Data protection and cybersecurity laws in Switzerland

Data protection

1. Local data protection laws and scope

  • Federal Act on Data Protection (FADP)
  • Ordinance to the Federal Act on Data Protection (DPO)
  • In employment relationships especially Art. 328b of the Swiss Code of Obligations (CO)
  • Swiss Federal Act against Unfair Competition (UCA)

2. Data protection authority

Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch/

3. Anticipated changes to local laws

  • The draft of the new Federal Act on Data Protection (FADP) and the related Federal Council Dispatch were published on September 15th 2017.
  • Parliamentary discussion is completed.
  • The expected date of entry into force is mid-2022.

4. Sanctions & non-compliance

Administrative sanctions:

N/A

Criminal sanctions:

Sanctions can only be imposed by a judge in a criminal proceeding. Potential criminal sanctions: maximum SFR 10,000 but only in a limited number of non-compliance cases and only upon complaint.

According to our review there are no court cases with criminal sanctions so far.

Others: 

The Federal Data Protection and Information Commissioner does not yet have enforcement powers. Currently, the Federal Data Protection and Information Commissioner can “only”

  • make recommendations;
  • refer the matter to the Federal Administrative Court;
  • apply to the Federal Administrative Court for interim measures to be taken. 

5. Registration / notification / authorisation

No notification requirement with the data protection authority for each and every data processing activity but

  1. a duty to register data files in case of
    1. regular processing of sensitive personal data or personality profiles; or
    2. regular disclosure of personal data to third parties.
  2. Data transfer agreements that are identical to the EU model clauses need only to be notified in brief to the Federal Data Protection and Information Commissioner. Data transfer agreements that derogate from the EU model clauses may be reviewed by the Federal Data Protection and Information Commissioner.

Failure to comply with 1) or 2) triggers criminal liability.

6. Main obligations and processing requirements

  • Maintaining a high security standard for stored data, including inter alia monitoring compliance
  • Duty to provide information on the collection of sensitive personal data and personality profiles. This duty to provide information also applies where the data is collected from third parties.
  • Consent is not a mandatory requirement for a processing activity, but it may serve as a justification for a processing activity. Consent in the employment context is considered to be problematic.
  • Duty to register data files
  • Duty to inform the Federal Data Protection and Information Commissioner on data transfer agreements relating to cross-border data flow to countries that do not guarantee an adequate level of protection.

7. Data subject rights

  • Right to information on all available data concerning the subject in the data file, including the available information on the source of the data; the purpose of and if applicable the legal basis for the processing as well as the categories of the personal data processed, the other parties involved with the file and the data recipient;
  • Right to rectification;
  • Right to erasure and restriction of processing is not explicitly regulated so far but derives from the right of privacy

8. Processing by third parties

Data processing by third parties is generally allowed if (1) the data is processed only in the manner permitted for the instructing party itself and (2) it is not prohibited by a statutory or contractual duty of confidentiality. The instructing party must in particular ensure that the third party guarantees data security. A written agreement, which should include an auditing right, is not mandatory but strongly recommended.

9. Transfers out of country

Personal data may, as a rule, be disclosed abroad provided there is an adequate level of protection in that country, as is the case, eg, in the EU (please see the list of countries published by the Federal Data Protection and Information Commissioner). Transfer to non-adequate countries is only allowed in a limited number of cases (eg use of EU Model Clauses, Binding Corporate Rules, or consent of the data subject in the specific case).

10. Data Protection Officer

There is no requirement to appoint a Data Protection Officer.

11. Security

Personal data must be protected against unauthorised processing through adequate technical and organisational measures. The Federal Council issued detailed provisions on the minimum standards for data security in the Ordinance to the Federal Act on Data Protection.

12. Breach notification

No data breach reporting requirements to public authorities are regulated so far, but a duty to notify affected individuals may arise from contractual obligations or general data protection obligations (obligation to ensure data security and to observe the rules of good faith).
Please note that the newly revised FADP will introduce data breach notifications as foreseen under the GDPR.

13. Direct marketing

If by electronic mail: consent must be obtained, unless it is possible to rely on the soft opt-in exemption, which requires that (1) the contact details were obtained in the course of a sale; (2) the sender is marketing their own similar products or services; (3) an easy and free-of-charge opt-out is offered in every marketing communication; and (4) the sender's contact information, including an email address, is provided.

