
Data Law Navigator | Switzerland

Information on Data Protection and Cyber Security laws from CMS experts


The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.


Data Protection

Last updated 8 October 2018

Risk scale

Risk Scale Orange

*mature data protection regime with low sanctions for non-compliance, but with repressive regulator

Laws 

  • Federal Act on Data Protection (FADP)
  • Ordinance to the Federal Act on Data Protection
  • In employment relationships especially Art. 328b of the Swiss Code of Obligations (CO)
  • Swiss Federal Act against Unfair Competition (UCA)

Authority

Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch/

Anticipated changes to law

  • The draft of the new Federal Act on Data Protection (FADP) and the related Federal Council Dispatch were published on 15 September 2017.
  • The draft is now subject to further discussion in Parliament.
  • The earliest expected date of entry into force is 2019.

If applicable: stage of legislative implementation of GDPR

Switzerland will align with the GDPR with the objective of, inter alia, again receiving an adequacy decision from the European Commission, paving the way for trans-border data flows with the EU. Regarding the status of legislation please see above (Anticipated changes to law).

If applicable: local derogations as permitted by GDPR 

Not applicable, as Switzerland is not a Member State.

Scope

Swiss data protection law applies:

  • to all processing activities on Swiss territory
  • by virtue of international private law, including to individuals domiciled in Switzerland.

Penalties/enforcement

The Federal Data Protection and Information Commissioner does not yet have enforcement powers. At present, the Federal Data Protection and Information Commissioner can “only”

  • make recommendations
  • refer the matter to the Federal Administrative Court
  • apply to the Federal Administrative Court for interim measures to be taken.

Sanctions can only be imposed by a judge in a criminal proceeding. Potential criminal sanctions: max. 10.000 Swiss Francs but only in a limited number of non-compliance cases and only upon complaint.

According to our review there are no court cases with criminal sanctions so far.

Registration / notification 

No notification requirement with the data protection authority for each and every data processing activity but

1)   a duty to register data files in case of

  • regular processing of sensitive personal data or personality profiles or
  • regular disclosing of personal data to third parties.

2)   Data transfer agreements that are identical to the EU model clauses need only to be notified as a brief information to the Federal Data Protection and Information Commissioner. Data transfer agreements that derogate from the EU model clauses might be reviewed by the Federal Data Protection and Information Commissioner.

Failure to comply with 1) or 2) triggers criminal liability.

Main obligations and processing requirements

E.g.:

  • Maintaining a high security standard for stored data, including inter alia monitoring compliance
  • Duty to provide information on the collection of sensitive personal data and personality profiles. This duty to provide information also applies where the data is collected from third parties.
  • Consent is not a mandatory requirement for a processing activity, but it may serve as a justification for one. Consent in the employment context is considered problematic.
  • Duty to register data files
  • Duty to inform the Federal Data Protection and Information Commissioner on data transfer agreements relating to cross-border data flow to countries that do not guarantee an adequate level of protection.

Data subject rights

  • Right to information on all available data concerning the subject in the data file, including the available information on the source of the data; the purpose of and if applicable the legal basis for the processing as well as the categories of the personal data processed, the other parties involved with the file and the data recipient;
  • Right to rectification;
  • Right to erasure and restriction of processing is not explicitly regulated so far but derives from the right of privacy

Processing by third parties

Data processing by third parties is generally allowed if (1) the data is processed only in the manner permitted for the instructing party itself and (2) it is not prohibited by a statutory or contractual duty of confidentiality. The instructing party must in particular ensure that the third party guarantees data security. A written agreement, which should include an auditing right, is not mandatory but is strongly recommended.

Transfers out of country

Personal data may, as a rule, be disclosed abroad provided there is an adequate level of protection in that country, as e.g. in the EU (please see the list of countries published by the Federal Data Protection and Information Commissioner). Transfer to non-adequate countries is only allowed in a limited number of cases (e.g. use of EU Model Clauses, Binding Corporate Rules, or consent of the data subject in the specific case).

Data Protection Officer

No

Security

Personal data must be protected against unauthorized processing through adequate technical and organisational measures. The Federal Council issued detailed provisions on the minimum standards for data security in the Ordinance to the Federal Act on Data Protection.

