FDPA

The articles are each assigned the corresponding text of the message, this without indication of the page numbers, general remarks and the message to omitted articles.

The message and the draft can be found here.

fold out | fold

Ingress message

The Federal Council considers it appropriate, Article 97(1) BV to be inserted in the ingress. This assigns the federal government the competence to regulate the protection of consumers. In fact, the e‑DSG contains some provisions that improve in particular the transparency of data processing, the control by the data subjects and the supervisory system of the commissioner. As a result, consumers are better protected.

Chapter 1: Purpose and Scope and Federal Supervisory Authority

Art. 1 Purpose

The purpose of this law is to protect the personality and fundamental rights of natural persons about whom personal data are processed.

Bot Art. 1 Purpose (count. acc. to draft)

The purpose of the future DPA corresponds to the purpose of the current law (Art. 1 DSG). The FADP gives concrete form at the statutory level to the principle set out in Article 13 paragraph 2 BV right to informational self-determination in connection with personal data, i.e. the right of the data subject to determine for himself or herself whether and for what purposes data about him or her may be processed. The provision is only editorially amended by explicitly limiting the protection to natural persons. This adjustment is made due to the changed scope of application (see the explanations on Art. 2 E‑DSG).

Art. 2 Personal and material scope of application

1 This Act applies to the processing of personal data of natural persons by:

a. private individuals;

b. Federal Entities.

2 It is not applicable to:

a. Personal data processed by a natural person exclusively for personal use;

b. Personal data processed by the Federal Assembly and parliamentary committees in the course of their deliberations;

c. personal data processed by institutional beneficiaries under Article 2(1) of the Host State Act of 22 June 2007 who enjoy immunity from jurisdiction in Switzerland.

3 The applicable procedural law governs the processing of personal data and the rights of the persons concerned in court proceedings and in proceedings under federal procedural codes. The provisions of this Act apply to first-instance administrative proceedings.

4 The public registers of private legal transactions, in particular access to these registers and the rights of the persons concerned, are governed by the special provisions of the applicable federal law. If the special provisions do not contain any regulation, this Act shall apply.

Bot Art. 2 Scope (count. acc. to draft)

The scope of application of the DPA is partially extended by the e‑DSA, in particular to meet the requirements of the E‑SEV 108 to meet the requirements of the data protection law. Thus, it is planned to adapt the exceptions relating to pending civil proceedings, criminal proceedings, international mutual legal assistance proceedings and proceedings under state and administrative law (Art. 2(2)(c) DPA) and the one relating to public registers of private legal transactions (Art. 2(2)(d) DPA). In addition, it should be noted that the e‑DSG, just like the previous law, regulates data protection law in general. If the processing of personal data falls within the scope of other federal laws, the area-specific data protection standards apply in principle due to the lex specialis rule (special standards take precedence over the general standard).
Par. 1 Application for natural persons
According to the preliminary draft, the FADP applies to the processing of data of natural persons by private persons and federal bodies.
Removal of protection for data of legal persons
The E‑DSG proposes to dispense with the protection of data of legal persons. No such protection is provided for in the data protection legislation of the European Union and the Council of Europe, or in the corresponding regulations of most foreign legislators. Such protection is of little practical importance, and the Commissioner has never made a recommendation in this area. Also, for legal persons, comprehensive protection remains unchanged, as it is guaranteed by Articles 28 et seq. of the Civil Code (CC) (violations of personality such as defamation of reputation), the Unfair Competition Act (UCA), the Copyright Act of October 9, 1992, or by the provisions on the protection of professional, commercial and industrial secrets, as well as Article 13 of the Federal Constitution at the constitutional level. However, the amendment allows to improve the protection in those areas where it is currently not sufficiently implemented and thus to increase the credibility of the law. This solution also has the advantage that the disclosure of data of legal persons abroad will no longer depend on whether adequate protection is guaranteed in the recipient country (Art. 13 E‑DSG). This is likely to contribute to an increase in disclosures abroad. It should also be noted that most of the experts consulted on the revision of the DPA as part of the RFA, as well as the majority of the participants in the consultation, were in favor of waiving the protection of data of legal persons. The same applies to Parliament, which did not approve a motion that wanted to retain the protection of data of legal entities.
In the area of data processing by federal bodies, the abolition of the protection of data of legal persons has the consequence that the federal legal bases authorizing federal bodies to process personal data are no longer applicable if they process data of legal persons. However, according to Article 5 of the Federal Constitution, the basis of state action is the law. The draft law therefore introduces a number of provisions in the RVOG for federal bodies that regulate their handling of data of legal persons (cf. Section 9.2.8). In addition, a transitional provision is intended to prevent possible legal loopholes for five years (cf. Art. 66 E‑DSG and the explanations under No. 9.1.11).
The Public Act of December 17, 2004 (BGÖ) grants all persons the right to inspect official documents of the federal authorities to which the principle of public access applies. The new scope of the E‑DSG means that access to official documents containing data of legal entities can no longer be restricted for data protection reasons, but only if this could disclose professional, business or manufacturing secrets (Art. 7 para. 1 let. g BGÖ) or if there is a risk that the privacy of the legal person will be affected, for example, its good reputation. In order to guarantee the rights of legal persons to access official documents when a request relates to documents where granting access could affect the privacy of the legal person, the draft law introduces some provisions of the BGÖ adjusted (see section 9.2.7).
The abolition of data protection for legal entities also means that they can no longer assert a right to information based on the e‑DSA. They can, however, assert their procedural rights and, if necessary, request access to public documents on the basis of the Freedom of Information Act if these contain information that concerns them.
Par. 2 Exceptions from the scope
As before, the FADP does not apply to personal data processed by a natural person exclusively for personal use (Art. 2(2)(a) E‑DSG); the editorial amendment does not involve any material changes.
Also excluded from the scope of application is the processing of personal data carried out by the Federal Assembly and parliamentary committees in the course of their deliberations (Art. 2 para. 2 let. b E‑DSG); this is for the same reasons as already stated by the Federal Council in the Message from March 23, 1988 has led.
According to letter c, institutional beneficiaries under Article 2(1) of the Host State Act of 22 June 2007 (HSA), who enjoy immunity from jurisdiction in Switzerland, are not subject to the E‑DSA. With regard to the ICRC, this maintains the current situation and explicitly mentions the other institutional beneficiaries concerned. These other institutional beneficiaries concerned also enjoy independence and freedom of action, based on international law and the GSG itself, so that they can fulfill their international functions. A state cannot be expected to submit to the rules of Swiss law with respect to data processed by its diplomatic or consular missions. For its part, Switzerland is not obliged to comply with foreign rules on data protection in relation to its network of representations abroad. Nor can an international organization, which by definition carries out activities in numerous states, be required to comply with the requirements of the national law of each state in which it operates, since this would make it impossible for it to perform the functions assigned to it by virtue of its statutes.
Par. 3 Processing of personal data in proceedings
Pursuant to Article 2(3) of the FADP, the applicable procedural law governs the processing of personal data and the rights of data subjects in court proceedings and in proceedings under federal procedural codes. The standard regulates the relationship between the FADP and procedural law and states as a general principle that only the applicable procedural law determines how personal data is processed in the context of the proceedings and how the rights of the data subjects are structured. Within the framework of its regulations, procedural law also ensures the protection of the personality and fundamental rights of all parties involved and thus guarantees protection equivalent to the DPA. If the DPA were to be applied in this area, there would be a risk of conflicting norms and contradictions that could disrupt the balanced system of the applicable procedural rules. For these reasons, Article 9(1)(a) also provides for E‑SEV 108 provides for a corresponding exception. Materially, the provision in the e‑DSG corresponds to the applicable law.
According to the wording, the exception in paragraph 3 initially covers “court proceedings”. These include all proceedings before cantonal and federal criminal, civil and administrative courts, but also before arbitration courts with their seat in Switzerland. Furthermore, the exception covers all proceedings under federal procedural codes, regardless of the authority before which they take place. Federal procedural codes include the Federal Supreme Court Act of June 17, 2005, the Administrative Court Act of June 17, 2005, the Patent Court Act of March 20, 2009, the Administrative Procedure Act (VwVG), insofar as it does not concern first-instance administrative proceedings, the Code of Civil Procedure (ZPO), the Federal Act of April 11, 1889 on Debt Collection and Bankruptcy (SchKG), the Code of Criminal Procedure (StPO), the Code of Criminal Procedure (VStrR), the Military Criminal Procedure Act of March 23, 1979, and the IMAC.
Unlike the previous law, the E‑DSG does not use the term “pending proceedings” because only civil procedural law refers to lis pendens and this term therefore sometimes led to demarcation problems. The decisive factor is now whether proceedings take place before a court or are governed by a federal procedural code. Proceedings take place before a court when the court is seized of a case for the first time, in that the proceedings have been instituted in accordance with the relevant rules of procedure. Proceedings are governed by federal rules of procedure as soon as a particular matter is dealt with by an authority in accordance with the provisions of one of these laws. The relevant procedural code remains applicable even after the conclusion of the proceedings. In order to ensure that the file situation cannot be subsequently changed by instruments outside the scope of the proceedings, procedural law provides for independent procedures for the maintenance of files, for the inspection of files and for the retention of files. In summary, the essential criterion for determining whether or not the DPA is inapplicable is whether or not there is a direct connection to a (court) proceeding from a functional point of view. Such a connection exists if the processing of personal data in question may have a concrete impact on these proceedings or their outcome or on the procedural rights of the parties.
If the provision in paragraph 3 applies, only the applicable procedural law governs the processing of personal data and the rights of the persons concerned. Both data processing by the court in relation to the parties to the proceedings and data processing carried out by the parties in relation to other parties to the proceedings are governed by the applicable procedural law. This applies in particular to the rights of the parties to take cognizance of the data involved in the proceedings and to correct certain data, if necessary, as well as to data processing in the context of judicial proceedings in general. This means in particular that the various legal remedies under the DPA do not apply either to data processing by the court in the course of the proceedings or to data processing by the other parties to the proceedings. For example, the parties to the proceedings cannot assert a right to information under the FADP in order to inspect files at the court or to obtain evidence from other parties to the proceedings (cf. Section 9.1.5). In other words, it is not possible to perform procedural acts towards the court or among the parties to the proceedings by way of the FADP, which would be excluded under the procedural law in question or, conversely, which must be performed under certain conditions according to certain rules and principles. Even after the conclusion of the proceedings, the files may be amended (correction, explanation, revision) only in accordance with the rules of procedural law, since the files must be consistent with the outcome of a proceeding. This does not preclude the applicable procedural law from declaring the DPA applicable after the conclusion of the proceedings (cf. Art. 99 Criminal Procedure Code). Insofar as the applicable procedural law does not contain any provisions with regard to the right of third parties to inspect files after the conclusion of the proceedings, the application of the law should be guided by the provisions of the DPA.
Unlike the consultation draft, paragraph 3 no longer merely excludes data processing by certain institutions from the scope of the FADP, which was the subject of considerable criticism in the consultation. Rather, data processing by the parties is also covered. In addition, the conflict of norms is resolved in a different way, in that the norm determines the applicable law. For the federal courts in particular, however, this still means that they are excluded from the scope of the FADP as far as data processing in the course of their judicial activities is concerned, which takes into account the separation of powers.
Conversely, however, it also follows from Article 2(3) that the FADP applies to data processing by the administrative services of courts and authorities, such as the processing of data on staff. Likewise, the courts must ensure data security when archiving evidence and decisions. However, there are exceptions to supervision by the Commissioner (cf. Art. 3 para. 2 DPA and the explanatory notes).
According to the second sentence, the provision of Article 2(3) of the e‑DSG does not apply to first-instance administrative proceedings. This provision from the previous law is retained unchanged.
Par. 4 Public registers of private legal transactions
The exception provided for in Article 2(2)(d) FADP concerning public registers of private transactions is consistent with the requirements of Article 3 E‑SEV 108 not compatible. Indeed, the future Convention does not provide for any exception for such registers. The same applies to the Regulation (EU) 2016/679.
Although it is in the interest of the data subjects that the public registers of private transactions comply with the principles of data protection, there is also a public interest in the maintenance of and access to these registers (see recital 73 of the Regulation [EU] 2016/679). In a judgment of March 9, 2017, the Court of Justice of the European Union had the opportunity to rule on the delimitation between data protection and publicity of a commercial register kept by the Italian authorities. In this case, a former administrator and liquidator of a bankrupt company requested the deletion of certain data concerning him from the aforementioned register. In order to settle this dispute, the Italian Court of Cassation asked the Court of Justice to examine whether the exception provided for in Article 6(1)(e) of the Directive 95/46/EC enshrined principle of data retention, as provided for in the first Directive 68/151/EEC, should take precedence over the regime of publicity of commercial registers. According to this principle, personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the realization of the purposes for which the data were collected or for which they are further processed.
According to the Court, the public nature of the Commercial Register is intended to ensure legal certainty between companies and third parties and to enable the latter to become aware of essential activities of the company concerned and of certain data concerning the persons authorized to represent it. The publicity of such information is justified even after the dissolution of a company. This is because it may prove necessary, for example, to verify the legality of actions taken by a company during its business activity in view of possible legal proceedings. According to the Court, however, the different statutes of limitation in the Member States make it impossible to establish a uniform time limit from the dissolution of the company, after the expiry of which the data recorded in the commercial register are no longer required. Against this background, the Court holds that, under Article 6(1)(e) of the Directive 95/46/EC cannot guarantee data subjects, for example, a right to have their personal data deleted after a certain period of time from the dissolution of the company. Nevertheless, if legal certainty and the protection of the interests of third parties prevail, it is not excluded that in specific and exceptional situations a person may claim an overriding interest worthy of protection in having access to his or her personal data restricted. The Court therefore concludes that it is for the Member States to determine whether data subjects may require the register-keeping authority to examine, on a case-by-case basis, whether, on the basis of an overriding interest worthy of protection, it is exceptionally justified to restrict access to their personal data after the expiry of a sufficient period following the dissolution of the undertaking concerned. Although the judgment of the Court of Justice is based on the Directive 95/46/EC, which will apply from the entry into force of the Regulation (EU) 2016/679 is no longer applicable, but the considerations of this judgment retain their validity for the new legislation as well.
According to the in Article 9 CC established principle, public registers provide full proof of the facts attested by them, as long as the incorrectness of their contents is not proven. In view of the purpose of these registers, the Federal Council is of the opinion that data protection reasons must not affect the public nature of registers of private legal transactions. The same applies to the registers in the area of intellectual property law: the legislator has already weighed up the interests and guarantees the public nature of these registers. In the view of the Federal Council, it is not the task of the FADP to regulate the rights of data subjects in this area. Therefore, a restriction is to be provided in paragraph 4 in favor of the special provisions of federal law. The amendment relates exclusively to public registers of private legal transactions kept by federal authorities, i.e. the electronic civil status register, Zefix, the aircraft register of the Federal Office of Civil Aviation and the registers of the Federal Institute of Intellectual Property (in particular the trademark register, the patent register and the design register).
The public registers of private legal transactions for which the cantons are responsible are subject to cantonal data protection law. This also applies if these data are processed as part of the enforcement of federal law. However, cantonal data protection law must not impede the correct and uniform application of federal private law and, in particular, the principle of the public nature of the registers. The repeal of Article 2(2)(d) DPA therefore has no effect on the following cantonal registers: the land register, the register of ships, the cantonal commercial registers, the debt enforcement and bankruptcy registers and the public register of reservations of title. Paragraph 4 also has no effect on public-law registers such as the register of medical professions, to which the special law in question applies, subsidiarily the DPA.
Spatial scope
In contrast to the Regulation (EU) 2016/679 (Art. 3), the e‑DSG does not contain any specific provision on the territorial scope of the law. In the view of the Federal Council, the existing law already offers the possibility of applying the DPA largely to situations with an international character. Based on the impact theory, this also applies to public law. The difficulties are less to be found in the territorial scope of application than in the implementation and enforcement of decisions, particularly in the area of the Internet. The Federal Council has examined whether the persons responsible and the order processors should be obliged to indicate a domicile for service in Switzerland in order to facilitate the enforcement of decisions affecting them. It finally refrained from doing so for the same reasons already presented in the report of 11 December 2015 concerning the civil liability of providers. Rather, a solution via bilateral or multilateral mutual legal assistance agreements that allow direct postal delivery of documents abroad would be preferable. Such agreements already exist in the area of civil law with some states in which well-known Internet companies have their headquarters, such as Ireland or the United States. The Federal Council confirmed this position in the area of criminal law in its statement on Motion Levrat 16.4082 “Facilitating access to data from social networks for law enforcement authorities”. Finally, it points out that the obligation to designate a domicile of service is provided for in the VwVG and the VGG.
The commissioner would have preferred that the bill contain a provision consistent with Article 3 of the Regulation (EU) 2016/679 would have contained a comparable provision and the data controllers would have been obliged to have a representation in Switzerland.

Art. 3 Territorial scope

1 This Act applies to matters that have an effect in Switzerland, even if they are initiated abroad.

2 The Federal Act of 18 December 1987 on Private International Law shall apply to claims under private law. The provisions on the territorial scope of the Criminal Code are also reserved.

Art. 4 Federal Data Protection and Information Commissioner

1 The Federal Data Protection and Information Commissioner (FDPIC) shall supervise the application of federal data protection regulations.

2 Excluded from supervision by the FDPIC are:

a. the Federal Assembly;

b. the Federal Council;

c. the federal courts;

d. the Office of the Attorney General of Switzerland: concerning the processing of personal data in the context of criminal proceedings;

e. Federal authorities: concerning the processing of personal data in the context of a judicial activity or of procedures of international mutual legal assistance in criminal matters.

Bot Art. 3 Federal Data Protection and Information Commissioner (count. acc. to draft)

Par. 1 Supervision by the commissioner
Paragraph 1 names the competent supervisory authority in the area of data protection. It states the principle that the Commissioner is the authority responsible for monitoring compliance with federal data protection regulations (cf. Art. 39 ff. E‑DSG).
In the German legal text, the masculine term is used exclusively when the commissioner is addressed as an institution in the provision in question. This is the case in the majority of the legal provisions. In contrast, the first section of Chapter 7 (with the exception of Art. 42 E‑DSG) refers to the person of the Commissioner. In these provisions, the masculine and feminine forms are used.
Par. 2 Exemptions from supervision
Paragraph 2 provides for various exceptions to the Commissioner’s supervision. The main reason for these exceptions is that placing the aforementioned authorities under the supervision of the Commissioner would impair the separation of powers and the independence of the judiciary.
The Federal Assembly (subparagraph (a)) and the Federal Council (subparagraph (b)) are exempt from the supervision of the Commissioner.
Insofar as the processing of personal data by the federal courts falls under the DPA, they are exempt from supervision by the Commissioner (subparagraph c). The exception must be considered in light of the fact that the Commissioner is newly given the authority in the e‑DSG to issue rulings vis-à-vis federal bodies. As a result, there would be a risk vis-à-vis the federal courts that the independence of the courts and the separation of powers would be impaired. In addition, the Federal Administrative Court and the Federal Supreme Court, in particular, are appeal bodies for rulings by the data protection commissioner. Therefore, they could be called upon to issue an appeal decision on their own merits. In order to meet the requirements of the Directive (EU) 2016/680 and the ESEV 108, each federal court will initiate its own independent data protection oversight. This will be analogous to that of the Commissioner, as appropriate. The establishment will take place via the adaptation of the relevant ordinances of the respective federal courts as soon as the revised DPA has entered into force.
Pursuant to letter d, the Office of the Attorney General of Switzerland is also exempt from supervision by the Commissioner insofar as it processes personal data within the framework of criminal proceedings. However, the federal police authorities remain subject to the Commissioner’s supervision, even if they act on behalf of the Office of the Attorney General. The Commissioner applies the data protection provisions of the applicable procedural law (cf. Art. 2 para. 3 E‑DSG).
Finally, under letter e, federal authorities are exempt from the Commissioner’s supervision insofar as they process personal data in the course of a judicial activity or in the course of procedures for international mutual legal assistance in criminal matters. This exemption mainly concerns the Office of the Attorney General of Switzerland and the Federal Office of Justice. According to the Federal Council’s declaration on Article 1 of the European Convention on Mutual Assistance in Criminal Matters of 20 April 1959, the Federal Office of Justice is to be considered a Swiss judicial authority within the meaning of the Convention. However, the exception is of limited scope. This is because the Commissioner may review the lawfulness of a data processing operation if a data subject asserts his or her rights under Article 11c E‑IRSG.

Chapter 2: General provisions

Section 1: Terms and principles

Art. 5 Terms

In this law mean:

a. Personal data: any information relating to an identified or identifiable natural person;

b. person concerned: natural person about whom personal data are processed;

c. personal data requiring special protection:

1. data on religious, ideological, political or trade union views or activities,

2. data concerning health, privacy or racial or ethnic affiliation,

3. genetic data,

4. biometric data that uniquely identify a natural person,

5. data on administrative and criminal prosecutions or sanctions,

6. data on social assistance measures.

d. Edit: any handling of personal data, regardless of the means and procedures used, in particular the acquisition, storage, retention, use, modification, disclosure, archiving, deletion or destruction of data;

e. Announce: transmitting or making available personal data;

f. Profiling: any automated processing of personal data consisting in using such data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location;

g. High risk profiling: Profiling that entails a high risk for the personality or fundamental rights of the data subject by leading to a linkage of data that allows an assessment of essential aspects of the personality of a natural person;

h. Data security breach: a breach of security that results in personal data being inadvertently or unlawfully lost, deleted, destroyed, or altered, or disclosed or made available to unauthorized persons;

i. Federal body: Authority or agency of the Federal Government or person entrusted with public functions of the Federal Government;

j. Person responsible: private person or federal body that, alone or together with others, decides on the purpose and means of processing;

k. Order Processor: private person or federal body that processes personal data on behalf of the data controller.

Bot Art. 4 Terms (count. acc. to draft)

Let. a Personal data
It should be noted that the e‑DSG generally uses the term personal data. Within the same paragraph, the term data is also used synonymously, especially in the German text, when it is clear that personal data is meant.
The concept of personal data is changed compared to the previous law in that the FADP is no longer applicable to legal entities. Personal data is thus all information that relates to an identified or identifiable natural person. A natural person is identifiable if he or she can be identified directly or indirectly, for example by reference to information that can be deduced from the circumstances or context (identification number, location data, specific aspects relating to his or her physical, physiological, genetic, mental, economic, cultural or social identity). Identification may be possible through a single piece of information (telephone number, house number, AHV number, fingerprints) or through the matching of different pieces of information (address, date of birth, marital status). As under current law, the mere theoretical possibility that someone can be identified is not sufficient to assume that a person is identifiable. Thus, the Federal Council states in its Message on the DPA of 1988 fixed:
“If the effort to determine the persons concerned is so great that, according to general life experience, it cannot be expected that an interested party will take it upon himself […], there is no determinability.“
Rather, the totality of the means that can reasonably be used to identify a person must be considered. Whether the use of these means is reasonable must be assessed with regard to the circumstances, such as the time and financial effort required for identification. The technologies available at the time of processing and their further development must be taken into account.
The law does not apply to anonymized data if identification by third parties is impossible (the data has been completely and definitively anonymized) or if this would only be possible at great expense, which no interested party would take on. This also applies to pseudonymized data.
Bst. b Person concerned
Data subjects are natural persons about whom data is processed. The restriction to natural persons results from the removal of protection for data of legal persons (see the explanations on Art. 2 (1) E‑DSG under No. 9.1.2).
Letter c Particularly sensitive personal data
Item 1 is not changed.
Point 2 is supplemented: The concept of personal data requiring special protection is defined in line with the Directive (EU) 2016/680 (Art. 10) and the Regulation (EU) 2016/679 extended to ethnic origin data. The E‑DSG retains the reference to racial origin. Like the European Union, the Federal Council notes that the use of this term does not mean that it endorses theories that attempt to prove the existence of different human races. The bill also retains
the reference to data on health and privacy. Data relating to the privacy of the data subject are namely data relating to the sex life and sexual orientation of the data subject (see also Convention ETS 108 [Art. 6 para. 1], Directive [EU] 2016/680 [Art. 10] and the Regulation [EU] 2016/679 [Art. 9]). Depending on the circumstances, a person’s gender identity may also fall under this term (or under health data).
The term “personal data requiring special protection” is also expanded to include genetic data (item 3) and biometric data that uniquely identify an individual (item 4). With this amendment, the requirements of the E‑SEV 108 (Art. 6 para. 1) and the Directive (EU) 2016/680 (Art. 10) implemented. The Regulation (EU) 2016/679 (Art. 9) provides for a similar regulation.
Genetic data is information about a person’s genetic makeup obtained through genetic testing; this includes the DNA profile (Art. 3 let. l of the Federal Act of October 8, 2004 on Genetic Testing in Humans [GUMG]).
Biometric data in this context means personal data obtained by a specific technical process on the physical, physiological or behavioral characteristics of an individual that enables or confirms the unique identification of the person concerned. These are, for example, a digital fingerprint, facial images, images of the iris or recordings of the voice. These data must necessarily be based on a specific technical procedure that allows the unique identification or authentication of a person. This is not the case, for example, with ordinary photographs.
Let. d Edit
The term machining remains unchanged in terms of content. The term “processing” is also frequently used synonymously. However, “storing” and “deleting” have been added to the list with the aim of approximating the wording of European law (Art. 2 let. b E‑SEV 108, Art. 4 No. 2 of the Regulation [EU] 2016/679 and Art. 3 No. 2 of Directive [EU] 2016/680). As in the current law, the list of possible processing operations is not exhaustive, so that numerous operations may fall under it (organizing, sorting, modifying, evaluating data, etc.). The term “destroy” is stronger than the term “erase” and implies that the data is irretrievably destroyed. If the data exists on paper, this is to be burned or shredded. Data destruction is more difficult in the case of electronic data. If the data was transmitted by means of a CD or a USB stick, on the one hand the data carrier must be rendered unusable and on the other hand all copies must be treated in such a way that the data can no longer be made readable. In the case of personal data transmitted as an attachment to an e‑mail, any intermediate storage of this e‑mail must also be destroyed. Common deletion commands or mere reformatting do not constitute destruction, but deletion. Unlike Swiss law, the European Union uses the term processing instead of editing. For reasons of practicability, it was decided not to adapt Swiss law in this respect as well, especially since there is no difference in content.
Subparagraph f Profiling
The Federal Council proposes to abolish the term “personality profile”, which is defined in Article 3 letter d FADP. The term “personality profile” is a special feature of our legislation. Neither European law nor other foreign legislations know this term. After the entry into force of the DPA in 1992, it did not have much importance, and today it seems to be outdated due to the development of new technologies. In its place, the term “profiling” is used in the e‑DSG. The term is found in Article 3(4) of the Directive (EU) 2016/680 and Article 4 point 4 of the Regulation (EU) 2016/679. Although the two terms have similarities, they are not congruent. The personality profile is the result of a processing procedure and thus captures something static. Profiling, on the other hand, describes a specific form of data processing, i.e. a dynamic process. In addition, the profiling process is geared to a specific purpose.
Based on the comments received during the consultation process, the content of the term “profiling” has been adapted to the European terminology and now only covers the automated processing of personal data. Thus, profiling is defined as the assessment of certain characteristics of a person on the basis of personal data processed by automated means, in particular in order to analyze or predict work performance, economic circumstances, health, behavior, interests, place of residence or mobility. This analysis may be done, for example, to find out whether a person is suitable for a particular job. Profiling is, in other words, characterized by the fact that personal data are evaluated in an automated manner in order to assess the characteristics of a person on the basis of this evaluation, also in an automated manner. Profiling thus only exists if the evaluation process is fully automated. Any evaluation using computer-assisted analysis techniques is to be regarded as an automated evaluation. Algorithms can also be used for this purpose, but their use is not constitutive for the existence of profiling. Rather, all that is required is that an automated evaluation process takes place; if, on the other hand, there is merely an accumulation of data without it being evaluated, profiling is not yet taking place. The automated evaluation is carried out in particular in order to analyze or predict certain behaviors of this person. By way of example, the law mentions some characteristics of a person such as work performance, economic situation or health. However, other characteristics such as interests, trustworthiness or location are also conceivable. It is irrelevant whether the person responsible for profiling is doing so for his or her own purposes or for a third party.
Since the term personality profile is no longer used, the legal bases that allow federal bodies to process personality profiles must also be adapted (cf. Section 9.2.2).
Data that arise as a result of profiling are in principle personal data within the meaning of Article 4 letter a E‑DSG. Depending on the subject matter, this may also be personal data requiring special protection.
Letter g Data security breach
Unlike the preliminary draft, the e‑DSG contains a definition of data security breach because it became apparent during the consultation process that the term was not sufficiently clear. Accordingly, it is a data breach if a process results in personal data being lost, deleted or destroyed, modified or disclosed or made accessible to unauthorized persons. This applies regardless of whether the process is intentional or not, whether it is unlawful or not. The term ties in with Article 7, according to which the controller and the processor must take technical and organizational measures to ensure data security. In terms of content, the term corresponds to Article 7(2) E‑SEV 108, Article 3 point 11 of the Directive (EU) 2016/680 and Article 4 item 12 of the Regulation (EU) 2016/679.
The only decisive factor is whether the processes in question took place. It is also irrelevant for the existence of a breach of data security whether there was merely the possibility that the personal data was disclosed or made accessible to unauthorized persons or whether such access actually took place. If, for example, a data carrier is lost, it is often difficult to prove whether the data stored on it was actually viewed or used by unauthorized persons. Therefore, the loss as such already constitutes a breach of data security. The extent and significance of a data security breach are rather relevant for the measures to be taken, in particular the assessment of the risk pursuant to Article 22 (1).
Letter i Responsible person
The e‑DSG provides for the replacement of the term “data controller” with “data controller” in order to use the same terminology as in the E‑SEV 108 (Art. 2 let. d), in which Directive (EU) 2016/680 (Art. 3 No. 8) and in the Regulation (EU) 2016/679 (Art. 4 No. 7) is used. Apart from the fact that the reference to the data collection is removed, there is no material change here. The controller, like the owner of the data collection, is the person who decides on the purpose and means (material or automated processing, software used) of the processing. In the German legal text, only the masculine form is used, since the data controller is predominantly, but not exclusively, a legal entity.
Bst. j Order processor
This is the private person or federal body that processes data on behalf of the data controller. This term corresponds to that in the E‑SEV 108 (Art. 2 let. f), in which Directive (EU) 2016/680 (Art. 3 No. 9) and in the Regulation (EU) 2016/679 (Art. 4 item 8).
The contract between the person responsible and the order processor can be of different types. Depending on the obligations of the order processor, it may be an order (Art. 394 ff. CO), a contract for work (Art. 363 ff. CO) or a mixed contract. The order processor is no longer a third party from the moment it begins its contractual activity on behalf of the controller.
In the German legal text, only the masculine form is used, as the order processors are predominantly, but not exclusively, legal entities.
Unchanged terms
The following terms remain unchanged or undergo only editorial changes compared to the current law: Announce (subparagraph (e)) and federal body (subparagraph (h)).
Repealed terms
In addition to the terms personality profile and data collection owner, the bill repeals the following terms:

Data collection: The e‑DSG envisages dispensing with this term. This corresponds to the solution in the E‑SEV 108in which the term – editing data is used instead. Thanks to new technologies, data can now be used like a data collection, even if it is not stored centrally. An illustrative example is profiling, which involves accessing various sources that are not data collections in order to assess certain characteristics of an individual based on the data collected. Under current law, such activities are not covered by the legal provisions that require the existence of a data collection – such as the right of access (Art. 8 DSG) or the duty to inform (Art. 14 FADP) – while more transparency is required precisely in this context. Moreover, the Federal Council points out that part of the doctrine interprets the term data collection very broadly. The decisive criterion here is that the allocation of data to a person must not cause disproportionate effort. Law in the formal sense: The e‑DSG envisages dispensing with this definition of the term, as it is not necessary.
Law in the formal sense: The E‑DSG provides for dispensing with this definition of terms, as it is not necessary.