If by regular mail: a grey zone, because the "Robinson Asterisk" does not apply, strictly speaking, to regular mail. Data protection law provides for requests to individual marketers to stop sending marketing material.

If by "cold call" (ie a call not made in response to a request from the customer): no marketing call is permitted where the client has put a "Robinson Asterisk" in the official phone directory, indicating that he or she does not want to receive marketing calls and that his or her data must not be shared for purposes of direct advertising. In all other cases: opt-out regime by way of data protection law.

The law does not differentiate between B2B and B2C-settings in this regard.

14. Cookies and adtech

No pertaining special legislation and no specific case law.

The general view is that cookies are permitted if the users are informed about the processing and its purpose, and if they may refuse to allow the processing. There are no special consent form requirements for cookies, but general data protection law applies, so that explicit consent is recommended.

15. Risk scale

Moderate.

Cybersecurity

1. Local cybersecurity laws and scope

There is no special law regarding cybersecurity. However, personal data must be protected against unauthorised processing through adequate technical and organisational measures under the general Federal Act on Data Protection (FADP), and the Federal Council has issued detailed provisions on the minimum standards for data security in the Ordinance to the Federal Act on Data Protection. In addition, regulated industries, eg the banking industry, are subject to special security requirements under their regulatory regime.

2. Anticipated changes to local laws

There has been no implementation or alignment of the NIS Directive of the EU so far, but standardisation and regulation of a minimum standard of cybersecurity and reporting obligations are part of the new national strategy to protect Switzerland against cyber risks (NCS) for 2018-2022.

3. Application

Swiss data protection law applies

  • to all processing activities on Swiss territory; and
  • by virtue of private international law, in particular to individuals domiciled in Switzerland.

Regulated industries such as banking are subject to special security requirements under their regulatory regime.

4. Authority

  • Regarding data security in general: Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/task.html
  • Regarding the implementation of the national strategy for the protection of Switzerland against cyber risks (NCS): Reporting and Analysis Centre for Information Assurance (MELANI): https://www.melani.admin.ch/melani/en/home.html

5. Key obligations

For example, see the Ordinance to the Federal Act on Data Protection:

  • Protection against unauthorised or accidental destruction, forgery, theft or unlawful use;
  • Respective measures must be reviewed periodically;
  • Internal guidelines governing data processing must be drafted;
  • Compliance with data protection law and with internal guidelines must be demonstrated

6. Sanctions & non-compliance

Administrative sanctions:

N/A

Criminal sanctions:

Sanctions can only be imposed by a judge in a criminal proceeding. Potential criminal sanctions: maximum SFR 10,000 but only in a limited number of non-compliance cases, not including breaches of data security.

Others: 

The Federal Data Protection and Information Commissioner does not yet have enforcement powers. Currently, the Federal Data Protection and Information Commissioner can “only”

  • make recommendations;
  • refer the matter to the Federal Administrative Court;
  • apply to the Federal Administrative Court for interim measures to be taken.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes. GovCERT.ch is the Computer Emergency Response Team (GovCERT) of the Swiss government and the official national CERT of Switzerland. GovCERT.ch's parent organisation is the Reporting and Analysis Centre for Information Assurance (MELANI), which belongs to the Federal IT Steering Unit (FITSU). Since 2010, GovCERT.ch has been a member of the Forum of Incident Response and Security Teams (FIRST). In addition, GovCERT.ch is a member of the European Government CERTs group (EGC).

8. National cybersecurity incident management structure

No, but awareness is currently sharply rising.

As a good example, GovCERT.ch supports the national critical IT infrastructure in dealing with cyberthreats by providing services such as technical analysis and information about attacks against the national critical IT infrastructure, in particular (but not limited to) targeted attacks. Additionally, GovCERT.ch is authorised to handle all types of computer security incidents related to Switzerland, in its role as the national CERT of Switzerland.

9. Other cybersecurity initiatives

Switzerland will play an active role in global internet governance issues.

Dr. Dirk Spacek, LL.M.
Partner
Zürich