The currently applicable version of the DPA. The texts have been converted automatically – thank you for pointing out errors. The
Regulation to this (VDSG) can be found here, the revised version of the DSG
here.
Section 1: Purpose, Scope and Terms
Art. 1 Purpose
This law aims to protect the personality and fundamental rights of persons about whom data are processed.
Art. 2 Scope
1 This Act applies to the processing of data of natural and legal persons by:
a private persons;
b Federal bodies.
2 It is not applicable to:
a Personal data that a natural person processes exclusively for personal use and does not disclose to outsiders;
b deliberations in the Federal Councils and in the parliamentary commissions;
c pending civil proceedings, criminal proceedings, international legal assistance proceedings, and proceedings under state and administrative law, with the exception of first-instance administrative proceedings;
d public registers of private legal transactions;
e Personal data processed by the International Committee of the Red Cross.
Art. 3 Terms
The following expressions mean:
a. Personal data: all data relating to an identified or identifiable person;
b. Data subjects: natural or legal persons about whom data are processed;
c. Personal data requiring special protection: Data about:
1. religious, ideological, political, or trade union views or activities,
2. health, privacy, or race,
3. Social assistance measures,
4. administrative or criminal prosecutions and sanctions;
d. Personality profile: a set of data that allows an assessment of essential aspects of a natural person’s personality;
e. Processing: any handling of personal data, regardless of the means and procedures used, in particular obtaining, storing, using, reprocessing, disclosing, archiving or destroying data;
f. Disclosure: the making available of personal data such as the granting of access, passing on or publication;
g. Data collection: any set of personal data that is structured in such a way that the data is accessible by data subject;
h. Federal bodies: federal authorities and agencies as well as persons, insofar as they are entrusted with public tasks of the federal government;
i. Data collection owners: private persons or federal bodies that decide on the purpose and content of the data collection;
j. Law in the formal sense:
1. federal laws,
2. decisions of international organizations that are binding on Switzerland and international treaties with legislative content that have been approved by the Federal Assembly;
k. …
Section 2: General data protection provisions
Art. 4 Principles
1 Personal data may only be processed lawfully.
2 Their processing must be carried out in good faith and must be proportionate.
3 Personal data may only be processed for the purpose that was stated when it was obtained, is evident from the circumstances or is provided for by law.
4 The acquisition of personal data and in particular the purpose of its processing must be recognizable to the data subject.
5 If the consent of the data subject is required for the processing of personal data, this consent shall only be valid if it is given voluntarily after appropriate information. In the case of the processing of personal data or personality profiles requiring special protection, consent must also be given expressly.
Art. 5 Accuracy of the data
1 Anyone who processes personal data must ensure that it is accurate. He must take all reasonable measures to ensure that data which is inaccurate or incomplete with regard to the purpose for which it was obtained or processed is corrected or destroyed.
2 Any data subject may request that inaccurate data be corrected.
Art. 6 Cross-border disclosure
1 Personal data may not be disclosed abroad if this would seriously jeopardize the personality of the persons concerned, in particular because there is no legislation that ensures adequate protection.
2 In the absence of legislation that ensures adequate protection, personal data may be disclosed abroad only if:
a sufficient guarantees, in particular by contract, ensure adequate protection abroad;
b the data subject has consented in the individual case;
c the processing is directly related to the conclusion or execution of a contract and involves personal data of the contractual partner;
d the disclosure is indispensable in the individual case either for the protection of an overriding public interest or for the establishment, exercise or enforcement of legal claims in court;
e the disclosure is necessary in the individual case to protect the life or physical integrity of the data subject;
f the data subject has made the data generally accessible and has not expressly prohibited processing;
g the disclosure takes place within the same legal entity or company or between legal entities or companies under common management, provided that the parties involved are subject to data protection rules that ensure adequate protection.
3 The Federal Data Protection and Information Commissioner (Commissioner, Article 26) must be informed of the guarantees under paragraph 2 letter a and the data protection rules under paragraph 2 letter g. The Federal Council shall regulate the details of this duty to inform.
