DPO

Text of the DSV from 31 August 2022, wit­hout the Annex 2 (amend­ments to other decrees). The text has been con­ver­ted auto­ma­ti­cal­ly – thank you for poin­ting out errors.

The artic­les are each accom­pa­nied by the cor­re­spon­ding text of the Expl­ana­to­ry Report assi­gned, this wit­hout indi­ca­ti­on of page num­bers and gene­ral remarks of the report.

fold out | fold

Chap­ter 1: Gene­ral provisions

Sec­tion 1: Data security

Expl­ana­to­ry report

The guard rails for ensu­ring data secu­ri­ty are alre­a­dy stan­dar­di­zed in the law. Accor­ding to Artic­le 8 (1) nDSG, the con­trol­ler and the order pro­ces­sor are obli­ged to ensu­re data secu­ri­ty appro­pria­te to the risk by means of sui­ta­ble tech­ni­cal and orga­nizatio­nal mea­su­res. Accor­ding to para­graph 2, the­se mea­su­res must make it pos­si­ble to avo­id brea­ches of data secu­ri­ty. Para­graph 3 ins­tructs the Fede­ral Coun­cil to spe­ci­fy the mini­mum data secu­ri­ty requi­re­ments at ordi­nan­ce level.
With the pro­vi­si­ons on data secu­ri­ty, the Fede­ral Coun­cil ful­fills the legal man­da­te under Artic­le 8 para­graph 3 nDSG. The penal pro­vi­si­on in Artic­le 61 let­ter c nDSG is also lin­ked to the­se mini­mum requi­re­ments. The degree of secu­ri­ty that must be com­plied with in order for the cri­mi­nal stan­dard not to be vio­la­ted is deter­mi­ned in accordance with the prin­ci­ples and cri­te­ria of this sec­tion. Pur­su­ant to Artic­le 61 let­ter c nDSG, cri­mi­nal lia­bi­li­ty exists only in the case of inten­tio­nal com­mis­si­on. This requi­res that the respon­si­ble par­ty kno­wing­ly and willful­ly fails to com­ply with the mini­mum data secu­ri­ty requi­re­ments. For exam­p­le, someone who fails to install anti-virus soft­ware even though he knows (or at least accepts) that he is taking insuf­fi­ci­ent mea­su­res to com­ply with the mini­mum data secu­ri­ty requi­re­ments would be lia­ble to pro­se­cu­ti­on.
Sin­ce the law alre­a­dy fol­lows the approach of risk-based data secu­ri­ty and no gene­ral­ly appli­ca­ble mini­mum requi­re­ments can be defi­ned for any indu­stry, a rigid regime of mini­mum requi­re­ments was dis­pen­sed with in the Art. Instead, the approach of the Art. is based on the fact that it is pri­ma­ri­ly the respon­si­bi­li­ty of the respon­si­ble par­ty to deter­mi­ne and take the mea­su­res neces­sa­ry in each indi­vi­du­al case. The­se mea­su­res must be deter­mi­ned on a case-by-case basis, depen­ding on the risk invol­ved. For exam­p­le, in a hos­pi­tal, whe­re par­ti­cu­lar­ly sen­si­ti­ve per­so­nal data is regu­lar­ly pro­ce­s­sed, the­re are gene­ral­ly more strin­gent requi­re­ments com­pared to the pro­ce­s­sing of cus­to­mer or sup­plier data in a bak­ery or butcher’s shop. The Art. the­r­e­fo­re inclu­des, in par­ti­cu­lar, the gui­de­lines for deter­mi­ning the mea­su­res to be taken (Art. 1, 2 and 3 Art.). In this way, the fle­xi­bi­li­ty neces­sa­ry in view of the varie­ty of pos­si­ble case con­stel­la­ti­ons can be ensu­red and over­re­gu­la­ti­on, espe­ci­al­ly for busi­nesses with minor and low-risk data pro­ce­s­sing, can be pre­ven­ted.
Unli­ke the GDPR, Swiss law does not have a gene­ral accoun­ta­bi­li­ty obli­ga­ti­on. Howe­ver, Swiss law alre­a­dy con­ta­ins mea­su­res in the appli­ca­ble law with which the accoun­ta­bi­li­ty obli­ga­ti­on can be ful­fil­led: log­ging (Art. 4) and the pro­ce­s­sing regu­la­ti­ons (Art. 5, 6). Both mea­su­res are adopted in the Art. They are cru­cial to ensu­re that Swiss law can pro­vi­de an ade­qua­te level of pro­tec­tion com­pared to EU law. In addi­ti­on, Direc­ti­ve (EU) 2016/680 requi­res log­ging. Both mea­su­res repre­sent mini­mum data secu­ri­ty requi­re­ments within the mea­ning of Artic­le 8 (3) nDSG. Here, too, the Fede­ral Coun­cil fol­lows a risk-based approach: the hig­her the thre­at to the per­so­nal rights and fun­da­men­tal rights of the indi­vi­du­al, the hig­her the requi­re­ments.
Under cur­rent law, the mini­mum requi­re­ments for data secu­ri­ty are set out in Artic­les 8 – 12 and Artic­les 20 – 21 of the Fede­ral Data Pro­tec­tion Act. The Fede­ral Coun­cil has deci­ded to fol­low the cur­rent data secu­ri­ty stan­dard. The sub­stan­ti­ve requi­re­ments are the­r­e­fo­re adopted in prin­ci­ple as they are. Adjust­ments will only be made whe­re this seems appro­pria­te due to digi­ta­lizati­on or tech­ni­cal pro­gress, the requi­re­ments in the revi­sed law or Direc­ti­ve (EU) 2016/680, which is rele­vant for Switz­er­land, name­ly its Artic­les 25 and 29. In addi­ti­on, the Fede­ral Coun­cil has also taken Regu­la­ti­on (EU) 2016/679 as a gui­de­line so that Swiss com­pa­nies ope­ra­ting in the EU and ensu­ring data secu­ri­ty that com­plies with the GDPR can also assu­me that they meet the mini­mum requi­re­ments in Switz­er­land.
From a syste­ma­tic point of view, data secu­ri­ty is now stan­dar­di­zed in a dedi­ca­ted sec­tion. In the cur­rent VDSG, data secu­ri­ty is regu­la­ted sepa­ra­te­ly for pri­va­te and fede­ral bodies; for rea­sons of cla­ri­ty and bet­ter rea­da­bili­ty, the pro­vi­si­ons are now com­bi­ned. Whe­re dif­fe­rent requi­re­ments app­ly to pri­va­te and fede­ral bodies, the­se are regu­la­ted in sepa­ra­te artic­les or paragraphs.

Art. 1 Principles

1 In order to ensu­re ade­qua­te data secu­ri­ty, the con­trol­ler and the pro­ces­sor must deter­mi­ne the need for pro­tec­tion of the per­so­nal data and spe­ci­fy the tech­ni­cal and orga­nizatio­nal mea­su­res that are appro­pria­te in view of the risk

2 The need for pro­tec­tion of per­so­nal data is asses­sed accor­ding to the fol­lo­wing criteria:

a. Type of data processed;
b. The pur­po­se, natu­re, scope and cir­cum­stances of the processing.

3 The risk to the per­so­na­li­ty or fun­da­men­tal rights of the data sub­ject shall be asses­sed accor­ding to the fol­lo­wing criteria:

a. Cau­ses of risk;
b. main hazards;
c. mea­su­res taken or plan­ned to redu­ce the risk;
d. The likeli­hood and seve­ri­ty of a data breach despi­te the mea­su­res taken or pro­vi­ded for.

4 The fol­lo­wing cri­te­ria are also taken into account when deter­mi­ning the tech­ni­cal and orga­nizatio­nal measures:

a. Sta­te of the art;
b. Imple­men­ta­ti­on costs.
5 The need for pro­tec­tion of per­so­nal data, the risk and the tech­ni­cal and orga­nizatio­nal mea­su­res must be review­ed over the enti­re pro­ce­s­sing peri­od. The mea­su­res must be adapt­ed if necessary.