Art. 6 Principles

1 Personal data must be processed lawfully.

2 The processing must be carried out in good faith and be proportionate.

3 Personal data may only be obtained for a specific purpose that is apparent to the data subject; it may only be processed in a manner that is compatible with this purpose.

4 They are destroyed or made anonymous as soon as they are no longer required for the purpose of processing.

5 Anyone who processes personal data must ensure that it is accurate. He or she must take all reasonable measures to ensure that data which is inaccurate or incomplete in relation to the purpose for which it was obtained or processed is corrected, deleted or destroyed. The appropriateness of the measures depends in particular on the type and scope of the processing and the risk that the processing entails for the personality and fundamental rights of the data subjects.

6 If the consent of the data subject is required, this consent is only valid if it is given voluntarily for one or more specific processing operations after appropriate information has been provided.

7 Consent must be explicit for:

a. the processing of personal data requiring special protection;

b. high-risk profiling by a private person; or

c. profiling by a federal entity.

Bot Art. 5 Principles (count. acc. to draft)

Par. 2 Legality and proportionality
The French version of paragraph 2 undergoes an editorial change.
According to the principle of proportionality, only data that is suitable and necessary for the purpose of the processing may be processed. In addition, there must be a reasonable relationship between the purpose and the means used, and the rights of the data subjects must be preserved as far as possible (principle of proportionality in the narrower sense). The principles of data avoidance and data economy are both expressions of this. The first implies that this option is to be preferred if the purpose of the processing can be achieved without obtaining new data. The second requires that only data that are absolutely necessary for the purpose pursued be processed. These two principles are ber
eeds to be taken into account when planning new systems. Thus, they partly overlap with the principles of data protection by design and by privacy-friendly default settings (see explanations on Art. 6 E‑DSG).
Par. 3 Purpose limitation and recognizability
Paragraph 3 combines the principles of purpose limitation and identifiability currently contained in paragraphs 3 and 4 of the Act. In order to make federal law more consistent with the wording of the E‑SEV 108 (Art. 5(4)(b)), the e‑DSA provides that data may only be obtained for a specific purpose that is identifiable to the data subject. This new wording does not result in any material changes compared to the current law. Both the procurement of the data and the purpose of its processing must be recognizable. This is generally the case if the data subject is informed, the processing is provided for by law or is clearly evident from the circumstances. The definiteness of the purpose means that vague, undefined or imprecise processing purposes are not sufficient. This characteristic is assessed according to the circumstances, whereby a balance must be struck between the interests of the data subjects and those of the controller or the order processor and the company.
Paragraph 3 states that data may only be processed in a manner that is compatible with the initial purpose. This new wording allows for a terminological approximation of the law to the E‑SEV 108 (Art. 5(4)(b)). However, it does not entail any significant changes: as is already the case today, further processing is not permitted if the data subject can justifiably consider this to be unexpected, inappropriate or objectionable (see also paragraph 47 of the explanatory report on the E‑SEV 108 from CAHDATA). The following cases are conceivable:

the re-use for advertising purposes of addresses collected when collecting signatures for a political campaign;
obtaining and analyzing data on consumer habits (for purposes other than fraud prevention) based on payments made with a credit or debit card without the consent of the data subject;
the collection and use of e‑mail addresses provided by the data subject for a specific purpose via the Internet, in order to later send spam messages; the acquisition by a private company of IP addresses of connection holders offering pirated downloads. If, on the other hand, the data subject transmits his or her address with a view to obtaining a loyalty card or for placing an order (online or not), the continued use of this address by the company concerned for advertising purposes is within the scope of an initially identifiable purpose and can therefore be considered compatible with the initial purpose. If the change of the initial purpose is provided for by law, if it is required by a change in the law or if it is legitimized by another justification (e.g. by the consent of the data subject), the further processing is also deemed to be compatible with the initial purpose.

Par. 4 Duration of retention of personal data
According to paragraph 4, data must be destroyed or made anonymous as soon as it is no longer required for the purpose of processing. This complies with the requirements of the E‑SEV 108 (Art. 5 para. 4 let. e, cf. also para. 51 of the draft explanatory report to the E‑SEV 108 from CAHDATA), the Directive (EU) 2016/680 (Art. 4 para. 1 let. e) and the Regulation (EU) 2016/679 (Art. 5(1)(e)). The obligation also arises implicitly from the general principle of proportionality, which is set out in paragraph 2 of the provision. However, the Federal Council considers it important to explicitly state this obligation in view of the technological development and the almost unlimited storage possibilities. Compliance with this obligation requires the responsible party to specify retention periods. This is subject to special regulations that provide for special retention periods.
Par. 5 Correctness
Article 5(5) of the e‑DSG incorporates the principle of accuracy of data currently set out in Article 5 FADP is included. In this way, the most important data protection principles are combined in a single provision, as is also the case in Article 5 E‑SEV 108, in Article 4 of the Directive (EU) 2016/680 and in Article 5 of the Regulation (EU) 2016/679 is the case. In the French text, the term “correctes” is replaced by “exactes”; in German and Italian, the terminology used is already consistent.
The paragraph states that any person who processes data must ensure that it is accurate. It must take all reasonable measures to ensure that data which is inaccurate or incomplete in relation to the purpose for which it was obtained or processed is corrected, deleted or destroyed. Data that cannot be corrected or completed shall be deleted or destroyed. The scope of this duty to verify must be determined on a case-by-case basis. It depends in particular on the purpose and scope of the processing and on the type of data processed. Depending on the case, this obligation may mean that the data is kept up to date.
Certain legal obligations may prevent the correction, deletion or updating of data. In addition, the principle of accuracy and the associated obligations must be viewed in a differentiated manner with regard to the activities of archives, museums, libraries and other memory institutions. The task of such institutions is namely to collect, index, preserve and communicate documents (including digital ones) of all kinds (cf. Art. 2(1) of the National Library Act of 18 December 1992). The documents in question as such may not be changed in the process, because this would run counter to the purpose of archiving. The purpose of archives is to provide a snapshot of the past by means of documents, the “accuracy” of which relates solely to the fact that the documents in question are reproduced faithfully in their original form. In other words, archives reproduce how something was in the past, regardless of whether this is still considered accurate from a current perspective. There is a considerable public interest in this specific activity (in this regard, see Art. 28 Para. 1 Letter b and 37 Para. 5 E‑DSG as well as the corresponding explanations under Sections 9.1.6 and9.1.7).
Par. 6 Consent
If the data subject’s consent is required, such consent is only valid pursuant to paragraph 6 if it is given voluntarily and unambiguously for one or more specific processing operations after appropriate information has been provided. In this way, the data subject expresses his or her consent to an infringement of his or her personality, which in the present case occurs as a result of data processing.
The slightly modified wording allows a terminological approximation to the E‑SEV 108 (Art. 5(2)) in order to meet its requirements. However, this does not result in any fundamental change to the current legal situation. As is already the case under existing law, the processing, in particular its scope and purpose, must be sufficiently defined for consent to be valid. Consent can also be given for several similar or different processing operations. It is also possible that the purpose of processing requires different processing. For example, treatment by a doctor may require an exchange with pre- or post-treatment specialists and services, as may processing for billing purposes or clarifications with insurance companies. The consent must cover the purpose of the processing for which it serves as a justification. If the data is processed for other purposes for which consent was not given, this processing must be justified by other reasons. The consent must also be unambiguous. Accordingly, the data subject’s declaration must unequivocally state his or her intent. This depends on the specific circumstances of the individual case. According to the principle of proportionality, the more sensitive the personal data in question, the clearer the consent must be. Consent can still be given without a specific form and is therefore not bound to a written declaration. Unambiguous consent within the meaning of paragraph 6 can also be given by an implied declaration of intent (cf. Art. 1 CO). This is the case if the expression of the will does not result from the declaration itself, but from conduct which can be understood as an unambiguous expression of the will on the basis of the circumstances in which it occurs. This is the case with so-called implied (conclusive) conduct, in which the declaring person expresses his will by making it clear through a corresponding action, e.g. by fulfilling his contractual obligation. There must therefore be an expression of will, so that in principle mere silence or inactivity cannot be regarded as valid consent to an infringement of personality. The following remains reserved Article 6 COif the parties have agreed silence as consent.
According to the second sentence of paragraph 6, consent must be given explicitly when it comes to the processing of particularly sensitive personal data and profiling. Increased requirements are also placed on consent for profiling, as is already the case in current law for the processing of personality profiles. “Explicit” is a heightened requirement for “unambiguous” consent under the first sentence of this provision. The scope of this requirement is already partially disputed under current law. The Federal Council, however, sees no reason to deviate from the current legal situation. However, in order to clarify the terminology, the terms “explicite” and “esplicito” are replaced by the terms “exprès” and “espresso” in the French and Italian versions of the text, thus aligning them with the terminology of Article 1 CO adapted. The German text does not undergo any change. A declaration of intent is “express” if it is made by written or spoken words or a sign and the expressed intent is immediately clear from the words used or the sign. The expression of the will as such must already provide clarity about the will by the manner in which it is made. This is possible, in particular, by ticking a box, actively selecting certain technical parameters for the services of an information processing company or otherwise making a declaration. The same applies to the non-verbal expression by means of a sign that is clear in the specific context or a corresponding movement, which can frequently be the case in the context of a medical treatment relationship in particular. Examples include nodding one’s head in agreement or opening one’s mouth to remove buccal mucosa following clear explanation. Where express consent is required, this cannot be given by implication.

Art. 7 Data protection by design and privacy-friendly default settings

1 The controller is obliged to design the data processing technically and organizationally in such a way that the data protection regulations are complied with, in particular the principles according to Article 6. He shall take this into account from the planning stage.

2 The technical and organizational measures must in particular be appropriate to the state of the art, the nature and extent of the data processing and the risk that the processing entails for the personality or fundamental rights of the data subjects.

3 The controller is obliged to ensure, by means of suitable default settings, that the processing of personal data is limited to the minimum necessary for the purpose of use, unless the data subject specifies otherwise.

Bot Art. 6 Data protection through technology and data protection-friendly default settings (count. acc. to draft)

Article 6 E‑DSG introduces the obligation to protect data through technology as well as through data protection-friendly default settings. Because these obligations are closely related to the data protection principles, they have been transferred to the general data protection provisions. The standard implements the requirements of Article 8 numeral 3 E‑SEV 108 and of Article 20, paragraph 1 of the Directive (EU) 2016/680 um. The Article 25 of the Regulation (EU) 2016/679 contains a similar provision.
Par. 1 Data protection through technology
Paragraph 1 requires the controller to design data processing from the time of planning in such a way that the data protection regulations are implemented by the measures taken. This introduces the new obligation for so-called “data protection by technology” (Privacy by Design). The basic idea of technology-based data protection is that technology and law complement each other. Data protection-friendly technology can reduce the need for legal rules (or codes of conduct) by making it impossible to violate data protection regulations or at least significantly reducing the risk. At the same time, data protection-friendly technologies are indispensable for the practical implementation of data protection regulations. After all, data processing is already ubiquitous in many respects and will tend to increase further (ubiquitous computing). This creates volumes of data that are almost impossible to keep track of and that must be processed in compliance with data protection rules, for which technical precautions are central. Overall, technology-supported data protection does not target a specific technology. Rather, the aim is to design data processing systems technically and organizationally in such a way that they comply in particular with the principles set out in Article 5 of the e‑DSG. In other words, the legal requirements for data protection-compliant processing are already implemented in the system in such a way that it reduces or eliminates the risk of violations of data protection regulations. For example, it can be ensured that data is deleted at regular intervals or anonymized as standard. Particularly significant for
The most important aspect of technology-supported data protection is data minimization, which already results from the general principles set out in Article 5 of the e‑DSG. In accordance with the concept of data minimization, data processing is designed from the outset in such a way that as little data as possible is generated and processed or that data is at least retained for only as short a period as possible.
Federal bodies must already notify their designated data protection officer or, if no such officer exists, the Commissioner without delay of all projects involving the automated processing of personal data so that data protection requirements are taken into account at the planning stage (Art. 20 VDSG).
Par. 2 Adequacy of the arrangements
Paragraph 2 specifies the requirements for the precautions referred to in paragraph 1. In particular, these must be appropriate in view of the state of the art, the nature and scope of the data processing, and the likelihood and severity of the risks that the processing in question entails for the personality and fundamental rights of the data subject. The present provision refers to data processing by private processors and federal bodies, so that the risks to the personality and fundamental rights are referred to.
The standard expresses the risk-based approach. The risk associated with processing must be related to the technical possibilities for reducing it. The higher the risk, the greater the probability of occurrence and the more extensive the data processing, the higher the requirements for the technical precautions so that they can be considered appropriate in the sense of this provision.
Par. 3 Privacy-friendly default settings
According to paragraph 3, the controller is obligated to ensure by means of suitable default settings that, as a matter of principle, only as little personal data is processed as is possible with regard to the purpose of use, unless the data subject specifies otherwise. This introduces the new obligation to use data protection-friendly default settings (privacy by default). Default settings are those settings, in particular of software, which are applied by default, i.e. if no deviating input is made by the user. These default settings may be available at the factory or may be programmed accordingly, as is the case, for example, when a certain printer is defined as the default printer. In the context of data processing, this means that the processing operation in question is set up as data protection-friendly as possible by default, unless the data subject would change these default settings. For example, it would be conceivable for a website to basically allow purchases without having to create a user profile. Customers would only have to provide minimal information such as name and address. However, if customers want to benefit from other services offered by the website, such as access to all their past purchases or the creation of lists of shopping preferences, they will have to create a user profile, which will also involve more extensive processing of their personal data. This highlights the close connection with the use of data protection-friendly technology and the principle of data minimization. Thus, corresponding default settings are regularly part of the data protection-friendly design of an entire system. What is specific to data protection-friendly default settings, however, is the ability of the data subject to influence them. While the data subject can hardly influence the system as such, data protection-friendly default settings at best give him or her the opportunity to make a different choice. They are therefore closely related to the consent of the data subject (cf. Art. 5(6) E‑DSG). Thus, data protection-friendly default settings allow the data subject to consent to a certain data processing.
The principle of data protection by default plays a subordinate role in the public sector, since data processing there is based less on the consent of the data subject than on legal obligations.
The controller may demonstrate, in particular through certification or a data protection impact assessment, that it complies with the obligations of this provision.

Art. 8 Data security

1 The controller and the processor shall ensure data security appropriate to the risk by means of suitable technical and organizational measures.

2 The measures must make it possible to prevent breaches of data security.

3 The Federal Council shall issue provisions on the minimum requirements for data security.

Bot Art. 7 Data security (count. acc. to draft)

Article 7 E‑DSG adopts Article 7 DSG with some changes. The obligation to ensure data security is a requirement of the E‑SEV 108 (Art. 7) and the Directive (EU) 2016/680 (Art. 29). The Regulation (EU) 2016/679 (Art. 32) contains a similar regulation. The controller and the processor must take appropriate technical and organizational measures to ensure data security commensurate with the risk. This expresses the risk-based approach. The greater the risk of a data security breach, the higher the requirements for the measures to be taken.
Paragraph 2 defines the objective of these measures. These should make it possible to prevent breaches of data security, i.e. any breach of security which, regardless of intent or unlawfulness, results in personal data being lost, deleted, destroyed or altered, or disclosed or made accessible to unauthorized persons (Art. 4 let. g e‑DSG). Such precautions may include, for example: the pseudonymization of personal data, measures to maintain the confidentiality and availability of the system or its services, the development of procedures to regularly check, analyze and evaluate whether the security precautions taken are effective.
Although data privacy and data security interact, they must be distinguished from one another. Data protection is concerned with the protection of the personality of the individual. Data security, on the other hand, is generally aimed at the data held by a data controller or processor and encompasses the general technical and organizational framework for data processing. Accordingly, individual data protection is only possible if general technical precautions for data security are taken at the same time. This also results in the demarcation of the obligation for data security under Article 7 E‑DSG from data protection by technology under Article 6 (1) E‑DSG. Article 7 obligates both the controller and the processor to provide an appropriate security architecture for their systems and to protect them against malware or data loss, for example. Article 6(1), on the other hand, aims to ensure compliance with data protection regulations by technical means, e.g., that data processing remains proportionate. In this context, individual measures such as the anonymization of data can be significant for both obligations.
Paragraph 3 requires the Federal Council to define minimum data security requirements.

Art. 9 Processing by order processors

1 The processing of personal data may be entrusted by contract or by legislation to a processor if:

a. the data is processed as the data controller would be permitted to do; and

b. no legal or contractual confidentiality obligation prohibits the transfer.

2 In particular, the controller must ensure that the processor is able to guarantee data security.

3 The processor may only transfer the processing to a third party with the prior approval of the controller.

4 He may assert the same grounds for justification as the person responsible.

Bot Art. 8 Processing by order processor (count. acc. to draft)

Article 8 essentially takes over the current Article 10a DSG (data processing by third parties). In paragraphs 1, 2 and 4, terminological changes are made that are necessary as a result of the new terms (processor, controller). As under the previous law, it can be stated in particular that the order processing for personal data that is processed by Article 321 StGB (e.g. data covered by medical secrecy) is not excluded by the provision in Article 8 (1) letter bE-DSG if the third parties are to be qualified as auxiliaries within the meaning of Article 321 (1) (1) StGB. If the other requirements for order processing are met, this is thus permissible without the data subject having to give additional consent. Paragraph 1 establishes a duty of care for the controller to safeguard the rights of the data subject when processing the order. The controller must actively ensure that the order processor complies with the law to the same extent as he does himself. This applies in particular to compliance with the general principles, the rules regarding data security, which are explicitly mentioned in paragraph 2, and the rules regarding disclosure abroad. The data controller must, analogously to Article 55 CO prevent violations of the DPA. He is therefore obliged to select his processor carefully, to instruct him appropriately and to monitor him as far as necessary. Paragraph 3 is new and provides that the processor may only transfer the processing to a third party with the prior consent of the controller. In the private sector, the authorization is not tied to any particular form. However, the order processor must prove that the authorization has been obtained. It is therefore in his interest to document this. In the public sector, on the other hand, the authorization must be in writing. This is a requirement of the Directive (EU) 2016/680 (Art. 22 Para. 2). The Federal Council will specify this in an ordinance. In both the private and the public sector, the authorization may be specific or general. In the latter case, the processor shall inform the controller of any change (involvement or replacement of other processors) so that the controller can object to such changes.
Data processing within the same legal entity (branch, administrative unit, employees) does not constitute processing by order processors. If data is stored in a so-called cloud, this is basically an application of order processing, which must meet the corresponding requirements. If data is disclosed abroad for this purpose, the requirements of Articles 13 and 14 must also be met.

Art. 10 Data protection advisor

1 Private data controllers may appoint a data protection advisor.

2 The data protection advisor is the point of contact for data subjects and for the authorities responsible for data protection in Switzerland. He or she shall have the following tasks in particular:

a. Training and advising the private controller on privacy issues;

b. Participation in the application of data protection rules.

3 Private responsible parties may make use of the exemption under Article 23 paragraph 4 if the following conditions are met:

a. The data protection advisor shall exercise his or her function vis-à-vis the controller in a professionally independent manner and not bound by instructions.

b. She or he shall not engage in any activity that is incompatible with her or his duties as a privacy consultant.

c. She or he has the necessary expertise.

d. The data controller shall publish the contact details of the data protection advisor and communicate them to the FDPIC.

4 The Federal Council shall regulate the appointment of data protection advisors by federal bodies.

Bot Art. 9 Data protection adviser ‑adviser (count. acc. to draft).

Article 9 regulates the internal data protection advisor. The existing law uses the term data protection officer in German, responsabile in Italian, while in French it refers to the conseiller (Art. 11a (5) (e) FADP). In order to avoid confusion with the data controller under Article 4(i) DPA or with the responsabile under Article 4(j) DPA, the DPA introduces the term data protection advisor or consulente per la protezione dei dati in German and Italian. This makes the terminology consistent in all three languages.
The data protection advisor monitors compliance with data protection regulations within a company and advises the person responsible on data protection matters. However, the person responsible bears sole responsibility for ensuring that personal data is processed in compliance with data protection regulations.
The provision will be added to the e‑DSG as a result of the consultation. It has shown that an explicit mention of the data protection advisor in the law is desirable. However, the E‑DSG goes less far than European law, which provides for an obligation to appoint a data protection advisor in certain cases. This solution would also have been preferred by the Commissioner. Under the E‑DSG, on the other hand, it is left up to companies to decide whether they want to appoint a data protection advisor, while federal bodies are in principle obliged to appoint one.
Par. 1 and 2 Appointment
Private data controllers may in principle appoint a data protection advisor at any time, as stated in paragraph 1. However, the law provides for facilitations with regard to the data protection impact assessment for controllers who have appointed such an advisor.
Paragraph 2 defines the requirements that must be met for these facilitations to apply (subparagraph a). In this respect, the e‑DSG largely adopts existing law (cf. Art. 12a f. VDSG).
The responsible person may appoint a co-worker
The data controller may appoint an employee or a third party as data protection advisor. Pursuant to letter a, however, the person must exercise his or her function in a professionally independent manner; he or she is not bound by instructions vis-à-vis the controller. If the person is an employee, the hierarchical classification within the company must ensure that the data protection advisor remains independent. In principle, he or she should report directly to the management of the controller.
Letter b further specifies the independence of the data protection advisor. Accordingly, these persons may not take on any activities that are incompatible with their duties. This could be the case, for example, if the data protection advisor is a member of the management, exercises functions in areas of personnel management or information system management, or belongs to a department that itself processes personal data requiring special protection. On the other hand, it is conceivable, for example, to cumulate the task of the data protection advisor with that of the information security officer.
Finally, according to letter c, the data protection advisor must have the necessary expertise to take on this task. Thus, this activity requires expertise both in data protection legislation and in technical standards for data security.
The data protection advisor is an important contact person for both the data subject and the data controller with regard to the data processing activities carried out by the company in question. According to letter d, the controller must therefore publish the contact details of the data protection advisor and communicate them to the Commissioner. An analogous obligation is also to be provided for in the Ordinance for federal bodies.
Par. 3 Data protection advisor ‑advisor of federal bodies
Paragraph 3 requires the Federal Council to issue rules on the appointment of the data protection advisor by federal bodies. These are also predominantly in the ordinance under previous law.
The federal bodies are authorized to act in the Schengen area on the basis of Article 32 of the Directive (EU) 2016/680 required to appoint a data protection advisor.

Art. 11 Codes of conduct

1 Professional, branch and trade associations that are authorized by their statutes to safeguard the economic interests of their members, as well as federal bodies, may submit codes of conduct to the FDPIC.

2 The latter shall comment on the codes of conduct and publish its opinions.

Bot Art. 10 Codes of conduct (count. acc. to draft)

The Federal Council would like to promote the development of codes of conduct. These meet a need revealed by the regulatory impact assessment (cf. para. 1.8) in view of the general nature of the legislation and its extremely broad personal and material scope. In such codes, individual concepts such as high risk (Art. 20 E‑DSG) or the modalities of obligations such as the duty to inform (Art. 17 – 19 E‑DSG) and the duty to conduct a data protection impact assessment (Art. 20 E‑DSG) can be specified. In addition, more precise solutions are to be found in areas which today raise numerous questions, for example video surveillance, cloud computing or social networks.
By enabling interested parties to become active themselves and contribute to the regulation of individual areas, the Federal Council wishes to promote concerted and broad-based industry solutions. To promote self-regulation, it also proposes that data controllers who comply with codes of conduct can waive the requirement to conduct a data protection impact assessment under certain conditions (Art. 20 (5) E‑DSG).
Encouraging states and regulators to adopt codes of conduct is also important in the Regulation (EU) 2016/679 (Art. 40 and 57 para. 1 let. m).
In the private sector, the codes of conduct must come from professional or trade associations that are authorized by their statutes to protect the economic interests of their members. Individual responsible parties or contract processors cannot submit codes of conduct to the Commissioner because the purpose of codes of conduct is to achieve a degree of uniformity within a particular industry. In the public sector, however, codes of conduct may originate from a single federal body. This is justified in particular because of the numerous legal bases and the diversity of the tasks of the various bodies.
Paragraph 1 provides that the codes of conduct may be submitted to the Commissioner. The latter shall comment on them (paragraph 2). The period within which he must comment depends on the circumstances of the individual case.
The opinion does not constitute an order. Interested parties can therefore not derive any rights from a positive opinion or a waiver of an opinion. Nevertheless, in the event of a positive opinion by the Commissioner, it can be assumed that conduct in compliance with the Code of Conduct will not result in administrative measures. The commissioner publishes his opinion, irrespective of whether he assesses the submitted code of conduct positively or negatively.
The commissioner would have preferred it if the associations had been obliged to submit the codes to him for approval. The Federal Council refrained from doing so because of the results of the consultation, but also because the Commissioner would have had to decide on this by way of an order, which would have entailed additional costs.

Art. 12 List of processing activities

1 The persons responsible and the order processors shall each keep a register of their processing activities.

2 The list of the responsible person shall contain at least:

a. the identity of the person responsible;

b. the purpose of processing;

c. a description of the categories of data subjects and the categories of personal data processed;

d. the categories of recipients;

e. if possible, the retention period of the personal data or the criteria for determining this period;

f. if possible, a general description of the measures taken to ensure data security in accordance with Article 8;

g. if the data are disclosed abroad, the indication of the State and the guarantees referred to in Article 16, paragraph 2.

3 The list of the processor shall contain information on the identity of the processor and the controller, on the categories of processing carried out on behalf of the controller, and the information referred to in paragraph 2 letters f and g.

4 The federal bodies shall report their directories to the FDPIC.

5 The Federal Council provides for exceptions for companies that employ fewer than 250 employees and whose data processing entails a low risk of violations of the personality of the persons concerned.