Breach notification

No data breach reporting requirements explicitly regulated so far but a duty to notify affected individuals may arise from contractual obligations or general data protection obligations (obligation to ensure data security and to observe the rules of good faith).

Direct marketing

If by electronic mail: need to obtain consent, unless you can rely on the soft opt-in exemption (i.e. (1) contact details were obtained in the course of a sale; (2) the sender is marketing their own similar products or services; (3) easy and free-of-charge opt-out in every marketing communication; (4) contact information including email address).

If by regular mail: a grey zone, because the "Robinson Asterisk" does not, strictly speaking, apply to regular mail. Data protection law allows individuals to request that individual marketers stop sending marketing material.

If by "cold call" (i.e. a call not answering a request of the customer): no marketing call is permitted where the client has placed a "Robinson Asterisk" in the official phone directory, indicating that he or she does not want to receive marketing calls and that his or her data must not be shared for purposes of direct advertising. In all other cases: opt-out regime by way of data protection law.

The law does not differentiate between B2B and B2C.

Cookies

No pertaining legislation and no case law.

The general view is that cookies are permitted if users are informed about the processing and its purpose and that they may refuse to allow the processing. There are no special consent requirements for cookies, but general data protection law applies, so explicit consent might be necessary depending on the circumstances.

Useful links


Cyber Security

Last updated 8 October 2018

Risk scale

Risk Scale Green

*immature cybersecurity regime with no or passive regulator 

Laws and regulations

No special law regarding cyber security, but of course personal data must be protected against unauthorized processing through adequate technical and organisational measures under the general Federal Act on Data Protection (FADP), and the Federal Council has issued detailed provisions on the minimum standards for data security in the Ordinance to the Federal Act on Data Protection. In addition, regulated industries, e.g. the banking industry, are subject to special security requirements under their regulatory regime.

Anticipated changes to law

No implementation of or alignment with the EU NIS Directive so far, but standardisation and regulation of a minimum standard of cyber security, as well as reporting obligations, are part of the new national strategy for the protection of Switzerland against cyber risks (NCS) for 2018-2022.

Application 

Swiss data protection law applies

  • to all processing activities on Swiss territory and
  • by virtue of international private law, including in particular to individuals domiciled in Switzerland

Regulated industries, e.g. the banking industry, are subject to special security requirements under their regulatory regime.

Authority

Key obligations

For example (see the Ordinance to the Federal Act on Data Protection):

  • Protection against unauthorised or accidental destruction, forgery, theft or unlawful use
  • Respective measures must be reviewed periodically
  • internal guidelines governing data processing must be drafted
  • compliance with data protection law and with internal guidelines must be demonstrable

Penalties/enforcement

The Federal Data Protection and Information Commissioner does not yet have enforcement powers. At present, the Federal Data Protection and Information Commissioner can “only”

  • make recommendations
  • refer the matter to the Federal Administrative Court
  • apply to the Federal Administrative Court for interim measures to be taken.

Sanctions can only be imposed by a judge in a criminal proceeding. Potential criminal sanctions: max. 10.000 Swiss Francs but only in a limited number of non-compliance cases, NOT including breaches of data security.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes. GovCERT.ch is the Computer Emergency Response Team (GovCERT) of the Swiss government and the official national CERT of Switzerland. GovCERT.ch's parent organisation is the Reporting and Analysis Centre for Information Assurance (MELANI), which belongs to the Federal IT Steering Unit (FITSU). GovCERT.ch has been a member of the Forum of Incident Response and Security Teams (FIRST) since 2010. In addition, GovCERT.ch is a member of the European Government CERTs group (EGC).

Is there a national incident management structure for responding to cybersecurity incidents?

No, but awareness is currently sharply rising.

As a good example, GovCERT.ch supports critical IT infrastructure in Switzerland in dealing with cyberthreats by providing services such as technical analyses and information about attacks (targeted or otherwise) against the national critical IT infrastructure. Additionally, GovCERT.ch is authorised to handle all types of computer security incidents related to Switzerland in its role as the national CERT of Switzerland.

Other cybersecurity initiatives

Switzerland will play an active role in global internet governance issues.

Useful links


Authors

Dr Dirk Spacek, LL.M.
Partner
Zurich