Expl­ana­to­ry report

Artic­le 1 Art. regu­la­tes the prin­ci­ples to be obser­ved when deter­mi­ning the mea­su­res. It essen­ti­al­ly adopts the regu­la­to­ry con­cept of Artic­le 8(2) and (3) of the Data Pro­tec­tion Act, with cer­tain aspects being regu­la­ted more pre­cis­e­ly. On the other hand, Artic­le 8(1) of the FADP has been dele­ted, as the objec­ti­ves for ensu­ring data secu­ri­ty are now loca­ted at the level of the law. Artic­le 8(2) nDSG spe­ci­fi­cal­ly sta­tes that data secu­ri­ty mea­su­res must make it pos­si­ble to avo­id data secu­ri­ty brea­ches. Accor­ding to Artic­le 5 let­ter h nDSG, a breach of data secu­ri­ty occurs when per­so­nal data is unin­ten­tio­nal­ly or unlawful­ly lost, dele­ted, destroy­ed or modi­fi­ed, or dis­c­lo­sed or made acce­s­si­ble to unaut­ho­ri­zed per­sons. The con­ven­tio­nal IT pro­tec­tion goals of con­fi­den­tia­li­ty, inte­gri­ty, avai­la­bi­li­ty and tracea­bi­li­ty can be deri­ved from this.
Accor­ding to Artic­le 8 (1) nDSG, the con­trol­ler and the pro­ces­sor must ensu­re data secu­ri­ty appro­pria­te to the risk. In Artic­le 1 Art. this pro­tec­tion goal is inclu­ded in a new para­graph 1. In addi­ti­on, various cri­te­ria for asses­sing the need for pro­tec­tion (para. 2) and for asses­sing the risk to the per­so­na­li­ty or fun­da­men­tal rights of the data sub­ject (para. 3) are spe­ci­fi­ed. Para­graph 4 spe­ci­fi­es that fur­ther cri­te­ria may be taken into account when deter­mi­ning the tech­ni­cal and orga­nizatio­nal mea­su­res requi­red to ensu­re ade­qua­te data secu­ri­ty (para. 4). The list of cri­te­ria is based on cur­rent law.
Artic­le 1(2) Art. adopts Artic­le 8(2)(a) and (b) of the FADP in terms of con­tent and sup­ple­ments it to regu­la­te the pro­tec­tion needs ana­ly­sis. The need for pro­tec­tion is asses­sed on the basis of the type of data pro­ce­s­sed and the pur­po­se, natu­re, scope and cir­cum­stances of the data pro­ce­s­sing. In par­ti­cu­lar, this invol­ves the level of pro­tec­tion that must be ensu­red in view of the risk to the per­so­nal and fun­da­men­tal rights of the data sub­jects. The hig­her the need for pro­tec­tion, the stric­ter the requi­re­ments for the mea­su­res. The fol­lo­wing cri­te­ria should be taken into account when asses­sing the need for pro­tec­tion:
The type of data pro­ce­s­sed (a): For exam­p­le, it is decisi­ve whe­ther per­so­nal data requi­ring spe­cial pro­tec­tion (Art. 5 let. c nDSG) is pro­ce­s­sed.
Pur­po­se, natu­re, scope and cir­cum­stances of the data pro­ce­s­sing (lit. b): The pur­po­se rela­tes to the pur­po­se of the pro­ce­s­sing and, in par­ti­cu­lar, to the exami­na­ti­on of whe­ther the pur­po­se of the pro­ce­s­sing ent­ails an increa­sed risk to per­so­nal rights and fun­da­men­tal rights; in the case of the natu­re of the pro­ce­s­sing, it is of inte­rest how the data are pro­ce­s­sed. The need for pro­tec­tion may be hig­her, for exam­p­le, in the case of a ful­ly auto­ma­ted decis­i­on (use of arti­fi­ci­al intel­li­gence); the scope of the pro­ce­s­sing is rela­ted in par­ti­cu­lar to the num­ber of per­sons affec­ted by the pro­ce­s­sing (e.g., if exten­si­ve data is pro­ce­s­sed or exten­si­ve public are­as are syste­ma­ti­cal­ly moni­to­red). When using a cloud, the need for pro­tec­tion may be hig­her than when data is stored on an inter­nal ser­ver wit­hout exter­nal access. Let­ter b has been sup­ple­men­ted in accordance with Artic­le 22(2) nDSG with the expres­si­on of the “cir­cum­stances” of the data pro­ce­s­sing. The­se are aspects that may be of par­ti­cu­lar importance in indi­vi­du­al cases becau­se they have an impact on the other cri­te­ria. Thus, cri­te­ria can be inclu­ded that would not fit into the defi­ni­ti­on of the cri­te­ria alre­a­dy men­tio­ned.
Artic­le 1(3) Art. incor­po­ra­tes and cla­ri­fi­es Artic­le 8(2)(c) of the Data Pro­tec­tion Act. The pro­vi­si­on intro­du­ces the assess­ment of the risk of vio­la­ti­on of per­so­na­li­ty or fun­da­men­tal rights of the data sub­ject. As in the pre­vious para­graph, a set of cri­te­ria is estab­lished. The para­graph is rewor­ded to make it clear that the cau­ses of the risk (sub­pa­ra­graph (a)), the main dan­gers (sub­pa­ra­graph (b)), the mea­su­res taken or envi­sa­ged to redu­ce the risk (sub­pa­ra­graph (c)) and the likeli­hood and seve­ri­ty of a data breach (sub­pa­ra­graph (d)) are decisi­ve. This is an assess­ment accor­ding to a cas­ca­de system: the result of the assess­ment accor­ding to one cri­ter­ion is decisi­ve for the fur­ther risk assess­ment. More detail­ed infor­ma­ti­on on the indi­vi­du­al points can be found here:
The cau­ses of the risk (a): It must be pos­si­ble to deter­mi­ne which per­sons (e.g., an IT offi­cer, a user, a com­pe­ti­tor) or events (e.g., fire, com­pu­ter virus) could under­lie the risk.
The main thre­ats (point b): This cri­ter­ion can be used to eli­cit thre­ats that could lead to data secu­ri­ty brea­ches (lost, dama­ged, alte­red, impro­per­ly or frau­du­lent­ly used data, etc.).
The mea­su­res taken or that may be taken to redu­ce the risk (sub­pa­ra­graph (c)): the various tech­ni­cal and orga­nizatio­nal mea­su­res that may be pro­vi­ded or taken to redu­ce the risk are spe­ci­fi­ed in Artic­le 3 Art.
The likeli­hood and seve­ri­ty of a data breach despi­te the mea­su­res taken or envi­sa­ged (sub­pa­ra­graph (d)): the poten­ti­al impact on data sub­jects must be iden­ti­fi­ed if, for exam­p­le, indi­vi­du­als unlawful­ly access (and dis­c­lo­se), modi­fy (lea­ding to incor­rect infor­ma­ti­on about the data sub­ject) or dele­te (run­ning the risk of losing neces­sa­ry data; for exam­p­le, con­sider a pati­ent dos­sier whe­re some data has been destroy­ed, pre­ven­ting appro­pria­te medi­cal tre­at­ment). Here, the more likely the occur­rence of a data breach and the grea­ter the impact on the affec­ted indi­vi­du­als, the hig­her the requi­re­ments for the mea­su­res. It should be noted at this point that not every breach of data secu­ri­ty within the mea­ning of Artic­le 5 let­ter h nDSG also con­sti­tu­tes a breach of the mini­mum requi­re­ments within the mea­ning of Artic­le 8 para­graph 3 nDSG and thus a breach of the due dili­gence obli­ga­ti­ons pur­su­ant to Artic­le 61 let­ter c nDSG. Abso­lu­te secu­ri­ty can­not and should not be requi­red. In par­ti­cu­lar, it is conceiva­ble that the con­trol­ler has taken all rea­sonable mea­su­res, but a data secu­ri­ty breach nevert­hel­ess occurs, name­ly becau­se the resi­du­al risk has mate­ria­li­zed. This can­not be bla­med on the respon­si­ble par­ty. Rather, within the frame­work of the mini­mum requi­re­ments, it must be exami­ned whe­ther the con­trol­ler and the pro­ces­sor have taken the appro­pria­te mea­su­res to ensu­re data secu­ri­ty in view of the spe­ci­fic situa­ti­on, regard­less of whe­ther a data breach occurs.
Fol­lo­wing Artic­le 8(2)(d) of the Data Pro­tec­tion Act, Artic­le 1(4) Art. intro­du­ces still fur­ther cri­te­ria that may be taken into account when deter­mi­ning the tech­ni­cal and orga­nizatio­nal mea­su­res to ensu­re ade­qua­te data secu­ri­ty. The term “deter­mi­na­ti­on” inclu­des the “assess­ment” and the “decis­i­on” (the French ver­si­on uses the term “déter­mi­na­ti­on”). The cri­te­ria are as fol­lows: the sta­te of the art (sub­pa­ra­graph (a)) and the imple­men­ta­ti­on costs (sub­pa­ra­graph (b)). The­se cri­te­ria only indi­rect­ly indi­ca­te whe­ther mea­su­res must be taken and whe­ther the mea­su­res to be taken are appro­pria­te.
Sta­te of the art (a): The mea­su­res are to be deter­mi­ned taking into account the sta­te of the art (tech­ni­cal and sci­en­ti­fic know­ledge) and adapt­ed if neces­sa­ry. The sta­te of the art means the con­side­ra­ti­on of the cur­rent sta­te of the art. It is the­r­e­fo­re suf­fi­ci­ent to take mea­su­res that are alre­a­dy available and have pro­ven them­sel­ves accor­din­gly. On the other hand, it can­not be deman­ded that brand-new unex­plo­red tech­ni­ques or tho­se that are still in the deve­lo­p­ment pro­cess be used.
Imple­men­ta­ti­on costs (b): The term “costs” is to be under­s­tood in a broad sen­se. It is not limi­t­ed to finan­cial costs, but also inclu­des the neces­sa­ry human and time resour­ces. This ter­mi­no­lo­gy cor­re­sponds to that of Euro­pean law (Direc­ti­ve [EU] 2016/680 and GDPR). The imple­men­ta­ti­on costs are – as can be seen from the “Com­men­ta­ry of the Fede­ral Office of Justi­ce on the Enforce­ment Ordi­nan­ce of June 14, 1993 (as of Janu­ary 1, 2008) on the Fede­ral Act on Data Pro­tec­tion (VDSG, SR 235.11)” (No. 6.1.1) – also a cri­ter­ion under cur­rent law when asses­sing the ade­qua­cy of the mea­su­res. Howe­ver, the pri­ma­ry focus must be on which tech­ni­cal and orga­nizatio­nal mea­su­res are requi­red in light of the cri­te­ria in let­ters a‑c. In par­ti­cu­lar, data con­trol­lers and pro­ces­sors can­not exempt them­sel­ves from the obli­ga­ti­on of ade­qua­te data secu­ri­ty on the grounds that this would ent­ail exce­s­si­ve costs; rather, they must in any case be in a posi­ti­on to ensu­re ade­qua­te data secu­ri­ty. Nor can it be argued that if the­re is no con­cept during deve­lo­p­ment, the imple­men­ta­ti­on costs for imple­men­ting data secu­ri­ty after going live will pro­ve to be too high. Rather, for lega­cy appli­ca­ti­ons, the plan­ned time to repla­ce­ment must be inclu­ded (life­cy­cle). Howe­ver, the cri­ter­ion of cost may mean that, if the­re are seve­ral mea­su­res available to ensu­re an appro­pria­te level of data pro­tec­tion at all times, the less expen­si­ve vari­ant may be pre­fer­red.
Various mea­su­res can be taken to ensu­re data secu­ri­ty. Three mea­su­res are men­tio­ned here as examp­les:
the anony­mizati­on, pseud­ony­mizati­on and encryp­ti­on of per­so­nal data: Anony­mizati­on con­tri­bu­tes in par­ti­cu­lar to redu­cing any nega­ti­ve effects for the data sub­jects that may result, for exam­p­le, from the unaut­ho­ri­zed dis­clo­sure of per­so­nal data. If anony­mizati­on exists, the FADP does not app­ly at all in accordance with its scope of appli­ca­ti­on.
Pro­ce­du­res for iden­ti­fy­ing, asses­sing and eva­lua­ting risks and revie­w­ing the appro­pria­ten­ess of the mea­su­res taken: Abo­ve a cer­tain level of risk, it will in many cases make sen­se or even be neces­sa­ry to imple­ment stan­dar­di­zed pro­ce­du­res and pro­ce­s­ses that not only regu­lar­ly review the risks and the appro­pria­ten­ess of the mea­su­res taken, but also assess and eva­lua­te them. Such mea­su­res are par­ti­cu­lar­ly important for auto­ma­ted systems. They help to ensu­re that data secu­ri­ty is per­ma­nent­ly gua­ran­teed and that it is also easier to pro­ve.
trai­ning and advice for the per­sons ent­ru­sted with imple­men­ta­ti­on: This mea­su­re is signi­fi­cant in the view of the Fede­ral Coun­cil becau­se the imple­men­ta­ti­on and effec­ti­ve­ness of data secu­ri­ty also depends in par­ti­cu­lar on whe­ther the per­sons invol­ved app­ly the spe­ci­fi­ed mea­su­res. Thus, a lack of trai­ning and gui­dance can lead to a data breach. For exam­p­le, employees should be made awa­re of the risk of ope­ning mal­wa­re.
Ulti­m­ate­ly, it goes wit­hout say­ing that the cir­cum­stances of the indi­vi­du­al case remain decisi­ve in deter­mi­ning the mea­su­res to be taken.
In accordance with Artic­le 1 (5), the mea­su­res are to be review­ed on an ongo­ing basis as under cur­rent law and adju­sted if neces­sa­ry. In par­ti­cu­lar, it must be checked whe­ther the mea­su­res are still appro­pria­te to the risk and effec­ti­ve. Instead of “peri­odi­cal­ly”, the review must now take place “over the enti­re pro­ce­s­sing peri­od”. The need for review depends in par­ti­cu­lar on the level of risk to the per­so­nal rights and fun­da­men­tal rights of tho­se affec­ted: the hig­her it is, the more fre­quent­ly the mea­su­res must be review­ed on a regu­lar basis. The new for­mu­la­ti­on moves in the direc­tion of a con­stant review. Howe­ver, it lea­ves the per­son in char­ge and the order pro­ces­sor a gre­at deal of dis­creti­on. A review may also be neces­sa­ry if the­re has been a breach of data secu­ri­ty or if the pro­ce­s­sing of per­so­nal data has been adapt­ed. Artic­le 1(5) fur­ther cla­ri­fi­es that not only the tech­ni­cal and orga­nizatio­nal mea­su­res must be review­ed during the enti­re dura­ti­on of the pro­ce­s­sing, i.e. during the enti­re “life­cy­cle” of the per­so­nal data, but also the need for pro­tec­tion and the risks. By revie­w­ing the need for pro­tec­tion and the risks, it is also (indi­rect­ly) checked whe­ther the tech­ni­cal and orga­nizatio­nal mea­su­res are suitable.


