Federal Statute on Data Protection of June 19, 1992 and Ordinance thereto.
http://www.admin.ch/ch/d/sr/2/235.1.de.pdf
Scope
The Swiss data protection law applies to the processing of any information relating to an individual or a legal entity that identifies that person, or by which the person can be identified by those having access to the data. Unlike the EU legislation on data protection, Swiss privacy law also protects the data of companies. Processing is any handling of personal data, in particular procuring, storing, editing, archiving etc., irrespective of the means and procedures used. The law applies to both automated and manual data processing.
Principles of and justification for data processing
Several principles must always be adhered to when personal data is processed. For example, the data processor must ensure that the data processed is accurate, and adequate organizational measures must be taken to protect personal data against unauthorized access by third parties.
Conceptually, data protection is part of the law on privacy. Because of this, the processing of personal data always requires a justification to be lawful. There are three types of justification: (1) the consent of the data subject to the data processing, (2) an overriding public or private interest in the data processing, or (3) a statutory obligation to process the data.
"Regular" and qualified personal data
The law distinguishes between “regular” personal data and qualified personal data, to which special, stricter rules apply. There are three categories of such qualified data: (1) sensitive data: data concerning a person’s religion, political views, sexual preferences, health records etc.; (2) personality profiles: compilations of data that allow essential aspects of an individual’s personality to be determined; and (3) data collections: any stock of personal data structured in a way that allows the data to be retrieved by data subject.
Procurement of personal data
The revised law requires that the procurement of personal data, and the purpose of the subsequent data processing, be recognizable to the data subject. Consequently, if the procurement of data and/or the purpose of the processing is not obvious, the data processor must inform the data subjects of the procurement and the purpose of the processing. The data processor has one year after the entry into force of the revised law to comply with this new obligation.
If sensitive personal data or personality profiles are procured, the revised law obliges the owner of the respective data collection to explicitly inform the data subjects of at least the following: (1) the owner of the data collection, (2) the purpose of the data processing, and (3) the data recipients (by category). For compliance with this obligation, too, the revised law grants a one-year grace period.
Justification: Consent and private interest in particular
Of the justifications for processing, consent plays an important role in practice. Written consent is not required by law, but may be recommended for evidentiary reasons. Consent can also validly be declared electronically, provided that the data subject has sufficient information to make an informed decision. The revised law requires explicit consent if sensitive data or personality profiles are processed.
Consent is only valid if given voluntarily. The revised law explicitly spells out this rule, although it was already recognized under the current law. The consent of employees to the processing of HR data is particularly delicate, since employees are by virtue of their employment subordinate to the employer. An employer who wants to justify the processing of personal data by employee consent is therefore well advised to ensure that such consent is fully voluntary, i.e. that an employee who refuses consent suffers no detriment of any kind.
The second important justification for data processing in the private sector is an overriding private interest of the data processor. The law contains a non-exhaustive list of scenarios in which the data processor may invoke an overriding private interest, most importantly: (1) personal data is processed directly in connection with entering into or performing an agreement; (2) personal data of a competitor is processed; (3) personal data is processed to evaluate someone’s creditworthiness.
Transfer of personal data abroad
Even though the transfer of personal data abroad is simply one form of data processing, it is regulated separately, because many foreign jurisdictions have weaker data protection laws than Switzerland.
Pursuant to the statute, personal data may generally not be transferred abroad “if this would jeopardize the privacy of the affected persons severely, namely if the foreign jurisdiction lacks data protection that safeguards adequate protection”. Firstly, this means conversely that personal data may generally be transferred without special precautions to countries that provide a level of data protection similar to Switzerland's. Pursuant to the revised law, the Data Protection Commissioner must publish a list of these countries (available on his website, see below) and keep it up to date. Currently this is the case for all member countries of the European Union, Norway, Iceland, Liechtenstein, New Zealand, Canada and Argentina and, to some extent, Australia. Secondly, despite the seemingly prohibitive language quoted above, the statute (in its next paragraph) allows the transfer of data to countries without adequate data protection, provided that one of seven specific justifications listed in the revised law is fulfilled. The most important are: (1) data protection abroad is guaranteed, namely by the terms of a data transfer agreement; (2) the affected person has consented to the transfer “in the individual case”; or (3) in the case of an intra-group transfer, data protection is safeguarded by binding group-internal data protection guidelines. The list of these exceptions under the revised law is exhaustive.
The competent authorities of the EU have developed standard clauses for data transfer agreements covering transfers to countries with a weaker level of data protection than the EU. The use of these clauses is recognized in the EU countries as guaranteeing the level of data protection of EU legislation (see link below). These standard clauses are also recognized by the Swiss Data Protection Commissioner as compliant with Swiss law. The revised law obliges the Commissioner to make the contract clauses he recognizes available for download on his website (see below).
Special rules apply if personal data is transferred to a company in the U.S. that has joined the Safe Harbor framework (see Safe Harbor below).
Regulatory filing obligations with the Swiss Data Protection Commissioner
The law contains rather elaborate rules on regulatory filing obligations. They apply in defined cases of data processing with a higher potential for privacy infringement and compel the data processor (owner of the data collection) to file certain information with the Swiss Data Protection Commissioner. The modalities of these obligations were an important aspect of the recent statutory revision. The law distinguishes between two types of filing obligation: a registration obligation and an information obligation. Their objective is, on the one hand, to allow the Data Protection Commissioner to monitor compliance with the law (to some extent) and, on the other hand, to directly strengthen the position of each individual, since all such filings are on public record or even available on the internet. Willful non-compliance with the filing obligations is subject to fines.
The registration obligation applies to data collections. In the following three situations, information about the respective data collections has to be filed with the Data Protection Commissioner: (1) sensitive personal data is regularly processed, (2) personality profiles are regularly processed, or (3) personal data is regularly disclosed to third parties (outsourcing partners, see below, are not considered third parties in this sense). Exactly which attributes of the data collections have to be filed is defined in the law. The Data Protection Commissioner also offers a registration form on his website (see below). The filing must be made prior to the processing.
Pursuant to the revised law, the data processor (owner of the data collection) is exempt from the registration obligation in certain situations, most importantly if: (1) there is a legal duty to process the data, (2) he has appointed a data protection officer, “which supervises the internal corporate compliance with the law independently and which keeps a registry of the data collections”, or (3) he has obtained a data protection quality seal from an accredited data protection audit institution and the results of the audit have been notified to the Commissioner. Under the current law, the affected persons’ knowledge of the data processing also exempted the data processor from the registration obligation; the revised law abolished this exception.
The modified registration obligation must be adhered to when the revised law enters into force, i.e. January 1, 2008; there is no grace period.
If personal data is transferred to countries with a weaker level of data protection than Switzerland (see Transfer of personal data abroad above), the data processor (owner of the data collection) may be obliged to inform the Data Protection Commissioner of specific aspects of the transfer. This obligation must generally be complied with before the transfer takes place. The revised law abolished the so-called notification obligation of the current law and replaced it with this information obligation, which is less stringent. Unlike the notification obligation of the former law, the information obligation applies exclusively if data collections are transferred to countries with a level of data protection lower than Switzerland's.
The information obligation arises if the data transfer abroad is governed by a data transfer agreement or, in the case of an intra-group transfer, by group-internal data protection guidelines. The owner of the data collection must inform the Data Protection Commissioner of the “guarantees” in the agreement or guidelines that protect the personal data. The data subjects’ knowledge of the transfer no longer exempts from this obligation.
The information obligation must be adhered to when the revised law enters into force, i.e. January 1, 2008; there is no grace period.
Employees: Processing of personal data/monitoring
Under Swiss labor law, the employer may only process data about its employees insofar as it relates to the employee's suitability for the job or is necessary for the performance of the employment contract. This is a mandatory provision of Swiss labor law, i.e. it cannot be contracted out of. Any data processing beyond the scope of the employment relationship infringes the employee's privacy rights, and even if an employee consented to such excessive data processing, the consent would be void.
A Swiss employer is entitled to prohibit its employees from using the internet and email for private purposes. In practice this is rare; most employers implicitly or explicitly (by way of a regulation on use) allow private use of email and the internet to a reasonable extent. Yet even if private use is entirely prohibited, the employer cannot systematically monitor its employees' internet and email use, since the systematic monitoring of employees at work is illegal under Swiss law. This applies not only to the use of email and the internet but generally to any activity of employees at work. Lawful monitoring of employees' internet/email use requires two things of the employer: (1) email and/or internet abuse has been established, or is likely, on the basis of an anonymous analysis of the employees' email/internet use, and (2) the employees were informed beforehand in writing (preferably through a regulation on monitoring) that their personal internet/email use can be monitored in case of abuse of the systems and that the results of such monitoring can be shared with the employee's superior and the HR department.
Special rules on monitoring/accessing employee emails apply where an employee is suspected of a criminal offense and/or of sending confidential company information to third parties by email. Special rules also often apply where the employer terminates the employment contract for cause.
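As an added illustration (not part of the original memo, and not a statement of what the statute or the Commissioner prescribe), the following Python sketch shows one way to implement the two-stage procedure described above over web-proxy logs: the aggregate analysis runs on keyed pseudonyms only, and re-identification is confined to entries that exceed thresholds announced to staff in advance. The log format, the sample log lines, the escrow key and the thresholds are all constructed for the example.

```python
"""Added illustration: two-stage analysis of web-proxy logs.

Stage 1 works only on keyed pseudonyms, so the analyst never sees who
browsed what.  Stage 2 re-identifies only the pseudonyms that exceeded
a threshold the employees were told about in advance.  Everything here
(log lines, key, thresholds, log format) is constructed for the example.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample proxy log: "<timestamp> <user> <category> <bytes>".
SAMPLE_LOG = """\
2007-12-03T09:02:11 alice work    120000
2007-12-03T09:05:40 alice private   2000
2007-12-03T10:11:02 bob   private 900000
2007-12-03T10:12:30 bob   private 850000
2007-12-03T10:40:00 bob   private 700000
2007-12-03T11:00:00 carol work     50000
2007-12-03T11:03:00 carol private   3000
"""

# Hypothetical escrow key: held by HR/legal, not by the IT staff who run stage 1.
ESCROW_KEY = b"example-escrow-key-held-by-hr"

# Thresholds assumed to be stated in the written monitoring regulation.
MAX_PRIVATE_BYTES = 1_000_000
MAX_PRIVATE_REQUESTS = 10


def pseudonym(user: str, key: bytes) -> str:
    """Keyed pseudonym: without the key it cannot be mapped back to a user."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:16]


def parse_log(text: str) -> list:
    """Parse the constructed log format into (timestamp, user, category, bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, category, size = line.split()
        records.append((ts, user, category, int(size)))
    return records


def pseudonymize(records: list, key: bytes) -> list:
    """Replace usernames by pseudonyms; this is the only data stage 1 receives."""
    return [(ts, pseudonym(user, key), cat, size) for ts, user, cat, size in records]


def anonymous_stats(pseudo_records: list) -> dict:
    """Stage 1: per-pseudonym private-use totals, no usernames involved."""
    stats = defaultdict(lambda: {"private_bytes": 0, "private_requests": 0})
    for _ts, pid, category, size in pseudo_records:
        if category == "private":
            stats[pid]["private_bytes"] += size
            stats[pid]["private_requests"] += 1
    return dict(stats)


def flag_abuse(stats: dict, max_bytes: int, max_requests: int) -> list:
    """Pseudonyms whose private use exceeds the pre-announced thresholds."""
    return sorted(
        pid for pid, s in stats.items()
        if s["private_bytes"] > max_bytes or s["private_requests"] > max_requests
    )


def reidentify(flagged: list, known_users: list, key: bytes) -> list:
    """Stage 2, run by the key holder only: map flagged pseudonyms back to users."""
    table = {pseudonym(u, key): u for u in known_users}
    return sorted(table[pid] for pid in flagged if pid in table)


def run_example() -> list:
    records = parse_log(SAMPLE_LOG)
    stats = anonymous_stats(pseudonymize(records, ESCROW_KEY))
    flagged = flag_abuse(stats, MAX_PRIVATE_BYTES, MAX_PRIVATE_REQUESTS)
    # Only now, and only for the flagged pseudonyms, does a name appear.
    users = sorted({r[1] for r in records})
    return reidentify(flagged, users, ESCROW_KEY)


if __name__ == "__main__":
    print(run_example())  # ['bob']
```

The code supplies only the technical side of the first requirement: the written advance notice to employees, the thresholds it announces and the decision to re-identify remain organizational steps, and the escrow key must actually be held outside the team that runs stage 1, otherwise the pseudonymization is cosmetic.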
Technical data protection
Compliance with the Swiss data protection legislation requires a significant number of technical measures from the data processor, or from the provider of the network used for the data communication, to protect the data, in particular against accidental destruction or loss, theft, falsification, and unlawful modification, copying and access. The Ordinance contains detailed provisions on these obligations.
Outsourcing
Any business process that entails the processing of personal data can lawfully be outsourced if the third party is bound by the same data processing rules that apply to the principal. The revised law explicitly spells out that this includes the principal's obligation to ensure that the third party guarantees technical data security.
In practice, principals ensure compliance with this requirement by entering into a written data processing agreement with the third party that commits it to the data processing rules applying to the principal. If the third party is located in a jurisdiction with a lower level of data protection, such as India or the U.S., such an agreement is essential (see however Safe Harbor below).
A special ordinance issued by the Swiss Federal Banking Commission applies to the outsourcing of business processes by banks. However, the content of this ordinance is not really data protection specific; it rather addresses other regulatory issues, e.g. auditing of the third party. Special rules also apply to the outsourcing of business processes by insurance companies.
Safe Harbor
Safe Harbor is a framework developed by the U.S. Department of Commerce in consultation with the European Commission. It contains detailed data protection rules. The Safe Harbor standards are recognized by EU law (by way of the EU Data Protection Directive) as providing an adequate level of data protection. By joining Safe Harbor, U.S. companies can thus voluntarily comply with the EU's data protection standards. One consequence is that personal data can be transferred from the EU to such U.S. companies without the need for a data transfer agreement.
Safe Harbor membership also allows the transfer of data from Switzerland to the respective U.S. company under Swiss law. However, in the view of the Swiss Data Protection Commissioner, the U.S. company must in addition contractually commit to the Safe Harbor principles towards the Swiss owner of the data.
Remedies of data subject
Most importantly, the data subject has a comprehensive right of access: whoever processes personal data must disclose the following to the data subject upon request:
- all personal data of the respective person that is processed and all available information on the origin of the data,
- the purpose and, if applicable, the legal basis of the processing,
- the categories of data processed, of persons/entities involved in the processing and of data recipients.
In addition, the data subject can demand the rectification or destruction of the data, or that the disclosure of the data to third parties be stopped. These rights can be provisionally enforced by way of injunctions. Finally, even though rare in practice, the data subject also has a claim for damages.
Enforcement of data protection
In practice very few claims are brought under the data protection legislation in Switzerland, and the fines that can be imposed for willful non-compliance with certain obligations of the law are likewise very rare. Irrespective of this, non-compliance with data protection law can considerably affect a company's reputation, and this should not be underestimated.
When does the Swiss data protection legislation apply?
The legislation applies as soon as data is processed that identifies a person or makes a person identifiable by the persons having access to such data.
What rules must I respect when I process personal data?
Most importantly, personal data may only be processed if the processing party has a justification for it: (1) an overriding private or public interest, (2) the consent of the data subject, or (3) the law. Processing personal data for the purpose of entering into or performing an agreement is generally regarded as an overriding private interest. In addition, the law contains a number of good-faith obligations that must always be respected, e.g. the obligation to obtain personal data in a legitimate way, the obligation to process data only for the purposes for which it was obtained, etc.
Are there special rules for the processing of personal data of employees?
Yes, employers may only process personal data of their employees insofar as it relates to the employee's suitability for the job or is necessary for the performance of the employment contract. This is a mandatory provision of Swiss labor law that cannot be modified contractually.
The human resources department of our Group is operated by our holding company located in the United Kingdom. What measures have to be taken by the Swiss subsidiary of the Group in order to make the transfer of the HR data of our Swiss employees (= data collections) to the U.K. lawful under Swiss law?
Since the U.K. has a level of data protection similar to Switzerland's, personal data can generally be transferred to the U.K. without any particular precautions. However, the regular disclosure of personal data to a third party obliges the processing party to register the respective data collections with the Data Protection Commissioner, and a company within the same group is considered a third party in this sense. The data exporter is exempt from this registration obligation if it has appointed a data protection officer who supervises internal corporate compliance with the law independently and keeps a registry of the respective data collections, or if it has obtained a data protection quality seal from an accredited data protection audit institution and this has been notified to the Commissioner.
The human resources department of our Group is operated by our holding company located in the United States. What measures have to be taken by the Swiss subsidiary of the Group in order to make the transfer of the HR data of our Swiss employees (= data collections) to the U.S. lawful under Swiss law?
Unlike the member countries of the European Union, the United States does not provide a level of data protection similar to Switzerland's. The processing party can therefore only transfer the data to the U.S. if one of the exceptions specified in the law is fulfilled. In the present example, this could only be (1) the consent of the Swiss employees to this transfer, (2) guarantees in place, in particular a data transfer agreement with the receiving entity in the U.S. (or a Safe Harbor membership of the U.S. data recipient), or (3) since the transfer takes place within a group, a group-wide data protection guideline that applies to the transfer. Additionally, the Swiss data exporter would be obliged to register the respective data collection with the Commissioner (see the preceding answer). Finally, the transfer to the U.S. would also trigger an information obligation towards the Commissioner if the transfer is safeguarded by a data transfer agreement with the U.S. holding company or by group-wide data protection guidelines.
What is the exposure if I don’t comply with the Swiss data protection legislation?
In civil law, the most important remedy of the data subject is a right to comprehensive disclosure. Additionally, claims for the correction or destruction of the personal data are available, and theoretically also a claim for damages. Willful non-compliance with some obligations of the law is punishable by a fine. In practice civil proceedings and criminal fines are very rare. However, non-compliance with data protection legislation may considerably affect a company's reputation in Switzerland.
Swiss Data Protection Commissioner
European Commission on data protection
Website of the US Department of Commerce on Safe Harbor
December 2007