FDPIC – Requi­re­ments for a whist­le­b­lo­wing system

From the Acti­vi­ty Report 2012/2013, p. 65:

Requi­re­ments for a whist­le­b­lo­wing systemIn Switz­er­land, the­re are no spe­ci­fic legal requi­re­ments for the ope­ra­ti­on of a whist­le­b­lo­wing system in pri­va­te com­pa­nies. During our tele­pho­ne con­sul­ta­ti­on, we ans­we­red seve­ral inqui­ries on this topic. Often, the que­sti­on was also whe­ther the­re is an obli­ga­ti­on to regi­ster for the data coll­ec­tion of the whist­le­b­lo­wing system. Seve­ral times, com­pa­nies or their legal repre­sen­ta­ti­ves cont­ac­ted us by tele­pho­ne to find out whe­ther the­re is a spe­ci­fic legal basis in Switz­er­land for set­ting up and ope­ra­ting a whist­le­b­lo­wing system. Within the fede­ral admi­ni­stra­ti­on, Artic­le 22a of the Fede­ral Per­son­nel Act has applied sin­ce Janu­ary 2011. The­re are no spe­ci­fic regu­la­ti­ons for the pri­va­te sec­tor, but the pro­vi­si­ons of the Data Pro­tec­tion Act in par­ti­cu­lar must be observed.
Vir­tual­ly every inquiry also asked whe­ther a Obli­ga­ti­on to regi­ster the asso­cia­ted data coll­ec­tion exists. Pri­va­te indi­vi­du­als must regi­ster data coll­ec­tions with us if par­ti­cu­lar­ly sen­si­ti­ve per­so­nal data or per­so­na­li­ty pro­files are regu­lar­ly pro­ce­s­sed or per­so­nal data is dis­c­lo­sed to third par­ties. When ope­ra­ting a whist­le­b­lo­wing system, it can­not be ruled out or is even high­ly pro­ba­ble that per­so­nal data requi­ring spe­cial pro­tec­tion is regu­lar­ly pro­ce­s­sed on the basis of the reports recei­ved. This may not be the operator’s inten­ti­on, but he can­not real­ly con­trol it eit­her.. Due to this cir­cum­stance, we have regu­lar­ly recom­men­ded the cal­ling per­sons to regi­ster the data coll­ec­tion.

Source: FDPIC – Requi­re­ments for a whist­le­b­lo­wing system