Art. 7 Data security
1 Personal data must be protected against unauthorized processing by appropriate technical and organizational measures.
2 The Federal Council shall issue more detailed provisions on the minimum requirements for data security.
Art. 7a
[lifted]
Art. 8 Right to information
1 Any person may request information from the controller of a data file as to whether data relating to them is being processed.
2 The data controller must inform the data subject:
a all data available about them in the data collection, including available information about the origin of the data;
b the purpose and, where applicable, the legal basis of the processing, as well as the categories of personal data processed, the parties involved in the collection and the data recipients.
3 Data relating to health may be communicated by the controller of the data file to the data subject by a physician designated by the data subject.
4 If the controller of the data file has personal data processed by a third party, the controller remains obliged to provide information. The third party is obliged to provide information if it does not disclose the data controller or the data controller is not domiciled in Switzerland.
5 As a rule, the information must be provided in writing, in the form of a printout or photocopy and free of charge. The Federal Council shall regulate the exceptions.
6 No one may waive the right to information in advance.
Art. 9 Limitation of the right to information
1 The controller of the data file may refuse, restrict or postpone the provision of information to the extent that:
a a law in the formal sense provides for this;
b it is necessary due to overriding interests of third parties.
2 A federal body may also refuse, restrict or postpone the provision of information to the extent that:
a it is necessary due to overriding public interests, in particular the internal or external security of the Confederation;
b the information calls into question the purpose of a criminal investigation or other investigative proceedings.
3 As soon as the reason for refusing, restricting or deferring information ceases to apply, the federal body must provide the information unless this is impossible or possible only at disproportionate expense.
4 The private owner of a data file may also refuse, restrict or postpone the provision of information insofar as his own overriding interests so require and he does not disclose the personal data to third parties.
5 The controller of the data file must state the reason for which he refuses, restricts or postpones the information.
Art. 10 Restrictions on the right to information for media professionals
1 The owner of a data file that is used exclusively for publication in the editorial section of a periodical medium may refuse, restrict or postpone the provision of information insofar as:
a the personal data provide information about the sources of information;
b insight into drafts for publications would have to be given;
c the public’s freedom of opinion would be jeopardized.
2 Media professionals may also refuse, restrict or postpone the provision of information if a data collection serves them exclusively as a personal work tool.
Art. 10a Data processing by third parties
1 The processing of personal data may be transferred to third parties by agreement or by law if:
a the data are processed only as the client himself would be allowed to do; and
b no legal or contractual confidentiality obligation prohibits it.
2 In particular, the Client must ensure that the third party guarantees data security.
3 Third parties may assert the same grounds for justification as the Client.
Art. 11 Certification procedure
1 In order to improve data protection and data security, manufacturers of data processing systems or programs and private individuals or federal bodies that process personal data may subject their systems, procedures and organization to an assessment by recognized independent certification bodies.
2 The Federal Council shall issue regulations on the recognition of certification procedures and the introduction of a data protection quality mark. In doing so, it shall take into account international law and internationally recognized technical standards.
Art. 11a Register of data collections
1 The Commissioner shall maintain a register of data collections that is accessible via the Internet. Any person may consult the register.
2 Federal bodies must register all data collections with the Commissioner for registration.
3 Private individuals must register data collections if:
a particularly sensitive personal data or personality profiles are regularly processed; or
b personal data is regularly disclosed to third parties.
4 Data collections must be registered before they are opened.
5 Contrary to the provisions of paragraphs 2 and 3, the owner of data collections need not declare his collections if:
a private persons process data on the basis of a legal obligation;
b the Federal Council has exempted a processing operation from the notification requirement because it does not jeopardize the rights of the persons concerned;
c it uses the data exclusively for publication in the editorial section of a periodically published medium and does not pass on any data to third parties without the persons concerned being aware of this;
d the data is processed by journalists who use the data collection exclusively as a personal work tool;
e it has designated a data protection officer who independently monitors internal compliance with data protection regulations and maintains a register of data collections;
f it has obtained a data protection quality mark on the basis of a certification procedure pursuant to Article 11 and the result of the assessment has been communicated to the Commissioner.
