When conducting business in Switzerland, one should be conscious of the laws in place to protect individuals’ and companies’ data. The main regulation of data protection in Switzerland is found in the Federal Act on Data Protection of 19 June 1992 (“DPA”) and the corresponding Ordinance to the Federal Act on Data Protection of 14 June 1993 (“DPO”). The law in respect of data protection is wide-reaching and has formed a pivotal part of the Swiss legal system since 1992. In light of vast changes being made in respect of banking secrecy and advancements in internet technology, it is essential for Swiss businesses and individuals alike to be aware of their rights and obligations with respect to data protection laws in Switzerland as well as the limits thereupon.
This newsletter forms part of a set of four publications discussing and analyzing data protection in Switzerland. The current publication sets out the well-established data protection laws as well as the limits and applicable remedies and penalties. The second publication, for release in November 2015, will present one of the most important and relevant areas in respect of Swiss data protection, being banking secrecy and the current and planned restrictions thereof. The third publication, for release in early 2016, will look at significant challenges faced by data protection. This includes matters arising as a result of the internet, such as cloud computing and cookies, as well as cross-border protection and assignment of data to third parties. The fourth and final publication, also for release in early 2016, will present a comparison of the Swiss data protection laws with European Union and United States’ data protection laws.
Data protection in Swiss law
Personal data can be considered an essential and often invaluable asset to most businesses in today’s society. Data allows a business to predict the purchases a consumer might make or what services may best suit a client of a bank.[1] Conversely, to remain competitive, the respective legal system must uphold the protection of data so that the information is not exploited and the subjects disadvantaged.
The Swiss legal system provides clear rules governing the collection and use of personal data, which are set out below.
Constitution
The protection of data is first and foremost enshrined in the Federal Constitution of the Swiss Confederation of 19 April 1999 (“Constitution”).
Article 13(1) of the Constitution states that all persons have the right to privacy in their private life, family life and in their homes as well as in respect of mail and telecommunications. Article 13(2) of the Constitution goes to the heart of actual protection by giving the right to persons to be protected against misuse of their personal data.
Personal data is not defined in the Constitution but rather in the DPA (see directly below).
Federal Act on Data Protection
The basis and boundaries of data protection is set out in the DPA. It is interesting to observe that provisions contained therein are generally broad in nature and put the protection of data as widely as possible. Where the protection is in any way limited, exhaustive limitations are subsequently provided.
“Data” or “personal data” (these terms are used interchangeably) is defined in Article 3 as “all information relating to an identified or identifiable person.” This broad definition infers that it is all-inclusive, whereby information would prima facie be considered personal data.
The term “sensitive personal data” is also used in the DPA and refers to data on religious, ideological, political or trade union-related views or activities, health or racial origin, social security measures or administrative or criminal proceedings and sanctions.[2]
A “personality profile” is defined to include a collection of data that permits an assessment of essential characteristics of the personality of a natural person.[3]
The main action in respect of the data as referred to in the DPA is “processing”, which is also very broadly defined and refers to any operation undertaken in connection with data.
The DPA applies to data pertaining to natural and legal persons, whereby the data is processed by private persons and federal bodies.[4]
Cantonal Laws
Each Canton in Switzerland has in place a data protection act, which are directed at cantonal governmental bodies or specific sectors.
How is data protected?
The Swiss perspective on data protection is succinctly summarized in Article 1 of the DPA, which provision states that the purpose of the DPA is “to protect the privacy and the fundamental rights of persons when their data is processed.”
The principles in respect of data protection as well as the processing of personal data flow therefrom and are as follows:
- personal data may only be processed lawfully;[5]
- the processing of personal data must be carried out in good faith and must be proportionate in the circumstances;[6]
- personal data can only be processed for the purpose given at the time of collection;[7]
- if consent is required for the processing by the data subject, such consent is only valid if given voluntarily and if adequate information is provided. For the processing of sensitive personal data or personality profiles, express consent must be provided;[8]
- anyone processing personal data must ascertain that the data is correct and must take reasonable measures to ensure that incorrect or incomplete data in light of the purpose of its collection is either corrected or destroyed;[9]
- personal data must be protected against unauthorized processing through implementing proper technical and organizational measures;[10]
- the privacy of the data subject must not be breached in the processing of personal data;[11]
- data must not be processed against a person’s express wish without justification;[12]
- sensitive personal data and personality profiles must not be disclosed to third parties without justification;[13]
- federal bodies may only process personal data if there is a statutory basis for doing so;[14]and
- federal bodies may only process sensitive personal data and personality profiles if a formal enactment expressly provides for it, if the Federal Council authorizes the processing because the rights of the subject are not endangered, or if the data subject has given his consent or made their data generally accessible and not expressly prohibited its processing.