Bot Art. 11 List of processing activities (count. acc. to draft)

Instead of the documentation obligation in the preliminary draft, the e‑DSG provides for the obligation to keep a register of processing activities. The consultation revealed that it was not clear enough what the documentation obligation covers. In addition, the directory of processing activities is now classified under the general data protection provisions. This clarifies the close connection with the data protection principles. The obligation to maintain a directory replaces the obligation to report data collections under the previous law. The Directive (EU) 2016/680 provides for such a list in Article 24; the Regulation (EU) 2016/679 contains an analogous provision in Article 30.
The obligation to maintain a register is incumbent on the controller and the processor in accordance with paragraph 1.
Paragraph 2 lists the minimum information that the directory must contain. First of all, this includes the identity (name) of the controller (a) and the purpose of the processing (b). A description of the categories of data subjects and the categories of personal data processed must also be provided (c). Categories of data subjects refer to typified groups that have certain common characteristics, such as “consumers”, “members of the armed forces” or “employees”. Categories of personal data processed refers to the type of data processed, e.g. personal data requiring special protection. The categories of recipients (letter d) to whom the personal data may be disclosed must also be listed. Again, this refers to typified groups with common characteristics, such as “supervisory authorities”. According to letter e, the directory must contain the retention period of the personal data. Since the retention period under Article 5(4) is based on the purpose of use, it is sometimes not possible to specify the retention period exactly, which is expressed by the phrase “if possible”. If precise information is not possible, the list must at least contain the criteria according to which this duration is determined. Finally, according to letter f, the inventory must contain a general description of the measures taken to ensure data security pursuant to Article 7, to the extent possible. By means of the description, the directory should make it possible to identify deficiencies in the security measures. The phrase “if possible” makes it clear that the description should only be given if the precautions can be described in sufficiently concrete terms. If these recipients are located abroad, it must also be clear from the list whether, in principle, the requirements for disclosure abroad are met. Therefore, according to letter g, the state must be indicated as well as the guarantees according to Article 13 paragraph 2.
The list in paragraph 2 makes it clear that the directory is a general description of the processing activity, from which the type and scope of processing results. On the other hand, the directory is not a journal of all data processing activities of the controller or the processor, in which individual actions are listed in the form of a protocol. The directory is therefore a written presentation of the essential information on all data processing activities of a data controller or processor. It thus allows significant conclusions to be drawn as to whether or not a data processing operation is designed to comply with data protection principles. In addition, the minimum information in the directory in paragraph 2 correlates in many respects with the information that the data subject must receive based on the duty to inform and the right to information.
Paragraph 3 contains an abbreviated list of minimum information to be provided by the processor. In particular, this must list the categories of processing carried out on behalf of each controller. The list of the commissioned processor shall also contain the identity of the controllers for whom it acts. Pursuant to paragraph 4, federal bodies shall report their directories to the Commissioner. The latter shall keep a register of the processing activities of the federal bodies in accordance with Article 50. This register is published. In principle, this will not result in any changes for federal bodies in relation to the previous law. This is because they already have to draw up processing regulations and register their data collection with the Commissioner.
Paragraph 5 gives the Federal Council the option of providing for exemptions from the obligation to keep a register for companies that employ fewer than 50 people. This serves in particular to relieve the burden on small and medium-sized enterprises. However, the Federal Council will not base this solely on the size of a company, but will also take into account the risks associated with data processing.

Art. 13 Certification

1 Manufacturers of data processing systems or programs and data controllers and processors may subject their systems, products and services to assessment by recognized independent certification bodies.

2 The Federal Council shall issue regulations on the recognition of certification procedures and the introduction of a data protection quality mark. In doing so, it shall take into account international law and internationally recognized technical standards.

Bot Art. 12 Certification (count. acc. to draft)

Article 12 of the e‑DSG governs the optional certification currently available in Article 11 DSG is regulated. In addition to data processing systems (procedures, organization) and products (programs, systems), it will also be possible to certify certain services in the future.
Certified data controllers are exempt from the obligation to conduct a data protection impact assessment (Art. 20 (5) E‑DSG).
The accreditation procedure for independent certification bodies by the Swiss accreditation body, with which the commissioner is also associated, remains unchanged. The commissioner would have preferred it if a certification requirement had been introduced for high-risk processing operations. The Federal Council has refrained from doing so because this is not a requirement of European law.

Section 2: Data Processing by Private Controllers with Seat or Residence Abroad

Art. 14 Representation

1 Private data controllers with their registered office or place of residence abroad shall designate a representative office in Switzerland if they process personal data of persons in Switzerland and the data processing meets the following requirements:

a. The processing is related to the offer of goods and services or the observation of the behavior of persons in Switzerland.

b. This is an extensive machining operation.

c. It is a regular processing.

d. Processing involves a high risk to the personality of the persons concerned.

2 The representation serves as a point of contact for the data subjects and the FDPIC.

3 The person responsible shall publish the name and address of the representative.

Art. 15 Duties of the representation

1 The Representation shall keep a register of the controller’s processing activities, which shall contain the information referred to in Article 12(2).

2 Upon request, it shall inform the FDPIC of the information contained in the directory.

3 Upon request, it shall provide the data subject with information on how to exercise his or her rights.
nn.

Section 3: Disclosure of personal data abroad

Art. 16 Principles

1 Personal data may be disclosed abroad if the Federal Council has established that the legislation of the state concerned or the international body guarantees adequate protection.

2 In the absence of a decision by the Federal Council in accordance with paragraph 1, personal data may be disclosed abroad if appropriate data protection is guaranteed by:

a. a treaty under international law;

b. Data protection clauses in a contract between the controller or processor and its contractual partner that have been notified in advance to the FDPIC;

c. specific guarantees drawn up by the competent federal body and communicated in advance to the FDPIC;

d. Standard data protection clauses that the FDPIC has previously approved, issued or acknowledged; or

e. binding internal company data protection regulations that have been approved in advance by the FDPIC or by an authority responsible for data protection in a state that ensures adequate protection.

3 The Federal Council may provide other suitable guarantees within the meaning of paragraph 2

Bot Art. 13 Principles (count. acc. to draft)

This provision meets the requirements of Article 12 E‑SEV 108, according to which data may in principle only be transferred abroad if an adequate level of data protection exists (paragraph 2). Article 12 (3) E‑SEV 108 defines the cases in which this requirement is met. The provision in Article 13 E‑DSG also aligns the law with that of the European Union (Art. 45 et seq. of the Regulation [EU] 2016/679).
The provisions on the disclosure of personal data abroad have been partially revised in light of the results of the consultation process. The principle according to which personal data may not be disclosed abroad if this would seriously endanger the personality of the persons concerned has been abolished, as it creates legal uncertainty with regard to the systematics of the regulation. The terminology regarding the disclosure of personal data abroad on the basis of appropriate safeguards is aligned with that of the Regulation (EU) 2016/679 adjusted. The exceptions in connection with the disclosure of personal data to a state whose legislation does not provide adequate data protection are also slightly relaxed. Finally, only the exceptions provided for by the E‑SEV 108 Maintain required duties to inform the commissioner and obtain the commissioner’s approval.
Par. 1 Determination by decision of the Federal Council
According to paragraph 1, data may be disclosed abroad if the Federal Council has determined that the legislation of the state concerned or the international body ensures adequate protection. This provision expressly confers on the Federal Council the responsibility to examine the adequacy of foreign legislation in the area of data protection.
The current situation is unsatisfactory because it is up to the owner of a data collection who wishes to disclose data to check whether the legislation of the state in question ensures adequate protection. If necessary, he must consult the Commissioner’s list of states that meet this requirement (Art. 7VDSG). In order to ensure uniform application of Article 13, the adequacy of foreign legislation will in future be examined by the Federal Council. In its examination, the Federal Council must not only examine whether the foreign state has legislation that materially meets the requirements of the E‑SEV 108 is sufficient, but also how this legislation is applied. The Federal Council may also examine whether the data protection guaranteed by an international body is adequate. The term “international body” refers to all international institutions, be they organizations or courts.
The result of this examination will be published in an ordinance of the Federal Council, which will be included in the Official Compilation. The future ordinance will specify that the Federal Council will periodically evaluate the situation and that the Commissioner will publish on his website a list of states or international bodies that, according to the Federal Council’s determination, ensure adequate data protection.
The ordinance is designed as a positive list and contains a list of those states that have legislation on the basis of which adequate protection is ensured. If a foreign state is not included in the ordinance of the Federal Council, this can have two reasons: Either the legislation of the state in question has not yet been examined, or the Federal Council has concluded that the state’s legislation does not meet the requirements of ensuring adequate protection. With the revision, the Federal Council’s determination becomes a legally binding criterion for those responsible for disclosing data abroad, whereas the previous list of the commissioner was merely intended as a tool to be made available to them. This solution serves legal certainty.
For its examination, the Federal Council can rely on the available sources, namely the evaluations carried out within the framework of Convention ETS 108 or by the European Union. It would also be conceivable to cooperate with foreign authorities and join their evaluation process.
If the Federal Council determines that the legislation of a state or an international body provides adequate protection, the free movement of personal data from Switzerland to that state or body is permitted both by private controllers and by federal bodies.
Par. 2 No decision of the Federal Council
If there is no decision by the Federal Council under paragraph 1, paragraph 2 provides that personal data may be disclosed abroad if appropriate data protection is guaranteed.
According to letter a, appropriate protection may be provided by an international treaty. By “international treaty” is meant not only an international data protection convention such as Convention ETS 108 and its Additional Protocol to which the recipient state is a party and whose requirements have been implemented by the contracting party in its domestic law, but also any other international treaty that provides for an exchange of data between the contracting parties and materially complies with the requirements of Convention ETS 108. This may also be an international treaty concluded by the Federal Council within the scope of Article 61 letter b E‑DSG.
Paragraph 2(b‑d) complies with the requirements of Article 12(3)(b) E‑SEV 108. This provides that an adequate level of data protection may be ensured by approved ad hoc and standardized safeguards based on legally binding and enforceable instruments agreed upon and implemented by the persons involved in the disclosure and further processing of the data. In Article 46 of the Regulation (EU) 2016/679 and in Article 37 of the Directive (EU) 2016/680 corresponding regulations are provided for.
Bst. b Data protection clauses in a contract
According to paragraph 2 letter b, personal data may be disclosed abroad if the controller and the contracting party have agreed on data protection clauses in their contract. The term “data protection clauses” corresponds to the terminology of Article 46(3)(a) of the Regulation (EU) 2016/679. The clauses must be communicated in advance to the person in charge. As soon as the person responsible has complied with this obligation, the personal data may be disclosed abroad. If necessary, the commissioner must open an investigation to determine whether the clauses meet the requirements. As is already the case today, it is up to the controller to demonstrate that it has taken all necessary measures to ensure that adequate protection exists and that the recipient complies with the contractual data protection clauses. In contrast to the standard data protection clauses (see point d), the data protection clauses in a contract only apply to the disclosure provided for in the relevant contract.
Let. c Specific guarantees
In the public sector, a federal body that grants a foreign state a commitment to cooperate may link the commitment to specific guarantees in the area of data protection. These may, for example, be corresponding agreements with the foreign state body in question. The federal organ must notify them to the Commissioner in advance. As soon as the officer has complied with this obligation, the personal data may be disclosed abroad.
Letter d Standard data protection clauses
According to paragraph 2 letter d, data may be disclosed abroad based on standard data protection clauses. The provision adopts the terminology of Article 46(2)(c) and (d) of the Regulation (EU) 2016/679. Standard clauses may be developed by private parties, interested parties, or federal bodies, or issued or recognized by the Commissioner. Federal bodies may also use these types of safeguards. For example, the term “standard privacy clause” refers to standardized contractual clauses that are inserted into the contract between the controller and the recipient. It may also refer to a code of conduct drawn up by private parties, to which private parties may voluntarily subscribe.
In the first case, the standard data protection clauses must be approved in advance by the commissioner. This condition represents a change from the current law, according to which the commissioner only has to be informed ( Art. 6 para. 3 DSG), constitutes a tightening. It corresponds to the requirement of Article 12(2)(b) E‑SEV 108. The Controller may not disclose any data abroad based on the standard data protection clauses until it has received from the Commissioner an appropriate appealable order (Art. 5 VwVG”>Art. 5 VwVG) has been received. During the duration of the procedure, he may rely on Article 13(2)(b) or (c). The time limit within which the responsible party must issue an order is governed by the Ordinance on Ordinary Time Limits of 25 May 2011 (OrFV). According to Article 4 OrFV, the period within which an authority issues its decision depends on the complexity of the decision, with a maximum period of three months. In the second case, the responsible party can also make use of standard data protection clauses issued or recognized by the commissioner, such as model contracts.
If a controller decides to disclose data abroad on the basis of standard data protection clauses within the meaning of paragraph 2 letter d, it shall be presumed that it has taken all necessary measures to ensure adequate protection. However, this presumption does not exempt him from liability for any disadvantages that may result from a breach of these clauses, in particular by the recipient of the data. The future regulation should therefore provide for the duty of the Commissioner to publish a list of the standard data protection clauses issued or recognized, as is otherwise provided for in the current law (Art. 6(3) DDPA).
Bst. e Binding corporate data protection regulations
According to paragraph 2 letter e, the disclosure of data abroad may also be based on binding internal company data protection regulations that have been approved in advance by the Commissioner or by a foreign authority responsible for data protection. This provision replaces Article 6(2)(g) DPA. Paragraph 2 letter e approximates the law of the European Union, which is set forth in Article 47 of the Regulation (EU) 2016/679 provides that data may be transferred between members of a corporate group based on binding internal data protection rules approved in advance by the data protection supervisory authority. The approval of binding corporate internal rules is provided for in Article 57(1)(s) of the Regulation (EU) 2016/679 noted. Paragraph 2(e) represents a tightening of the current law in that the binding corporate data protection rules must be newly approved. The controller may not disclose any data abroad on the basis of the binding corporate data protection rules until it has received an appealable order from the Commissioner. Art. 5 VwVG”>Art. 5 VwVG) has been received. During the duration of the proceedings, he may rely on Article 13(2)(b) or (c).
In order to take into account the needs of groups of companies that span several countries, paragraph 2(e) provides that a company established in Switzerland that is part of such a group may also comply with binding data protection rules that have been approved by a foreign authority that is competent for data protection and that belongs to a state that ensures adequate protection.
The instruments mentioned in paragraph 2 letter e must be “mandatory” in the sense that all companies belonging to the same group of companies must comply with and apply the rules. These standards shall specify at least the data disclosure in question, the categories of data disclosed, the purpose of the processing, the categories of data subjects and the recipient countries. Furthermore, the norms must regulate the rights of the data subjects and also contain information on the mechanisms that have been set up within the group of companies to check their compliance. If necessary, the Federal Council may define criteria in the implementing ordinance that the binding corporate group standards must meet.
Par. 3 Legislative delegation
In this provision, the Federal Council is authorized to provide for other suitable guarantees in accordance with paragraph 2. This is because it cannot be ruled out that other systems will be developed, such as self-certification schemes based on the model of the Swiss-US P
rivacy Shield (see Art. 46(2)(f) of the Regulation [EU] 2016/679).

Art. 17 Exceptions

1 By way of derogation from Article 16 paragraphs 1 and 2, personal data may be disclosed abroad in the following cases:

a. The data subject has expressly consented to the disclosure;

b. The disclosure is directly related to the conclusion or execution of a contract:

1. between the person responsible and the data subject, or

2. between the data controller and its contractual partner in the interest of the data subject.

c. Disclosure is necessary for:

1. the protection of an overriding public interest, or

2. the establishment, exercise or enforcement of legal claims before a court or other competent foreign authority.

d. The disclosure is necessary to protect the life or physical integrity of the data subject or a third party and it is not possible to obtain the data subject’s consent within a reasonable time.

e. The data subject has made the data generally accessible and has not expressly prohibited processing.

f. The data originate from a register provided for by law, which is accessible to the public or to persons with an interest worthy of protection, insofar as the legal requirements for inspection are met in the individual case.

2 The controller or the processor shall inform the FDPIC upon request of the disclosure of personal data pursuant to paragraph 1 letters b) 2, c) and d).

Bot Art. 14 Exceptions (count. acc. to draft)

Para. 1
In accordance with the applicable law (Art. 6 para. 2 DSG), Article 14 (1) E‑DSG regulates the cases in which data can be disclosed abroad even though adequate protection is lacking abroad. It essentially corresponds to Article 12(4) E‑SEV 108 and Article 49 of the Regulation (EU) 2016/679. The Directive (EU) 2016/680 contains a corresponding provision in Article 38.
Letter a corresponds to Article 6(2)(b) DPA, with the express consent of the data subject and the deletion of the expression “in individual cases”. The explicit consent is a requirement of the E‑SEV 108 (Art. 12 para. 4 let. a). In this regard, reference can be made to the explanations on Article 5 (6) E‑DSG. In particular, the data subject must know the name of the third country (Art. 17(4) E‑DSG) and be informed of the risks of disclosure in connection with the level of data protection in the foreign state. As far as the expression “in individual cases” is concerned, the Federal Council is of the opinion that it can be deleted. As can be seen from Article 5(6) of the e‑DSG, the data subject consents to one or more specific processing operations. The specification “in individual cases” is therefore superfluous.
Letter b corresponds to Article 6(2)(c) FADP, subject to the proviso that personal data may be disclosed abroad if the disclosure is directly related to the conclusion or performance of a contract between the controller and the data subject or between the controller and its contractual partner in the interest of the data subject. Article 49(1) of the Regulation (EU) 2016/679 provides for an analogous provision.
Point (c)(1) corresponds to the first part of the sentence of Article 6(2)(d) DPA. The term “indispensable” is replaced by “necessary” in the introductory sentence, following the European legal acts. The existence of an overriding public interest must be demonstrated in the specific circumstances. A purely hypothetical interest is not sufficient. The “safeguarding of an overriding public interest” is understood to mean, for example, the internal security of Switzerland or a third country. Based on this provision, personal data may also be disclosed abroad for humanitarian reasons, for example, if the controller discloses it in order to assist in the search for persons who are missing in an area of conflict or in a region where a natural disaster has occurred.
Point (c)(2) corresponds to the second sentence of Article 6(2)(d) of the FADP, except that the phrase “before a court”, which is found to be too narrow, is replaced by “before a court or other competent foreign authority”.
Letter d specifies that disclosure is also permitted if it is necessary to protect the life or physical integrity of the data subject or a third party, insofar as it is not possible to obtain the data subject’s consent within a reasonable period. This may be the case because the person is physically unable to do so or because he or she cannot be reached by the usual means of communication.
Letter e corresponds to Article 6(2)(f) FADP.
Letter f is a new provision. It specifies that the requirement of adequate protection does not apply if the data to be disclosed abroad originate from a public register regulated by law and certain legal requirements are met. Article 49(1)(g) of the Regulation (EU) 2016/679 follows the same thrust: it provides that the disclosure of data from a register is permissible despite the lack of adequate protection if the register is intended to provide information to the public in accordance with the law of the European Union or the Member States and if certain legal requirements are met.
Para. 2
According to this provision, the Commissioner may request the Controller or the Processor to notify him of the disclosures of personal data made under paragraph 1(b)(2), (c) and (d). The provision complies with the requirements of Article 12(5) E‑SEV 108. The penultimate sentence of Article 49(1) of the Regulation (EU) 2016/679 goes further than this provision, since it provides that data controllers shall inform the supervisory authority of their own accord of the transfers of personal data made pursuant to Article 47.

Art. 18 Publication of personal data in electronic form

If personal data is made generally available for the purpose of informing the public by means of automated information and communication services, this shall not be deemed to be disclosure abroad, even if the data is accessible from abroad.

Bot Art. 15 Publication of personal data in electronic form (count. acc. to draft)

This provision takes over the content of Article 5 VDSG. It regulates the publication of personal data via the Internet or other information and communication services for the purpose of informing the public. Thus, it is possible to access information on the Internet with or without personal data abroad – even in countries that do not ensure adequate data protection. The publication of personal data on the Internet for the purpose of informing the public, as in the case of the media, for example, is not considered to be the disclosure of personal data abroad.

Chapter 3: Obligations of the controller and the processor

Art. 19 Duty to provide information when obtaining personal data

1 The controller shall inform the data subject appropriately about the acquisition of personal data; this duty to inform shall also apply if the data are not acquired from the data subject.

2 It shall notify the data subject when obtaining such information as is necessary to enable him or her to assert his or her rights under this Act and to ensure transparent data processing; at a minimum, it shall notify him or her:

a. the identity and contact details of the person responsible;

b. the purpose of processing;

c. if applicable, the recipients or categories of recipients to whom personal data are disclosed.

3 If the data are not obtained from the data subject, the data subject shall also be informed of the categories of personal data processed.

4 If the personal data are disclosed abroad, it shall also notify the data subject of the state or international body and, where applicable, of the guarantees in accordance with Article 16 paragraph 2 or the application of an exception in accordance with Article 17.

5 If the data are not obtained from the data subject, he shall inform him of the information in accordance with paragraphs 2 – 4 no later than one month after he has obtained the data. If the data controller discloses the personal data before the expiry of this period, he shall inform the data subject at the latest at the time of disclosure.

Bot Art. 17 Duty to provide information when obtaining personal data (count. acc. to draft)

Article 17 of the e‑DSG now regulates the duty to provide information when data is procured. Articles 14, 18 and 18a of the FADP are thus merged into one standard. This avoids duplication and provides a uniform regulation for data processing by federal bodies and private data controllers. The provision meets the requirements of Article 7E‑SEV 108 as well as Article 13 of the Directive (EU) 2016/680. Articles 13 f. of the Regulation (EU) 2016/679 contain a similar provision.
The obligation to provide information improves transparency in data processing, which is a central goal of the revision. This is because, as a rule, the data subject cannot recognize that data about him or her is being processed without the appropriate information. At the same time, the data subject can only exercise his or her rights under the FADP if he or she is aware that data is being processed. Improved transparency in data processing therefore also strengthens the rights of the data subject, which is also a central concern of the revision. Finally, the obligation to provide information serves to raise public awareness of data protection, which is also the aim of the revision.
Par. 1 Principle
According to paragraph 1, the data controller must inform the data subject about the procurement of personal data. This also applies if the data is not obtained from the data subject.
The e‑DSG does not specify how the information must be provided. However, the data controller must ensure that the data subject can actually take note of the information. What must be ensured is the possibility of obtaining information in an easily accessible manner, but not that the data subject actually obtains information in the specific case. This possibility to take note of information essentially depends on whether the data is obtained from the data subject or not.
Thus, general information may be sufficient if the personal data is obtained from the data subject (for general terms and conditions, see Art. 18(1)). In this case, a privacy statement on a website is conceivable, but also symbols or pictograms, if applicable, insofar as they reflect the necessary information. If a general form is chosen, the information must be easily accessible, complete and made sufficiently visible. Multi-level access is also possible, containing, for example, an overview on a first level, which gives access to detailed information on a second level. On the other hand, it is not sufficient if simply a contact person is given. The person concerned should receive the information without having to ask for it first.
If, on the other hand, the data are not obtained from the data subject, the controller must check how the information must be provided so that the data subject can actually take note of it. If necessary, it is not sufficient in this case to merely provide information, but the data subject must be actively informed, whether in a suitable general form or by individual information. For example, a person who never buys books is unlikely to visit the website of an online bookseller and read its privacy policy. Accordingly, she will not learn on the basis of this general statement that the online bookseller processes data about her, because she does not expect it at all. The information obligation is thus also intended to prevent data about the data subject from being processed without his or her knowledge, subject to the exceptions in Article 18.
Although the information is not subject to any formal requirement, a form should be chosen overall that meets the purpose of transparent data processing. For reasons of proof, it is also advisable to document the information or to provide it in writing. The information must also be written in a comprehensible manner so that it actually serves the purpose of transparent data processing.
Par. 2 Information to be communicated
The introductory sentence of paragraph 2 sets out the principle that must guide the controller when communicating information. Accordingly, the data controller must provide the data subject with the information necessary to exercise his or her rights under the law and to ensure transparent data processing. Letters a‑c specify this principle by means of minimum information that must be provided to the data subject in any case. According to letter a, this is the identity, i.e. the name, and the contact details of the data controller, and according to letter b, the purpose of the processing. If applicable, the recipients or categories of recipients to whom the personal data are disclosed must also be indicated in accordance with letter c. The data subject may choose whether or not to disclose the personal data. The controller has a choice as to whether to specify the recipients or only the categories of recipients. As is also the case in the European Union (cf. Art. 4 No. 9 of the Regulation [EU] 2016/679), order processors are also recipients within the meaning of the provision. However, if the controller does not want to disclose their identity, he can make do with specifying the category. The commissioned processor would have preferred if, in addition, the legal basis of the processing also had to be disclosed.
Due to the combination of a
The information obligation can be handled flexibly between the general provision, which contains the basic requirements for the information to be provided, and specific minimum information. Depending on the type of data processed, the nature and scope of the data processing in question, the controller may or may not need to provide more information. For example, it may also be necessary to inform about the duration of the processing, or the anonymization of data. This flexibility is necessary because the FADP applies to a variety of different data processing operations. At the same time, a flexible regulation ensures that data controllers do not have to provide unnecessary information and that data subjects only receive necessary information. Likewise, this allows data controllers to specify the information obligation for their specific industry in codes of conduct.
Par. 3 Categories of personal data
Only if the data are not obtained from the data subject, paragraph 3 also requires the controller to inform the data subject of the categories of personal data it processes. This restriction results from the assumption that the data subject should at least be aware of the categories of data or even the data if they are obtained from him. If the data are not obtained from the data subject, the data subject has no way of knowing what categories of data are being processed about him or her and must therefore be informed accordingly.
Par. 4 Disclosure abroad
If the personal data are disclosed abroad, the controller must also inform the data subject about the state to which the data are transferred. If this state does not ensure adequate protection and the controller has recourse to guarantees pursuant to Article 13(2), he must also inform the data subject of these guarantees. The same applies if the disclosure is made on the basis of an exception under Article 14.
Par. 5 Time of information
If the data is obtained from the data subject, he or she must be informed at this time. This follows from paragraph 2.
Paragraph 5 regulates the timing of the information if the data is not obtained from the data subject. The provision sets a maximum period of one month within which the information must be provided. Sentence 2 contains a shorter period in the event that the controller discloses the personal data to recipients before the expiration of this one-month period. In this case, the data subject must be informed at the latest at the time of disclosure.
In summary, a basic deadline of one month applies after the data controller has received the data. This period applies regardless of what the personal data is used for. A shorter period applies only if the controller discloses the personal data to recipients.

Art. 20 Exceptions to the obligation to provide information and restrictions

1 The obligation to provide information in accordance with Article 19 shall not apply if one of the following conditions is met:

a. The data subject already has the relevant information.

b. The processing is provided by law.

c. The person responsible is a private person who is legally bound to secrecy.

d. The requirements under Article 27 are met.

2 If the personal data are not obtained from the data subject, the duty to provide information is also waived if one of the following conditions is met:

a. The information is not possible.

b. The information requires a disproportionate effort.

3 The responsible party may limit, defer or waive the communication of the information in the following cases:

a. Overriding interests of third parties require the measure.

b. The information defeats the purpose of the processing.

c. The responsible person is a private person and the following requirements are met:

1. overriding interests of the person responsible require the measure,

2. the person responsible does not disclose the personal data to third parties

d. The responsible party is a federal entity and one of the following conditions is met:

1. the measure is necessary because of overriding public interests, in particular the internal or external security of Switzerland.

2. communication of the information may jeopardize an investigation, inquiry, or administrative or judicial proceeding.

4 Companies belonging to the same group shall not be deemed to be third parties within the meaning of paragraph 3 letter c number 2.