Art. 2 Goals


The data con­trol­ler and the pro­ces­sor must take tech­ni­cal and orga­nizatio­nal mea­su­res to ensu­re that the pro­ce­s­sed data are hand­led in accordance with their pro­tec­tion requi­re­ments:
a. are only acce­s­si­ble to aut­ho­ri­zed per­sons (con­fi­den­tia­li­ty);
b. are available when they are nee­ded (avai­la­bi­li­ty);
c. not be chan­ged unaut­ho­ri­zed or unin­ten­tio­nal­ly (inte­gri­ty);
d. are pro­ce­s­sed in a com­pre­hen­si­ble man­ner (tracea­bi­li­ty).

Expl­ana­to­ry report

Artic­le 2 Art. sup­ple­ments Artic­le 1 nDSG in terms of the pur­po­se of the law and spe­ci­fi­es the objec­ti­ves for ensu­ring ade­qua­te data secu­ri­ty, which are now set out in Artic­le 8(2) nDSG. Accor­ding to this pro­vi­si­on, the mea­su­res must make it pos­si­ble to avo­id a breach of data secu­ri­ty. Abso­lu­te secu­ri­ty is an unat­tainable ide­al. The risk-based approach is inten­ded to iden­ti­fy the risks (Art. 1 Art.) so that the mea­su­res are ali­gned with the objec­ti­ves and sel­ec­ted accor­din­gly. The respon­si­ble par­ty and the order pro­ces­sor must deter­mi­ne the objec­ti­ves and the scope of pro­tec­tion.
In doc­tri­ne and prac­ti­ce, four pro­tec­tion objec­ti­ves are gene­ral­ly recor­ded, known in French by the acro­nym (C.A.I.D.): con­fi­den­tia­li­ty (con­fi­den­tia­li­té), authen­ti­ci­ty (authen­ti­fi­ca­ti­on), inte­gri­ty (inté­gri­té) and avai­la­bi­li­ty (dis­po­ni­bi­li­té) of the data. In line with Artic­le 32 of the GDPR and with a view to har­mo­nizati­on with the Fede­ral Act on Infor­ma­ti­on Secu­ri­ty at the Con­fe­de­ra­ti­on , which is to enter into force short­ly, Artic­le 2 is to regu­la­te con­fi­den­tia­li­ty (sub­pa­ra. a), avai­la­bi­li­ty (sub­pa­ra. b), inte­gri­ty (sub­pa­ra. c) and tracea­bi­li­ty (sub­pa­ra. d).
Con­fi­den­tia­li­ty (a): Per­so­nal data may only be acce­s­si­ble to aut­ho­ri­zed per­sons. The cir­cle of aut­ho­ri­zed per­sons is deter­mi­ned by the con­text of the task area and the con­tent and importance of the data. It can be very broad or extre­me­ly nar­row. Con­fi­den­tia­li­ty also inclu­des authen­ti­ca­ti­on, rela­ted methods, and systems for mana­ging and rest­ric­ting access to ensu­re data secu­ri­ty. Final­ly, the con­fi­den­tia­li­ty of the system and the data should be gua­ran­teed.
Avai­la­bi­li­ty (b): Accor­ding to this pur­po­se, the data con­trol­ler ensu­res that the data can be view­ed at any time. This requi­re­ment is even hig­her if the infor­ma­ti­on must be con­stant­ly available for the ful­fill­ment of essen­ti­al or even legal tasks.
Inte­gri­ty (c): This objec­ti­ve ensu­res the accu­ra­cy of the data. It is par­ti­cu­lar­ly important if the data are inten­ded for the public or are to be reu­sed. Inte­gri­ty is under­s­tood to mean the authen­ti­ci­ty, impu­ta­bi­li­ty and non-repu­dia­ti­on of the data. The­se terms are also used in prac­ti­ce or in tea­ching instead of inte­gri­ty.
Tracea­bi­li­ty (sub­pa­ra­graph d): Based on this objec­ti­ve, unaut­ho­ri­zed access or even misu­se can be iden­ti­fi­ed. In addi­ti­on, the cau­se of an inci­dent can be deter­mi­ned. The respon­si­ble par­ty ensu­res that events and data traces are recor­ded and that they can­not be chan­ged. Tracea­bi­li­ty of pro­ce­s­sing can be important to the pro­cess (evi­dence) and faci­li­ta­tes con­trols and moni­to­ring. Attri­bu­ta­bi­li­ty and non-repu­dia­ti­on of data are also tal­ked about in prac­ti­ce in con­nec­tion with tracea­bi­li­ty mecha­nisms.
Based on the­se objec­ti­ves, pro­ce­du­res are to be deve­lo­ped to regu­lar­ly moni­tor, ana­ly­ze and eva­lua­te the effec­ti­ve­ness of the mea­su­res taken (Art. 1 para. 5 and Art. 3 Art.).