6 The Federal Council shall regulate the modalities for the registration of data files, the maintenance and publication of the register, as well as the position and duties of the data protection officers in accordance with paragraph 5 letter e and the publication of a list of data file owners who are exempt from the obligation to register in accordance with paragraph 5 letters e and f.
Section 3: Processing of personal data by private persons
Art. 12 Violation of personality rights
1 Anyone who processes personal data must not unlawfully infringe the personality of the persons concerned.
2 In particular, it may not:
a process personal data contrary to the principles of Articles 4, 5(1) and 7(1);
b process data of a person against his or her explicit will without justification;
c disclose sensitive personal data or personality profiles to third parties without justification.
3 As a rule, there is no violation of privacy if the data subject has made the data generally accessible and has not expressly prohibited processing.
Art. 13 Grounds for justification
1 An infringement of personality rights is unlawful if it is not justified by the consent of the person infringed, by an overriding private or public interest or by law.
2 An overriding interest of the person processing the data comes into consideration in particular if that person:
a processes personal data about its contractual partner in direct connection with the conclusion or performance of a contract;
b is or intends to be in economic competition with another person and processes personal data for this purpose without disclosing it to third parties;
c processes neither sensitive personal data nor personality profiles for the purpose of checking the creditworthiness of another person and only discloses data to third parties that they require for the conclusion or performance of a contract with the data subject;
d professionally processes personal data exclusively for publication in the editorial section of a periodical medium;
e processes personal data for non-personal purposes, in particular in research, planning and statistics, and publishes the results in such a way that the persons concerned cannot be identified;
f collects data about a public figure, provided that the data relates to that person’s activities in public.
Art. 14 Transparency and information when obtaining personal data and personality profiles requiring special protection
1 The controller of the data file is obliged to inform the data subject about the procurement of personal data or personality profiles requiring special protection; this duty to inform also applies if the data is obtained from third parties.
2 The person concerned must at least be informed of:
a the owner of the data collection;
b the purpose of editing;
c the categories of data recipients, if data disclosure is foreseen.
3 If the data are not obtained from the data subject, the data subject must be informed at the latest when the data are stored or, if the data are not stored, when they are first disclosed to third parties.
4 The duty of the controller of the data file to provide information shall not apply if the data subject has already been informed or, in cases under paragraph 3, if:
a the storage or disclosure of the data is expressly provided for by law; or
b the information is not possible or only possible with disproportionate effort.
5 The controller of the data file may refuse, restrict or postpone the provision of information under the conditions specified in Article 9 paragraphs 1 and 4.
Art. 15 Legal claims
1 Actions for the protection of personality shall be governed by Articles 28, 28a and 28l of the Civil Code. The complaining party may in particular demand that data processing be blocked, that no data be disclosed to third parties or that the personal data be corrected or destroyed.
2 If neither the accuracy nor the inaccuracy of personal data can be demonstrated, the complaining party may request that a corresponding note be added to the data.
3 The claimant may also request that the correction, the destruction, the blocking, namely the blocking of disclosure to third parties, the note of contest or the judgment be communicated to third parties or published.
4 The court shall decide on actions to enforce the right to information in simplified proceedings in accordance with the Code of Civil Procedure of 19 December 2008.
Section 4: Processing of Personal Data by Federal Bodies
Art. 16 Responsible body and control
1 The federal body that processes the personal data or has it processed in the performance of its duties is responsible for data protection.
2 If federal bodies process personal data together with other federal bodies, with cantonal bodies or with private persons, the Federal Council may specifically regulate the control of and responsibility for data protection.