Bot Art. 18 Exceptions to the obligation to provide information and restrictions (count. acc. to draft)

Article 18 E‑DSG regulates under which circumstances the duty to provide information does not apply at all (paras. 1 and 2), and when the information can be restricted, although the duty to provide information exists in principle (para. 3). The two constellations must be clearly distinguished from each other. The provision thereby partially adopts existing law (Art. 9, Art. 14 Para. 4 and 5, as well as 18b FADP), which is merged into one provision for the sake of clarity.
Par. 1 General exemptions from the obligation to provide information
Paragraph 1 specifies some constellations in which the information obligation does not apply at all and the controller therefore does not have to inform the data subject at all. According to letter a, the controller is exempt from the information obligation if the data subject already has the information pursuant to Article 17. This can be assumed in various cases. First of all, it is possible that the data subject has already been informed at an earlier point in time and that the information which must be communicated has not changed in the meantime. In principle, it must also be assumed that the data subject has already received the information in order to consent to data processing. This is because valid consent is only possible if the data subject has been adequately informed. The information required for this corresponds to or even exceeds that which must be provided under Article 17. As a rule, consent is given by means of general terms and conditions (GTC). These can thus in principle also serve to inform the data subject, insofar as they contain the necessary information. If the data subject has made the data accessible himself/herself without the assistance of the data controller, he/she shall also be deemed to have been informed about the data collection (e.g. delivery of application documents).
Pursuant to letter b, the obligation to provide information does not apply if the processing is provided for by law. This may include processing by both federal bodies and private individuals. In any case, federal bodies can only process data if there is a legal basis for doing so. The corresponding information can regularly be taken from this. The same applies to private parties who are obliged by law to process certain data, as is the case, for example, with regard to money laundering.
According to letter c, the private responsible party is released from the duty to provide information if it is subject to a statutory duty of confidentiality. This regulates a possible conflict of norms to the effect that, in principle, the duty of confidentiality takes precedence over the duty to provide information.
Finally, according to letter d, the duty to provide information does not apply if the requirements of Article 25 are met. This article regulates the restriction of the right to information with regard to periodically published media. For the same reasons, an analogous media privilege is also necessary for the duty to provide information in order to do sufficient justice to the special function of the media.
Par. 2 Specific restriction
Paragraph 2 provides for a specific restriction of the duty to inform in cases where data are not obtained from the data subject. The duty to inform the data subject does not apply if the information is not possible (subparagraph a) or requires disproportionate effort (subparagraph b).
The information is not possible if the person concerned cannot be identified at all, e.g. because the photo is of a stranger. However, it is not sufficient to merely assume that identification is impossible. Rather, investigations of a proportionate scope are required. The effort required to inform the data subject is disproportionate if the effort to be expended does not appear objectively justified in relation to the information gained by the data subject. In particular, it must be taken into account whether a very large number of persons are affected. For example, the information may involve a disproportionate effort if personal data is processed exclusively for archiving purposes in the public interest. It would regularly involve an extremely high effort to inform all data subjects, and their interest in the information is often likely to be limited, e.g. because the data in question is very old.
This exception must be interpreted narrowly. The responsible party may not be content with the assumption that the information is impossible or can only be provided with disproportionate effort. Rather, he must in principle take all measures that can be expected of him under the given circumstances in order to comply with the duty to inform. Only if these measures are unsuccessful may the responsible party assume that the information is impossible.
Par. 3 Restriction of information
Paragraph 3 specifies the conditions under which the controller may waive, limit or postpone the communication of information. In contrast to paragraphs 1 and 2, paragraph 3 thus covers constellations in which a balancing of interests takes place. In some cases, a distinction is made as to whether the person responsible is a federal body or a private person. Based on the balancing of interests, the responsible party must structure the information accordingly, i.e. depending on the case, it must restrict, postpone or completely waive its communication. The list of the various exceptions is exhaustive and the provision must be interpreted restrictively in principle. Information should be restricted only to the extent that it is really indispensable. The reason for the restriction of the duty to provide information and the interest in transparent data processing must be considered in relation to each other. In principle, the most favorable solution for the data subject should be chosen, which ensures transparent data processing as far as possible under the given circumstances.
Let. a
According to letter a, each data controller may restrict, postpone or waive the communication of information if this is necessary due to the overriding interests of third parties. The focus here is on constellations in which the data subject also receives information about third parties as a result of the information about the data processing and the interests of these third parties may be affected as a result.
Let. b
Pursuant to letter b, any data controller may limit, postpone or waive the communication of the information if the information frustrates the purpose of the data processing. This exception must be interpreted narrowly. The controller may only invoke it if the information completely precludes the data subject from simultaneously achieving the purpose of the processing. If several purposes are pursued with a processing, the central purpose is decisive. This must be a purpose that is of considerable importance and justifies such a far-reaching restriction of the duty to provide information. One can think, for example, of investigative journalism, which does not fall under the exception in Article 18(1)(d) E‑DSG. For example, a journalist working on uncovering a political scandal for a documentary film could be prevented by the duty to inform from investigating the facts in question without interference. There is also a considerable public interest in such activity, which justifies a far-reaching restriction of the duty to inform. It is also conceivable that data is processed in direct connection with proceedings with a high amount in dispute, which is only to be used in the course of the proceedings. In this case, too, the early disclosure of the data would completely frustrate the purpose of the processing. In addition, this is a processing that represents an individual case for both the data controller and the data subject, because it can be assumed that both are not involved in such legal proceedings on a daily basis. In both examples, there is a weighty interest in the data processing and the danger that the purpose of the processing will be completely thwarted by the information obligation is immediate and concrete. Finally, in both cases, the data subject learns about the data processing at the latest at the time of publication of the data in question or its use in the court proceedings.
In accordance with the systematic classification in paragraph 3, the duty to provide information remains in principle. The controller may only restrict, postpone or waive the information to the extent that it directly frustrates the purpose of the processing. In doing so, the controller must take the measure that is the mildest from the perspective of the data subject and restricts his or her right to transparent data processing as little as possible with regard to the reasons for restricting the information.
Finally, the exception under letter b must be distinguished from that under letter c. Letter b must be interpreted narrowly and can only be applied where informing the data subject would completely frustrate the purpose of the processing. On the other hand, the controller cannot invoke letter b if it would merely be more convenient or practical for him to dispense with the information. Likewise, a controller could not systematically invoke the exception for its entire processing activity. Finally, purely economic interests (e.g. use of the data for advertising purposes) do not generally fall within the scope of letter b. If necessary, such less weighty interests of the controller may, however, fall under letter c.
Let. c
Pursuant to paragraph 3, letter c, the private controller may limit, postpone or waive the communication of information if its own overriding interests so require and it does not disclose the data to third parties. Such an overriding interest is not to be assumed lightly. The interest of the data subject to be informed about a certain data processing in order to be able to assert his or her rights must be carefully weighed against any interests of the controller. The type of data processed and the manner in which it is processed may be of importance, as well as the risk of a violation of privacy, the purpose of the data processing and the nature of the data.
The purpose of the data collection and processing is to determine the purpose of the data collection and processing, the extent to which the information of the data subject may conflict with this purpose, and the significance of this purpose with regard to the activities of the data controller.
Let. d
In accordance with paragraph 3, letter d, a federal body may restrict, defer or waive notification if this is necessary because of overriding public interests (para. 1). An overriding public interest is deemed to be, in particular, the internal or external security of the Confederation. The concept of external security includes, in addition to the observance of obligations under international law, the maintenance of good relations with other countries. The federal body may also restrict, postpone or waive notification if this could jeopardize investigations, inquiries or official or judicial proceedings (para. 2). This is to ensure that the provisions on the right to be heard etc. under the procedural laws cannot be circumvented via the detour of the FADP.

Art. 21 Duty to provide information in the case of automated individual decision-making

1 The controller shall inform the data subject of a decision which is based exclusively on automated processing and which involves a legal consequence for him or her or significantly affects him or her (automated individual decision).

2 It shall give the data subject the opportunity to state his or her position on request. The data subject may request that the automated individual decision be reviewed by a natural person.

3 Paragraphs 1 and 2 do not apply if:

a. the automated individual decision is directly related to the conclusion or performance of a contract between the controller and the data subject and the data subject’s request is granted; or

b. the data subject has expressly consented to the decision being automated.

4 If the automated individual decision is taken by a federal body, it must mark the decision accordingly. Paragraph 2 is not applicable if the person concerned does not have to be heard before the decision is taken in accordance with Article 30 paragraph 2 of the Administrative Procedure Act of 20 December 1968 (VwVG) or in accordance with another federal act.

Bot Art. 19 Duty to provide information in the case of an automated individual decision (count. as per draft).

According to Article 19 of the e‑DSG, there is an obligation to provide information in the case of an automated individual decision. This corresponds to the requirements of Article 8(a) E‑SEV 108 as well as Article 11 of the Directive (EU) 2016/680. Article 22 of the Regulation (EU) 2016/679 contains a similar provision. The introduction of this new term occurs because, due to technological development, such decisions will occur more and more frequently.
Par. 1 Information
According to paragraph 1, the controller must inform the data subject of a decision based solely on automated processing, including profiling, which involves a legal consequence for the data subject or significantly affects him or her.
If necessary, the Federal Council will specify in the ordinance when a decision exists that is based exclusively on automated processing. This is the case when no substantive assessment and decision based on it has taken place by a natural person. In other words, the substantive assessment of the facts on which the decision is based was made without the intervention of a natural person. Furthermore, the decision that is made on the basis of this assessment of the facts is also not made by a natural person. An automated individual decision can exist even if it is subsequently communicated by a natural person if the natural person can no longer influence the automatically made decision. The decisive factor is therefore the extent to which a natural person can carry out an examination of the content and, based on this, make the final decision. However, it is necessary that the decision has a certain complexity. Pure if-then decisions are not covered by the term, as is the case, for example, with an ATM withdrawal (requested amount of money is spent if there is sufficient coverage in the account).
The data subject does not have to be informed about every automated individual decision. Rather, this is only required if the decision involves a legal consequence for the data subject or significantly affects him or her. The decision is associated with a legal consequence if it entails direct, legally foreseen consequences for the data subject. In the area of private law, this is the case when a contract is concluded or terminated. Here, a differentiated consideration is necessary. For example, the conclusion of an insurance contract has a legal consequence for the person concerned. If, on the other hand, the person concerned is subsequently sent a premium invoice at regular intervals, each individual premium invoice is not in itself a further individual decision with a legal consequence, because the invoicing results from the conclusion of the contract. It is also not associated with a legal consequence if no contract is concluded with the person concerned. In the area of public law, a legal consequence exists in particular if decisions are made on the basis of an automated individual decision, e.g. an automated tax assessment.
A significant impairment of the person concerned is assumed if he or she is restricted in a lasting way, e.g. in his or her economic or personal interests. Mere harassment is not sufficient for this. The concrete circumstances of the individual case are decisive. In particular, it must be taken into account how important the good in question is for the person concerned, how lasting the effects of the decision are and whether alternatives are available. Depending on the specific effects, a failure to conclude a contract may or may not therefore constitute a significant impairment. A significant impairment may also exist if medical services are allocated on the basis of automated decisions.
The controller must also inform the data subject about profiling if it leads to a decision that has a legal consequence for the data subject or significantly affects him or her. For example, it is possible that the data subject may not be able to enter into a credit card agreement solely on the basis of a negative credit score. This example in particular also highlights the problem of automated individual decisions. A negative credit score may well reflect the actual financial circumstances of a person. However, it is equally possible that this credit scoring is based on incorrect or outdated data that completely contradicts the actual financial circumstances of the person concerned. In this case, the automated decision results in unjustified impairment for them.
Par. 2 Presentation of the position
The data controller must give the data subject in accordance with paragraph 2 the opportunity to state his or her point of view if he or she so requests. In particular, he or she shall be given the opportunity to express his or her view on the outcome of the decision and, if necessary, to ask how the decision was reached. This is intended, among other things, to prevent data processing from being based on incomplete, outdated or inaccurate data. This is also in the interest of the data controller, because inaccurate automated individual decisions can also have negative consequences for him, for example by not concluding a contract with a person because he was wrongly classified as not creditworthy. This does not affect the freedom of contract.
The law does not specify when the data subject must be informed and when he or she is given the opportunity to state his or her position. Accordingly, this can take place before or after the decision. Thus, information and consultation is also possible, for example, by sending the data subject an automated decision that is marked accordingly and then giving him or her the opportunity to express his or her views within the framework of the legal hearing or by filing an appeal. However, this must not be associated with such high costs for the data subject (e.g. procedural costs) that he or she refrains from doing so.
Par. 3 Exceptions
According to paragraph 3, the obligation to provide information and to be heard does not apply if the automated individual decision is directly related to the conclusion or performance of a contract between the data subject and the controller, insofar as the data subject’s request is granted (subparagraph a). In such a case, it shall be assumed that the data subject no longer has an interest in the information. The data subject’s request will be granted if the contract is concluded exactly on the terms that were presented in the offer, for example, or that the data subject requested. For example, their request will be granted if a leasing contract is concluded at the interest rate stated in the offer; this is not the case if the leasing contract is concluded but at a less favorable interest rate than stated in the offer due to the data subject’s poor credit rating. The decisive factor is whether the requests of the person concerned have been granted in their entirety. It is not sufficient if this is the case only with regard to individual elements.
The obligation to provide information and to be heard also does not apply if the data subject has expressly consented to a decision being made automatically (subparagraph b). This exception is logical because the data subject must already be informed in order to give valid consent.
Par. 4 Individual decisions by federal bodies
Paragraph 4 concerns automated individual decisions issued by a federal body. In principle, these are orders. According to paragraph 4, the federal body must label them as automated individual decisions so that the data subject can recognize that the decision was not processed by a natural person. In principle, the data subject has a right of appeal against rulings, in which the data subject can state his or her position and a natural person reviews the decision. In other words, the rights under Article 19(2) of the e‑Data Act are already guaranteed by the legal process. Therefore, sentence 2 of the provision provides that paragraph 2 of Article 19 does not apply if the data subject can take legal recourse.

Art. 22 Data protection impact assessment

1 The controller shall prepare a data protection impact assessment in advance if a processing operation may entail a high risk to the personality or fundamental rights of the data subject. If several similar processing operations are planned, a joint assessment may be prepared.

2 The high risk results, in particular when new technologies are used, from the type, scope, circumstances and purpose of the processing. It is present in particular:

a. in the case of extensive processing of personal data requiring special protection;

b. when extensive public areas are systematically monitored.

3 The data protection impact assessment shall contain a description of the planned processing, an assessment of the risks to the personality or fundamental rights of the data subject and the measures to protect the personality and fundamental rights.

4 Private controllers are exempt from preparing a data protection impact assessment if they are required by law to process the data.

5 The private controller may waive the requirement to prepare a data protection impact assessment if it uses a system, product or service that is certified for its intended use under Article 13 or if it complies with a code of conduct under Article 11 that meets the following requirements:

a. The Code of Conduct is based on a data protection impact assessment.

b. It provides for measures to protect the personality and fundamental rights of the person concerned.

c. It was submitted to the FDPIC.

Bot Art. 20 Data protection impact assessment (count. acc. to draft)

Article 20 E‑DSG introduces a new obligation to prepare a data protection impact assessment. This provision implements the requirements of Article 8(2) E‑SEV 108 and of Article 27 f. of the Directive (EU) 2016/680. Articles 35 f. of the Regulation (EU) 2016/679 contain similar provisions.
The term and function of the data protection impact assessment are derived from Article 20(3). A data protection impact assessment is a tool to identify and evaluate risks that may arise for the data subject from the use of certain data processing activities. Based on this assessment, appropriate measures should be defined, if necessary, to manage these risks for the data subject. Such an assessment is therefore also beneficial for the data controller, because it allows him to address any data protection problems preventively and, not least, to save costs as a result.
The federal bodies are already obliged to notify the data protection officer or, if there is no such officer, the commissioner of projects involving the automated processing of data (Art. 20 Para. 2 VDSG). The procedure according to the Hermes project management method should largely correspond to the requirements of a data protection impact assessment.
Paras. 1 and 2 Reasons for the data protection impact assessment
According to paragraph 1, the controller must conduct a data protection impact assessment if the intended data processing is likely to result in a high risk to the personality or fundamental rights of the data subject. This provision applies to both private data controllers and federal bodies, which is why it refers not only to a risk to the personality of the data subject, but also to his or her fundamental rights. Accordingly, the controller is obliged to make a prognosis as to what consequences a planned data processing will have for the data subject. The decisive factor here is, in particular, in what way and to what extent processing will affect the personality or fundamental rights of the data subject.
In concretizing this risk, the right to informational self-determination and the right to privacy are in the foreground. These protect both the autonomy of the individual and his or her dignity and id
entity. With regard to data, autonomy means in particular being able to dispose of personal data independently and not having to assume that it is in unknown quantities in the hands of a large number of third parties who can dispose of it without restriction. This is because data is closely linked to a person’s identity. Anyone who has data about a person and links them together can obtain a very intimate and comprehensive picture of a person, which he or she would perhaps voluntarily disclose only to particularly close people. This is not only problematic in terms of freedom of disposal. Rather, information about another person can influence his or her relationships with the environment in many ways, possibly without the person concerned knowing the reasons (e.g. stigmatization because of an illness, restrictions on concluding contracts because of a credit rating, etc.). The data subject may also feel compelled to change his or her behavior, for example, because he or she knows that his or her behavior is being monitored. Finally, such information can also invite abuse, which can have a sensitive impact on the dignity of the individual.
To evaluate the risk, informational self-determination and the right to privacy must be related to the data processing in question. In other words, the processing must be considered with regard to the self-determination, identity and dignity of a data subject. In principle, a high risk must be assumed if the specific characteristics of the planned data processing suggest that the data subject’s freedom of disposal over his or her data will or may be restricted to a high degree. The high risk may arise, for example, from the type of data processed or its content (e.g. data requiring special protection), the type and purpose of the data processing (e.g. profiling), the amount of data processed, the transfer to third countries (e.g. if foreign legislation does not ensure adequate protection) or if a large or even unlimited number of persons can access the data.
Paragraph 2 further specifies this and states that the high risk results from the type, scope, circumstances and purpose of the processing. The more extensive the processing, the more sensitive the processed data, the more extensive the purpose of the processing, the more likely a high risk is to be assumed. By way of example, the provision lists two cases in which a high risk exists. According to letter a, such a risk exists if particularly sensitive personal data is processed in an extensive form, as may be the case in medical research projects, for example. According to letter b, there is also a high risk in the case of profiling. The same may apply in the case of decisions based exclusively on automated processing, including profiling, which entail a legal consequence for the data subject or significantly affect him or her. Where applicable, such decisions may be associated with significant consequences for the data subject. In such cases, a data protection impact assessment is also required. Finally, according to letter c, there is a high risk if extensive public areas are systematically monitored. For example, the monitoring of a train station concourse comes to mind.
Sentence 2 of paragraph 1 allows the person responsible to make a joint estimate if he plans several similar processing operations. This refers in particular to processing operations that have an overarching common purpose. Accordingly, individual processing steps of a processing platform do not have to be examined separately, but the data protection impact assessment can cover the entire processing platform.
Par. 3 Content of the data protection impact assessment
According to paragraph 3, the data protection impact assessment must first set out the planned processing. For example, the various processing operations (e.g. the technology used), the purpose of the processing or the retention period must be listed. Furthermore, according to paragraph 3, it must be shown what risks to the personality or fundamental rights of the data subject the processing operations in question may entail. This is a deepening of the risk assessment, which must already be carried out with regard to the necessity of a data protection impact assessment. It must be shown in which respect the data processing in question poses a high risk to the personality or fundamental rights of the data subject and how this risk is to be assessed. Finally, the data protection impact assessment in accordance with paragraph 3 must explain which measures are to be used to manage these risks. The principles set out in Article 5 of the Data Protection Act are particularly relevant here, but the obligation to protect data by technology and by data protection-friendly default settings (privacy by design/by default; Article 6 of the Data Protection Act) may also be relevant. These measures may also involve a balancing of the interests of the data subject and those of the controller. This balancing of interests must also be listed in the data protection impact assessment and justified accordingly.
Par. 4 Exceptions for legal obligations
According to paragraph 4, private controllers processing data in fulfillment of a legal obligation do not have to prepare a data protection impact assessment. This includes, for example, the processing of data to combat terrorism or money laundering. If data is processed solely for such purposes on the basis of a legal obligation, it must be assumed that the legislator has weighed up any risks for the data subject in comparison to the purpose of the processing and, if necessary, issued appropriate regulations.
However, paragraph 4 does not cover processing by private individuals that is not carried out exclusively to fulfill a legal obligation. In this case, a data protection impact assessment must be prepared.
Par. 5 Exceptions
Private controllers may refrain from preparing a data protection impact assessment if they have undergone certification pursuant to Article 12. The certification must cover the processing in question, which would have to be assessed by means of the data protection impact assessment. The Commissioner would have preferred that the exemption be limited to certification only.
In addition, they may waive this if they comply with a code of conduct that fulfills the requirements of paragraph 5 letters a‑c. This is a code of conduct pursuant to Article 10, which must be based on a data protection impact assessment in which the processing in question has been examined (subpara. a). The code of conduct must provide for measures to protect the personality or fundamental rights of the data subject (subparagraph b). In addition, the code of conduct must have been submitted to the commissioner (subparagraph c). For example, it is conceivable that a professional organization for lawyers has a platform developed for the management of client data, carries out a data protection impact assessment for this and develops a code of conduct based on the result of this assessment. If a private controller now complies with this code when using the platform, it is exempt from preparing a data protection impact assessment.
The Commissioner would have preferred that this exception be limited to the case of certification.

Art. 23 Consultation of the FDPIC

1 If the data protection impact assessment shows that the planned processing still entails a high risk to the personality or fundamental rights of the data subject despite the measures envisaged by the controller, the controller shall obtain the opinion of the FDPIC in advance.

2 The FDPIC shall notify the data controller of his objections to the planned processing within two months. This period may be extended by one month if the data processing is complex.

3 If the FDPIC has objections to the planned processing, he shall propose appropriate measures to the person responsible.

4 The private controller may refrain from consulting the FDPIC if it has consulted the data protection advisor pursuant to Article 10.

Bot Art. 21 Consultation of the commissioner (count. acc. to draft)

In contrast to the consultation draft, the notification of the result of a data protection impact assessment to the Commissioner is regulated in a separate provision in the e‑DSG.
Par. 1 Duty to consult
Pursuant to paragraph 1, the controller must obtain the opinion of the Commissioner in advance if the data protection impact assessment shows that the planned processing would result in a high risk to the personality or fundamental rights of the data subject if the controller did not take measures. This consultation shall be carried out by the E‑SEV 108 not prescribed, but it complies with European regulations (Art. 28 of Directive [EU] 2016/680 and Art. 36 of the Regulation [EU] 2016/679). It is included in the e‑DSG by name because it allows the officer to act preventively and in an advisory capacity. Last but not least, this is also more efficient for the controller, as possible data protection difficulties can be resolved at an early stage of data processing.
Par. 2 and 3 Objections of the commissioner
Pursuant to paragraph 2, the commissioner has two months to notify the person responsible of his or her objections to the planned processing. In particularly complex cases, this period may be extended by one month. If the responsible party does not receive any message from the commissioner within the two-month period, he can basically assume that the commissioner has no objections to the proposed measures.
After being notified of a data protection impact assessment, the officer checks whether the proposed measures are sufficient to protect the fundamental rights and personality of the data subject. If he concludes that the planned processing in the proposed form would violate data protection regulations, he proposes appropriate measures to the controller to mitigate the identified risks.
The data protection officer is nevertheless free to open an investigation at a later point in time if the requirements under Article 43 e‑DSG are met. This may be the case, in particular, if the risks were not correctly assessed as part of the data protection impact assessment and, accordingly, the measures in question also prove to be inaccurate or insufficient.
Par. 4 Consultation of the data protection advisor
The private controller may refrain from consulting the Commissioner if it has appointed a data protection advisor pursuant to Article 9 of the e‑DSG and has consulted the advisor with regard to the data protection impact assessment. The data protection advisor must have actually dealt with the data protection impact assessment. This means that it is not sufficient for the privilege that the controller merely appoints a data protection advisor. Rather, the latter must be actively involved in the development of the data protection impact assessment. In particular, he or she must review the risk assessment and the proposed measures to address these risks. The provision is intended to relieve companies and at the same time give them an incentive to appoint a data protection advisor.
Such an exception was discussed at the European level, but was ultimately rejected in the Regulation (EU) 2016/679 not provided for. It seems sensible to the Federal Council to provide for more far-reaching simplifications on this point, in particular to reduce the administrative burden. The Commissioner would have preferred that this provision had not been included in the draft.

Art. 24 Notification of data security breaches

1 The controller shall notify the FDPIC as soon as possible of a data breach that is likely to result in a high risk to the personality or fundamental rights of the data subject.

2 In the notification, it shall state at least the nature of the data security breach, its consequences and the measures taken or planned.

3 The Order Processor shall report a data security breach to the Responsible Party as soon as possible.

4 The controller shall inform the data subject if it is necessary for his or her protection or if the FDPIC so requests.

5 It may restrict, postpone or waive the provision of information to the data subject if:

a. there is a reason under Article 26(1)(b) or (2)(b) or a statutory duty of confidentiality prohibits this;

b. the information is impossible or requires a disproportionate effort; or

c. the information of the person concerned is ensured by a public announcement in a comparable manner.

6 A report made on the basis of this article may be used in criminal proceedings against the person required to make the report only with that person’s consent.

Bot Art. 22 Notification of data security breaches (count. acc. to draft)

Article 22 E‑DSG introduces the obligation to report data security breaches. This provision implements the requirements of Article 7(2) E‑SEV 108 as well as Article 30 f. of the Directive (EU) 2016/680. Articles 33 f. of the Regulation (EU) 2016/679 contain a similar provision.
Par. 1 Term and principle
According to paragraph 1, the data controller shall notify the data protection commissioner as soon as possible of a data breach that is likely to result in a high risk to the personality or fundamental rights of the data subject. This provision applies to both private data controllers and federal bodies, which is why it refers not only to a risk to the personality of the data subject, but also to his or her fundamental rights.
The breach of data security is defined in Article 4 letter g E‑DSG. According to this, it is a breach of security which, regardless of intent or unlawfulness, results in personal data being lost, deleted or destroyed, altered, or disclosed or made accessible to unauthorized persons. The breach may be caused by third parties, but also by employees who abuse their authority or act negligently. A data breach can cause the data subject to lose control over his or her data, or that data may be misused. In addition, it can also lead to a violation of the data subject’s personality, for example by revealing secret information about him or her. Accordingly,
According to Article 26(2)(a) of the e‑Data Act, a breach of data security is considered a personal data breach.
The data subject can only react to these threats if he or she is aware of the data security breach. Therefore, in principle, the controller must report unauthorized processing, with the report first going to the officer and only to the data subject under the conditions of paragraph 4. The notification must be made as soon as possible from the moment it becomes known. In principle, the officer must act quickly, but the provision gives some discretion. The decisive factor is, among other things, the extent of the risk to the person concerned. The more significant the risk, the greater the number of persons affected, the faster the responsible person must act.
However, notification to the Commissioner is only necessary if the data breach is likely to result in a high risk to the personality or fundamental rights of the data subject. This is to prevent even insignificant breaches from having to be reported. For this purpose, the data controller must make a prognosis regarding the possible effects of the breach on the data subject.
Par. 2 Content of the message
Paragraph 2 contains the minimum requirements for a notification to the officer. The data controller must first state the nature of the data security breach, insofar as he or she is able to do so. Four types of breach can be distinguished: destruction or deletion, loss, modification and disclosure of data to unauthorized persons. The consequences of the data security breach must also be described as far as possible. The focus here is on the consequences for the data subject; this does not mean those for the controller itself. Finally, the responsible party must state what measures it has taken as a result of the breach or what measures it proposes for the future. This involves measures that eliminate the violation or mitigate its consequences. Overall, the notification should allow the officer to intervene as promptly and effectively as possible.
Par. 3 Notification by the order processor
A breach of data security can also occur at the order processor. Therefore, according to paragraph 3, the latter is obliged to report any unauthorized data processing to the data controller as soon as possible. It is up to the data controller to subsequently carry out a risk assessment and decide to what extent there is an obligation to notify the data processor and the data subject.
Par. 4 Information to the data subject
In principle, the data subject does not have to be notified. However, according to paragraph 4, he or she must be informed of the data breach if it is necessary for his or her protection or if the commissioner requests it. There is a certain degree of discretion in this regard. In particular, it is significant whether the information can reduce the risks to the personality or fundamental rights of the data subject. This is particularly the case if the data subject must take appropriate precautions to protect him or herself, for example by changing his or her access data or passwords.
Par. 5 Limitation of the obligation to inform the data subject
Pursuant to paragraph 5, the controller may restrict, postpone or waive the provision of information to the data subject if one of the grounds of Article 24(1)(b) or (2)(b) of the e‑Data Act applies or if a statutory duty of confidentiality prohibits this (subparagraph a.). According to paragraph 5 letter b, the restriction is also permissible if the information is impossible or requires a disproportionate effort. Information is impossible if the controller does not even know which individuals are affected by the data breach, for example because the log files from which this would be evident are no longer available. A disproportionate effort would exist, for example, if, in the case of a large number of data subjects, these would have to be informed individually and the costs thereby incurred appeared disproportionate in relation to the gain in information for the data subject. Particularly in such constellations, paragraph 5(c) may apply, which allows the controller to inform the data subjects by means of a public notice if this informs them in a comparable manner. This is the case if the information of the data subject is not substantially improved by individual information.
Par. 6 Consent of the person obliged to notify
The reporting obligation under Article 22 E‑DSG may come into conflict with the principle that no one need incriminate themselves. Paragraph 6 provides for this constellation that a report made in fulfillment of the reporting obligation under Article 22 E‑DSG may only be used in criminal proceedings against the person required to report if that person agrees. The provision covers both data controllers and order processors who report a data breach.
Chapter 4 regulates the rights of the data subject. Specific claims against private data controllers are set out in Chapter 5, and those against federal bodies in Chapter 6.

Chapter 4: Rights of the data subject

Art. 25 Right to information

1 Any person may request information from the person responsible as to whether personal data relating to him or her is being processed.