Art. 3 Tech­ni­cal and orga­nizatio­nal measures

1 To ensu­re con­fi­den­tia­li­ty, the con­trol­ler and the pro­ces­sor must take appro­pria­te mea­su­res so that:

a. aut­ho­ri­zed per­sons have access only to the per­so­nal data they need to per­form their tasks (access control);
b. only aut­ho­ri­zed per­sons have access to the pre­mi­ses and faci­li­ties whe­re per­so­nal data is pro­ce­s­sed (access control);
c. unaut­ho­ri­zed per­sons can­not use auto­ma­ted data pro­ce­s­sing systems by means of data trans­mis­si­on equip­ment (user control).

2 To ensu­re avai­la­bi­li­ty and inte­gri­ty, the con­trol­ler and the pro­ces­sor must take appro­pria­te mea­su­res to ensu­re that:

a. unaut­ho­ri­zed per­sons can­not read, copy, modi­fy, move, dele­te or destroy data car­ri­ers (data car­ri­er control);
b. unaut­ho­ri­zed per­sons can­not store, read, modi­fy, dele­te or destroy per­so­nal data in the memo­ry (memo­ry control);
c. unaut­ho­ri­zed per­sons can­not read, copy, modi­fy, dele­te or destroy per­so­nal data when dis­clo­sing per­so­nal data or trans­port­ing data car­ri­ers (trans­port control);
d. the avai­la­bi­li­ty of and access to per­so­nal data can be quick­ly resto­red in the event of a phy­si­cal or tech­ni­cal inci­dent (reco­very);
e. all func­tions of the auto­ma­ted data pro­ce­s­sing system are available (avai­la­bi­li­ty), mal­func­tions are repor­ted (relia­bi­li­ty) and stored per­so­nal data can­not be dama­ged by mal­func­tions of the system (data integrity);
f. Ope­ra­ting systems and appli­ca­ti­on soft­ware are always kept up to date with the latest secu­ri­ty stan­dards and known cri­ti­cal gaps are clo­sed (system security).

3 To ensu­re tracea­bi­li­ty, the con­trol­ler and the pro­ces­sor must take appro­pria­te mea­su­res so that:

a. it is pos­si­ble to check which per­so­nal data is ente­red or modi­fi­ed in the auto­ma­ted data pro­ce­s­sing system, at what time and by which per­son (input control);
b. it is pos­si­ble to veri­fy to whom per­so­nal data is dis­c­lo­sed using data trans­mis­si­on equip­ment (dis­clo­sure control);
c. Data secu­ri­ty brea­ches can be detec­ted quick­ly (detec­tion) and mea­su­res can be taken to miti­ga­te or eli­mi­na­te the con­se­quen­ces (eli­mi­na­ti­on).