Art. 17 Legal bases
1 Federal bodies may process personal data if there is a legal basis for doing so.
2 They may process personal data requiring special protection and personality profiles only if a law in the formal sense expressly provides for it or in exceptional cases:
a it is indispensable for a task clearly defined in a law in the formal sense;
b the Federal Council approves it in an individual case because the rights of the person concerned are not at risk; or
c the data subject has consented in the individual case or has made his/her data generally accessible and has not expressly prohibited processing.
Art. 17a Automated data processing within the scope of pilot tests
1 The Federal Council may, after obtaining the opinion of the Commissioner, authorise the automated processing of personal data or personality profiles requiring special protection in the formal sense before a law comes into force if:
a the tasks requiring such processing are regulated in a law in the formal sense;
b sufficient measures are taken to prevent violations of privacy;
c the practical implementation of data processing requires a test phase before the law comes into force in the formal sense.
2 The practical implementation of data processing may require a test phase if:
a the performance of a task requires technical innovations, the effects of which must first be evaluated;
b the performance of a task requires significant organizational or technical measures, the effectiveness of which must first be tested, particularly in the case of cooperation between federal and cantonal bodies; or
c it requires the transmission of particularly sensitive personal data or personality profiles to cantonal authorities by means of a retrieval procedure.
3 The Federal Council shall regulate the modalities of automated data processing in an ordinance.
4 The competent federal body shall submit an evaluation report to the Federal Council within two years of the pilot system going into operation. In this report, it shall propose the continuation or discontinuation of the processing.
5 Automated data processing must be discontinued in any case if, within five years of the pilot system going into operation, no law in the formal sense has come into force that includes the necessary legal basis.
Art. 18 Obtaining personal data
1 In the case of systematic surveys, namely with questionnaires, the federal body shall disclose the purpose and legal basis of the processing, the categories of persons involved in the data collection and the data recipients.
2 …
Art. 18a Transparency and information when obtaining personal data
1 Federal bodies are obliged to inform the data subject about the procurement of personal data; this duty to inform also applies if the data are obtained from third parties.
2 The person concerned must at least be informed of:
a the owner of the data collection;
b the purpose of editing;
c the categories of data recipients, if data disclosure is foreseen;
d the right to information under Article 8;
e the consequences of a refusal by the data subject to provide the requested personal data.
3 If the data are not obtained from the data subject, the data subject must be informed at the latest when the data are stored or, if the data are not stored, when they are first disclosed to third parties.
4 The duty of the federal bodies to provide information does not apply if the person concerned has already been informed or, in cases under paragraph 3, if:
a the storage or disclosure of the data is expressly provided for by law; or
b the information is not possible or only possible with disproportionate effort.
5 If the duty to provide information would impair the competitiveness of a federal body, the Federal Council may limit it to the procurement of personal data requiring special protection and of personality profiles.
Art. 18b Restriction of transparency and information
1 Federal bodies may refuse, restrict or postpone the provision of information under the conditions specified in Article 9 paragraphs 1 and 2.
2 As soon as the reason for the refusal, restriction or deferral ceases to apply, the federal bodies shall be bound by the duty to provide information, unless this is impossible or can be fulfilled only with disproportionate effort.
Art. 19 Disclosure of personal data
1 Federal bodies may disclose personal data only if there is a legal basis for doing so within the meaning of Article 17 or if:
a the data is indispensable for the recipient in the individual case for the fulfillment of its legal task;
b the data subject has consented in the individual case;
c the data subject has made his/her data generally available and has not expressly prohibited disclosure; or
d the recipient credibly demonstrates that the data subject refuses consent or blocks disclosure in order to prevent him/her from enforcing legal claims or protecting other interests worthy of protection; the data subject must be given the opportunity to comment beforehand, if possible.
1bis Within the framework of official information to the public, federal bodies may also disclose personal data ex officio or on the basis of the Public Information Act of 17 December 2004 if:
a the personal data concerned are related to the performance of public duties; and
b in the disclosure of which there is an overriding public interest.
