the data.
The company responsible for the data (the "data controller") can engage a third party (the "data processor") to process the data on its behalf, subject to the following: (1) the data controller must select the data processor carefully and must monitor the data processor's processing throughout the contractual relationship; and (2) the data controller must enter into an agreement with the data processor which ensures that the data processor only processes the data on the instructions of the data controller and which contains appropriate clauses to protect the data, especially regarding data security.
The transfer of personal data to countries outside Switzerland and the EU that are not recognized as providing an adequate level of data protection by European standards, such as the U.S., is only possible in a limited number of exceptional situations, most importantly: (1) the consent of the data subjects in the specific case, (2) a specific, standardized data transfer agreement between the European data controller and the non-European data processor, and (3) in the case of an intra-group transfer, binding group-internal data protection guidelines. Since October 2015, data transfers to the U.S. can no longer be legitimized by the U.S. data processor's membership in the Safe Harbor regime.
In certain situations the data controller is obliged to register the respective data collection with the Federal Data Protection and Information Commissioner ("FDPIC"). However, the law gives the data controller some means to avoid this registration obligation, in particular by implementing certain self-regulatory measures. Further, if personal data is transferred to a country that lacks a level of data protection similar to Switzerland's, the data controller may be obliged to inform the FDPIC about certain aspects of the transfer.
Data subjects have a right to information regarding their data. Additionally, if personal data is processed unlawfully, data subjects have a number of remedies in civil law. Willful non-compliance with certain statutory obligations, e.g. the notification obligations mentioned above, can be fined. In practice, non-compliance with the data protection law is rarely sanctioned in Switzerland, either by way of a civil action or by way of a fine under criminal law. Irrespective of this, non-compliance with privacy laws can severely damage the reputation of a company.
Like the corresponding legislation in the EU, the Swiss data protection legislation is currently under revision.
Applicable Law
  • Federal Statute on Data Protection of June 19, 1992 and Ordinance thereto.
Detailed Information
1. Scope
The Swiss data protection law applies to the processing of personal data. Personal data is "all information relating to an identified or identifiable person" (the "data subject"). Unlike the EU legislation on data protection, Swiss privacy law also protects the data of legal entities (companies). Processing is any handling of personal data, in particular the procuring, storing, editing, archiving etc. of data, irrespective of the means and procedures used. The law applies to both automated and manual data processing.
Several principles must be adhered to when personal data is processed. For example, personal data must be processed in good faith, the data processing must be proportionate, the data controller must ensure that the data processed is accurate, and adequate organizational and technical measures must be taken to protect personal data from accidental destruction or loss, theft or falsification, and unlawful modification, copying and access. The Ordinance contains rather detailed provisions on the technical measures to be taken to protect personal data.
One important keyword in connection with the data protection principles is transparency: data processing must be transparent to the data subjects. This means that the processing should either be obvious to the data subjects or, if this is not the case, that the data subjects are informed in an appropriate way about the processing. When sensitive personal data or personality profiles are processed, the law obliges the data controller to explicitly inform the data subjects about certain aspects of the processing.
If data is processed outside the boundaries of the data protection principles, such processing is, according to the prevailing view among Swiss legal scholars, still permissible if it can be justified. There are three types of justification: (1) the consent of the data subject to the data processing, (2) an overriding public or private interest in the data processing, or (3) a statutory obligation to process the data.
Consent is only valid if given voluntarily. This is a potential issue in particular where employers seek to justify the processing of HR data with employee consent, because employees are subordinated to the employer, so it is questionable whether their consent was given voluntarily. To avoid this uncertainty, employers often rely on justifications other than consent. Also, for consent to be valid, the data subject must be provided with sufficient information on the data processing to be able to make an informed decision. Written consent is not required by law, but may be recommended for evidentiary reasons. Consent can also validly be declared electronically. Explicit consent is required if sensitive data or personality profiles are processed.
An overriding private interest of the data controller is an important justification for data processing. The law contains a non-exhaustive list of scenarios in which the data controller typically has an overriding private interest, e.g.: (1) personal data is processed directly in connection with the conclusion or performance of a contract; (2) personal data of a competitor is processed; (3) personal data is processed to evaluate someone's creditworthiness. Many other scenarios of data processing fall under this justification in practice.
Finally, there is often a statutory basis for the data processing, which makes it lawful, especially in regulated industries. For example, financial services providers are obliged to process certain customer data to comply with anti-money laundering laws.
The law distinguishes between "regular" personal data and qualified personal data, to which more stringent rules apply. Swiss law recognizes two categories of qualified personal data: (1) sensitive data, i.e. data concerning a person's religion, political views, sexual preferences, health etc., and (2) personality profiles, i.e. compilations of data that allow essential aspects of an individual's personality to be determined.
The data controller may contract a third party to process the data on its behalf. However, the data controller must enter into an agreement with the data processor which ensures that the data processor only processes the data on the instructions of the data controller and which contains appropriate clauses to protect the data, especially regarding data security. Also, the data controller must select the data processor carefully and monitor the data processor throughout the contractual relationship. In the case of commissioned data processing, the data controller remains responsible for the lawfulness of the processing.