Expl­ana­to­ry report

Artic­le 8(1) nDSG requi­res that ade­qua­te secu­ri­ty of per­so­nal data be ensu­red. Taking into account the results of the con­sul­ta­ti­on, Artic­le 3 pro­vi­des that orga­nizatio­nal and tech­ni­cal mea­su­res must be taken to achie­ve the objec­ti­ves of Artic­le 2. In appli­ca­ti­on of pro­por­tio­na­li­ty, the orga­nizatio­nal and tech­ni­cal mea­su­res of the indi­vi­du­al case are to be deter­mi­ned on this basis. The respon­si­ble par­ties and order pro­ces­sors must the­r­e­fo­re exami­ne which sui­ta­ble mea­su­res they can use to achie­ve the pro­tec­tion goals. It is quite conceiva­ble that not every pro­tec­tion goal is rele­vant in every case. Howe­ver, if a pro­tec­tion goal is not rele­vant in a case, the respon­si­ble par­ty and order pro­ces­sor must be able to justi­fy why this is the case. The “sui­ta­bi­li­ty” of the mea­su­res depends on the cir­cum­stances. The artic­le shows the respon­si­ble per­son and the order pro­ces­sor, in a didac­tic man­ner, a series of mea­su­res with which they can achie­ve the objec­ti­ves under Artic­le 2. A mea­su­re may, moreo­ver, con­tri­bu­te to the achie­ve­ment of various objec­ti­ves.
The artic­le is lar­ge­ly a take­over of Artic­le 9 of the Data Pro­tec­tion Act: The regu­la­ti­on is now under the tit­le “Tech­ni­cal and orga­nizatio­nal mea­su­res”. With Artic­le 3 Art. Switz­er­land also imple­ments the requi­re­ments of Artic­le 29 of Direc­ti­ve (EU) 2016/680.
Accor­ding to Artic­le 1(3)(c) Art. the con­trol­ler is obli­ged to take tech­ni­cal and orga­nizatio­nal mea­su­res to redu­ce the risk. In the text of the regu­la­ti­on, seve­ral tech­ni­cal and orga­nizatio­nal mea­su­res refer to “aut­ho­ri­zed” per­sons. This does not neces­s­a­ri­ly requi­re direct action by a per­son. This can also include cases in which per­so­nal data is pro­ce­s­sed in appli­ca­ti­ons or in an auto­ma­ted infor­ma­ti­on system.
Artic­le 3(1) Art. con­cre­ti­zes Artic­le 2(1)(a) Art. and spe­ci­fi­es mea­su­res for con­fi­den­tia­li­ty; i.e., mea­su­res to ensu­re access con­trol (sub­pa­ra. a), access con­trol (sub­pa­ra. b), and user con­trol (sub­pa­ra. c).
In the first place, let­ter a now stan­dar­di­zes access con­trol. The pro­tec­tion objec­ti­ve has been taken over from Artic­le 9 (1) (g) of the Data Pro­tec­tion Act. It is main­ly a mat­ter of deter­mi­ning the access aut­ho­rizati­ons that regu­la­te the type and scope of access. Care must be taken to ensu­re that aut­ho­ri­zed per­sons only have access to the per­so­nal data for which they are aut­ho­ri­zed. The mea­su­res to be taken are of an orga­nizatio­nal and tech­ni­cal natu­re.
Let­ter b stan­dar­di­zes the access con­trol ancho­red in Artic­le 9 para­graph 1 let­ter a of the Fede­ral Data Pro­tec­tion Act. Accor­din­gly, unaut­ho­ri­zed per­sons must be denied access to the pre­mi­ses and faci­li­ties in which per­so­nal data are pro­ce­s­sed. The pro­tec­tion objec­ti­ve now also inclu­des the term “faci­li­ties”. This is inten­ded to express in par­ti­cu­lar that access to mobi­le pro­ce­s­sing systems must also be pre­ven­ted. The term is very broad­ly defi­ned and inclu­des all devices for pro­ce­s­sing per­so­nal data, from fixed ser­ver systems and com­pu­ters to cell pho­nes and tablets. Due to tech­no­lo­gi­cal advan­ces, “faci­li­ty” can refer to faci­li­ties of both a phy­si­cal and vir­tu­al natu­re. Pos­si­ble mea­su­res include alarm systems and lockable ser­ver cabi­nets.
Let­ter c con­ta­ins the user con­trol regu­la­ted in Artic­le 9 (1) (f) of the Data Pro­tec­tion Act. This is desi­gned to pre­vent the use of auto­ma­ted data pro­ce­s­sing systems by means of data trans­mis­si­on equip­ment by unaut­ho­ri­zed per­sons. The mea­su­res ensu­re that data can­not be used or pas­sed on wit­hout aut­ho­rizati­on. Pos­si­ble mea­su­res include, for exam­p­le, regu­lar checks of aut­ho­rizati­ons (e.g., blocking aut­ho­rizati­ons due to per­son­nel chan­ges or new task assign­ments) and the use of soft­ware against virus­es or spy­wa­re, or rai­sing staff awa­re­ness of phis­hing methods.
With regard to avai­la­bi­li­ty and inte­gri­ty, the Artic­le 3(2) Art. takes over the objec­ti­ves of Artic­le 2(1)(b) and (c) Art. The mea­su­res in this regard are to ensu­re con­trol of the data car­ri­ers (sub­pa­ra. a), sto­rage (sub­pa­ra. b), trans­port (sub­pa­ra. c) and reco­very (sub­pa­ra. d). The mea­su­res must be sui­ta­ble to ensu­re avai­la­bi­li­ty, relia­bi­li­ty and inte­gri­ty (sub­pa­ra­graph e). Final­ly, the secu­ri­ty of the system must be kept up to date (sub­pa­ra. f).
Let­ter a regu­la­tes data car­ri­er con­trol, which is curr­ent­ly stan­dar­di­zed in Artic­le 9 (1) let­ter b VDSG. This means that unaut­ho­ri­zed per­sons are pre­ven­ted from rea­ding, copy­ing, modi­fy­ing, moving, dele­ting or destroy­ing data car­ri­ers. In par­ti­cu­lar, per­so­nal data must be pre­ven­ted from being trans­fer­red to data car­ri­ers (e.g. hard dri­ves, USB sticks) in an uncon­trol­led man­ner. Data car­ri­ers are not only phy­si­cal car­ri­ers, but also cloud ser­vices, for exam­p­le. Pos­si­ble mea­su­res include, for exam­p­le, encryp­ti­on and the pro­per des­truc­tion of data car­ri­ers. The let­ter cor­re­sponds to the requi­re­ment of Artic­le 29(2)(b) of Direc­ti­ve (EU) 2016/680.
Let­ter b cor­re­sponds to Artic­le 9 (1) (e) of the Data Pro­tec­tion Act and stan­dar­di­zes sto­rage con­trol. Accor­ding to the mea­su­re, unaut­ho­ri­zed per­sons may not store, view, modi­fy, dele­te or destroy per­so­nal data in the memo­ry. It must be made impos­si­ble for unaut­ho­ri­zed per­sons to access, view, modi­fy or dele­te the con­tents of the data store. Pos­si­ble mea­su­res include, for exam­p­le, defi­ning dif­fe­ren­tia­ted access aut­ho­rizati­ons for data, appli­ca­ti­ons and ope­ra­ting systems and log­ging access to appli­ca­ti­ons. The let­ter cor­re­sponds to the requi­re­ment of Artic­le 29(2)(c) of Direc­ti­ve (EU) 2016/680.
Let­ter c stan­dar­di­zes trans­port con­trol, which is curr­ent­ly regu­la­ted in Artic­le 9 (1) (c) of the Data Pro­tec­tion Act. Accor­din­gly, when per­so­nal data is dis­c­lo­sed and data car­ri­ers are trans­por­ted, it must be pre­ven­ted that the data can be read, copied, modi­fi­ed, dele­ted or destroy­ed wit­hout aut­ho­rizati­on. The per­son respon­si­ble and the pro­ces­sor must ensu­re that the desi­gna­ted reci­pi­ent recei­ves the data in its ori­gi­nal form and that no third par­ty can inter­cept the data wit­hout aut­ho­rizati­on. Par­ti­cu­lar­ly in the case of per­so­nal data requi­ring spe­cial pro­tec­tion, the­re are increa­sed requi­re­ments for the mea­su­res to be taken. For exam­p­le, the encryp­ti­on of data or data car­ri­ers may be con­side­red.
Let­ter d is about the pos­si­bi­li­ty of resto­ring the avai­la­bi­li­ty of and access to the per­so­nal data after a phy­si­cal or tech­ni­cal inci­dent. It has been new­ly inclu­ded in the cata­log based on Artic­le 32(1)(c) of Regu­la­ti­on (EU) 2016/679 and cor­re­sponds to the requi­re­ment in Artic­le 29(2)(i) of Direc­ti­ve (EU) 2016/680. One pos­si­ble mea­su­re is the pre­pa­ra­ti­on and appli­ca­ti­on of a back­up con­cept.
Let­ter e deter­mi­nes that all func­tions of the auto­ma­ted data pro­ce­s­sing system are available (avai­la­bi­li­ty), any mal­func­tions that occur are repor­ted (relia­bi­li­ty), and stored per­so­nal data can­not be dama­ged by mal­func­tions of the system (data inte­gri­ty). It was new­ly inclu­ded in the cata­log based on Artic­le 32(1)(b) of Regu­la­ti­on (EU) 2016/679 and cor­re­sponds to the requi­re­ment in Artic­le 29(2)(j) of Direc­ti­ve (EU) 2016/680. Here, the focus is in par­ti­cu­lar on ensu­ring that the sta­bi­li­ty or resi­li­ence of the systems used is per­ma­nent­ly gua­ran­teed. The noti­fi­ca­ti­on of mal­func­tions is to be made by the system its­elf, so that the per­son respon­si­ble or the order pro­ces­sor is auto­ma­ti­cal­ly made awa­re that a mal­func­tion has occur­red. If a mal­func­tion is repor­ted, this does not auto­ma­ti­cal­ly mean that the func­tions are relia­ble; rather, the mal­func­tion must also be cor­rec­ted for this.
Let­ter f is con­cer­ned with ensu­ring the secu­ri­ty of ope­ra­ting systems and appli­ca­ti­on soft­ware used in the pro­ce­s­sing of per­so­nal data. Sin­ce the pro­ce­s­sing of per­so­nal data is based on systems and various appli­ca­ti­ons run­ning on them, it is neces­sa­ry that the­se are kept up to date with the latest secu­ri­ty stan­dards and that cri­ti­cal gaps are clo­sed prompt­ly. Let­ter f thus sup­ple­ments the requi­re­ments in let­ters d and e, with the aim of ensu­ring holi­stic secu­ri­ty. It is not requi­red that every system and appli­ca­ti­on update be instal­led imme­dia­te­ly, but that a pro­cess for updating be in place (so-cal­led vul­nerabi­li­ty and patch manage­ment). The cor­re­spon­ding secu­ri­ty update can be imple­men­ted in a time-pha­sed man­ner, taking into account the cri­ti­cal­i­ty levels (high, medi­um, low). Howe­ver, until vul­nerabi­li­ties are reme­di­ed, mea­su­res must be taken to ensu­re that data secu­ri­ty is still gua­ran­teed. In con­trast to Artic­le 3 (3) (c), (f) is not about reac­ti­ve mea­su­res, but proac­ti­ve reme­dia­ti­on of vul­nerabi­li­ties for which no data secu­ri­ty breach has been iden­ti­fi­ed in the system to date.
Para­graph 3 lists the tracea­bi­li­ty mea­su­res (Art. 2(1)(d) Art.), i.e. mea­su­res inten­ded to ensu­re con­trol of the ent­ry (sub­pa­ra­graph (a)) and dis­clo­sure (sub­pa­ra­graph (b)), as well as mea­su­res for detec­tion and eli­mi­na­ti­on (sub­pa­ra­graph (c)).
Let­ter a now regu­la­tes input con­trol. This requi­res – in accordance with Artic­le 9 (2) (h) of the Data Pro­tec­tion Act – that it be pos­si­ble to sub­se­quent­ly veri­fy which per­so­nal data was ente­red or modi­fi­ed in the auto­ma­ted data pro­ce­s­sing system, at what time and by which per­son. The pro­tec­tion goal has been adapt­ed in such a way that it is now expli­ci­t­ly sta­ted that it must also be pos­si­ble to sub­se­quent­ly veri­fy the modi­fi­ca­ti­on of per­so­nal data. Log­ging is a pos­si­ble mea­su­re that can be con­side­red in par­ti­cu­lar.
Let­ter b con­cerns the dis­clo­sure con­trol. It has been taken over from Artic­le 9 (1) (d) of the Data Pro­tec­tion Act and the wor­ding has been slight­ly adapt­ed. Accor­ding to the new let­ter b, it is pos­si­ble to check to whom per­so­nal data has been dis­c­lo­sed using data trans­mis­si­on equip­ment. In par­ti­cu­lar, the mea­su­res should make it pos­si­ble to iden­ti­fy the data reci­pi­en­ts. In this con­text, it may be suf­fi­ci­ent that the insti­tu­ti­on as such is known, wit­hout the natu­ral per­son having to be iden­ti­fia­ble in every case. If neces­sa­ry, it must be pos­si­ble to deter­mi­ne, e.g. by means of pro­to­cols, which per­so­nal data was dis­c­lo­sed to whom.
Let­ter c requi­res that the con­trol­ler and the pro­ces­sor can quick­ly iden­ti­fy brea­ches of data secu­ri­ty within the mea­ning of Artic­le 5 let­ter h nDSG and initia­te mea­su­res to miti­ga­te or eli­mi­na­te their con­se­quen­ces. In con­trast to para­graph 2 let­ter e, this rela­tes in par­ti­cu­lar to reac­ti­ve mea­su­res taken by the con­trol­ler and the pro­ces­sor.
Artic­le 9(2) of the FADP has been dele­ted, as the Fede­ral Coun­cil no lon­ger con­siders it neces­sa­ry. The grounds for refu­sing, rest­ric­ting or defer­ring a request for infor­ma­ti­on are defi­ned at the level of the law (cf. Art. 26 nDSG). Thus, the data con­trol­lers and order pro­ces­sors are alre­a­dy obli­ged by vir­tue of the nDSG to ensu­re that the data sub­jects can effec­tively exer­cise their rights, and this irre­spec­ti­ve of the spe­ci­fic tech­no­lo­gies used to pro­cess the per­so­nal data.