Before data files are opened, federal bodies must register the files with the Federal Data Protection and Information Commissioner (“Commissioner”).[15] Federal bodies must declare data files to the Commissioner in order for the files to be registered and before they can be opened.[16]
If private persons regularly process sensitive personal data or personality profiles, or disclose personal data to third parties, the data files must be declared. This must be performed before the file is opened.[17]
Data files do not have to be declared if the controller is a private person and the data is being processed in accordance with a statutory obligation, if the Federal Council has exempted the registration, if the data is used exclusively for publication in a periodically published medium or is processed by journalists to use as a personal work aid, if a data protection officer has been appointed, or if the controller’s data processing system or program has been certified.[18]
There are specific limits on cross-border disclosure contained in Article 6 of the DPA, which will be discussed in the third publication of this series.
Limits on and exceptions to the protection of data in Switzerland
Rather than listing all instances in which data is protected, the DPA lists the specific cases in which protection is not afforded as well as instances where data will not be released by the controller.
In that regard, the DPA expressly excludes the protection of data that is processed by a natural person exclusively for personal use and not disclosed to outsiders.[19]
Data not for release
Any person may prima facie request information from the controller of a data file in respect of whether data is being processed in relation to them.[20]
The DPA specifically does not apply to deliberations of the Federal Assembly and in parliamentary committees. Pending civil proceedings, criminal proceedings and proceedings under constitutional or administrative law (other than administrative proceedings of first instance), public registers based on private law and personal data processed by the International Committee of the Red Cross are also expressly excluded.[21]
Where formal enactment provides or where overriding interests of third parties must be protected, the controller of a data file may refuse or restrict the provision of information.[22] Additionally, a federal body may also refuse, restrict or defer the provision of information if it is required to protect the overriding public interest or Switzerland’s security, or if the information would jeopardize the outcome of criminal proceedings or other investigations.[23] A private controller of data may refuse, restrict or deter the provision of information where their own interests override and so long as they do not disclose the personal data to third parties.[24] In all of the above circumstances, Article 9(5) of the DPA requires the controller to provide reasons for so refusing, restricting or deferring access to information.
The DPA also limits the provision of information by journalists.[25]
Justification
Article 13 of the DPA states that any breach of privacy is considered unlawful, unless it is justified for any of the below reasons:
- consent of the affected party is given;
- by matter of law (such as disclosure of relevant information pursuant to the Federal Act on Combatting Money Laundering and Terrorist Financing of 10 October 1997, to be discussed in the second publication of this series);
- the data is processed in direct connection with the conclusion or performance of a contract and the data relates to an involved party;
- the person processing the data is or intends to be in commercial competition with another but the data is not disclosed to third parties;
- the data being processed is neither sensitive personal data nor a personality profile and is used to verify creditworthiness for the conclusion or performance of a contract with the data subject;
- the personal data is processed on a professional basis for publication in the edited section of a publication;
- the data is for purposes not relating to a specific person; or
- the data is collected on a person of public interest and the data relates to the public activities of the person.
Commissioner’s Role
Under the DPA and the DPO, the Commissioner is given a broad range of powers with respect to data protection compliance. Those powers are summarized as follows:
- The Commissioner may advise private personswith respect to data protection matters.[26]
- The Commissioner may supervise federal bodies(except the Federal Council), either on their own initiative or at the request of another.[27]
- The Commissioner may also supervise data collection in the private sector, either on their own initiative or at the request of another, if:
- the methods of processing are capable of breaching the privacy of a large number of persons;
- there is a requirement to register data files in accordance with Article 11aof the DPA (keeping a register); or
- there is a duty to provide information for cross-border disclosure.[28]
- With respect to both federal bodies and the private sector, the Commissioner has the power to:
- request files, obtain information and ask to view processed data;[29]
- recommend changes to the method of data processing or recommend it be abandoned should it transpire that the federal body or the member of the private sector has breached the data protection laws;[30]and
- refer the matter to the relevant department or the Federal Chancellery for a decision if a recommendation is not complied with or is rejected,.[31]
- The Commission’s supervision of federal bodies and of the private sector set out herein also allows the Commissioner to apply to the President of the Administrative Court to have interim measurestaken should they deem a data subject is threatened with a disadvantage that cannot be easily remedied.[32] This would be advantageous where a person is suffering, or anticipates suffering, a loss as a result of providing data and requires assistance to stop the wrongdoing.