2 Federal bodies may also disclose the surname, first name, address and date of birth of a person on request if the requirements of paragraph 1 are not fulfilled.
3 Federal bodies may make personal data accessible by means of a retrieval procedure if this is expressly provided for. Personal data requiring special protection and personality profiles may only be made accessible by means of a retrieval procedure if a law in the formal sense expressly provides for this.
3bis Federal bodies may make personal data accessible to anyone by means of automated information and communication services if a legal basis provides for the publication of this data or if they make information accessible to the public on the basis of paragraph 1bis. If the public interest in making the data accessible no longer exists, the data concerned shall be removed from the automated information and communication service.
4 The federal body shall refuse, restrict or impose conditions on disclosure if:
a essential public interests or interests of a data subject which are manifestly worthy of protection so require, or
b statutory confidentiality obligations or special data protection regulations require it.
Art. 20 Blocking of disclosure
1 A data subject who credibly demonstrates an interest worthy of protection may request the federal body responsible to block the disclosure of specific personal data.
2 The federal body shall refuse to block or shall unblock if:
a there is a legal obligation to disclose; or
b the fulfillment of its task would otherwise be jeopardized.
3 The blocking is subject to Article 19 paragraph 1bis.
Art. 21 Offer of documents to the Federal Archives
1 In accordance with the Archiving Act of 26 June 1998, federal bodies shall offer to the Federal Archives all personal data that they no longer require on a permanent basis.
2 The federal bodies shall destroy personal data designated by the Federal Archives as not being of archival value, unless:
a are anonymized;
b must be retained for evidentiary or security purposes or to protect the legitimate interests of the data subject.
Art. 22 Edit for research, planning and statistics
1 Federal bodies may process personal data for non-personal purposes, in particular for research, planning and statistics, if:
a the data will be anonymized as soon as the purpose of the processing allows it;
b the recipient discloses the data only with the consent of the federal entity; and
c the results are published in such a way that the persons concerned cannot be identified.
2 The requirements of the following provisions need not be met:
a Article 4(3) on the purpose of processing
b Article 17(2) on the legal basis for the processing of personal data and personality profiles requiring special protection;
c Article 19(1) on disclosure of personal data.
Art. 23 Activities of federal bodies under private law
1 If a federal body acts under private law, the provisions for the processing of personal data by private persons apply.
2 Supervision shall be governed by the provisions applicable to federal bodies.
Art. 24
[lifted]
Art. 25 Claims and procedure
1 Anyone who has an interest that is worthy of protection may demand that the responsible federal body:
a refrains from unlawful processing of personal data;
b eliminates the consequences of unlawful processing;
c establishes the unlawfulness of the processing.
2 If neither the accuracy nor the inaccuracy of personal data can be proven, the federal body must make a corresponding note with the data.
3 The applicant may in particular request that the federal body:
a corrects or destroys personal data or blocks disclosure to third parties;
b notifies or publishes its decision, namely the correction, destruction, blocking or the note of contestation to third parties.
4 The procedure shall be governed by the Federal Act of 20 December 1968 on Administrative Procedure (Administrative Procedure Act). The exceptions in Articles 2 and 3 of the Administrative Procedure Act do not apply.
Art. 25bis Procedure in the case of disclosure of official documents containing personal data
As long as a procedure concerning access to official documents within the meaning of the Public Access Act of 17 December 2004, which contain personal data, is in progress, the person concerned may, within the framework of this procedure, assert the rights to which he or she is entitled under Article 25 of this Act in relation to those documents which are the subject of the access procedure.
Section 5: Federal Data Protection and Information Commissioner
Art. 26 Election and position
1 The Commissioner shall be elected by the Federal Council for a term of four years. The election shall be approved by the Federal Assembly.
2 Unless otherwise provided for in this Act, the employment relationship of the Commissioner shall be governed by the Federal Personnel Act of 24 March 2000.
3 The Commissioner shall exercise his function independently, without receiving instructions from any authority. He is administratively assigned to the Federal Chancellery.