Art. 4 Logging

1 If per­so­nal data requi­ring spe­cial pro­tec­tion is pro­ce­s­sed auto­ma­ti­cal­ly on a lar­ge sca­le or if high-risk pro­fil­ing is car­ri­ed out and pre­ven­ti­ve mea­su­res can­not gua­ran­tee data pro­tec­tion, the pri­va­te con­trol­ler and his pri­va­te pro­ces­sor must at least log the sto­rage, modi­fi­ca­ti­on, rea­ding, dis­clo­sure, dele­ti­on and des­truc­tion of the data. Log­ging must be car­ri­ed out in par­ti­cu­lar if it can­not other­wi­se be deter­mi­ned retro­s­pec­tively whe­ther the data was pro­ce­s­sed for the pur­po­ses for which it was obtai­ned or disclosed.
2 In the case of auto­ma­ted pro­ce­s­sing of per­so­nal data, the fede­ral body respon­si­ble and its pro­ces­sor shall at least record the sto­rage, modi­fi­ca­ti­on, rea­ding, dis­clo­sure, dele­ti­on and des­truc­tion of the data.
3 In the case of per­so­nal data that is gene­ral­ly acce­s­si­ble to the public, at least the sto­rage, modi­fi­ca­ti­on, dele­ti­on and des­truc­tion of the data must be logged.
4 The log must pro­vi­de infor­ma­ti­on on the iden­ti­ty of the per­son who car­ri­ed out the pro­ce­s­sing, the type, date and time of the pro­ce­s­sing and, if appli­ca­ble, the iden­ti­ty of the reci­pi­ent of the data.
5 The logs must be kept for at least one year sepa­ra­te­ly from the system in which the per­so­nal data are pro­ce­s­sed. They must be acce­s­si­ble only to the bodies and per­sons respon­si­ble for veri­fy­ing the appli­ca­ti­on of the data pro­tec­tion pro­vi­si­ons or for main­tai­ning or resto­ring the con­fi­den­tia­li­ty, inte­gri­ty, avai­la­bi­li­ty and tracea­bi­li­ty of the data, and may be used only for this purpose.

Expl­ana­to­ry report

Log­ging is gover­ned by Artic­le 10 of the VDSG, which also applies to fede­ral bodies due to the refe­rence in the first sen­tence of Artic­le 20(1) of the VDSG. Artic­le 4 adopts this regu­la­ti­on in amen­ded form. Log­ging con­sti­tu­tes a mea­su­re within the mea­ning of Artic­le 3 Art. This takes into account the fact that Swiss law, unli­ke the GDPR, does not pro­vi­de for a gene­ral “accoun­ta­bi­li­ty obli­ga­ti­on”. Moreo­ver, log­ging is also recom­men­ded by cer­tain Euro­pean data pro­tec­tion aut­ho­ri­ties. Fur­ther­mo­re, log­ging is a clas­sic, pre­ven­ti­ve means of ensu­ring cyber­se­cu­ri­ty.
The pur­po­se of log­ging is to ensu­re that the pro­ce­s­sing of per­so­nal data can be veri­fi­ed retro­s­pec­tively, so that it can be deter­mi­ned whe­ther data has been lost or dele­ted, destroy­ed, modi­fi­ed or dis­c­lo­sed. In addi­ti­on, it is also a que­sti­on of ensu­ring con­for­mi­ty with the pur­po­se of the data and appro­pria­te data secu­ri­ty. Log­ging can also pro­vi­de infor­ma­ti­on as to whe­ther per­so­nal data has been pro­ce­s­sed in accordance with its pur­po­se. Fur­ther­mo­re, log­ging can also ser­ve to unco­ver and cla­ri­fy brea­ches of data secu­ri­ty. Howe­ver, log­ging is not inten­ded to moni­tor the users who pro­cess per­so­nal data. Log­ging is an auto­ma­ted pro­cess. Nowa­days, the­re is hard­ly any infor­ma­ti­on system or auto­ma­ted data pro­ce­s­sing system in which data pro­ce­s­sing is not log­ged.
Artic­le 4(1) Art. requi­res log­ging for the pri­va­te con­trol­ler and its pri­va­te pro­ces­sor in the case of lar­ge-sca­le auto­ma­ted pro­ce­s­sing of data requi­ring spe­cial pro­tec­tion or high-risk pro­fil­ing, if the pre­ven­ti­ve mea­su­res can­not gua­ran­tee data pro­tec­tion and if, wit­hout this mea­su­re, it can­not be deter­mi­ned retro­s­pec­tively whe­ther the data were pro­ce­s­sed for the pur­po­ses for which they were obtai­ned or dis­c­lo­sed. At least the pro­ce­s­ses of sto­ring, modi­fy­ing, rea­ding, dis­clo­sing, dele­ting and destroy­ing data must be log­ged. The pro­cess of “rea­ding” is to be under­s­tood as access wit­hout “modi­fi­ca­ti­on”; it is the­r­e­fo­re suf­fi­ci­ent if the access to per­so­nal data and the modi­fi­ca­ti­on of this data are log­ged. The log­ging of “rea­ding” is thus satis­fied. The phra­se “pre­ven­ti­ve mea­su­res can­not gua­ran­tee data pro­tec­tion” has been taken over from cur­rent law. In prac­ti­ce, it is of secon­da­ry importance, sin­ce the pre­ven­ti­ve mea­su­res only rare­ly gua­ran­tee data pro­tec­tion.
Accor­ding to para­graph 2, the fede­ral body respon­si­ble and its com­mis­sio­ned pro­ces­sor must log at least the sto­rage, modi­fi­ca­ti­on, rea­ding, dis­clo­sure, dele­ti­on and des­truc­tion of data during the auto­ma­ted pro­ce­s­sing of per­so­nal data. The­se are the same pro­ce­s­sing ope­ra­ti­ons that the pri­va­te con­trol­ler must also log, but for fede­ral bodies, log­ging must take place in a lar­ger num­ber of cases (for each auto­ma­ted pro­ce­s­sing ope­ra­ti­on). This takes into account the requi­re­ments of Artic­le 25 of Direc­ti­ve (EU) 2016/680 appli­ca­ble in the con­text of Schen­gen coope­ra­ti­on in the area of cri­mi­nal law. As sta­ted abo­ve, with regard to “rea­ding”, it is suf­fi­ci­ent if the acce­s­ses to per­so­nal data and the modi­fi­ca­ti­on of the­se data are log­ged. For the imple­men­ta­ti­on of the log­ging obli­ga­ti­on, a tran­si­tio­nal peri­od of three years is pro­vi­ded for in Artic­le 46(1) for data pro­ce­s­sing ope­ra­ti­ons that do not fall within the scope of Direc­ti­ve (EU) 2016/680.
Para­graph 3 now sta­tes that in the case of per­so­nal data that is gene­ral­ly acce­s­si­ble to the public, at least the sto­rage, modi­fi­ca­ti­on, dele­ti­on and des­truc­tion of the data must be log­ged. This means, for exam­p­le, that the con­sul­ta­ti­on of the sta­te calen­dar, which is gene­ral­ly publicly acce­s­si­ble, does not neces­s­a­ri­ly have to be log­ged.
The regu­la­ti­on was sup­ple­men­ted with a new para­graph 4, whe­re the con­tents of the log­ging are spe­ci­fi­ed. The log must pro­vi­de infor­ma­ti­on about the iden­ti­ty of the per­son who car­ri­ed out the pro­ce­s­sing, the type, date and time of the pro­ce­s­sing and, if appli­ca­ble, the iden­ti­ty of the reci­pi­ent of the data.
In para­graph 5, Artic­le 10 para­graph 2 VDSG is taken over in a slight­ly modi­fi­ed form. The logs must be kept for at least one year sepa­ra­te­ly from the system in which the per­so­nal data is pro­ce­s­sed. Howe­ver, this does not mean that the logs may be kept for a dis­pro­por­tio­na­te­ly long peri­od. The reten­ti­on peri­od must be pro­por­tio­na­te to the goal of ade­qua­te data secu­ri­ty. Moreo­ver, the spe­cial legal pro­vi­si­ons remain reser­ved for fede­ral bodies in any case. In par­ti­cu­lar, the Ordi­nan­ce of 22 Febru­ary 2012 on the Pro­ce­s­sing of Per­so­nal Data Ari­sing from the Use of the Elec­tro­nic Infras­truc­tu­re of the Con­fe­de­ra­ti­on pro­vi­des in Artic­le 4(1)(b) that data rela­ting to the use of the elec­tro­nic infras­truc­tu­re may be retai­ned for a maxi­mum of two years. Sepa­ra­te sto­rage from the system is neces­sa­ry becau­se other­wi­se the log its­elf could also be mani­pu­la­ted or encrypt­ed in the event of cyber attacks. The logs are acce­s­si­ble only to the bodies or per­sons respon­si­ble for veri­fy­ing the appli­ca­ti­on of data pro­tec­tion regu­la­ti­ons or for main­tai­ning or resto­ring the con­fi­den­tia­li­ty, inte­gri­ty, avai­la­bi­li­ty and tracea­bi­li­ty of the data, and may be used only for this pur­po­se. With the lat­ter addi­ti­on, the text of the ordi­nan­ce now expres­ses that the logs should also be acce­s­si­ble to secu­ri­ty offi­cers so that they can resto­re the con­fi­den­tia­li­ty, inte­gri­ty, avai­la­bi­li­ty and tracea­bi­li­ty of the data. The term “pre­ser­va­ti­on” is also inten­ded to ensu­re that system admi­ni­stra­tors also have access to the logs gene­ra­ted in the system if they suspect that a secu­ri­ty vul­nerabi­li­ty exists. Con­se­quent­ly, this data may not be used for the pur­po­se of moni­to­ring users, espe­ci­al­ly their pro­fes­sio­nal acti­vi­ties. This is, of cour­se, wit­hout pre­ju­di­ce to use for pur­po­ses pro­vi­ded for in spe­cial legis­la­ti­on, such as pos­si­ble use in cri­mi­nal pro­ce­e­dings.
The third sen­tence of Artic­le 10(1) of the FADP has been dele­ted. It would be con­tra­ry to the system if the FDPIC could make recom­men­da­ti­ons in the area of data secu­ri­ty, which is sub­ject to cri­mi­nal lia­bi­li­ty under Artic­le 61(c). In addi­ti­on, the FDPIC can order log­ging in any case in the con­text of an inve­sti­ga­ti­on under Artic­le 51 nDSG in accordance with his gene­ral power of disposal.