2 The data subject shall be provided with the information required to enable him or her to assert his or her rights under this Act and to ensure transparent data processing. In any case, the following information shall be communicated to him:

a. the identity and contact details of the person responsible;

b. the processed personal data as such;

c. the purpose of processing;

d. the retention period of the personal data or, if this is not possible, the criteria for determining this period;

e. the available information on the origin of the personal data, insofar as it has not been obtained from the data subject;

f. where applicable, the existence of an automated individual decision and the logic on which the decision is based.

g. where applicable, the recipients or categories of recipients to whom personal data are disclosed and the information pursuant to Article 19 paragraph 4.

3 Personal data relating to health may be communicated to the data subject with his or her consent by a health professional designated by the data subject.

4 If the controller has personal data processed by a processor, he remains obliged to provide information.

5 No one may waive the right to information in advance.

6 The person responsible must provide information free of charge. The Federal Council may provide for exceptions, in particular if the expense is disproportionate.

7 The information is usually provided within 30 days.

Bot Art. 23 Right to information (count. acc. to draft)

The right to information supplements the data controller’s duty to provide information and forms the central basis for the data subject to be able to exercise his or her rights under this law at all. The right to information is a subjective, highly personal right that can also be exercised independently by persons incapable of acting without the consent of their legal representative. It also follows from the nature of the highly personal right that no one can waive the right to information in advance (Art. 23 (5) E‑Data Act).
Par. 1 Principle
According to paragraph 1, any person may request information free of charge from the controller as to whether data relating to him or her is being processed. Apart from editorial adjustments, the provision remains unchanged in relation to the previous law.
Par. 2 Information to be communicated
Paragraph 2 states that, based on a request for information, the data subject receives the information that must also be disclosed to him or her based on the duty to inform (cf. Art. 17 (2) E‑DSG). This is basically the information that is required to enable the data subject to assert his or her rights under the law and thus to ensure transparent data processing. This illustrates the close connection between the right to information and the duty to provide information. At the same time, the central purpose of the right to information is emphasized in this way, as also stated by the Federal Supreme Court, namely to enable the data subject to assert his or her rights in the area of data protection. The clarification is made against the background of the numerous comments in the consultation as well as in the doctrine, which criticize that the right to information is often used for other, non-data protection purposes. This refers in particular to cases in which the right to information is used exclusively to obtain evidence for civil proceedings that have no connection with data protection. This makes it possible to obtain evidence that is also to be designated as personal data under the FADP in a form that is not provided for in the applicable procedural law. Other evidence that does not constitute personal data, on the other hand, must be obtained through the usual procedural channels. This results in differences in the procurement of evidence that are not objectively justified.
Letters a to g contain a list of the information that must be communicated to the data subject in any case. The non-exhaustive list basically covers all information that the data controller must provide to the data subject. Subsidiarily, the general clause in the introductory sentence allows to request further information, if necessary, if this is required for the data subject to assert his rights under this Act and to ensure transparent data processing. If it processes large amounts of data about the data subject, the party responsible for providing information may, if necessary, request that the data subject specify to which information or which processing operations its request for information relates. In any case, the data subject will first receive information about the identity and contact details of the controller (subparagraph a). Depending on the case, she will already have this information (e.g. due to the duty to inform) and it will be confirmed to her. However, it is also conceivable that the data subject will only learn of a data controller at this point, e.g. if there are several data controllers. In addition, the data subject must be informed of the personal data processed (subparagraph b) and the purpose of the processing (subparagraph c). The data subject must also be informed about how long the data will be retained or, if this is not possible, about the criteria used to determine the retention period (subparagraph d). In particular, this information allows him or her to understand whether the data controller is processing the data in accordance with the principles in Article 5 of the e‑Data Protection Act. Since the retention period does not usually have to be disclosed due to the obligation to provide information, the data subject should receive it in any case as part of the right to information. The data subject shall also receive the available information on the origin of the data, insofar as it was not collected from him or her (subparagraph e). If applicable, the data subject will be informed whether an automated individual decision has been made (subparagraph f). In this case, he or she will also receive information about the logic on which the decision is based. In this context, the algorithms that form the basis of the decision do not necessarily have to be communicated, because these are regularly business secrets. Rather, the basic assumptions of the algorithm logic on which the automated individual decision is based must be stated. This means, for example, that the data subject must be informed that, due to a negative scoring result, he or she may conclude a contract on worse terms than those offered. In addition, the data subject must also be informed about the amount and type of information used for scoring and how it is weighted. Finally, the data subject receives information about the recipients or categories of recipients to whom the personal data are disclosed (subparagraph g). If the recipients are located abroad, the party required to provide information shall also state the country to which the data are disclosed and, if applicable, the guarantees pursuant to Article 13 (2) E‑DSG or the application of an exception pursuant to Article 14 E‑DSG.
Para. 3 and 4
Paragraph 3 has been taken over unchanged from the current law, according to which the responsible person may communicate information about the health of the data subject through a health professional designated by the data subject. The health professional must have the qualifications required in the case in question. However, provision is now made for the consent of the data subject to have the data communicated to him or her through another person. This improves the choice of the person concerned. The circle of possible persons is also expanded by referring to a health professional. Both amendments are based on the consultation.
Sentence 1 of paragraph 4 remains unchanged. Accordingly, the controller is always obligated to provide information, even if he delegates the processing to a processor. If the data subject inadvertently sends a request for information to the processor, the processor must name the data controller or forward the request accordingly. In such a case, the processor does not have to provide information himself, but he may also not hinder the data subject in exercising his right to information. Sentence 2 of the provision, on the other hand, is deleted.
Par. 5
This provision corresponds to the previous Article 8 paragraph 6 DPA.
Par. 6
Paragraph 6 gives the Federal Council the option of providing for exceptions to the free-of-charge requirement in the ordinance. This possibility already exists in the previous law (cf. Art. 2 VDSG). In the consultation draft, it was deleted, which was criticized considerably, among other things on the grounds that exceptions to the free-of-charge rule were a way of preventing abuse of the right to information. Due to the criticism in the consultation, this provision will now be retained. In doing so, the Federal Council will take into account the fact that certain requests for information involve a great deal of effort on the part of the person responsible.

Art. 26 Restrictions on the right to information

1 The responsible party may refuse, limit or postpone the information if:

a. a law in the formal sense provides for this, namely in order to protect a professional secret;

b. this is necessary due to the overriding interests of third parties; or

c. the request for information is manifestly unfounded, namely if it pursues a purpose contrary to data protection or is manifestly querulous.

2 Darbe
r addition, it is possible to refuse, limit or postpone the information in the following cases:

a. The responsible person is a private person and the following requirements are met:

1. overriding interests of the person responsible require the measure.

2. the person responsible does not disclose the personal data to third parties

b. The responsible party is a federal entity and one of the following conditions is met:

1. the measure is necessary because of overriding public interests, in particular the internal or external security of Switzerland.

2. communication of the information may jeopardize an investigation, inquiry, or administrative or judicial proceeding.

3 Companies belonging to the same group shall not be deemed to be third parties within the meaning of paragraph 2 letter a number 2.

4 The person responsible must state why he refuses, restricts or postpones the information.

Bot Art. 24 Restrictions on the right to information (count. acc. to draft)

Article 24 governs the restrictions on the right to information. They have been taken over unchanged from the previous law with a few editorial adjustments.
Para. 1 let. c
The only new provision is Article 24(1)(c). According to this provision, the controller may refuse, limit or postpone the provision of information if the request for information is manifestly unfounded or querulous. The provision was included as a result of the consultation. In terms of content, it is based on Article 12(5) of the Regulation (EU) 2016/679but uses Swiss terminology, such as that found in Article 108 BGG and Articles 132 and 253 ZPO. This is a serious restriction of fundamental rights, which is why it must be provided for in the law itself and not in the ordinance.
The exception under paragraph 1(c) must be interpreted narrowly. This applies in two respects. On the one hand, the controller may not lightly assume that a request for information is manifestly unfounded or that it is querulous. On the other hand, even in the event that such a request is made, he must choose the most favorable solution for the person concerned. Therefore, as far as possible, he must only limit the information, may postpone it if necessary and may only refuse it in absolutely clear, obvious cases. In any case, the data subject must be informed of the refusal, restriction or postponement of the information (see paragraph 3).
The right to information may be asserted without proof of an interest and without a statement of reasons. Mere curiosity is also sufficient. This is made clear by the reference to transparent data processing in Article 23 (2) E‑DSG. In principle, the controller may therefore not demand a statement of reasons for an information request. However, the Federal Supreme Court held that the party responsible for providing information may demand a statement of reasons for the request for information if, in the specific case, a legal abuse of the right to information is in question. The Federal Supreme Court considered the use of the right to information for purposes contrary to data protection, for example to save the costs of obtaining evidence or to find out about a possible counterparty, to be a possible abuse of rights. If the data subject who requests information subsequently puts forward a reason that already proves to be groundless without in-depth examination and without doubt, the controller may restrict the right to information. Only under these circumstances can there be an obviously unfounded request for information. In other words, it must be obvious that the request for information was made for reasons that have nothing to do with its purpose under the FADP, or that this was done with other (e.g. fraudulent) intent. If there are doubts as to whether this is the case, the request is not obviously unfounded.
Querulous are requests for information that are, for example, frequently repeated without plausible justification, or that are addressed to a data controller of whom the applicant already knows that he or she does not process any data about him or her. The data controller may also not lightly assume that a request is querulous.
Overall, the controller may not already make use of the restriction under paragraph 1(c) if he merely wishes to protect his own interests. For this, the requirements of Article 24(2)(a) must be met. Rather, the provision in paragraph 1(c) is intended to allow the controller to deal reasonably with requests for information that are obviously made in complete isolation from the purpose served by the right of information.
The Commissioner is of the opinion that the exception to the right of access provided for in Article 24(1)(c) E‑DSA is not compatible with Convention ETS 108.
Para. 3
If the data controller refuses, restricts or postpones the information, he must inform the data controller accordingly and give reasons in accordance with paragraph 3. In principle, only the requirements under paragraphs 1 and 2 may be considered as grounds. In this case, federal bodies must issue a contestable ruling. Private responsible parties, on the other hand, are not subject to any formal requirements. For reasons of proof, however, the reasons should be sent to the person concerned in writing.
On the basis of the statement of reasons, the data subject must be able to verify whether the information was rightly refused, restricted or postponed. However, the requirements for the statement of reasons cannot be too high if they conflict with the reason for the refusal of information.

Art. 27 Restrictions on the right to information for the media

1 If personal data are processed exclusively for publication in the editorial section of a periodical medium, the person responsible may refuse, restrict or postpone disclosure for one of the following reasons:

a. The data provide information on the sources of information.

b. The information would provide access to drafts of publications.

c. Publication would jeopardize the public’s freedom of expression.

2 Media professionals may also refuse, restrict or postpone the provision of information if the personal data serves them exclusively as a personal working tool.

Bot Art. 25 Restrictions on the right to information for media professionals (count. acc. to draft)

Article 25 E‑DSG adopts the current Article 10 DSG concerning the restriction of the right to information for media professionals. No material changes are made. The criterion of publication in the editorial section of a medium remains. This means that only data collected with regard to the publication of a journalistic work in the part of a medium reserved for editorial contributions is covered. In addition, it must be a periodically published medium. This includes, in particular, newspapers, magazines, radio and television broadcasts, press agencies and online news services that are updated continuously and with a regularity known to the public.
Chapter 5 regulates specific claims against private data controllers. The regulations on the processing of personal data by private persons concretize the protection of personality in accordance with Article 28 CC with regard to data protection and thus serve to realize informational self-determination among private individuals (see Art. 35(1) and (3) BV). The three provisions of this section should be read together: Article 26 E‑DSG specifies personality violations in the area of data protection, Article 27 E‑DSG defines specific grounds for justification, and Article 28 E‑DSG regulates the legal claims that can be asserted on the basis of a personality violation caused by data processing. The present draft largely retains the existing regulation. However, some editorial changes have been made with the aim of making the provisions clearer and more accessible overall.
The evaluation has also shown that the persons concerned hardly exercise their rights, especially in the private sector. This is mainly attributed to the cost risks of litigation, which are to be offset by adjustments to the cost regulation in civil proceedings (cf. Section 9.2.15).

Art. 28 Right to issue and transfer data

1 Any person may request from the controller the release of his or her personal data that he or she has disclosed to him or her in a commonly used electronic format if:

a. the data controller processes the data automatically; and

b. the data is processed with the consent of the data subject or in direct connection with the conclusion or performance of a contract between the controller and the data subject.

2 The data subject may also request the controller to transfer his or her personal data to another controller if the conditions in paragraph 1 are met and this does not require disproportionate effort.

3 The controller must provide or transfer the personal data free of charge. The Federal Council may provide for exceptions, in particular if the expense is disproportionate.

Art. 29 Restrictions on the right to issue and transfer data

1 The controller may refuse, restrict or postpone the release or transfer of personal data for the reasons listed in Article 26 paragraphs 1 and 2.

2 The responsible party must state why it refuses, restricts or postpones the surrender or transfer.

Chapter 5: Special provisions on data processing by private persons

Art. 30 Violation of personality rights

1 Anyone who processes personal data must not unlawfully infringe the personality of the persons concerned.

2 A violation of personality rights exists in particular if:

a. personal data is processed contrary to the principles set out in Articles 6 and 8;

b. personal data is processed contrary to the express declaration of intent of the data subject;

c. third parties are provided with personal data that is particularly worthy of protection.

3 As a rule, there is no violation of privacy if the person concerned has made the personal data generally accessible and has not expressly prohibited processing.

Bot Art. 26 Personality violations (count. acc. to draft)

The concept of violation of personality is defined in Article 28 CC not defined. Article 26 of the draft concretizes this term for violations of personality through the processing of personal data.
Par. 1 Principle
Paragraph 1 states that data processing must not unlawfully infringe the personality of the data subject. The wording remains unchanged. The individual right to dispose of personal data, which is protected by informational self-determination, is quickly severely restricted by data processing. Compliance with the principles of data processing by private data controllers is therefore central to the protection of the personality of the data subject, especially since private processing accounts for a large proportion of data processing operations in general.
Par. 2 Cases of violation of personality rights
Paragraph 2 refers, among other things, to compliance with the principles of data processing and provides that a violation of privacy exists in three constellations.
According to letter a, a violation of privacy occurs if data is processed contrary to the principles of Articles 5 and 7 of the e‑DSG.
According to letter b, it is also a violation of privacy if data is processed contrary to the data subject’s express declaration of intent. This provision thus gives the data subject the right to explicitly prohibit a particular data controller from processing data without having to meet specific requirements (opting out). This possibility already existed under the previous law and is also provided by Article 8 letter d E‑SEV 108 required. A declaration of intent is “explicit” if it is made by written or spoken words or a sign and the expressed intent is directly apparent from the words or sign used. Accordingly, the data subject must directly express in words or signs that he or she does not consent to a certain data processing. The expression of the will as such must already create clarity about the will through the manner in which it is made. In the present case, for example, the data subject would have to terminate a service that involves data processing or make an oral or written declaration to a data controller that he or she does not want him or her to process data about him or her. In contrast, an “implied” declaration of intent is not sufficient in the present case (cf. the explanations on Article 5(6) E‑DSG in Section 9.1.3.1). For example, it would not be sufficient for the data subject to stop using a service that involves data processing.
Pursuant to letter c, a violation of privacy also occurs if particularly sensitive data is disclosed to third parties.
The list is not exhaustive. This means that a violation of privacy through the processing of data can also occur in a way other than through the realization of these three elements. In letters b and c, the reference to the justification ground has been removed, as was already done for letter a in the 2003 revision. This, too, is merely for the sake of clarity and corresponds Article 28 CCin which the violation of personality and the grounds for justification are also dealt with in two sub-provisions. In the e‑DPA, the grounds for justification are now exclusively regulated in Article 27.
Par. 3 No violation of personality
According to paragraph 3, on the other hand, there is generally no violation of privacy if the data subject has made the data generally accessible and has not expressly prohibited its processing (for the expressiveness, see the commentary above on paragraph 2 letter b). This provision, which was adopted identically from the previous law, is consistent. This is because the individual’s freedom of disposal over personal data is not violated in principle under these circumstances. The wording “as a rule” expresses that the
s this is a legal presumption and not an incontrovertible fiction. The person concerned is thus free to prove that in individual cases there may nevertheless be a violation of privacy. This possibility is appropriate and important because the demarcation between public and private sphere is increasingly difficult.

Art. 31 Grounds for justification

1 A violation of personality rights is unlawful if it is not justified by the consent of the person concerned, by an overriding private or public interest or by law.

2 An overriding interest of the person responsible is considered in particular in the following cases:

a. The data controller processes personal data about the contracting party in direct connection with the conclusion or performance of a contract.

b. The data controller is or will be in economic competition with another person and processes personal data for this purpose that is not disclosed to third parties; companies that belong to the same group as the data controller are not considered third parties for the purposes of this provision.

c. The data controller processes personal data to check the creditworthiness of the data subject, subject to the following conditions:

1. it is neither personal data requiring special protection nor high-risk profiling.

2. the data will only be disclosed to third parties if they require the data for the conclusion or performance of a contract with the data subject.

3. the data are not older than ten years.

4. the person concerned is of age.

d. The person responsible processes the personal data professionally and exclusively for publication in the editorial section of a periodically published medium or, if no publication takes place, the data serve him/her exclusively as a personal work tool.

e. The data controller processes the personal data for non-personal purposes, in particular for research, planning or statistics, subject to the following conditions:

1. it shall anonymize the data as soon as the purpose of the processing permits; if anonymization is impossible or requires disproportionate effort, it shall take appropriate measures to prevent the data subjects from being identified.

(2) In the case of personal data requiring special protection, it shall disclose such data to third parties in such a way that the data subject cannot be identified; if this is not possible, it must be ensured that the third parties process the data only for non-personal purposes.

3. the results are published in such a way that the persons concerned cannot be identified.

f. The responsible person collects personal data about a public figure that relates to that person’s activities in public.

Bot Art. 27 Justifications (count. acc. to draft)

Article 27 specifies the grounds for justification for data processing that violates personal privacy. Apart from minor changes, the standard remains unchanged.
Par. 1 Principle
Paragraph 1 establishes the principle that any violation of privacy – i.e. any data processing that violates privacy – is in principle unlawful unless it is justified by the consent of the data subject, by law or by an overriding private or public interest. This provision corresponds to Article 28(2) of the Civil Code. If the consent of the person concerned or a legal justification exists, there is in principle no balancing of interests and the grounds for balancing under paragraph 2 do not come into play. Legal justification grounds include, for example, processing or clarification obligations (e.g. Art. 28 et seq. of the Federal Act of 23 March 2001 on Consumer Credit, Art. 3 et seq. of the Anti-Money Laundering Act of 10 October 1997) or storage obligations. On the other hand, an overriding private or public interest requires a weighing of the conflicting interests. On the part of the data subject, there is, among other things, an interest in preserving his or her freedom to dispose of his or her data. On the part of the data controller, there is an interest in data processing. Paragraph 2 contains an exemplary list of processing operations for which an overriding interest of the data controller can be considered. Only if the interest in data processing outweighs the interest of the data subject is the violation of privacy justified.
Par. 2 Overriding interests of the responsible person
Paragraph 2 specifies when an overriding interest of the controller comes into consideration. The wording, which has been retained unchanged, makes it clear that these are not absolute grounds for justification. Rather, as in the previous law, it is ultimately the weighing of interests in the individual case that is decisive. In contrast to the previous law, the reference is no longer to the person processing the data, but to the person responsible. The adjustment is made due to the introduction of the concept of the person responsible. The justification grounds under Article 27(2) are tailored to persons who, as data controllers, can decide on the purpose and means of data processing. Other defendants may invoke justification grounds under paragraph 1. Based on Article 8(4) E‑DSG, the commissioned processor can assert the same grounds for justification as the controller. Passive legitimacy is also unaffected by the amendment.
The reasons listed largely correspond to the previous law. The list is not exhaustive, so that other reasons than those listed here can also be used as an overriding interest of the controller. The enumeration lists various purposes that justify the processing of data and may outweigh the interest of the data subject. Essentially, the catalog covers three groups of data processing: those for certain economic activities, those for the media and data processing for non-personal purposes such as research. For individual processing purposes, the stated purpose alone is not sufficient to justify the violation of privacy. Rather, the processing must additionally fulfill certain requirements so that the justification of the overriding interest can be asserted at all. This applies in particular with regard to letters b, c, e and f. In these cases, it must first be examined whether the processing in question meets the specific requirements before the interests of the specific individual case are weighed against each other. If these specific conditions are not met, the data processing is only justified if there is a justification according to paragraph 1. Only letters c and e, where the legal text has been amended, are commented on below.
Para. 2 let. c Creditworthiness check
With regard to the activity of economic information services, reference should first be made to the recent ruling of the Federal Administrative Court A‑4232/2015 of April 18, 2017 (Moneyhouse). Moneyhouse AG is a business information service and obtains data in electronic form from various public private sources. This multitude of personal data is published on www.moneyhouse.ch and used to offer various services, in particular a company and person search. While this service is free of charge for the public after registration, so-called “premium users” are additionally offered creditworthiness and payment subscriptions, details on payment problems, debt enforcement, land register, business and tax information as well as services concerning company portraits. For additional services and in order to access data of natural persons who are not entered in the commercial register or in an electronic telephone directory, proof of interest must be provided. With regard to the premium subscriptions, which are subject to a fee, the Federal Administrative Court came to the conclusion that Moneyhouse AG in part creates a biographical image of individuals in the process. The Federal Administrative Court held that in this initial situation, the processing of a personality profile was to be affirmed, which is why the justification ground of the credit check pursuant to Article 13 paragraph 2 letter c FADP did not apply. For the Federal Administrative Court, no legal basis was apparent as a justification, nor was it possible to prove that the data subjects had explicitly consented to the creation of a personality profile. Finally, an overall weighing of interests also showed that the interest of the persons concerned in the protection of their personal rights predominated. As a result, the Federal Administrative Court found that the processing of personality profiles was unlawful and ordered Moneyhouse AG to obtain the express consent of the data subjects for such data processing, otherwise the corresponding data had to be deleted insofar as conclusions could be drawn about significant aspects of the personality. In addition, the court obliged Moneyhouse AG to conduct an annual review of its data inventory to ensure its accuracy in the ratio of 5 % to the queries made on the platform. In addition, the Federal Council will examine specific measures relating to credit reporting services as part of the report for Postulate Schwaab 16.3682 “Restricting the activities of credit reporting agencies”.
However, the e‑DSG already addresses certain concerns regarding the activities of credit reporting services. For example, four conditions must be met in order for the creditworthiness check to be considered an overriding interest. The provision is slightly tightened in relation to the previous law, in particular to take into account the high risk associated with this type of data processing.
Paragraphs 1 and 2 correspond to the applicable law, with the term “personality profile” being replaced by the term “profiling”. The processing of personal data requiring special protection also remains inadmissible. This also includes the processing of data on criminal prosecutions and sanctions. This is logical, as third parties are also not allowed to inspect the criminal register. Contrary to the suggestions of various participants in the consultation process, the FADP should not contain any additional rights for business information services.
Items 3 and 4 have been newly added.
Paragraph 3 requires that the data must not be older than five years. Such a reinforcement was suggested by various participants in the consultation process and appears justified in view of the scope of a credit report for the person concerned. The Federal Administrative Court also stated that the greater the risk of a violation of personality rights, the higher the requirements to be met with regard to the quality of the content and thus also the accuracy of the data processed. The very low verification rate of 5 percent imposed by the Federal Administrative Court on Moneyhouse AG also shows the difficulties of keeping such databases up to date. Therefore, the Federal Council considers a general regulation on the duration during which data may be used to be useful. Such a restriction can also be implemented in particular with appropriate technical precautions (privacy by design, cf. Art. 6 E‑DSG and the explanations thereto), for example by automatically deleting data after a certain period. The retention period of five years is based on the fact that, pursuant to Article 8a (4) SchKG, private third parties can only inspect the debt collection register up to five years after the conclusion of the proceedings. Here, the rights of business information services are not to go any further.
Paragraph 4 requires the person concerned to be of age. This requirement is inserted in order to improve the protection of minors, which is one of the objectives of the revision. The scope of this amendment is likely to be limited due to the limited capacity of minors to act.
Par. 2 (e) Processing for research, planning or statistics
The justification for processing for non-personal purposes, in particular in research, planning or statistics, is slightly tightened in letter e. The use of data for these purposes is now only permissible if the requirements of numbers 1 – 3 are met. This provision is intended to strengthen the protection of personal data requiring special protection. This is done in particular with a view to the possibilities of big data and the increasing digitalization of everyday life, which also leads to an ever greater number of personal data requiring special protection being processed.
According to item 1, data must be anonymized as soon as the purpose of processing permits. If it is no longer necessary to have personal data for the purpose of data processing for research, planning or statistics, the data must be anonymized. This requirement is also met if the disclosure is made in pseudonymized form and the key remains with the person disclosing the data (de facto anonymization).
This already follows in principle from the provision in Article 5 (4) E‑DSG. According to Article 26 (2) (a) E‑DSG, a breach of the same leads to a violation of privacy that can be justified by one of the grounds in Article 27 E‑DSG. As a result of the provision in Article 27(2)(e)(1) E‑DSG, it is now no longer possible to justify a breach of Article 5(4) E‑DSG on the grounds of processing for the purposes of research, planning or statistics, unless one of the grounds for justification in Article 27(1) E‑DSG applies.
If personal data requiring special protection is disclosed to third parties, this must be done in such a way that the persons concerned cannot be identified (Section 2). According to Article 26(2)(c) of the Federal Data Protection Act, the disclosure of personal data requiring special protection to third parties leads to a violation of privacy that can be justified on one of the grounds in Article 27. The provision in Section 2 now rules out justifying the disclosure of non-anonymized personal data requiring special protection on the grounds that it is being processed for the purposes of research, planning or statistics.
Finally, as before, the results may only be published in such a way that the persons concerned cannot be identified (item 3).

Art. 32 Legal claims

1 The data subject may request that inaccurate personal data be corrected unless:

a. a statutory provision prohibits the change;

b. the personal data are processed for archival purposes in the public interest.

2 Actions for the protection of personality shall be governed by Articles 28, 28a and 28g-28l of the Civil Code. The party bringing the action may in particular demand that:

a. a specific data processing is prohibited;

b. prohibit a specific disclosure of personal data to third parties.
ated;

c. Personal data is deleted or destroyed.

3 If neither the accuracy nor the inaccuracy of the personal data in question can be established, the claimant may request that a note of dispute be made.

4 The complaining party may also request that the correction, the deletion or the destruction, the prohibition of processing or disclosure to third parties, the notice of dispute or the judgment be communicated to third parties or published.

Bot Art. 28 Legal claims (count. acc. to draft)

Article 28 regulates the legal claims that the data subject may assert against private persons.
Par. 1 Correction
Paragraph 1 states that any person may request the correction of inaccurate personal data. This entitlement has so far been Article 5 paragraph 2 DPA contained. It is combined with all other legal claims in one provision in the e‑DSG. Correction can mean that the missing data is supplemented or the incorrect data is deleted and, if necessary, replaced by new, correct data.
As is clear from the separate paragraph, the right to rectification exists independently of a violation of personality rights under Article 26 E‑Data Act. Likewise, the justification grounds of Article 27 E‑Data Act cannot be invoked. Rather, paragraph 1 provides for two independent exceptions that exclude rectification.
According to letter a, the correction of inaccurate data is excluded if a legal provision precludes the modification of personal data. This refers to legal processing and storage obligations according to which private data controllers must leave data unchanged.
Letter b allows a balancing of interests with regard to data archive holdings that are processed exclusively for this purpose and where there is an overriding public interest in the data remaining unchanged. This exception covers private libraries, for example.
Par. 2 Actions
Paragraph 2 contains the reference to actions under Articles 28 et seq. ZGB, which already exists in the previous law. By analogy with Article 28a (1) CC, this paragraph also sets out individual specific claims that the person concerned can assert. For the sake of clarity, these are now better highlighted in the draft with an enumeration. In particular, this enumeration specifies the action for injunction and removal pursuant to Article 28a paragraph 1 items 1 and 2 CC with regard to data protection. According to letter a, the data subject may request that the data processing be prohibited. According to letter b, he or she may request that the disclosure of data to third parties be prohibited. Finally, according to letter c, he or she may request that data be deleted or destroyed.
Although it already arises implicitly from the previous law, a right to deletion is explicitly formulated in the e‑DSG. It meets the requirements of Article 8 letter e E‑SEV 108. The article 17 of the Regulation (EU) 2016/679 contains a similar provision. In the area of data protection, this right to deletion corresponds to the “right to be forgotten” as it is generally derived from the protection of personality under civil law. Accordingly, a decision similar to that made by the European Court of Justice against Google would also be possible in Switzerland, for example. However, such a right to be forgotten does not apply absolutely. Rather, in the case law on the protection of personality, the interest of the person concerned is weighed against the freedom of opinion and information, which regularly result in an overriding interest in the continued existence or use of the information. Such an interest may exist, for example, in the case of archives or libraries whose task it is to collect, index, preserve and communicate documents unchanged. If there is an overriding interest, the violation of privacy is justified and any claim for deletion is not applicable. The necessary weighing of interests in individual cases is possible and necessary on the basis of Article 28 (2) E‑DSG and the reference to actions under Article 28 f. ZGB are possible and necessary, so that no specific reservations need to be inserted in the legal text. The Commissioner would have preferred it if a right to delist (“right to be forgotten”) had been explicitly inserted.
Par. 3 Note of denial
Paragraph 3 contains the so-called denial note, which is taken over unchanged from the previous law. Accordingly, a corresponding note can be added to data if neither the correctness nor the incorrectness of the data can be determined. This provision should be viewed against the background that it is sometimes not possible to adequately prove the incorrectness of factual claims, especially if they are linked to value judgments. In this way, the person concerned receives at least partial legal protection.
Par. 4 Communication to third parties or publication
Paragraph 4, like the previous law, provides that the judgment, the correction, the deletion or destruction, the prohibition of processing or disclosure to third parties or the notice of contestation shall be communicated to third parties or published. This provision concretizes Article 28a (2) CC in the area of data protection.
However, the provision concerning the simplified procedure for requests for information is repealed. This provision has become obsolete with the introduction of the CCP because all provisions on civil proceedings are now contained in the CCP. The latter regulates the applicable procedure (Art. 243 para. 2 let. d E‑ZPO) as well as the place of jurisdiction (Art. 20 let. d E‑ZPO).