4 It shall have a permanent secretariat and its own budget. He hires his staff.
5 The appointee shall not be subject to the appraisal system pursuant to Article 4 paragraph 3 of the Federal Personnel Act of 24 March 2000.
Art. 26a Re-election and termination of the term of office
1 If the Federal Council does not order non-re-election at the latest six months before the expiry of the term of office for objectively sufficient reasons, the Commissioner shall be re-elected for a new term of office.
2 The Commissioner may request the Federal Council to dismiss him or her with effect from the end of a month, subject to six months’ notice.
3 The Federal Council may remove the Commissioner from office before the expiry of the term of office if the Commissioner:
a has seriously violated official duties intentionally or through gross negligence; or
b has permanently lost the ability to hold office.
Art. 26b Other employment
The Federal Council may permit the Commissioner to engage in other employment if this does not impair the Commissioner’s independence and reputation.
Art. 27 Supervision of federal bodies
1 The Commissioner shall supervise compliance by federal bodies with this Act and the other federal data protection regulations. The Federal Council is exempt from this supervision.
2 The commissioner shall clarify the facts in more detail on his own initiative or on notification by third parties.
3 In the course of the investigation, it may request the production of files, obtain information and be shown data processing. The federal bodies must cooperate in establishing the facts. The right to refuse to testify in accordance with Article 16 of the Administrative Procedure Act52 shall apply mutatis mutandis.
4 If the clarification reveals that data protection regulations are being violated, the Commissioner shall recommend to the federal body responsible that the processing be modified or discontinued. He shall inform the responsible department or the Federal Chancellery of his recommendation.
5 If a recommendation is not followed or is rejected, he may submit the matter to the Department or the Federal Chancellery for a decision. The decision shall be communicated to the persons concerned in the form of an order.
6 The Commissioner shall be entitled to appeal against the order under paragraph 5 and against the decision of the appeal authority.
Art. 28 Advice to private parties
The Commissioner advises private persons on data protection issues.
Art. 29 Clarifications and recommendations in the area of private law
1 The commissioner shall clarify the facts in more detail on his own initiative or on notification by a third party if:
a processing methods are likely to violate the personality of a larger number of persons (system error);
b data collections must be registered (Article 11a);
c there is an obligation to provide information pursuant to Article 6(3).
2 In doing so, it may request files, obtain information and be shown data processing. The right to refuse to testify in accordance with Article 16 of the Administrative Procedure Act shall apply mutatis mutandis.
3 The commissioner may, on the basis of his or her investigations, recommend that the editing be changed or omitted.
4 If such a recommendation of the Commissioner is not followed or is rejected, he may submit the matter to the Federal Administrative Court for a decision. He shall be entitled to appeal against this decision.
Art. 30 Information
1 The Commissioner shall report to the Federal Assembly periodically and as required. He shall simultaneously transmit the report to the Federal Council. The periodic reports shall be published.
2 In cases of general interest, it may inform the public of its findings and recommendations. It may publish personal data that is subject to official secrecy only with the consent of the competent authority. If the latter refuses to give its consent, the president of the division of the Federal Administrative Court responsible for data protection shall take the final decision.
Art. 31 Other tasks
1 The commissioner shall have the following additional duties in particular:
a It supports federal and cantonal bodies in matters of data protection.
b It comments on proposals for federal decrees and measures that are relevant to data protection.
c It cooperates with domestic and foreign data protection authorities.
d It assesses the extent to which data protection legislation abroad ensures adequate protection.
e It shall examine the guarantees and data protection rules notified to it in accordance with Article 6(3).
f It shall examine the certification procedures referred to in Article 11 and may make recommendations thereon in accordance with Article 27(4) or 29(3).
g It shall perform the duties assigned to it by the Public Information Act of December 17, 2004.
2 It may also advise organs of the Federal Administration if this Act is not applicable in accordance with Article 2 paragraph 2 letters c and d. The organs of the Federal Administration may allow him to inspect their business.