Remedies and Penalties
Legitimate Interest
Any person with a legitimate interest may request the relevant federal body to refrain from processing personal data unlawfully, to eliminate the consequences of unlawful processing or to ascertain whether such processing is unlawful.[33]
Civil Penalties
The DPA in Article 15 includes particular civil penalties found in the Swiss Civil Code of 10 December 1907 (“Civil Code”).
Article 28 of the Civil Code allows a person whose personality rights were unlawfully infringed upon to petition the court for protection against those causing the infringement, unless it can be shown consent was provided or there was an overriding private or public interest or by virtue of a law.
Article 28a of the Civil Code states that a person can ask the court to prohibit a threatened infringement, to order that an infringement cease or to declare that an infringement is unlawful if it continues to have an offensive effect. Article 28a(3) of the Civil Code states that claims can be made for damages or an account of profit in accordance with provisions regarding agency without authority.
An aggrieved party, under Article 15 of the DPA, may ask that data processing cease, that it not be disclosed to third parties or that it be corrected or destroyed.
Criminal Penalties
Pursuant to Article 34(1) of the DPA, private persons are liable to a fine if they willfully provide false or incomplete information or willfully fail to inform the data subject that sensitive personal data or personality profiles are being collected.[34] Additionally, if a private person willfully fails to provide to the data subject with the identity of the data controller, the purpose of the processing and the planned categories of recipients of the data, this will give rise to liability under the same provision.[35]
Article 34(2) of the DPA states that private persons are liable to pay a fine if they willfully fail to or willfully provide false information with respect to cross-border disclosure,[36] or where data files must be declared to the Commissioner.[37] A refusal to cooperate with the Commissioner or the provision of false information during an investigation under Article 29 of the DPA will also result in a fine.
A specific criminal penalty applies where one willfully discloses confidential, sensitive personal data or personality profiles which have come into their knowledge as a result of their professional activities, either where such activities required the knowledge or where the person is bound by professional confidentiality or is training with such a person.[38] This penalty remains in force beyond termination of such professional activities or training.
Fines for a breach of the criminal provisions may be issued up to an amount of CHF 10,000.00.
Administrative Penalties
Administrative penalties initiated by the Commissioner are set out herein under the heading “Commissioner’s Role”.
OUR EXPERIENCE
lecocqassociate provides legal advice on fund legal structures. We have experience in structuring Swiss, Maltese, Luxembourg and offshore funds. lecocqassociate provides professional company incorporation and corporate administration services in Switzerland, Malta and the UAE.
This newsletter is for information purposes only. It does not constitute professional advice or an opinion. Please contact us for any questions.
Footnotes
[1] Confédération suisse, Préposé fédérale à la protection des données et à la transparence, « Protection des données », <http://www.edoeb.admin.ch/datenschutz/00618/00802/00812/index.html?lang=fr > (2014).
[2] Article 3(c) DPA.
[3] Article 3(d) DPA.
[4] Article 2(1) DPA.
[5] Article 4(1) DPA.
[6] Article 4(2) DPA.
[7] Article 4(3) DPA.
[8] Article 4(5) DPA.
[9] Article 5 DPA.
[10] Article 7 DPA.
[11] Article 12 DPA.
[12] Article 12(2)(b) DPA.
[13] Article 12(2)(b) DPA.
[14] Article 17(1) DPA.
[15] Article 16 DPO.
[16] Article 11a(2) DPA.
[17] Article 11a(3) and (4) DPA.
[18] Article 11a(5) DPA.
[19] Article 2(2)(a) DPA.
[20] Article 8 DPA.
[21] Article 2(2)(b) to (e) DPA.
[22] Article 9(1) DPA.
[23] Article 9(2) DPA.
[24] Article 8(4) DPA.
[25] Article 10 DPA.
[26] Article 28 DPA.
[27] Article 27(2) DPA.
[28] Article 29(1) DPA.
[29] Article 27(3) and Article 29(2) DPA.
[30] Article 27(4) and Article 29(3) DPA.
[31] Article 27(5) and Article 27(4) DPA.
[32] Article 33(2) DPA.
[33] Article 25 DPA.
[34] In other words, a breach of Article 14(1) DPA.
[35] In other words, a breach of Article 14(2) DPA.
[36] Article 6(3) DPA.
[37] Article 11a DPA.
[38] Article 35(1) and (2) DPA.