Chapter 6: Special Provisions on Data Processing by Federal Bodies

Art. 33 Control and responsibility in the case of joint processing of personal data

The Federal Council shall regulate the control procedures and responsibility for data protection if a federal body processes personal data together with other federal bodies, with cantonal bodies or with private persons.

Bot Art. 29 Control and responsibility in case of joint processing of personal data (count. acc. to draft)

Compared to Article 16 FADP Article 29 E‑DSG undergoes few changes.
Article 16 paragraph 1 FADP is repealed. The responsibility of the federal body that processes personal data or has personal data processed results from the definition of the term “person responsible” (Art. 4 let. i E‑DSG).
Article 29 of the e‑DSG also changes, for editorial reasons, the term “specifically regulate” from Article 16 paragraph 2 FADP omitted. In addition, the Federal Council should not only have the possibility to issue special rules on control and responsibility for data protection when federal bodies process data together with other authorities or private persons, but should be obliged to do so. With this amendment, Article 21 of the Directive (EU) 2016/680 implemented. Article 26 of the Regulation (EU) 2016/679 provides for an analogous regulation.

Art. 34 Legal bases

1 Federal bodies may process personal data only if there is a legal basis for doing so.

2 A basis in a law in the formal sense is required in the following cases:

a. It is the processing of personal data requiring special protection.

b. It is profiling.

c. The purpose of processing or the manner in which the data is processed may lead to a serious interference with the fundamental rights of the data subject.

3 For the processing of personal data in accordance with paragraph 2 letters a and b, a basis in a law in the substantive sense is sufficient if the following requirements are met:

a. The processing is indispensable for a task specified in a law in the formal sense.

b. The purpose of the processing does not pose any particular risks to the fundamental rights of the data subject.

4 In derogation from paragraphs 1 – 3, federal bodies may process personal data if one of the following conditions is met:

a. The Federal Council has approved the processing because it does not consider the rights of the person concerned to be at risk.

b. The data subject has consented to the processing in the individual case or has made his/her personal data generally accessible and has not expressly prohibited processing.

c. The processing is necessary to protect the life or physical integrity of the data subject or a third party and it is not possible to obtain the data subject’s consent within a reasonable time.

Bot Art. 30 Legal bases (count. acc. to draft)

In order to counter the criticism in the doctrine concerning the delimitation of the exceptions in Article 17 paragraph 2 FADP and Article 19 paragraph 2 FADP to take account of this, the e‑DSG regulates the legal basis for certain data processing in Article 30(2). Paragraph 4 provides for the exceptions to the requirements for the legal basis.
Par. 1 Legal basis
Paragraph 1 adopts the principle of Article 17 paragraph 1 FADPwhich stipulates that, subject to certain exceptions, federal bodies may only process personal data if there is a legal basis for doing so.
Par. 2 Basis in law in the formal sense
As under current law, paragraph 2(a) requires that a basis in a law in the formal sense is required for the processing of data requiring special protection.
Pursuant to paragraph 2 letter b, federal bodies are exclusively authorized to carry out profiling within the meaning of Article 4 letter f E‑DSG if this is provided for in a basis in a law in the formal sense. The provision replaces in this respect Article 17 paragraph 2 FADPaccording to which personality profiles may only be processed if a law in the formal sense expressly provides for it. Due to the risk of interference with the fundamental rights of the data subjects, the Federal Council is of the opinion that the legal basis for profiling must exist at the same level as in the case of the processing of data requiring special protection. As explained in the comments on paragraph 3, the requirement of a basis in a law in the formal sense does not apply absolutely to such data processing. Consequently, it will be up to the legislator to determine in each area whether a formal legal basis must be created in an area-specific law or whether a basis in a law in the substantive sense is sufficient. It is conceivable that profiling in certain cases does not pose any particular risks to the fundamental rights of the data subject.
According to paragraph 2 letter c, a basis in a law in the formal sense is required if the purpose of the processing or the manner in which the data are processed may lead to a serious interference with the fundamental rights of the data subject. This case is defined in Article 17 paragraph 2 FADP not explicitly stated. However, this is not a new requirement, because according to Article 36(1) BV serious restrictions of fundamental rights require a legal basis in a law in the formal sense. Letter c is necessary, however, because the term “personality profile” and the corresponding legal bases are repealed in several federal laws. This is because, in the view of the Federal Council, the abolition of the term “personality profile” must not lead to a lowering of the requirements for the level of the legal basis.
A serious interference with the fundamental rights of the data subject may result from the purpose of the processing of personal data (first application of subparagraph (c)). This is because in certain areas, federal bodies may need to process certain personal data in order to assess, for example, the dangerousness, the potential for a function, the suitability for fulfilling a legal duty or the lifestyle of a person. Depending on the purpose of the processing by the federal body, it may – regardless of the type of data processed – seriously restrict the fundamental rights of the data subject. If this is the case, it is justified that a legal basis must exist for the processing of personal data at the same level as for the processing of personal data requiring special protection.
A serious encroachment on the fundamental rights of the data subject may also result from the manner in which the data is processed (second application of subparagraph c). This applies in particular to automated individual decisions pursuant to Article 19 (1) of the e‑Data Protection Act. It is true that not every automated individual decision involves a serious risk to the fundamental rights of the data subject, so that a basis in a law in the substantive sense may also suffice for certain such decisions. An authorization by a law in the formal sense is generally required if the automated individual decision is made on the basis of personal data that is particularly worthy of protection. This also meets the requirements of Article 11 of the Directive (EU) 2016/680 taken into account.
Par. 3 Exceptions to the requirement of a basis in a law in the formal sense.
This provision authorizes the Federal Council to issue a basis in a law in the substantive sense for the processing of personal data requiring special protection and profiling if two conditions are cumulatively met. According to letter a, the processing must be indispensable for a task specified in a law in the formal sense. For this requirement to be met, the nature of the tasks requiring the processing of personal data must be sufficiently specified at the level of the law. The second requirement (paragraph 3 letter b) is new. It has the advantage of limiting the scope of paragraph 3 in a more precise manner than the current provision in Article 17(2)(a) DPA. The latter is only applicable by way of exception, which can also lead to the discretion being used to assume exceptional cases where none exist.
The reduction of the requirements for the level
of the legal basis is appropriate in particular for personal data requiring special protection that is exceptionally processed in Federal Council, departmental and official business (e.g. appeal decisions; state liability cases; federal personnel business). Strictly speaking, this also requires, according to the applicable Article 17 paragraph 1 FADP a formal legal basis. However, according to Article 30 (3) of the e‑Data Protection Act, a basis in a law in the substantive sense should suffice if the processing is indispensable for the fulfillment of a task provided for by formal law and the purpose of the processing does not pose any particular risks to the fundamental rights of the data subject. Insofar as these criteria are met and access to this data is severely restricted, a basis in a law in the substantive sense will in principle suffice in the future.
Par. 4 Exceptions
According to paragraph 4, the requirement of the legal basis (paras. 1 – 3) may be deviated from if one of the conditions according to letters a to c is fulfilled.
Letter a regulates the decision of the Federal Council that exceptionally allows the federal body to process personal data without a legal basis. Letter a corresponds to the exception under Article 17 paragraph 2 letter b FADP.
According to letter b, federal bodies may process personal data without a legal basis if the data subject gives consent in individual cases in accordance with Article 5 paragraph 6 FADP or if he or she has made his or her personal data generally accessible and has not expressly prohibited processing. This provision essentially corresponds to the exception under Article 17(2)(c) FADP.
Subparagraph (c) is a new exception that is included in Article 17 paragraph 2 FADP is not included. It corresponds to Article 10(b) of the Directive (EU) 2016/680 and Article 6(1)(d) of the Regulation (EU) 2016/679. Accordingly, processing is also permitted if it is necessary to protect the life or physical integrity of the data subject or a third party if it is not possible to obtain the data subject’s consent within a reasonable period of time.

Art. 35 Automated data processing in the context of pilot trials

1 Before the entry into force of a law in the formal sense, the Federal Council may authorise the automated processing of personal data requiring special protection or other data processing in accordance with Article 34 paragraph 2 letters b and c if:

a. the tasks on the basis of which the processing is required are regulated in a law already in force in the formal sense;

b. sufficient measures are taken to minimize interference with the fundamental rights of the persons concerned; and

c. a test phase prior to entry into force is indispensable for the practical implementation of data processing, in particular for technical reasons.

2 It shall first obtain the opinion of the FDPIC.

3 The competent federal body shall submit an evaluation report to the Federal Council no later than two years after the start of the pilot scheme. In this report, it shall propose the continuation or discontinuation of the trial.

4 Automated data processing must be discontinued in any case if no law in the formal sense containing the required legal basis has entered into force within five years of the start of the pilot test.

Bot Art. 31 Automated data processing within the scope of pilot tests (count. acc. to draft)

The present amendments to the current Article 17a FADP are not intended to weaken the conditions under which a federal body can process data automatically in a pilot test before a law in the formal sense enters into force. It is merely intended to reduce the regulatory density. This is because, since this norm came into force, federal bodies have rarely resorted to it. Certain provisions of Article 17a FADP may also be included in the future implementing regulation.
Apart from replacing the term “personality profiles” with “other data processing pursuant to Article 30(2)(b) and (c)”, the requirements under paragraphs 1 and 2 are largely consistent with those of Article 17a(1) FADP. Furthermore, letter c specifies that a test phase is required “in particular for technical reasons”. This change is justified by the repeal of Article 17a(2) FADP, which lists the cases in which the practical implementation of a data processing operation may necessarily require a test phase. For the reasons set out above, these cases can be regulated in an implementing ordinance.
Paragraphs 3 and 4 remain unchanged from the current law, except for the removal of the term “personality profiles” and some editorial changes.

Art. 36 Disclosure of personal data

1 Federal bodies may disclose personal data only if there is a legal basis for doing so in accordance with Article 34 paragraphs 1 – 3.

2 In derogation from paragraph 1, they may disclose personal data in individual cases if one of the following conditions is met:

a. The disclosure of the data is indispensable for the person responsible or for the recipient to fulfill a legal task.

b. The data subject has consented to the disclosure.

c. The disclosure of the data is necessary to protect the life or physical integrity of the data subject or a third party and it is not possible to obtain the data subject’s consent within a reasonable time.

d. The data subject has made his/her data generally available and has not expressly prohibited disclosure.

e. The recipient shall make a credible case that the data subject refuses consent or objects to disclosure in order to prevent him or her from asserting legal claims or protecting other interests worthy of protection; the data subject shall be given the opportunity to state his or her position in advance, unless this is impossible or would involve disproportionate effort.

3 In addition, the federal bodies may disclose personal data within the framework of official information to the public ex officio or on the basis of the Public Information Act of 17 December 2004 if:

a. the data are related to the performance of public tasks; and

b. there is an overriding public interest in disclosure.

4 They may also disclose the surname, first name, address and date of birth of a person on request if the requirements under paragraph 1 or 2 are not met.

5 They may make personal data generally accessible by means of automated information and communication services if a legal basis provides for the publication of such data or if they disclose data on the basis of paragraph 3. If there is no longer any public interest in making the data generally accessible, the data concerned shall be deleted from the automated information and communication service.

6 The federal bodies shall refuse disclosure, restrict it or attach conditions to it if:

a. essential public interests or interests of the data subject that are obviously worthy of protection require it; or

b. statutory confidentiality obligations or special data protection regulations require it.

Bot Art. Art. 32 Disclosure of personal data (count. acc. to draft)

Article 32 E‑DSG retains the principle of Article 19 DSG according to which federal bodies may in principle only disclose personal data if there is a legal basis for doing so. However, it specifies that the term legal basis corresponds to the term under Article 30(1 – 3) E‑DSA. It follows from this specification that Article 32 does not refer to the exceptions provided for in Article 30(4). Accordingly, the cases in which federal bodies are authorized to disclose personal data without a legal basis are enumerated exhaustively in Article 32(2)(a‑e) E‑DSG. This amendment responds to criticism in the doctrine regarding the delimitation of the exceptions in Article 17 paragraph 2 FADP and Article 19 paragraph 2 FADP taken into account.
The term “personal data” in paragraph 1 also includes particularly sensitive personal data. If Article 30 requires a basis in a law in the formal sense for the processing of a certain category of personal data (particularly sensitive personal data) or certain processing operations (profiling, processing operations pursuant to Article 30(2)(c)), this also applies to the provisions governing the disclosure of the personal data in question. The disclosure of personal data is in itself a particularly sensitive process, so that in this area it may not be irrelevant how the disclosed data is obtained. Therefore, if disclosure takes place subsequent to one of the particularly sensitive types of processing, this must be provided for in a law in the formal sense. The exceptions to paragraph 2 also apply if a federal body intends to disclose this type of data.
The exception under paragraph 2 letter a is expanded. Previously, federal bodies were allowed to disclose data in individual cases without a legal basis if the disclosure of the data was indispensable for the recipient to fulfill a legal task. Now they may also do so if this is indispensable for them to fulfill a statutory task.
Subparagraph (c) is a new exception that is included in Article 19 paragraph 1 FADP is not provided for. It is also inserted in the Article 30(4)(c) E‑DSA.
Article 32(3) of the e‑Data Protection Act corresponds to Article 19(1) of the Data Protection Act, with the exception of a selective amendment. The purpose of adapting the wording of Article 32(3) is to facilitate coordination between BGÖ and FADP should be improved. With regard to the requirement of overriding public interest in the disclosure of data (Art. 32(3)(b) DPA), it should be clarified that this requirement applies not only in addition to (as an alternative to) Article 32(1) and (2), but also independently. It is proposed to replace the term “also” (for which there is no equivalent in the French version) with “furthermore/en outre” in the introductory sentence of Article 32(3) E‑DSG in order to make it clear that the legal basis under paragraph 3 is in addition to those in paragraphs 1 and 2.
Article 32(4) remains unchanged compared to Article 19 paragraph 2 FADP unchanged. The explanations in the Federal Council Message of March 23, 1988 retain their validity.
In contrast, the legal basis for “call-off procedures” (Art. 19 para. 3 FADP) in the case of federal bodies has been repealed because it appears to be outdated in the digital age. This amendment does not lead to a weakening of the protection of personal data, because disclosure must always take place within the framework of the statutory data protection provisions. The adjustments to the area-specific data protection provisions resulting from the repeal of Article 19 (3) will be made on an ongoing basis as part of revisions to the respective enactments.
Paragraphs 5 and 6 correspond to paragraphs 3 and 4 of Article 19 DSG.

Art. 37 Objection to the disclosure of personal data

1 The data subject who can credibly demonstrate an interest worthy of protection may object to the disclosure of certain personal data by the federal body responsible.

2 The federal body shall reject the request if one of the following conditions is met:

a. There is a legal obligation to disclose.

b. The fulfillment of its task would otherwise be jeopardized.

3 Article 36 paragraph 3 remains reserved.

Bot Art. 33 Objection to disclosure of personal data (Zählg. gem. Entwurf)

This provision, apart from some editorial changes, remains unchanged compared to the current law (Article 20 FADP) unchanged. In the German version, the term “blocking of disclosure” is replaced by “objection to disclosure” in line with European terminology.
In the opinion of the Commissioner, the right to object should apply not only to data disclosure, but also to data processing.

Art. 38 Offer of documents to the Federal Archives

1 In accordance with the Archiving Act of 26 June 1998, federal bodies shall offer to the Federal Archives all personal data that they no longer require on a permanent basis.

2 They shall destroy the personal data designated by the Federal Archives as not being of archival value unless:<

a. these are anonymized;

b. these must be retained for evidentiary or security purposes or to protect the legitimate interests of the data subject.

Bot Art. 34 Offer of records to the Federal Archives (count. as per draft).

This provision corresponds Article 21 FADP. It remains materially unchanged.

Art. 39 Data processing for non-personal purposes

1 Federal bodies may process personal data for non-personal purposes, in particular for research, planning or statistics, if:

a. the data will be anonymized as soon as the purpose of processing permits;

b. the federal body discloses personal data requiring special protection to private persons only in such a way that the persons concerned cannot be identified;

c. the recipient discloses the data to third parties only with the consent of the federal body that disclosed the data; and

d. the results are published only in such a way that the persons concerned cannot be determined s
ind.

2 Articles 6 paragraph 3, 34 paragraph 2 and 36 paragraph 1 are not applicable.

Bot Art. 35 Edit for research, planning and statistics This provision largely corresponds to Article 22DSG. (count. acc. to draft)

In addition, a new letter b is added to paragraph 1, according to which federal bodies must disclose personal data requiring special protection to private third parties in such a way that the person concerned cannot be identified. This is intended to strengthen the protection of particularly sensitive personal data. This requirement is also met if the disclosure is made in pseudonymized form and the key remains with the person disclosing the data (de facto anonymization).
Paragraph 2 is also amended regarding the references to Articles 5(3), 30(2) and 32(1) E‑DSG.

Art. 40 Activities of federal bodies under private law

If a federal body acts under private law, the provisions for data processing by private persons apply.

Bot Art. 36 Private law activities of federal bodies (count. acc. to draft)

This provision corresponds Article 23 paragraph 1 FADP. Article 23 paragraph 2 FADP can be repealed, since the same supervisory system is provided for in the E‑DSG for private persons and federal bodies.

Art. 41 Claims and procedure

1 Anyone who has an interest that is worthy of protection may demand that the responsible federal body:

a. refrains from unlawful processing of the personal data concerned;

b. eliminates the consequences of unlawful processing;

c. establishes the unlawfulness of the processing.

2 The applicant may in particular request that the federal body:

a. corrects, deletes or destroys the personal data concerned;

b. communicates or publishes its decision to third parties, in particular on the correction, deletion or destruction, the objection to disclosure in accordance with Article 37 or the note of objection in accordance with paragraph 4.

3 Instead of deleting or destroying the personal data, the federal body shall restrict processing if:

a. the person concerned disputes the accuracy of the personal data and neither the accuracy nor the inaccuracy can be established;

b. overriding interests of third parties require this;

c. an overriding public interest, in particular the internal or external security of Switzerland, so requires;

d. the deletion or destruction of the data may jeopardize an investigation, inquiry or administrative or judicial proceedings.

4 If neither the accuracy nor the inaccuracy of the personal data concerned can be established, the federal body shall attach a note of dispute to the data.

5 The correction, deletion or destruction of personal data may not be requested in respect of the holdings of publicly accessible libraries, educational institutions, museums, archives or other public memory institutions. If the applicant credibly demonstrates an overriding interest, he or she may request that the institution restrict access to the disputed data. Paragraphs 3 and 4 are not applicable.

6 The procedure is governed by the VwVG. The exceptions under Articles 2 and 3 VwVG are not applicable.

Bot Art. 37 Claims and procedures (count. acc. to draft)

In comparison with Article 25 DSG Article 37 E‑DSG undergoes some changes, which are explained below.
Para. 1 Request
This provision regulates the requests that the persons concerned may address to federal bodies. In comparison with Article 25 paragraph 1 FADP it is not changed.
Par. 2 Further requests
Today, the right of the data subject to request the deletion of his or her data arises implicitly from Article 25 DSG. In order to comply with the requirements of Article 8(e) E‑SEV 108 and of Article 16 of the Directive (EU) 2016/680 to take into account, this entitlement is now explicitly mentioned in Article 37(2)(a) and (b). Article 17 of the Regulation (EU) 2016/679 in turn provides for the right of the data subject to request the deletion of data concerning him or her under certain conditions (“right to be forgotten”). The same right is introduced in Article 28 of the e‑Data Protection Act, so that the regulation is the same for private and public data controllers (see Section 9.1.6). However, the actual legal situation does not change.
In paragraph 2(a), in comparison with Article 25(3)(3) FADP, the last sub-sentence concerning the blocking of disclosure to third parties is deleted because the objection to the disclosure of data is exhaustively regulated by Article 33 FADP. The objection under Article 33 FADP is not linked to unlawful processing, which is the case with the claims under Article 37.
However, letter b of this provision retains the possibility that the data subject may request the federal body to publish the decision on the objection to disclosure under Article 33. Article 33 does not provide for this, but it seems reasonable that the person concerned can demand this at least in the case of unlawful disclosure.
Par. 3 Restriction of processing
Paragraph 3 provides for a measure that is less radical than the deletion or destruction of the disputed personal data: the restriction of processing.
This regulation corresponds to Article 16(3) of the Directive (EU) 2016/680, according to which the controller may restrict the processing instead of deleting the disputed data if the data subject disputes the accuracy of the data and the accuracy or inaccuracy cannot be established or if data must be further retained for evidentiary purposes.
Article 18 of the Regulation (EU) 2016/679 goes further, since according to this provision the data subject has a right to request the restriction of processing.
At E‑SEV 108 on the other hand, the restriction of machining is not included.
Paragraph 3 is to be interpreted in the sense that the data may continue to be processed, but only for specific purposes. It is not a question of excluding any kind of data processing. According to recital 47 of the Directive (EU) 2016/680 the restriction of processing is to be understood as meaning that the federal body may process the data concerned only for the purpose that prevented their deletion. Paragraph 3 provides four constellations for this.
According to paragraph 3 letter a, the federal body must restrict the processing of personal data if the person concerned disputes the accuracy of the personal data and neither its accuracy nor inaccuracy can be established. In this case, the restriction of processing means that the federal body may process the disputed data solely for the purpose of establishing its accuracy or inaccuracy. As soon as the accuracy of the data is established, the federal body may continue processing without restrictions. However, if the personal data prove to be inaccurate, the federal body must delete or destroy them, unless letter b or c applies in the case in question.
Paragraph 3(b) stipulates that the federal body must restrict processing if the overriding interests of a third party so require, for example if the deletion or destruction of certain data could prevent a third party from exercising his or her rights in court. This means that the data may continue to be processed, but only so that the third party concerned can exercise his or her rights. Any processing for any other purpose is excluded.
Under paragraph 3(c), the federal body does not have to delete or destroy the disputed data if this could jeopardize an overriding public interest, namely Switzerland’s internal or external security.
Finally, paragraph 3 letter d states that the federal body need not delete or destroy the data if this may jeopardize an investigation, inquiry or administrative or judicial proceedings. In this case, the federal body may continue to process the personal data, but only for the purpose that prevented its deletion, i.e. to continue an investigation, inquiry or proceedings.
Restriction of processing means that the disputed data are marked so that their future processing is carried out exclusively for the purpose that prevented their deletion or destruction. The marking must be clear. In practice, it may mean that the disputed data is temporarily moved to another processing system or that users are prevented from accessing the data. In systems for automated data processing, the restriction of processing should in principle be guaranteed by technical means so that the data cannot be further processed or modified for purposes other than those specified in paragraph 3.
Par. 4 Note of denial
This provision contains the so-called denial note, which remains unchanged from the previous law (Art. 25 Para. 2 FADP) has been taken over. Accordingly, data may be annotated accordingly if neither the accuracy nor the inaccuracy of the data can be definitively determined.
Par. 5 Holdings of public memory institutions
According to paragraph 5, the correction, deletion or destruction of data cannot be requested in relation to the holdings of publicly accessible libraries, educational institutions, museums, archives or other public memory institutions. The exception has limited scope in that many of these institutions are covered by cantonal data protection law. The provision refers to public institutions whose activity consists in particular in collecting, indexing, preserving and communicating documents of all kinds (including digital ones). This specific processing purpose would be opposed to rectification, deletion or destruction insofar as it relates to the archive holdings of such institutions. The denial notice under paragraph 4 of this article does not apply either. This is because these holdings are intended to depict a moment in the past by means of documents, which is only possible if these documents are contained in the archive true to the original and thus unchanged. There is a considerable public interest in this, which arises from the freedom of information (Art. 16 Para. 3 BV).
However, the second sentence in paragraph 5 allows the data subject to request that the institution in question restrict access to the disputed data. For this, however, the data subject must credibly demonstrate an overriding interest. This exception should be considered in particular in light of the increasing tendency to make extensive holdings of publicly accessible memory institutions available to anyone on the Internet. This reduces the effort required for targeted searches, while at the same time considerably expanding the group of people who can access the holdings in question. The law must therefore permit a differentiated weighing of interests for such cases. Here, the public interest in unaltered and unrestricted access to documents and the interest of the person concerned that information about him that is untrue or violates his personality is not generally accessible are opposed. As is clear from sentence 1 of paragraph 5, the public interest in free and unaltered access generally takes precedence with regard to archives and similar institutions. An overriding interest of the person concerned, on the other hand, can only be assumed if he or she suffers significant personal disadvantages as a result of free access, which may also significantly restrict him or her in the future (e.g. in his or her professional advancement). These disadvantages must also be put in relation to the archival value of the disputed data, which may result, for example, from the historical significance, nature or content of the document. An overriding interest on the part of the person concerned is to be assumed, in particular, if the archival value of the data and thus also the importance of unrestricted public access appears to be low in relation to the considerable restrictions on the person concerned. In this case, the data subject may request that the institution restrict access to the disputed data. The restriction must be designed in the individual case in such a way that it appears proportionate with regard to the interests at stake. For example, it may often be sufficient that a document is not accessible on the Internet, but only in physical archives. In individual cases, it would also be conceivable to grant access to a document only to persons who need it for their scientific or journalistic activities.
However, paragraph 5 does not cover data processing by such institutions that is not related to the collections and is carried out for other purposes, such as library user accounts or personnel files. For these processing operations, the rights in Article 37 are fully available to the data subject.

Art. 42 Procedure in case of disclosure of official documents containing personal data

If proceedings concerning access to official documents containing personal data are pending within the meaning of the Public Access Act of 17 December 2004, the person concerned may assert in these proceedings the rights to which he or she is entitled under Article 41 of this Act in respect of those documents that are the subject of the access proceedings.

Bot Art. 38 Procedure in case of disclosure of official documents containing personal data (count. acc. to draft)

This provision corresponds Article 25 DSG. It remains materially unchanged.

Chapter 7: Federal Data Protection and Information Commissioner

Section 1: Organization

Art. 43 Election and position

1 The association
te Federal Assembly elects the head of the FDPIC (the Commissioner).

2 Anyone who is entitled to vote on federal matters may be elected.

3 The employment relationship of the appointee is governed by the Federal Personnel Act of March 24, 2000 (FPL), unless this Act provides otherwise. The appointee is insured with the Federal Pension Fund PUBLICA against the economic consequences of old age, disability and death until the age of 65. If the employment relationship is continued after the completion of the 65th year of age, then, at the request of the appointee, the old-age pension scheme shall be continued until the termination of the employment relationship, but at most until the end of the year in which he or she reaches the age of 68. The FDPIC shall finance the employer’s savings contributions.

3bis The Federal Assembly shall issue implementing provisions on the employment relationship of the Commissioner in an ordinance.

4 The Commissioner shall exercise his or her function independently, without seeking or accepting instructions from any authority or third party. He or she is administratively assigned to the Federal Chancellery.