Art. 5 Pro­ce­s­sing regu­la­ti­ons of pri­va­te persons

1 The pri­va­te con­trol­ler and its pri­va­te pro­ces­sor must draw up regu­la­ti­ons for auto­ma­ted pro­ce­s­sing ope­ra­ti­ons if they:

a. pro­cess per­so­nal data requi­ring spe­cial pro­tec­tion on a lar­ge sca­le; or
b. per­form high-risk profiling.
2 The regu­la­ti­ons must in par­ti­cu­lar con­tain details of the inter­nal orga­nizati­on, the data pro­ce­s­sing and con­trol pro­ce­du­re and the mea­su­res to ensu­re data security.
3 The pri­va­te con­trol­ler and its pri­va­te com­mis­sio­ned pro­ces­sor must update the regu­la­ti­ons regu­lar­ly. If a data pro­tec­tion advi­sor has been appoin­ted, the regu­la­ti­ons must be made available to him or her.

Expl­ana­to­ry report

Pro­ce­s­sing regu­la­ti­ons had to be drawn up by the “con­trol­ler of an auto­ma­ted data file sub­ject to noti­fi­ca­ti­on” under Artic­le 11a (3) FADP, who was not exempt from the obli­ga­ti­on to noti­fy his data files on the basis of Artic­le 11a (5) let­ters b‑d FADP (Art. 11 (1) FADP). Sin­ce the noti­fi­ca­ti­on obli­ga­ti­on for pri­va­te data con­trol­lers (Art. 11a FADP) no lon­ger exists in the nDSG, Artic­le 11 FADP can­not be adopted unch­an­ged. Accor­ding to the prin­ci­ple of accoun­ta­bi­li­ty pro­vi­ded for in the GDPR, the con­trol­ler must be able to demon­stra­te com­pli­ance with the data pro­ce­s­sing prin­ci­ples (Art. 5(2) GDPR). Swiss law does not have a gene­ral accoun­ta­bi­li­ty obli­ga­ti­on, but the obli­ga­ti­on to draw up pro­ce­s­sing regu­la­ti­ons ser­ves the same pur­po­se.
The duty to draw up pro­ce­s­sing regu­la­ti­ons is incum­bent on the per­son respon­si­ble and his or her pro­ces­sor. Pri­va­te order pro­ces­sors acting on behalf of fede­ral bodies fall under Artic­le 6. If, excep­tio­nal­ly, a fede­ral body acts as an order pro­ces­sor of a pri­va­te per­son in char­ge, it does not fall under Artic­le 5, whe­re only pri­va­te order pro­ces­sors are cover­ed, but under the stric­ter Artic­le 6. This is justi­fi­ed by the spe­cial posi­ti­on and respon­si­bi­li­ty resul­ting from the legal natu­re of the fede­ral body. The pro­ce­s­sing regu­la­ti­ons must be drawn up sepa­ra­te­ly.
In accordance with the risk-based approach of the data secu­ri­ty requi­re­ment, pro­ce­s­sing regu­la­ti­ons should always be drawn up if the­re is an increa­sed risk. Thus, pri­va­te data con­trol­lers must draw up pro­ce­s­sing regu­la­ti­ons for auto­ma­ted pro­ce­s­sing if they pro­cess per­so­nal data requi­ring spe­cial pro­tec­tion on a lar­ge sca­le (sub­pa­ra­graph a) or car­ry out high-risk pro­fil­ing (sub­pa­ra­graph b). Let­ter a cor­re­sponds to the requi­re­ment in Artic­le 22 para­graph 2 let­ter a nDSG and refers to the pro­ce­s­sing of par­ti­cu­lar­ly sen­si­ti­ve per­so­nal data on a lar­ge sca­le. This exclu­des cases in which per­sons requi­ring spe­cial pro­tec­tion are only pro­ce­s­sed on an iso­la­ted basis. Many com­pa­nies, espe­ci­al­ly “tra­di­tio­nal” SMEs, do not car­ry out such pro­ce­s­sing. They are the­r­e­fo­re not affec­ted by this pro­vi­si­on.
Para­graph 2 con­ta­ins a list of the con­tents which must at least be spe­ci­fi­ed in the pro­ce­s­sing regu­la­ti­ons. The con­tents have been taken over and sup­ple­men­ted from Artic­le 11 (1) and Artic­le 21 (2) VDSG in a slight­ly adapt­ed form. As befo­re, the pro­ce­s­sing regu­la­ti­ons are to be desi­gned as docu­men­ta­ti­on or a manu­al and should also ser­ve as such for the per­son respon­si­ble.
As befo­re, the pri­va­te respon­si­ble par­ty and order pro­ces­sor must descri­be the inter­nal orga­nizati­on in the pro­ce­s­sing regu­la­ti­ons. This also inclu­des the descrip­ti­on of the archi­tec­tu­re and the func­tio­ning of the systems.
Para­graph 2 spe­ci­fi­es that the data pro­ce­s­sing pro­ce­du­res, i.e. in par­ti­cu­lar the pro­ce­du­res for sto­ring, cor­rec­ting, dis­clo­sing, retai­ning, archi­ving, pseud­ony­mi­zing, anony­mi­zing, dele­ting or destroy­ing the data, must be con­tai­ned in the pro­ce­s­sing regu­la­ti­ons. This also inclu­des mea­su­res for data mini­mizati­on. The prin­ci­ple of data mini­mizati­on is a cen­tral prin­ci­ple of data pro­tec­tion and, as can be seen from the dis­patch DPA of Sep­tem­ber 15, 2017 , impli­ci­t­ly fol­lows from the prin­ci­ple of pro­por­tio­na­li­ty pur­su­ant to Artic­le 6(2) nDSG. In par­ti­cu­lar, it should be spe­ci­fi­ed which data pro­ce­s­sing pro­ce­du­res are to be under­ta­ken and how they are to be car­ri­ed out. The regu­la­ti­ons must also con­tain the pro­ce­du­re for exer­cis­ing the right of access and the right to issue or trans­fer data. The con­trol pro­ce­du­res must make it pos­si­ble to deter­mi­ne the access aut­ho­rizati­ons, the type and scope of access. Final­ly, it is essen­ti­al that the pro­ce­s­sing regu­la­ti­ons also include the tech­ni­cal and orga­nizatio­nal mea­su­res to ensu­re appro­pria­te data secu­ri­ty. For exam­p­le, it must be sta­ted which mea­su­res are used to take account of the pro­tec­tion objec­ti­ves pur­su­ant to Artic­le 2. The infor­ma­ti­on should also pro­vi­de infor­ma­ti­on on the con­fi­gu­ra­ti­on of the IT resour­ces, sin­ce this is a tech­ni­cal mea­su­re. The pre­vious Artic­le 21(2)(h) of the Data Pro­tec­tion Act, which still expli­ci­t­ly men­ti­ons the con­fi­gu­ra­ti­on of the IT resour­ces, was the­r­e­fo­re not adopted. It is suf­fi­ci­ent that the most important basic con­fi­gu­ra­ti­ons of the IT resour­ces are explai­ned in the pro­ce­s­sing regu­la­ti­ons. Howe­ver, they do not have to be ela­bo­ra­ted down to the tech­ni­cal details.
Para­graph 3 repres­ents an adop­ti­on of Artic­le 11 para­graph 2 VDSG. Com­pared to the cur­rent law, the addi­ti­on that the pro­ce­s­sing regu­la­ti­ons must be made available to the advi­sor in a form that he or she can under­stand has been dis­pen­sed with. Sin­ce the advi­sor hims­elf or hers­elf is invol­ved in the pre­pa­ra­ti­on of the regu­la­ti­ons, they are gene­ral­ly com­pre­hen­si­ble to him or her. The obli­ga­ti­on that the pro­ce­s­sing regu­la­ti­ons must also be made available to the agent upon request has been dele­ted. Howe­ver, as with the list of pro­ce­s­sing acti­vi­ties, the FDPIC can request this as part of an inve­sti­ga­ti­on (Art. 50 para. 1 let. a nDSG).