Special rules apply to transfers of personal data to countries that do not possess an adequate level of data protection by Swiss and EU standards. Currently only the following countries are recognized as possessing such an adequate level of data protection: all member countries of the European Union, Norway, Iceland, Liechtenstein, Guernsey, Jersey, the Isle of Man, Canada, Argentina, Uruguay and New Zealand. Transfers of data to countries without adequate data protection, such as the U.S., are only allowed if one of seven specific exceptions listed in the law applies; otherwise they are prohibited. The most important exceptions are: (1) the data protection abroad is ensured through guarantees, namely the terms of a standardized data transfer agreement between the data controller and the data processor (see next paragraph), (2) the data subject has consented to the transfer "in the individual case", or (3) in the case of an intra-group transfer, data protection is safeguarded by binding group-internal data protection guidelines. Since the landmark judgment of the Court of Justice of the European Union of October 6, 2015 and the announcement by the FDPIC shortly thereafter, data transfers to the U.S. can no longer be justified by the Safe Harbor regime.
The EU and Swiss data protection authorities have developed standard clauses for data transfer agreements for transfers to countries that do not possess an adequate level of data protection by European standards. The use of these standard agreements makes the transfer of personal data to such countries compliant with Swiss/European law.
The law contains rather elaborate rules on regulatory filing obligations. They apply in defined cases of data processing with a higher potential for privacy infringement and compel the data controller to file certain information with the FDPIC.
The law distinguishes between two types of filing obligations: a registration obligation and an information obligation.
The registration obligation applies to data collections. A data collection is any stock of personal data that is structured in a way that allows the data to be retrieved by the persons affected. Information about the underlying data collections has to be registered with the FDPIC in three situations: (1) sensitive personal data is regularly processed, (2) personality profiles are regularly processed, or (3) personal data is regularly disclosed to third parties. The filing must be made prior to the processing. The data controller is discharged of the registration obligation in certain situations, most importantly if: (1) there is a legal duty to process the data, (2) it has appointed a data protection officer "who supervises the internal corporate compliance with the law independently and who keeps a registry of the data collections", or (3) it has acquired a data protection quality seal from an accredited data protection audit institution and the results of the audit have been notified to the FDPIC.
If personal data is transferred to countries that do not possess an adequate level of data protection by Swiss standards, the data controller may be obliged to inform the FDPIC about specific aspects of the transfer. This obligation must generally be complied with before the transfer takes place. The information obligation arises if the transfer abroad is governed by a data transfer agreement or, in the case of a transfer within a group, by group-internal data protection guidelines. The owner of the data collection must inform the FDPIC of the "guarantees" in the agreement or the guidelines that protect the personal data.
Most importantly, the data subject has a comprehensive right to information: whoever processes personal data must disclose the following to a data subject upon request:
  • all personal data of the respective person that is processed, and all available information on the origin of the data,
  • the purpose and, if applicable, the legal basis of the processing,
  • the categories of data processed, of persons/entities involved in the processing, and of data recipients.
In addition, the data subject has a number of other remedies, in particular a claim for rectification if the data is incorrect, and a claim for destruction of the data or for the disclosure of the data to third parties to be stopped if the processing or transfer is unlawful. Finally, the data subject theoretically also has a claim for damages.
In practice, very few civil claims are brought on the basis of the data protection legislation in Switzerland. The fines that can be imposed in certain cases of willful non-compliance with the law are also rare. Irrespective of this, non-compliance with privacy laws can severely damage the reputation of a company.
Like the corresponding legislation in the EU, the Swiss data protection legislation is currently under revision.
Frequently Asked Questions
  • Question #1:
    When does the Swiss data protection legislation apply?
    The legislation applies as soon as information relating to an identified or identifiable person is processed. Processing is any handling of personal data, e.g. the procuring, storing or editing of data, irrespective of the means and procedures used (manual or automated).
  • Question #2:
    What rules must I respect when I process personal data?
    The law contains a number of principles that must always be respected, e.g. personal data must be processed in good faith, the data processing must be proportionate, the data controller must ensure that the data processed is accurate, and adequate organizational and technical measures must be taken to protect personal data from accidental destruction or loss, theft or falsification, and unlawful modification, copying and access.
  • Question #3:
    We want to carry out a customer satisfaction survey and want to use an external firm specialized in surveys, also located in Switzerland, to conduct the survey for us. What measures have to be taken so that the survey is done in a data protection compliant way?
    The survey company can only conduct the survey on behalf of the data controller if it receives data on the customers. Typically this data will constitute personal data. Retaining the survey company for the purposes of the survey constitutes commissioned data processing. Consequently, the data controller must first satisfy itself that the survey company will adequately protect the customer data handed over. Further, the data controller must enter into an agreement with the survey company (the data processor) which ensures that the customer data is adequately protected. Finally, the data controller must monitor the survey company during the performance of the contract.
  • Question #4:
    Variation of Question #3, with the difference that the survey company is located in the U.S.
    Same as Answer #3, with the difference that the data controller should use the pre-approved model clauses for the data processing agreement with the survey company. Because the transfer is then governed by a data transfer agreement, the data controller must also inform the FDPIC of the guarantees contained in that agreement before the transfer takes place (see the information obligation above). Alternatively, the data processing by the U.S. entity could be justified by the consent of the data subjects.
    Useful Links
  • Website of the Federal Data Protection and Information Commissioner
  • Website of the European Commission on data protection