Art. 32
[lifted]
Section 6: Legal protection
Art. 33
1 Legal protection shall be governed by the general provisions relating to the administration of federal justice.
2 If, during a fact-finding investigation in accordance with Article 27 paragraph 2 or Article 29 paragraph 1, the Commissioner establishes that the persons concerned are threatened with a disadvantage that cannot be easily remedied, he may apply for precautionary measures to the president of the division of the Federal Administrative Court responsible for data protection. The procedure shall be governed mutatis mutandis by Articles 79 – 84 of the Federal Act of 4 December 1947 on Federal Civil Procedure.
Section 7: Penal provisions
Art. 34 Violation of the duties to provide information, to report and to cooperate
1 Private persons shall be punished by a fine on application:
a who violate their obligations under Articles 8 – 10 and 14 by intentionally providing false or incomplete information;
b who intentionally fail to do so:
<
1. inform the data subject in accordance with Article 14(1), or
2. provide it with the information referred to in Article 14(2).
2 Private persons who intentionally:
a fail to provide the information referred to in Article 6(3) or the notification referred to in Article 11a or intentionally provide false information in doing so;
b provide the commissioner with false information or refuse to cooperate when clarifying a matter (Article 29).
Art. 35 Violation of the professional duty of confidentiality
1 Anyone who intentionally discloses without authorization secret personal data or personality profiles requiring special protection of which he has learned in the course of his profession requiring knowledge of such data shall be liable on complaint to a fine.
2 Anyone who intentionally discloses, without authorization, secret personal data or personality profiles that are particularly worthy of protection and that he or she learned about while working for the person required to maintain secrecy or during training with that person shall be punished in the same way.
3 The unauthorized disclosure of secret personal data or personality profiles requiring special protection is a punishable offence even after the professional practice or training has ended.
Section 8: Final Provisions
Art. 36 Enforcement
1 The Federal Council shall issue the implementing provisions.
2 …
3 It may provide for derogations from Articles 8 and 9 for the provision of information by Swiss diplomatic and consular representations abroad.
4 It may also determine:
a which data collections require processing regulations;
b under which conditions a federal body may have personal data processed by a third party or process it for a third party;
c how the means of identification of persons may be used.
5 It may conclude international treaties on data protection if they comply with the principles of this Act.
6 It regulates how data collections are to be secured whose data could endanger the life and limb of the persons concerned in the event of war or crisis.
Art. 37 Enforcement by the cantons
1 Insofar as no cantonal data protection regulations exist that guarantee adequate protection, Articles 1 – 11a, 16, 17, 18 – 22 and 25 paragraphs 1 – 3 of this Act shall apply to the processing of personal data by cantonal bodies when implementing federal law.
2 The cantons shall designate a supervisory body to ensure compliance with data protection. Articles 27, 30 and 31 shall apply mutatis mutandis.
Art. 38 Transitional provisions
1 The owners of data files must register existing data files that are to be registered in accordance with Article 11 no later than one year after the entry into force of this Act.
2 Within one year of the entry into force of this Act, they must take the necessary steps to enable them to provide the information in accordance with Article 8.
3 Federal bodies may continue to use an existing data file containing personal data requiring special protection or personality profiles until 31 December 2000 without the requirements of Article 17 paragraph 2 being met.
4 In the area of asylum and foreign nationals, the period in accordance with paragraph 3 shall be extended until the entry into force of the totally revised Asylum Act of 26 June 1998 and the amendment to the Federal Act of 26 March 1931 on the Residence and Settlement of Foreign Nationals.
Art. 38a Transitional provision to the amendment of March 19, 2010
The election of the Commissioner and the termination of his employment shall be governed by the previous law until the end of the legislative term in which this amendment enters into force.
Art. 39 Referendum and entry into force
1 This Act is subject to an optional referendum.
2 The Federal Council shall determine the date of entry into force.
Effective date: July 1, 1993