5 She or he has a permanent secretariat and his or her own budget. She or he hires his or her staff.

6 He or she is not subject to the appraisal system in accordance with Article 4 paragraph 3 BPG.

Bot Art. 39 Appointment and position (count. acc. to draft)

Par. 1 Appointment procedure
The appointment process of the appointee remains unchanged under paragraph (1) because it is consistent with the requirements of the Directive (EU) 2016/680 and of the E‑SEV 108 matches. The E‑SEV 108 does not contain any provision on the mode of election or appointment of the supervisory authority. Article 43 of the Directive (EU) 2016/680 obliges the Schengen States to regulate the appointment procedure, but leaves them the choice between appointment by the Parliament, the Government, the Head of State or by an independent body. In Article 53 of the Regulation (EU) 2016/679 the same solution is provided for the member states of the European Union.
The Federal Council has examined the proposal of various consultation participants to introduce an election by Parliament. For the following reasons, it has come to the conclusion that this change is not appropriate. The current procedure provides sufficient guarantees for the independence of the appointee vis-à-vis the executive branch. This is because the Federal Assembly can refuse to approve the appointment of the Federal Council. The Federal Council is also not convinced that an election by parliament would strengthen the independence of the appointee. This is because it could be influenced by interest groups. Moreover, appointment by the Federal Council, subject to approval by parliament, offers the possibility that the appointee can remain administratively attached to the Federal Chancellery. This would no longer be possible in the case of an election by parliament. If the commissioner were no longer part of the federal administration, it cannot be ruled out that it would be more difficult for him or her to supervise federal bodies and to persuade them to cooperate in an investigation. Finally, if the commissioner were elected by parliament, he or she would also have to be financially independent, such as the Swiss Federal Audit Office.
Par. 3 Position
Paragraph 3, first sentence, specifies the independence of the commissioner by specifying that he or she may not seek or receive instructions from an authority or a third party. This amendment takes into account the requirements of Article 12(4). E‑SEV 108 and of Article 42 paragraphs 1 and 2 of the Directive (EU) 2016/680, which has the same wording as Article 52(1) and (2) of the Regulation (EU) 2016/679.
Para. 2, 4 and 5
These provisions remain materially unchanged in relation to the current law (Art. 26(2), (4) and (5) FADP).
The Commissioner believes that the regulation of his budget should be aligned with the regulation for the Federal Audit Office because of his supervisory role.

Art. 44 Term of office, re-election and termination of the term of office

1 The term of office of the Commissioner shall be four years and may be renewed twice. It shall commence on 1 January following the start of the legislative period of the National Council.

2 The appointee may terminate the employment relationship at the end of any month subject to six months’ notice. The Judicial Commission may grant the appointee a shorter period of notice in individual cases if there are no significant conflicting interests.

3 The United Federal Assembly may remove the Commissioner from office before the expiry of the term of office if the Commissioner:

a. has seriously violated official duties intentionally or through gross negligence; or

b. has permanently lost the ability to hold office.

Bot Art. 40 Reappointment and termination of term of office (count. acc. to draft)

Currently, the Commissioner may be re-elected for an unlimited number of terms. This principle is amended in paragraph 1 to implement the requirements of Article 44(1)(e) of the Directive (EU) 2016/680 amended. This provides that the Schengen States must regulate whether and, if so, how often the member or members of the supervisory authority may be reappointed. According to this provision, the Schengen States therefore have a choice as to whether and how often the supervisory authority may be reappointed. Article 54(1)(e) of the Regulation (EU) 2016/679 contains a similar provision.
In accordance with the room for maneuver provided by Article 44 of the Directive (EU) 2016/680 granted, the Federal Council proposes that the appointee may be reappointed twice. He or she may therefore remain in office for a maximum of twelve years. This measure is intended to strengthen the independence of the appointee as an authority. She or he shall not be restrained in fulfilling the statutory mandate for fear of not being reelected. If the appointee reaches retirement age during the term of office, the employment relationship shall automatically terminate upon reaching the age specified in Article 21 of the Federal Law of 20 December 1946 on Old Age and Survivors’ Insurance (AHVG) (Art. 10 para. 1 of the Federal Personnel Act of 24 March 2000 (BPG)in conjunction with Art. 14 para. 1 BPG). Paragraphs 2, 3 and 4 shall remain in force in relation to Article 26a FADP materially unchanged.

Art. 44a Warning

The judicial commission may issue a warning if it finds that
the commissioner has violated official duties.

Art. 45 Budget

The FDPIC submits its draft budget annually to the Federal Council via the Federal Chancellery. The latter forwards it unchanged to the Federal Assembly.

Art. 46 Incompatibility

The commissioner may not be a member of the Federal Assembly or the Federal Council and may not be employed by the Confederation.

Art. 47 Secondary employment

1 The commissioner may not engage in any secondary employment.

2 The judicial commission may permit the appointee to engage in secondary employment if this does not impair the exercise of the function or the independence and reputation of the FDPIC. The decision shall be published.

Bot Art. 41 Secondary employment (count. acc. to draft)

Article 41 tightens the requirements for the commissioner to engage in secondary employment. This provision implements the requirements of Article 42(3) of the Directive (EU) 2016/680 implemented, which has the same wording as Article 52(3) of the Regulation (EU) 2016/679. The provision applies only to the appointee. The deputy and the secretariat are subject to the BPG.
According to Article 26b FADP merely provides that the Federal Council may permit the Commissioner to engage in other employment if this does not impair his or her independence and reputation. The first sentence of Article 41(1), on the other hand, lays down the principle that the Commissioner may not engage in any additional gainful activity. The second sentence specifies that he or she may also not hold an office of the Confederation or of a canton. The term canton is to be understood in a broad sense and also includes the municipalities, districts, counties and corporations under public law. Paragraph 1, second sentence further stipulates that the appointee may also not serve as a member of the management, the board of directors, or the supervisory or auditing body of a commercial enterprise. This applies regardless of whether such activity would be remunerated or not.
Paragraph 2 limits the scope of paragraph 1, providing that the Federal Council may permit the appointee to engage in secondary employment under certain conditions. The decision of the Federal Council shall be published.

Art. 47a Standoff

If the Commissioner’s recusal is disputed, the President of the division of the Federal Administrative Court responsible for data protection shall decide on the matter.

Art. 48 Self-regulation of the FDPIC

The FDPIC ensures that the legally compliant enforcement of federal data protection regulations is guaranteed within its authority by means of appropriate control measures, in particular with regard to data security.

Bot Art. 42 Self-regulation of the commissioner (count. acc. to draft)

This provision obliges the Commissioner to take appropriate control measures, in particular with regard to the security of personal data and the legally compliant enforcement of federal data protection regulations. The Federal Council will specify the measures to be taken in the future ordinance.

Section 2: Investigation of Data Protection Breaches

Art. 49 Investigation

1 The FDPIC shall open an investigation ex officio or on complaint against a federal body or a private person if there are sufficient indications that a data processing operation could violate the data protection provisions.

2 It may refrain from opening an investigation if the breach of the data protection provisions is of minor importance.

3 The federal body or the private person shall provide the FDPIC with all information and make available to him all documents that are necessary for the investigation. The right to refuse to provide information is governed by Articles 16 and 17 of the Administrative Procedure Act, unless Article 50 paragraph 2 of this Act provides otherwise.

4 If the data subject has filed a complaint, the FDPIC shall inform him or her of the steps taken on the basis of this complaint and the result of any investigation.

Bot Art. 43 Investigation (count. acc. to draft)

Under current law, the process differs depending on whether it involves the commissioner’s oversight activities in the private sector or the public sector. While Article 27 DSG entrusts the Commissioner with the task of monitoring data processing by federal bodies, Article 29(1)(a‑c) FADP stipulates that the Commissioner shall open an investigation against a private individual if processing methods are likely to infringe the personality of a large number of individuals, data collections pursuant to Article 11a DSG must be registered or there is an obligation to provide information under Article 6(3). The monitoring powers of the Commissioner vis-à-vis the private sector do not currently meet the requirements of the E‑SEV 108. Thus, its Article 12 does not provide for any limitation of the supervisory authority’s powers of investigation and intervention vis-à-vis the data controllers.
Par. 1 Opening of the investigation
According to Article 43 (1) E‑DSG, the Commissioner shall open an investigation ex officio or upon notification if there are indications that a data processing operation may violate data protection regulations. The report may be made by a third party or by the data subject. However, the person making the report does not have party status in the proceedings (Art. 46 para. 2 e contrario). If, on the other hand, the person concerned has filed a complaint, the commissioner must inform him or her of his or her further course of action and the outcome of any investigation (para. 4). The data subject must assert his or her rights through the applicable legal remedies, i.e., he or she may file a complaint with a civil court if the responsible party is a private person, or he or she may file a complaint against the decision of the responsible federal body. This is in accordance with the applicable law.
Par. 2 Waiver of the opening of an investigation
The Commissioner may refrain from opening an investigation if the violation of data protection regulations is of minor importance. This would be the case, for example, if a sports or cultural club sends an e‑mail message to all its members without concealing the identity of the recipients. Paragraph 2 may also apply if the Commissioner considers that the advice given to the controller is sufficient to remedy a situation that is hardly problematic in itself.
Par. 3 Duties to cooperate
Paragraph 3 regulates the duties of cooperation of the private person and the federal body by adopting the regulation under Articles 27(3) and 29(2) FADP. The party to the proceedings must provide the commissioner with all information and make all documents available to the
which the latter requires for the investigation. The second sentence of paragraph 3 states that the right to refuse information is governed by Articles 16 and 17 VwVG. Article 16 paragraph 1 VwVG refers to Article 42 paragraphs 1 and 3 of the Federal Act of 4 December 1947 on Federal Civil Procedure. According to this provision, the persons questioned may refuse to testify if answering the question may expose them to the risk of criminal prosecution. This concerns the persons who must keep the secrets according to Articles 321, 321 and 321StGB. For example, doctors may refuse to provide the Commissioner with personal data about their patients if the patients do not consent to this. The same applies to lawyers and their clients. Article 90 of the Regulation (EU) 2016/679 also provides that Member States shall regulate the powers of supervisory authorities with respect to controllers or processors who are subject to professional secrecy or an equivalent obligation of confidentiality under national law.

Art. 50 Powers

1 If the federal body or the private person fails to comply with the obligations to cooperate, the FDPIC may in particular order the following as part of the investigation:

a. Access to all information, documents, records of processing activities and personal data necessary for the investigation;

b. Access to premises and facilities;

c. Witness interviews;

d. Appraisals by experts.

2 Professional secrecy is reserved.

3 The FDPIC may involve other federal authorities and the cantonal or communal police authorities in the implementation of the measures under paragraph 1.

Bot Art. 44 Powers (count. acc. to draft)

This provision fulfills the requirements of Article 12(2)(a). E‑SEV 108, according to which the supervisory authority must have powers of investigation and intervention. Article 47(1) of the Directive (EU) 2016/680 stipulates that Schengen States must provide effective investigative powers for the supervisory authority, namely the power to obtain from the controller access to all data being processed and to all information necessary for the performance of its tasks. The Regulation (EU) 2016/679 in turn, provides for an analogous rule in Article 58(1)(e) and (f).
Par. 1 Investigation measures
The measures under paragraph 1 may only be ordered if an investigation has been opened and insofar as the private person or the federal body fails to comply with its obligations to cooperate. In other words, the commissioner may only order the measures under letters a‑d if he has tried in vain to obtain the cooperation of the person responsible.
The catalog of measures according to paragraph 1 is similar to that according to Article 12 VwVG. This is a non-exhaustive list. The commissioner is authorized, among other things, to demand access to all information, documents, processing lists and personal data required for the investigation (subparagraph a) or to demand access to premises and facilities (subparagraph b). Like all federal authorities, it must comply with the applicable legal provisions, in particular those relating to data protection and the protection of industrial and commercial secrets. It is also subject to official secrecy pursuant to Article 22 BPG. Consequently, the confidential treatment of personal data to which he has access in the exercise of his supervisory duties is guaranteed, namely when he informs the person who filed the report of the outcome of any investigation (Art. 43 para. 4) or when he publishes his activity report in accordance with Art. 51 FADP.
Par. 2 Precautionary measures
This provision gives the Commissioner the authority to order precautionary measures for the duration of the investigation and to have them enforced by a federal authority or the cantonal or municipal police bodies. The currently applicable Article 33 paragraph 2 FADP provides that the Commissioner may request the President of the Division of the Federal Administrative Court responsible for data protection to take precautionary measures if, in the course of an investigation against a private person or against a federal body, he determines that the persons concerned are threatened with a disadvantage that cannot be easily remedied. Since Article 45 of the Draft Data Protection Act grants the Commissioner the authority to issue orders, the Federal Administrative Court is no longer required to order precautionary measures and the corresponding provision can therefore be deleted. The procedure for appeals against precautionary measures is governed by Article 44 et seq. VwVG. The suspensive effect of the appeal shall be suspended by Article 55 VwVG regulated.
The new investigative powers of the commissioner are in view of Article 45 of the Regulation (EU) 2016/679 a crucial element in ensuring that the European Commission renews or upholds the adequacy decision vis-à-vis Switzerland.

Art. 51 Administrative measures

1 If there is a breach of data protection regulations, the FDPIC may order that the processing be adapted, interrupted or terminated in whole or in part and that the personal data be deleted or destroyed in whole or in part.

2 It may postpone or prohibit disclosure abroad if it contravenes the requirements of Articles 16 or 17 or provisions relating to the disclosure of personal data abroad in other federal acts.

3 It may order in particular that the federal body or the private person:

a. informs him in accordance with Articles 16 paragraph 2 letters b and c and 17 paragraph 2;

b. takes the precautions in accordance with Articles 7 and 8;

c. in accordance with Articles 19 and 21, informs the persons concerned;

d. carries out a data protection impact assessment in accordance with Article 22;

e. consults him in accordance with Article 23;

f. informs him or, as the case may be, the persons concerned in accordance with Article 24;

g. provides the data subject with the information pursuant to Article 25.

4 It may also order the private responsible party domiciled or resident abroad to designate a representative office in accordance with Article 14.

5 If the federal body or the private person has taken the necessary measures during the investigation to restore compliance with the data protection regulations, the FDPIC may confine himself to issuing a warning.

Bot Art. 45 Administrative measures (count. acc. to draft)

Article 45 of the e‑DSG implements Article 47(2) of the Directive (EU) 2016/680 and complies with the recommendations of the Schengen evaluators to grant the Commissioner powers of disposal. Article 58 paragraph 2 of the Regulation (EU) 2016/679 lists all the powers to take measures that the supervisory authority should have. In addition to the measures pursuant to Article 47 paragraph 2 of the Directive (EU) 2016/680 According to the ordinance, these are namely the imposition of administrative fines (Art. 58 (2) (i)) and the order to suspend the transfer of data to a recipient in a third country or to an international organization ((j)).
Article 45 E‑DSA largely corresponds to the requirements of Article 12(2)(c) and (6) E‑SEV108.
However, the Federal Council proposes not to give the Commissioner the authority to issue administrative sanctions, but rather to give him the authority to order certain administrative measures, non-compliance with which can be punished under criminal law (Art. 57 E‑DSG).
Article 45 E‑DSG leaves the Commissioner a great deal of room for maneuver. This is because it is an optional provision and he is not obliged to take administrative measures. The provision includes two categories of measures.
The first category consists of a series of measures against data processing that violates data protection regulations (paras. 1, 2 and 4). The measures range from a simple warning (para. 4) to an order to destroy personal data (para. 1) to a ban on disclosing personal data abroad (para. 2). The principle of this regulation is the preservation of proportionality. Thus, instead of ordering the termination of the processing, the commissioner may order its modification and limit the measure only to the problematic part of the processing. If the party to the investigation proceedings has taken the necessary measures during the investigation to restore compliance with data protection regulations, the commissioner may also limit himself to issuing a warning (para. 4).
The second category of measures relates to cases in which regulatory provisions or obligations towards the data subject are not observed (para. 3). Among other things, the Commissioner may order the federal body or the private person to carry out a data protection impact assessment in accordance with Article 20 (let. d) or to provide the data subject with the information in accordance with Article 23 (let. g). The list under paragraph 3 is not exhaustive.
The Commissioner shall inform only the parties to the investigation proceedings of his decision. If necessary, he shall inform the public in accordance with Article 51 (2) E‑DSG. The measure taken must be sufficiently justified. In particular, the controller must be able to determine which data processing operations fall under the decision of the appointee. The parties involved are entitled to appeal in accordance with the general provisions on the administration of federal justice (cf. Art. 46). If necessary, the commissioner may attach a penalty to the measure ordered against the data controller (Art. 57).

Art. 52 Procedure

1 The investigation procedure and rulings in accordance with Articles 50 and 51 are governed by the VwVG.

2 Only the federal body or private person against whom an investigation has been opened is a party.

3 The FDPIC may appeal against decisions of the Federal Administrative Court.

Bot Art. 46 Procedure (count. acc. to draft)

Pursuant to paragraph 1, the investigation procedure and the procedure for adopting measures under Articles 44 and 45 are governed by the Administrative Procedure Act. The private person or federal body that is a party to the investigation is entitled to be heard (Art. 29 et seq. VwVG).
Paragraph 2 specifies that only the federal body or private person against whom an investigation has been opened may be a party to the proceedings. Accordingly, only the latter may appeal against rulings and measures taken against them by the Commissioner. The person concerned is not a party, even if the commissioner has opened the investigation on his or her report. If he or she wishes to assert legal claims against a private controller, he or she must do so in accordance with Article 28 E‑DSG, i.e. before the competent civil court. In the public sector, the data subject must take action against the responsible federal body (Art. 37) by challenging its decision before the competent appeal authority. This remains unchanged from the current law.
Pursuant to paragraph 3, the Commissioner may challenge appeal decisions of the Federal Administrative Court, as he can already do currently under Articles 27(6) and 29(4) FADP.

Art. 53 Coordination

1 Federal administrative authorities that supervise private persons or organizations outside the federal administration in accordance with another federal law shall invite the FDPIC to submit an opinion before issuing a ruling that concerns data protection issues.

2 If the FDPIC conducts its own investigation against the same party, the two authorities shall coordinate their proceedings.

Bot Art. 47 Coordination (count. acc. to draft)

Certain federal authorities supervise private individuals or organizations outside the federal administration. This is the case, for example, of the Federal Office of Public Health with regard to health insurance companies or the Swiss Financial Market Supervisory Authority (FINMA) with regard to banks or other financial service providers. The term “organizations outside the Federal Administration” corresponds to the term used in Article 1 paragraph 2 letter e VwVG.
Data protection issues may arise in the course of a supervisory procedure, which may lead to a decision by the competent authority. To take this issue into account, paragraph 1 provides that the supervisory authority shall invite the appointee to comment. If the Commissioner has also opened proceedings under Article 43 E‑DSG against the same party, the supervisory authority and the Commissioner must coordinate at two levels (paragraph 2): on the one hand, to clarify whether the two proceedings can be conducted in parallel or whether one of the proceedings should be suspended or discontinued, and on the other hand, for the content of their respective decision if the proceedings are conducted in parallel. In the case of conflicts of competence, the Federal Council decides (Art. 9 para. 3 VwVG). Coordination must be ensured in a simple and quick manner. The units concerned must be informed of the outcome of this coordination and the applicable legislation so that they are aware of their rights and obligations as quickly as possible.

Section 3: Administrative assistance

Art. 54 Administrative assistance between Swiss authorities

1 Federal and cantonal authorities shall provide the FDPIC with the information and personal data required for the performance of his statutory duties.

2 The FDPIC shall disclose to the following authorities the information and personal data required for the performance of their statutory duties:

a. the authorities responsible for data protection in Switzerland;

b. the competent criminal prosecution authorities, if it is a matter of reporting an offence in accordance with Article 65 paragraph 2;

c. the federal authorities and the cantonal and communal police authorities for the enforcement of the measures in accordance with Articles 50 paragraph 4 and 51.

Bot Art. 48 Administrative assistance between Swiss authorities (count. acc. to draft)

D
his new provision regulates administrative assistance between the Commissioner and the federal and cantonal authorities. The current Article 31(1)(c) DPA is limited to obliging the Commissioner to cooperate with the Swiss data protection authorities.
Paragraph 1 of the new article establishes the principle that the Swiss and cantonal authorities must provide the Commissioner with the information and personal data necessary for the performance of his statutory duties. This is a standard provision on administrative assistance, which is also found in many other federal laws.
Paragraph 2 stipulates that the Commissioner must disclose information and data to the cantonal authorities responsible for data protection (subparagraph (a)), to the competent criminal authorities if it is a matter of reporting a criminal offense pursuant to Article 59 paragraph 2 E‑DSG (subparagraph (b)), and to the federal authorities and the cantonal and municipal police authorities for the enforcement of measures pursuant to Articles 44 paragraph 2 and 45 E‑DSG (subparagraph (c)).
The disclosure of information referred to in paragraphs 1 and 2 may be spontaneous or upon request.

Art. 55 Administrative assistance to foreign authorities

1 The FDPIC may exchange information or personal data with foreign authorities responsible for data protection for the purpose of fulfilling their respective tasks provided for by law in the area of data protection if the following conditions are met:

a. Reciprocity of administrative assistance is ensured.

b. The information and personal data shall be used only for the procedure relating to data protection on which the request for assistance is based.

c. The receiving authority undertakes to maintain professional secrecy as well as business and manufacturing secrets.

d. The information and personal data shall be disclosed only if the authority that provided them so authorizes in advance.

e. The receiving authority undertakes to comply with the conditions and restrictions imposed by the authority that provided it with the information and personal data.

2 In order to justify its request for administrative assistance or to comply with the request of an authority, the FDPIC may in particular provide the following information:

a. Identity of the controller, processor or other third party involved;

b. Categories of data subjects;

c. Identity of the persons concerned, if:

1. the data subjects have consented, or

2. the communication of the identity of the data subjects is indispensable for the fulfillment of the legal tasks by the FDPIC or the foreign authority;

d. processed personal data or categories of processed personal data;

e. Processing purpose;

f. Recipients or the categories of recipients;

g. technical and organizational measures.

3 Before the FDPIC discloses to a foreign authority information that may contain a professional secret, business secret or trade secret, it shall inform the natural or legal persons concerned who are the bearers of these secrets and invite them to submit their comments, unless this is not possible or would require a disproportionate effort.

Bot Art. 49 Administrative assistance to foreign authorities (count. acc. to draft)

This new provision regulates administrative assistance between the Commissioner and foreign data protection authorities. The current Article 31(1)(c) DPA is limited to obliging the Commissioner to cooperate with the foreign data protection authorities.
The new provision transfers Article 50 of the Directive (EU) 2016/680 into Swiss law. It also meets the requirements of Articles 15 and 16 E‑SEV 108. The Regulation (EU) 2016/679 provides for an analogous regulation in Article 61.
The Commissioner would have favored an addition to the provision authorizing him to regulate the modalities of cooperation with foreign data protection authorities within the framework of an agreement. The Federal Council, on the other hand, prefers to stick to the delegation of authority pursuant to Article 61 E‑DPA.
Par. 1 Prerequisites
Pursuant to this provision, the Commissioner may, under certain conditions (subparagraphs a‑e), exchange information or personal data with foreign authorities responsible for data protection for the performance of their respective data protection tasks provided for by law.
According to the first requirement (subpara. a), reciprocity of administrative assistance in the area of data protection must be ensured between Switzerland and the foreign state. Secondly, in accordance with the principle of speciality, the information and personal data exchanged may only be used for the data protection proceedings in question on which the request for administrative assistance is based (subpara. b). If the data are subsequently to be used in criminal proceedings, the principles of international mutual legal assistance in criminal matters apply. The third and fourth requirements ensure that professional secrecy and commercial and industrial confidentiality are maintained (subparagraph (c)) and prohibit the disclosure of information and personal data without the prior consent of the authority that transmitted it (subparagraph (d)). Finally, the receiving authority must comply with the conditions and restrictions imposed by the authority that transmitted the information and personal data to it (subparagraph e).
The Commissioner may refuse a foreign authority’s request for administrative assistance, for example, if the requirements of Article 13 E‑DSG have not been met or if one of the reasons provided for in Article 32(6) E‑DSG precludes disclosure of personal data.
Par. 2 Disclosure of personal data
Paragraph 2(a‑g) determines what information the Commissioner may disclose to the foreign authority in order to substantiate his request for administrative assistance or to comply with the request of a foreign authority. In order to be allowed to forward the identity of the persons concerned, the commissioner requires the consent of each individual person (subparagraph c). The requirements of Article 5(6) E‑DSG apply to the consent (para. 2(c)(1)). Without consent, the identity may only be disclosed if this is indispensable for the fulfillment of the statutory tasks of the commissioner or the foreign authority (para. 2 let. c no. 2). These requirements correspond to those under Article 32 (2) letters a and b E‑DSG.
Par. 3 Opinion
Before the Commissioner discloses information in an administrative assistance procedure to a foreign authority responsible for data protection that may contain professional, business or trade secrets, he shall inform the persons concerned and invite them to comment. However, he shall be released from this obligation if the information is not possible or involves a disproportionate burden.

Section 4: Other tasks of the FDPIC

Art. 56 Register

The FDPIC maintains a register of the processing activities of federal bodies. The register is published.

Bot Art. 50 Register (count. acc. to draft)

The provision stipulates that the Commissioner shall keep a register of the data processing activities reported to him by the federal bodies (Art. 11(4)). This register is to be published as it is today.

Art. 57 Information

1 The FDPIC shall report annually to the Federal Assembly on his activities. At the same time, it shall forward it to the Federal Council. The report shall be published.

2 In cases of general interest, the FDPIC informs the public of his findings and rulings.

Bot Art. 51 Information (count. acc. to draft)

Apart from the fact that the Commissioner must now submit an annual activity report to the Federal Assembly and the Federal Council, paragraph 1 corresponds to the current Article 30 paragraph 1 FADP.
Paragraph 2 reinforces active information by the commissioner. The commissioner shall inform the public about his findings and rulings if there is a general public interest in doing so. The second sentence of Article 30(2) FADP is repealed. As an independent body, the commissioner must be able to determine for himself what he informs the public about. Data must be made anonymous unless there is an overriding public interest in its disclosure (Article 32 paragraphs 3 and 5 FADP). In addition, the requirements of Art. 32 Para. 6E-DSG apply.
The supervisory authority’s obligation to prepare an activity report is set out in Article 49 of the Directive (EU) 2016/680 and in Article 12(5)E‑SEV 108 provided. The Regulation (EU) 2016/679 contains an analogous provision in Article 59.

Art. 58 Other tasks

1 In addition, the FDPIC shall perform the following tasks in particular:

a. Provides information, training, and advice to federal agencies and private persons on privacy issues.

b. It shall support the cantonal bodies and cooperate with Swiss and foreign authorities responsible for data protection.

c. It shall raise awareness among the population, especially vulnerable persons, regarding data protection.

d. It shall provide data subjects, upon request, with information on how to exercise their rights.

e. It shall comment on draft decrees and measures of the Confederation that result in data processing.

f. It shall perform the duties assigned to it by the Public Information Act of 17 December 2004 or other federal laws.

g. It shall develop working tools as recommendations of good practice for the attention of controllers, order processors and data subjects; for this purpose, it shall take into account the specifics of the respective area as well as the protection of vulnerable persons.

2 It may also advise federal bodies that are not subject to its supervision in accordance with Articles 2 and 4. The federal bodies may allow him to inspect files.

3 The FDPIC is authorized to declare to foreign authorities responsible for data protection that direct service is permissible in the area of data protection in Switzerland, provided that Switzerland is granted reciprocal rights.

Bot Art. 52 Other tasks (count. acc. to draft)

In order to comply with Article 46(1)(d) and (e) of the Directive (EU) 2016/680 implement, the list of the commissioner’s competences is extended compared to the current law (Art. 31 FADP) supplemented. The new tasks also meet the requirements of Article 12(2)(e). E‑SEV 108. Pursuant to paragraph 1, the Commissioner has in particular the task of informing, training and advising federal bodies and private persons on data protection issues. This also includes appropriate information events or further training, namely for responsible persons in the public sector (subparagraph a). Another task is to raise awareness of data protection among the general public, especially vulnerable persons such as minors or the elderly (subpara. c). In addition, upon request, it provides information to data subjects on how to exercise their rights (subpara. d).
According to letter e, the Commissioner must be consulted on all proposals for federal decrees and measures that affect data processing, and not only on those that significantly affect data protection. This amendment corresponds to current practice.
Letter g provides that the Commissioner shall also develop guidelines and working tools for the attention of data controllers, processors and data subjects. He already performs this task today as part of his advisory activities (Art. 28, 30 and 31 FADP). It is also specified that he takes into account the special features of the individual data processing areas as well as the increased need for protection of particularly vulnerable persons such as minors, disabled persons or the elderly.
Paragraph 2 corresponds Article 31 paragraph 2 FADP.
Repeal of Art. 33 FADP
This provision may be repealed. Paragraph 1, according to which legal protection is governed by the general provisions on the administration of federal justice, is merely declaratory. Paragraph 2, in turn, is superfluous due to Article 44(2) E‑DSG.

Section 5: Fees

Art. 59

1 The FDPIC collects fees from private persons for:

a. the opinion on a code of conduct in accordance with Article 11 paragraph 2;

b. the approval of standard data protection clauses and binding corporate data protection rules pursuant to Article 16(2) letters d and e;

c. the consultation based on a data protection impact assessment pursuant to Article 23(2);

d. precautionary measures and measures under Article 51;

e. Consultations on data protection matters pursuant to Article 58(1)(a).

2 The Federal Council shall determine the amount of the fees.

3 It may specify the cases in which it is possible to waive or reduce the charge.

Bot Art. 53 (count. acc. to draft)

Pursuant to Article 33 (1) of the Data Protection Act, a fee is charged for the appraisals of the Commissioner for Private Persons. The provisions of the General Fees Ordinance of 8 September 2004 (AllgGebV) are applicable.
Pursuant to paragraph 1, the principle is established at the legislative level that the Commissioner must charge a fee for certain services provided to private persons. These include the opinion on a code of conduct (subparagraph a), the approval of standard data protection clauses and binding corporate data protection regulations (subparagraph b), consultation based on a data protection impact assessment (subparagraph c), measures pursuant to Articles 44(2) and 45 E‑DSG (subparagraph d), and consultations on data protection issues (subparagraph e). Conversely, it follows from paragraph 1 that no fee is charged for an investigation that is concluded without ordering precautionary measures or administrative measures.
Paragraph 2 instructs the Federal Council to determine the amount of the fees. In accordance with the requirements of Article 46a paragraph 1 RVOG it may only charge fees for the services pursuant to Article 53 paragraph 1 E‑DSG. In addition, he must set the amount of the fees so that they cover the costs of the activities (cost recovery principle). It is therefore not intended to finance the entire activity of the commissioner through fees. Only the costs of the activities referred to in paragraph 1 are to be covered. When regulating the tariff, the Federal Council may set a flat rate or an hourly rate depending on the service.
Under paragraph 3, the Federal Council may also specify the cases in which it is possible to waive or reduce the charging of a fee. For example, charging may be waived if there is an overriding public interest in the service and it contributes to the observance of data protection. Article 3(2)(a) AllgGebV contains a similar solution. The Commissioner may also defer, reduce or waive the fee if the controller or processor is a natural person or a small or medium-sized enterprise.
Fees are only charged in relation to private persons. With regard to advice to cantonal authorities, Article 3 paragraph 1 AllgGebV is applicable: The Federal Administration does not charge fees to intercantonal bodies, cantons and communes insofar as they grant reciprocal rights. Services for federal and cantonal bodies are provided free of charge.
Due to numerous critical comments on the preliminary draft, the Federal Council has fundamentally revised the penal provisions.
In the consultation (with reference to the Regulation [EU] 2016/679) called for the introduction of financial administrative sanctions. However, financial administrative sanctions of a punitive nature are an exception in Switzerland. They classically belong to areas where companies are subject to administrative supervision because they engage in an economic activity for which they require a license or permit or for which they receive government subsidies (e.g., in the postal system or for gambling). They were also introduced in antitrust law at a time when there was no corporate criminal liability in the StGB. Such administrative financial sanctions have a punitive character, which is why certain guarantees of criminal procedure must be observed. However, the basically applicable administrative procedure does not regulate these issues. Moreover, such sanctions involve the direct imputation of third-party fault to a company. This is what the legislator has done with corporate criminal liability under Article 102 StGB but rejected: The responsibility according to Article 102 StGB is not causal or strict liability, but requires specific organizational culpability. The introduction of administrative penalties in the DPA would greatly relativize this fundamental decision under criminal law through the back door of administrative law.
Moreover, in the area of data protection, such administrative sanctions would be particularly sensitive. The personal scope of the DPA is significantly broader than that of laws in areas where financial administrative sanctions are classically found and where economic activity is carried out by companies. Although the FADP is also directed at large companies, it equally covers SMEs and natural persons. Because there is no codified procedural law for administrative sanctions of a penal nature, there would be a risk, among other things, that the procedural position of natural persons would be undermined. This is particularly true because there are procedural differences between legal entities and natural persons in ancillary criminal law. In summary, the introduction of financial administrative sanctions in the DPA would thus create great legal uncertainty, which is hardly justifiable (not only in the area of data protection).
The Federal Council therefore wants to build on established structures with consolidated practice. In Switzerland, compliance with basic obligations under administrative law is ensured by means of administrative criminal law or ancillary criminal law. The norm addressees are natural persons. Although the obligation under administrative law is incumbent on the company, its violation is attributed to the management persons (cf. Art. 29 StGB and Art. 6 VStR). The concern expressed in the consultation that any employee of a company could be punished therefore proves to be unfounded. Sanctioning by criminal means also means that profits derived from DPA offenses and offense tools can thus be confiscated according to the provisions of the SCC (Art. 69 et seq. SCC). Moreover, the Commissioner should not issue criminal sanctions, because otherwise the organization of the Commissioner would have to be fundamentally changed and significantly expanded. The Federal Council therefore prefers the existing criminal prosecution system.
The criminal law provisions of the DPA must be strengthened compared to the current law. The sanctions must be dissuasive, as required by the E‑SEV 108 (Art. 10) and the Directive (EU) 2016/680 (Art. 57) is required. A penalty system that is too lenient may result in the EU deeming the Swiss regulation no longer appropriate. The main features of the proposed penalty system are as follows:

The penalization of negligent breaches of duty is waived in accordance with the most recent decisions of Parliament (cf. e.g. the draft on the Money Gaming Act). The Commissioner, on the other hand, would have preferred that negligence also be punishable.
The administrative duties were specified and the penalization was limited to essential duties.
To compensate, the Commissioner is given the authority to order compliance with the DPA obligations and to attach a threat of disobedience penalty. This model is widely used in ancillary criminal law (e.g., in the Federal Act of June 22, 2007 on the Swiss Financial Market Supervisory Authority [FINMASA]) and corresponds to the mechanism of Article 292 Criminal Code. If necessary, the commissioner may participate in cantonal criminal proceedings as a private plaintiff.
The upper limit of the fine is set by the Federal Council at a maximum of 250,000 Swiss francs. The increase is made in particular to comply with the Swiss law of the Regulation (EU) 2016/679 to approximate. However, it would be questionable to set the upper fine limit against natural persons even higher on the grounds that companies would not be deterred by low fines. The penal provisions of the E‑DSG are primarily directed at natural persons, in this case in particular at managers (cf. Article 29 StGB and Article 6 VStrR). It should be noted that under FINMASA, for example, negligent breaches of duty are punishable by a fine of up to 250,000 Swiss francs (Art. 44 et seq. FINMASA), while failure to comply with an order is punishable by a fine of up to 100,000 Swiss francs (Art. 48 FINMASA). The Commissioner, on the other hand, is of the opinion that the fines are not sufficiently dissuasive, especially as far as their amount is concerned.
Violation of professional confidentiality is a misdemeanor as before.
Insofar as data is processed by a company, the obligations derived from the DPA are generally incumbent on its managers. These are legally obligated to ensure compliance with these duties within the company. Violation of duties or disobedience of an order of the commissioner directed at the company will therefore be prosecuted in application of Art. 29 StGB and Art. 6 of the Corporate Governance Code are charged to the managers of the company and not to the employees who merely carry out the work.
Insofar as the fine does not exceed 50,000 Swiss francs, companies may, in application of Art. 7 VStrR be fined directly. This also takes into account the criticism voiced in the consultation.

Chapter 8: Penal provisions

Art. 60 Violation of information, disclosure and cooperation obligations

1 A fine of up to 250,000 francs shall be imposed on private persons on application:

a. who violate their obligations under Articles 19, 21 and 25 – 27 by intentionally providing false or incomplete information;

b. who intentionally fail to do so:

1. inform the data subject in accordance with Articles 19(1) and 21(1); or

2. provide it with the information referred to in Article 19(2).

2 A fine of up to 250,000 Swiss francs shall be imposed on private persons who, in breach of Article 49 paragraph 3, intentionally provide false information to the FDPIC in the course of an investigation or intentionally refuse to cooperate.

Bot Art. 54 Violation of information, disclosure and cooperation obligations (count. as per draft).

Article 54 E‑DSG adopts Article 34 FADPwith the exception of Article 34(2)(a) FADP, because the obligations regulated there are no longer included in the e‑DSG. In turn, however, the standard also refers to the new duty to provide information in the case of an automated individual decision (Art. 19 E‑DSG).
Paragraph 1(a) covers the intentional provision of false information, but also the intentional provision of incomplete information while creating the impression that the information is complete. The complete refusal to provide information, on the other hand, is not punishable under letter a, but under letter b, if applicable. However, a private person who untruthfully claims not to have any information on the data subject is liable to prosecution under paragraph 1(a).
Paragraph 1 letter b applies in cases where a private person completely fails to inform the data subject in accordance with Articles 17 paragraph 1 and 19 paragraph 1 or to provide him with the information in accordance with Article 17 paragraph 2. On the other hand, a private person who claims that he or she is not obliged to provide information by invoking Article 18 or 25 is not liable to prosecution. In such a case, the data subject knows that data processing is taking place. He or she is therefore in a position to assert his or her rights and to initiate civil proceedings in which it can be decided whether the refusal or restriction of the right to information or the obligation to provide information is justified. Paragraph 2 adopts Art. 34(2)(b) FADP, which makes it a criminal offense to provide false information or refuse to cooperate in an investigation by the Commissioner.
The violation of these duties shall continue to be an infraction, but the upper limit of the fine provided for this purpose shall be raised significantly and increased to 250,000 Swiss francs. The actual penalty shall be determined taking into account the economic situation of the offender (Art. 106 para. 3 SCC in conjunction with Art. 47 StGB). In minor cases, the company may be ordered to pay the fine instead of the responsible person. Furthermore, according to Article 52 StGB refrain from prosecution or punishment in minor cases.

Art. 61 Violation of duties of care

Fines of up to 250,000 francs shall be imposed on private persons, upon application, who intentionally:

a. disclose personal data abroad in breach of Article 16 paragraphs 1 and 2 and without the requirements of Article 17 being met;

b. hand over the data processing to a commissioned processor without the requirements of Article 9 paragraphs 1 and 2 being met;

c. fail to comply with the minimum data security requirements issued by the Federal Council in accordance with Article 8 paragraph 3.

Bot Art. 55 Violation of due diligence (count. acc. to draft)

This provision is new. It is necessary because the e‑DSG provides for new elementary obligations that are not covered by the current penal provisions. Effective protection of the personality of the data subjects is possible if the data controllers and the order processors meet their obligations. To encourage them to comply with the DPA, the Federal Council proposes this addition to the penalty provisions.
By its nature, the provision is likely to be directed primarily at persons with authority to issue directives, because the decision-making authority for the fulfillment of these duties is a management task (cf. also Art. 29 StGB).

Art. 62 Violation of professional secrecy

1 Any person who wilfully discloses secret personal data of which he or she has become aware in the exercise of his or her profession requiring knowledge of such data shall be liable on complaint to a fine of up to 250,000 francs.

2 Anyone who intentionally discloses secret personal data of which he or she has become aware while working for a person subject to the obligation of secrecy or during training with that person shall be liable to the same penalty.

3 The disclosure of secret personal data is punishable even after the end of the professional practice or training.

Bot Art. 56 Violation of professional secrecy (count. as per draft).

Since the DPA came into force, information and communication technology has developed immensely and its importance has increased markedly. Not least due to the mass distribution of smartphones, more and more data is being stored and processed by more and more people on more and more systems. Against this background, it is appropriate to extend the protection of secrets to all types of personal data. The decisive factor is that the data is secret. This corresponds to Article 320 and 321 StGBwhich are also based solely on whether the information in question is secret or not. The material concept of secrecy under criminal law thus applies. A secret protected by criminal law exists if
if the fact is not generally known or accessible, if the owner of the secret has an interest worthy of protection in the limited disclosure and if he also has the will to do so. Not every disclosure of personal data thus fulfills this element of the offense. The term “disclose” corresponds to that used in Articles 320 and 321 StGB and creates coherence with regard to the offense. Article 56 closes gaps left by the restricted scope of offenses in Articles 320 and 321 StGB (special offenses) arise. Article 56 E‑DSG therefore provides for a duty of confidentiality also for persons who are not covered by Article 320 or 321 StGB fall. Violation of the professional duty of confidentiality is a misdemeanor (application offense) and is punishable by a fine of up to 250,000 Swiss francs.
Paragraph 2 extends criminal liability to auxiliary persons (commissioned data processors) and trainees. The extension corresponds to the current DPA and, in substance, also to the regulation in Article 321 StGB (“auxiliary persons”). With the adoption of the Dispatch on the Information Security Act, the Federal Council has submitted to Parliament a corresponding amendment of Article 320 StGB proposed.
Disclosure may be justified by the consent of the person entitled. The general rules and the principles developed by case law and dogmatics within the framework of Article 321 item 2 SCC apply mutatis mutandis.
In practice, competition issues may arise, in particular with regard to Article 320 StGB (federal civil servants) and Art. 321 StGB (lawyers, doctors, etc.). However, this is already the case under current law, so this circumstance should not present any particular problems.

Art. 63 Disregarding orders

A fine of up to 250,000 Swiss francs shall be imposed on private individuals who wilfully fail to comply with an order of the FDPIC or a decision of the appellate authorities issued with reference to the threat of punishment under this article.

Bot Art. 57 Disregard of orders (count. acc. to draft)

Article 57 has been newly inserted by the Federal Council after the consultation. Analogous provisions are widespread in the ancillary criminal law of the Confederation. On the one hand, the article serves as compensation for the omission of numerous criminal provisions compared to the VE-DSG. On the other hand, this provision takes into account the questions relating to the principle nulla poena sine lege, which were frequently raised in the consultation. The same questions would have arisen in connection with administrative sanctions, because these are criminal in nature. The present solution allows the relevant provisions of the e‑DSG to continue to be drafted in a sufficiently general form without at the same time coming into conflict with the criminal law requirements for the precision of a legal regulation. In addition, this model facilitates the work of the competent law enforcement authorities and thus takes into account the concerns that were partially expressed in the consultation.
With Article 57 E‑DSG, the Commissioner has the option of ordering compliance with obligations under the E‑DSG (see Art. 45 (3) E‑DSG) and linking this to a threat of punishment. One advantage of this model is that the obligation can be specified in the order to the extent that there is no doubt for the addressee as to what he must or must not do. This also facilitates the work of the cantonal prosecution authority, which, in the event of non-compliance, must investigate the facts of the case upon notification by the commissioner and pass a judgment or issue a penalty order.
If the commissioner’s order is directed to an enterprise, criminal liability arises by virtue of Article 29 StGB with a management person: The duty that gives rise to the penalty, which is incumbent on the company, is attributed to the natural person. This also takes into account the criticism voiced in some cases during the consultation process.

Art. 64 Offenses in business establishments

1 Articles 6 and 7 of the Federal Act of 22 March 1974 on Administrative Criminal Law (VStrR) shall apply to offences committed in business establishments.

2 If a fine of no more than 50,000 Swiss francs is in question and if the determination of the amount of the fine in accordance with Article 6 VStrR If the prosecution of persons liable to prosecution would require investigative measures that would be disproportionate to the punishment imposed, the authorities may refrain from prosecuting such persons and instead continue the business (Art. 7 VStrR) to pay the fine.

Bot Art. 58 Offenses in business establishments (count. acc. to draft)

Article 58 incorporates Articles 6 and 7 of the Federal Act of 22 March 1974 on Administrative Criminal Law (VStrR). An explicit reference is necessary because the VStrR is in principle not applicable in the matter.
Article 6 paragraph 2 of the Criminal Code allows for the liability of the principal also in the area of the DPA. The obligations of the DPA are likely to be regularly addressed to the principal. Article 6 paragraph 2 of the DFR thus fulfills a similar function as Article 29 StGB and addresses criminal responsibility to the management level of the company, i.e. to executives who have decision-making and directive powers. This allows for an appropriate allocation of criminal responsibility in companies.
The amount of the fine, up to the upper limit of which it is possible to be fined after Article 7 VStrR to sentence a company to pay a fine instead of a natural person is increased to 50000 francs. This adjustment is necessary because the upper fine limit in the DPA is not 10,000 francs (Art. 106 para. 1 SCC), but 250,000 francs.

Art. 65 Competence

1 The prosecution and adjudication of criminal acts are the responsibility of the cantons.

2 The FDPIC may file a complaint with the competent prosecuting authority and exercise the rights of a private plaintiff in the proceedings.

Bot Art. 59 Competence (count. acc. to draft)

As is the case today, the prosecution and adjudication of criminal acts is fundamentally the responsibility of the cantons.
The Commissioner has the right to file a complaint and may participate in cantonal criminal proceedings as a private plaintiff (Art. 118 ff. StPO). He can therefore challenge discontinuation orders and appeal against cantonal judgments if this appears necessary in the interests of uniform application of the DPA. However, it cannot appeal against penalty orders and the sentence, which does not appear to be necessary in view of its duties.

Art. 66 Limitation period for prosecution

The statute of limitations for criminal prosecution is five years.

Bot Art. 60 Limitation of prosecution (count. acc. to draft)

The statute of limitations for violations is as follows Article 109 StGB three years. Data protection investigations require technological knowledge and can be costly. To ensure that criminal proceedings in the data protection area do not fail because the statute of limitations is too short, the Federal Council is proposing an increase to five years.

Chapter 9: Conclusion of State Treaties

Art. 67

The Federal Council may conclude state treaties concerning:

a. international cooperation between data protection authorities;

b. the mutual recognition of adequate protection for the disclosure of personal data abroad.

Bot Art. 61 (count. acc. to draft)

This provision replaces Article 36(5) FADPwhich is too vague, taking into account the applicable principles regarding the delegation of authority. According to Article 61 of the Federal Data Protection Act, the Federal Council may conclude international treaties with one or more subjects of international law (state, international organization) in two cases. According to letter a, the Federal Council may conclude state treaties that concern international cooperation between data protection authorities. This provision refers, for example, to cooperation agreements on the model of the Agreement of 17 May 2013 between the Swiss Confederation and the European Union on cooperation in the application of their competition laws. Pursuant to letter b, the Federal Council may also conclude state treaties on the mutual recognition of an adequate level of protection for the cross-border disclosure of data.
The remaining paragraphs of Article 36 FADP are repealed. Paragraphs 1 and 4 are superfluous insofar as the practice of expressly stating that the Federal Council must issue implementing provisions has been abandoned. Paragraph 3, according to which the Federal Council may provide for derogations from Articles 8 and 9 for the provision of information by Swiss diplomatic and consular representations abroad, can also be repealed. Paragraph 6, in turn, is obsolete, since the Federal Council has never exercised its authority to regulate how to secure data collections whose data could endanger the life and limb of the persons concerned in the event of war or crisis.
Repeal of Art. 37 FADP
The consultation process has shown that Article 37 FADP is superfluous and must be repealed. Today, all cantons have data protection regulations that ensure adequate protection with regard to the requirements of Convention ETS 108 and the corresponding additional protocol.

Chapter 10: Final Provisions

Art. 68 Repeal and amendment of other enactments

The repeal and amendment of other enactments are regulated in Annex 1.

Bot Art. 62 Repeal and amendment of other enactments (count. acc. to draft)

The repeal and amendment of other enactments is commented on in section 9.2.

Art. 69 Transitional provisions concerning current processing operations

Articles 7, 22 and 23 are not applicable to data processing that was started before the entry into force of this Act, if the purpose of processing remains unchanged and no new data is obtained.

Bot Art. 64 Transitional provisions concerning processing (count. acc. to draft)

Article 64 contains various transitional rules concerning processing.
Para. 1
Paragraph 1 concerns data processing that has been completed at the time this Act enters into force. This concerns data processing that was carried out entirely in accordance with the old law and which also does not continue after the entry into force. Such processing will continue to be carried out entirely in accordance with the previous law. For example, completed processing that is lawful under the previous law cannot become unlawful when the new law comes into force. However, this does not apply to the right to information (Art. 23 – 25); after the new law comes into force, this is governed exclusively by the new law, even with regard to data and data processing that took place entirely under the old law.
Para. 2
Paragraph 2 concerns data processing that was started under the previous law and continues after the law comes into force, but for which the new law has tightened the requirements. One example of this is the case where a violation of privacy exists under the new law because the requirements for the justification reason have been changed. In principle, such processing may be continued for 2 years without further adjustments. During this time, the person responsible must ensure that these processing operations are converted to a lawful state in accordance with the new law.
Paragraph 2 does not concern the obligations under Articles 6, 20 and 21, which are covered by paragraph 3.
Para. 3
Paragraph 3 relates to data processing that was commenced under the previous law and continues after the Act comes into force. Articles 6, 20 and 21 do not apply to such processing if the purpose of the processing remains unchanged and no new data are obtained. In this case, the processing may be continued without meeting the requirements of Article 6. Likewise, a data protection impact assessment does not have to be subsequently prepared for these processing operations. This regulation is based in particular on the fact that the obligations in Articles 6 and 20 f. are primarily to be fulfilled in advance of data processing. The data controllers should not be obliged to fulfill these obligations retrospectively.
If the requirements of paragraph 3 are not met, the obligations under Articles 6, 20 and 21 shall also apply to processing that was commenced under the previous law and continues after the Act comes into force. With the exception of the scope of Directive (EU) 2016/680 however, these provisions do not come into force until two years after the law comes into force, so there is a two-year transition period to comply with these obligations.
Para. 4
Paragraph 4 concerns all data processing that is not covered by paragraphs 1 to 3. In particular, this includes data processing that was not started until after the law came into force, but also data processing that is lawful under both the previous law and the new law. For these data processing operations, the new law applies from the time the provisions in question come into force.

Art. 70 Transitional provision concerning ongoing proceedings

This Act does not apply to investigations by the FDPIC that are pending at the time of its entry into force; it also does not apply to pending appeals against first-instance decisions issued before its entry into force. These cases are subject to the previous law.

Bot Art. 65 Transitional provision concerning ongoing procedures (count. acc. to draft)

In order to ensure legal certainty and compliance with the principle of good faith, this provision requires that investigations by the Commissioner, which are conducted in the
pending at the time of the entry into force of the future FADP, as well as appeals against pending first-instance decisions are subject to the previous law. This concerns both the substantive data protection provisions and the powers of the Commissioner and the other applicable procedural provisions.

Art. 71 Transitional provision concerning data of legal entities

For federal bodies, provisions in other federal decrees relating to personal data shall continue to apply to data relating to legal persons for five years after this Act comes into force. In particular, for five years after this Act comes into force, federal bodies may continue to disclose data relating to legal persons in accordance with Article 57s paragraphs 1 and 2 of the Government and Administration Organisation Act of 21 March 1997 if they are authorised to disclose personal data on the basis of a legal foundation.

Bot Art. 66 Transitional provision concerning data of legal entities (count. acc. to draft)

The abolition of the protection of data of legal persons in the E‑DSG and the restriction of the concept of personal data in Article 4 letter a E‑DSG to information that relates to an identified or identifiable natural person has various implications for data processing by federal bodies. In particular, this innovation means that the federal legal bases authorizing federal bodies to process and disclose personal data will in future no longer be applicable if data relating to legal persons is processed or disclosed. Due to the in Article 5 paragraph 1 BV However, in accordance with the principle of legality, every government action – and thus also every government data processing or data disclosure – requires a legal basis (cf. also Article 13 para. 2, Article 27 and Article 36 of the Federal Constitution). The draft law therefore introduces a number of provisions in the RVOG for federal bodies that regulate their handling of data of legal persons (cf. Section 9.2.8). Particular mention should be made of Article 57r E‑RVOG, which creates a general legal basis for the processing of data of legal persons by federal bodies, and Article 57s E‑RVOG, which – analogous to Article 32 E‑DSG concerning the disclosure of personal data – contains the requirements for the legal basis for the disclosure of data of legal persons. Unlike Article 57r E‑RVOG, Article 57s E‑RVOG thus does not constitute a legal basis for specific data disclosures by federal bodies, which is why a disclosure of data of legal persons must always be able to be based on a special legal basis in the future as well. An amendment of all previous legal bases (which, due to the amendments in the E‑DSA, will largely only be applicable to natural persons) would not be appropriate in the context of this bill, as this would considerably lengthen the draft bill and the dispatch. It therefore seems more expedient to the Federal Council to thoroughly review the special data protection provisions after the parliamentary deliberations on this bill and to examine which provisions that currently relate to the handling of data of legal persons by federal bodies should continue to be retained or must be adapted or repealed. In order to avoid any legal gaps in the meantime, a transitional provision is introduced for federal bodies in Article 66 of the e‑DSG, which provides for the continued application of such special-law federal provisions (in laws in both the formal and substantive sense) relating to the data of legal persons for five years after the e‑DSG comes into force for federal bodies. In particular, during this period federal bodies should be able to rely on the previous legal basis for the disclosure of personal data for the disclosure of data of legal persons.
Only in very isolated cases, where this is already appropriate today for reasons of practicability and legal certainty, will special legal provisions relating to the data of legal persons be reviewed and adapted within the framework of this bill. This concerns the following enactments:

the BGÖ (cf. item 9.2.7: Art. 3 par. 2, 9, 11, 12 par. 2 and 3, 15 par. 2 letter b);
the RVOG (cf. item 9.2.8: Art. 57h, 57h, 57i, 57j, 57k introductory sentence, 57l subject heading and introductory sentence, 57r, 57s and57t);
the Audit Supervision Act of December 16, 2005 (cf. Section 9.2.12: Art. 15b);
the Federal Statistics Act of 9 October 1992 (cf. para. 9.2.24: arts. 5 para. 2 let. a and para. 4 let. a, 14 para. 1, 14a para. 1, 15 para. 1, arts. 16 para. 1 and 19 para. 2);
the Federal Act of 17 June 2005 against Undeclared Work (cf. para. 9.2.56: Art. 17 subject heading, paras. 1, 2 and 4 as well as Art. 17a);
the National Bank Law of October 3, 2003 (cf. para. 9.2.66: art. 16 par. 5 and art. 49a);
the Federal Law of 19 March 1976 on International Development Cooperation and Humanitarian Aid (cf. para. 9.2.69: Art. 13a para. 1);
the Energy Act of September 30, 2016 (cf. item 13.7: articles 56 par. 1, 58 subject heading, par. 1 and 3, and article 59 subject heading, par. 1 and 2) and the Electricity Supply Act to be amended by the Energy Act of September 30, 2016(cf. item 13.7: articles 17c par. 1 and 27 par. 1)

Art. 72 Transitional provision concerning the election and termination of the term of office of the commissioner

1 The election of the Commissioner and the termination of his or her term of office shall be governed by the previous law until the end of the legislative period in which this Act enters into force.
2 If, when the Commissioner is elected for the first time by the United Federal Assembly, the previous incumbent is elected, the new term of office of the Commissioner shall begin on the day after the election.

Art. 72a Transitional provision concerning the employment relationship of the commissioner

The employment relationship of the appointee established under the previous law shall be governed by the previous law.

Art. 73 Coordination

Coordination with other decrees is regulated in Annex 2.

Art. 74 Referendum and entry into force

1 This Act is subject to an optional referendum.

2 The Federal Council shall determine the date of entry into force.

FDPA

Content

Ingress mes­sa­ge

Chap­ter 1: Pur­po­se and Scope and Fede­ral Super­vi­so­ry Authority

Art. 1 Purpose

Bot Art. 1 Pur­po­se (count. acc. to draft)

Art. 2 Per­so­nal and mate­ri­al scope of application

Bot Art. 2 Scope (count. acc. to draft)

Art. 3 Ter­ri­to­ri­al scope

Art. 4 Fede­ral Data Pro­tec­tion and Infor­ma­ti­on Commissioner

Bot Art. 3 Fede­ral Data Pro­tec­tion and Infor­ma­ti­on Com­mis­sio­ner (count. acc. to draft)

Chap­ter 2: Gene­ral provisions

Sec­tion 1: Terms and principles

Art. 5 Terms

Bot Art. 4 Terms (count. acc. to draft)

Art. 6 Principles

Bot Art. 5 Prin­ci­ples (count. acc. to draft)

Art. 7 Data pro­tec­tion by design and pri­va­cy-fri­end­ly default settings

Bot Art. 6 Data pro­tec­tion through tech­no­lo­gy and data pro­tec­tion-fri­end­ly default set­tings (count. acc. to draft)

Art. 8 Data security

Bot Art. 7 Data secu­ri­ty (count. acc. to draft)

Art. 9 Pro­ce­s­sing by order processors

Bot Art. 8 Pro­ce­s­sing by order pro­ces­sor (count. acc. to draft)

Art. 10 Data pro­tec­tion advisor

Bot Art. 9 Data pro­tec­tion advi­ser ‑advi­ser (count. acc. to draft).

Art. 11 Codes of conduct

Bot Art. 10 Codes of con­duct (count. acc. to draft)

Art. 12 List of pro­ce­s­sing activities

Bot Art. 11 List of pro­ce­s­sing acti­vi­ties (count. acc. to draft)

Art. 13 Certification

Bot Art. 12 Cer­ti­fi­ca­ti­on (count. acc. to draft)

Sec­tion 2: Data Pro­ce­s­sing by Pri­va­te Con­trol­lers with Seat or Resi­dence Abroad