Art. 6 Pro­ce­s­sing regu­la­ti­ons of fede­ral bodies

1 The respon­si­ble fede­ral body and its com­mis­sio­ned pro­ces­sor shall draw up pro­ce­s­sing regu­la­ti­ons for auto­ma­ted pro­ce­s­sing ope­ra­ti­ons if they:

a. pro­cess per­so­nal data requi­ring spe­cial protection;
b. car­ry out profiling;
c. pro­cess per­so­nal data in accordance with Artic­le 34 para­graph 2 let­ter c FADP;
d. make per­so­nal data acce­s­si­ble to can­tons, for­eign aut­ho­ri­ties, inter­na­tio­nal orga­nizati­ons or pri­va­te persons;
e. Link data files tog­e­ther; or
f. ope­ra­te an infor­ma­ti­on system or mana­ge data resour­ces tog­e­ther with other fede­ral bodies.
2 The regu­la­ti­ons must in par­ti­cu­lar con­tain infor­ma­ti­on on the inter­nal orga­nizati­on, the data pro­ce­s­sing and con­trol pro­ce­du­re and the mea­su­res to ensu­re data security
3 The fede­ral body respon­si­ble and its com­mis­sio­ned pro­ces­sor must regu­lar­ly update the regu­la­ti­ons and make them available to the data pro­tec­tion advisor

Expl­ana­to­ry report

Artic­le 6 cor­re­sponds, with some modi­fi­ca­ti­ons, to Artic­le 21 VDSG.
The obli­ga­ti­on to draw up pro­ce­s­sing regu­la­ti­ons is incum­bent on the respon­si­ble fede­ral body as well as its order pro­ces­sor. As men­tio­ned abo­ve, Artic­le 6 con­cerns both pri­va­te order pro­ces­sors and fede­ral bodies that act as order pro­ces­sors by way of excep­ti­on. The pro­ce­s­sing regu­la­ti­ons must be drawn up sepa­ra­te­ly.
In the intro­duc­to­ry sen­tence of para­graph 1, the term “data coll­ec­tions” occur­ring in Artic­le 21(1) intro­duc­to­ry sen­tence of the FADP is repla­ced by “pro­ce­s­sing ope­ra­ti­ons” becau­se it is no lon­ger used in the nDSG. This pro­vi­si­on now sti­pu­la­tes that the respon­si­ble fede­ral bodies must draw up pro­ce­s­sing regu­la­ti­ons in the cases refer­red to in para­graph 1 let­ters a‑f.
The nDSG abo­lishes the term “per­so­na­li­ty pro­fi­le” and intro­du­ces the term “pro­fil­ing”. Accor­din­gly, Artic­le 21(1)(a) FADP must be amen­ded and Artic­le 6(1) Art. must pro­vi­de that the fede­ral body respon­si­ble and its com­mis­sio­ned pro­ces­sor must draw up pro­ce­s­sing regu­la­ti­ons if it pro­ce­s­ses per­so­nal data requi­ring spe­cial pro­tec­tion (sub­pa­ra­graph a), car­ri­es out pro­fil­ing in accordance with Artic­le 5(f) nDSG (sub­pa­ra­graph b) or pro­ce­s­ses data in accordance with Artic­le 34(2)(c) nDSG (sub­pa­ra­graph c). The case under let­ter a cor­re­sponds to the pre­vious right under the FADP. Let­ters b and c are new. They replace Artic­le 21(1)(a) FADP, which requi­res the fede­ral body respon­si­ble to draw up pro­ce­s­sing regu­la­ti­ons for all auto­ma­ted data coll­ec­tions that con­tain per­so­na­li­ty pro­files.
Artic­le 6(1)(d) Art. under­goes only a few edi­to­ri­al chan­ges com­pared to Artic­le 21(1)(c) of the GDPR.
In Artic­le 6(1)(e), the term “data coll­ec­tions” used in the cor­re­spon­ding Artic­le 21(1)(d) of the Data Pro­tec­tion Act is repla­ced by “data files”.
Based on Artic­le 6 para­graph 1 let­ter f Art. a pro­ce­s­sing regu­la­ti­on must also be drawn up if the fede­ral body respon­si­ble ope­ra­tes an infor­ma­ti­on system or mana­ges data files tog­e­ther with other fede­ral bodies. This pro­vi­si­on replaces Artic­le 21 para­graph 1 let­ter b VDSG, accor­ding to which such an obli­ga­ti­on exists if an auto­ma­ted data coll­ec­tion is used by seve­ral fede­ral bodies.
Para­graph 2 cor­re­sponds to the con­tent of the pro­ce­s­sing regu­la­ti­ons for pri­va­te per­sons accor­ding to Artic­le 5 Para­graph 2 Art. Refe­rence should the­r­e­fo­re be made at this point to the expl­ana­ti­ons given abo­ve.
Para­graph 3 has been taken over in slight­ly adapt­ed form from Artic­le 21(3) VDSG. As in Artic­le 5(3) Art. the pro­vi­si­on in intel­li­gi­ble form has also been dele­ted here. The term “super­vi­so­ry bodies” is repla­ced by “data pro­tec­tion advi­sor”. The men­ti­on of the FDPIC has been omit­ted for the rea­sons men­tio­ned abo­ve in con­nec­tion with Artic­le 5(3) Art.

Sec­tion 2: Pro­ce­s­sing by Order Processors

Art. 7

1 The pri­or aut­ho­rizati­on of the con­trol­ler allo­wing the pro­ces­sor to ent­rust the data pro­ce­s­sing to a third par­ty may be of a spe­ci­fic or gene­ral nature
2 In the case of a gene­ral aut­ho­rizati­on, the Order Pro­ces­sor shall inform the Respon­si­ble Par­ty of any inten­ded chan­ge regar­ding the invol­vement or sub­sti­tu­ti­on of other third par­ties. The per­son respon­si­ble may object to this change

Expl­ana­to­ry report

Artic­le 7 Art. regu­la­tes the type of pri­or aut­ho­rizati­on by which a con­trol­ler may aut­ho­ri­ze a pro­ces­sor to trans­fer data pro­ce­s­sing to a third par­ty. This pro­vi­si­on is based on Artic­le 22(2) of Direc­ti­ve (EU) 2016/680 or Artic­le 28(2) of the GDPR. For rea­sons of legal cer­tain­ty, it expli­ci­t­ly sta­tes what the Fede­ral Coun­cil has alre­a­dy sta­ted in the Dis­patch on the Total Revi­si­on of the Data Pro­tec­tion Act regar­ding the aut­ho­rizati­on of sub­con­trac­ted pro­ce­s­sing (see BBl 2017 6941, 7032). The pri­or aut­ho­rizati­on of the con­trol­ler may be of a spe­ci­fic or gene­ral natu­re (Art. 7(1) Art.). In the case of a gene­ral aut­ho­rizati­on, the order pro­ces­sor must inform the respon­si­ble per­son of any inten­ded chan­ge regar­ding the addi­ti­on or repla­ce­ment of ano­ther sub­or­der pro­ces­sor. The con­trol­ler may object to this chan­ge (Art. 7 par. 2 Art.).

Sec­tion 3: Dis­clo­sure of per­so­nal data abroad

Expl­ana­to­ry report

In accordance with the system of the Act, the pro­vi­si­ons on the dis­clo­sure of per­so­nal data abroad have been pla­ced among the gene­ral pro­vi­si­ons in Chap­ter 1. Seve­ral terms rela­ted to the dis­clo­sure of data abroad need to be cla­ri­fi­ed. In the Art. this is done in five dif­fe­rent artic­les: A first artic­le spe­ci­fi­es the cri­te­ria that the Fede­ral Coun­cil must take into account when asses­sing whe­ther a sta­te, a ter­ri­to­ry, a spe­ci­fic sec­tor in a sta­te, or an inter­na­tio­nal orga­nizati­on ensu­res ade­qua­te data pro­tec­tion; a second artic­le sets out what the data pro­tec­tion clau­ses in a trea­ty and the spe­ci­fic safe­guards to ensu­re ade­qua­te data pro­tec­tion must regu­la­te; a third artic­le deals with stan­dard data pro­tec­tion clau­ses; a fourth artic­le focu­ses on bin­ding inter­nal com­pa­ny data pro­tec­tion rules; based on the com­pe­tence assi­gned to the Fede­ral Coun­cil in Artic­le 16(3) nDSG, a final pro­vi­si­on pro­vi­des for fur­ther appro­pria­te safeguards.

Art. 8 Assess­ment of the ade­qua­cy of data pro­tec­tion of a Sta­te, a ter­ri­to­ry, a spe­ci­fic sec­tor in a Sta­te or an inter­na­tio­nal body.

1 The Sta­tes, ter­ri­to­ries, spe­ci­fic sec­tors in a Sta­te and inter­na­tio­nal bodies with ade­qua­te data pro­tec­tion are listed in Annex 1.

2 In asses­sing whe­ther a Sta­te, a ter­ri­to­ry, a spe­ci­fic sec­tor in a Sta­te or an inter­na­tio­nal body ensu­res ade­qua­te data pro­tec­tion, the fol­lo­wing cri­te­ria in par­ti­cu­lar shall be taken into account:

a. the inter­na­tio­nal obli­ga­ti­ons of the sta­te or inter­na­tio­nal body, espe­ci­al­ly in the field of data protection;
b. the rule of law and respect for human rights;
c. the appli­ca­ble legis­la­ti­on, in par­ti­cu­lar on data pro­tec­tion, as well as its imple­men­ta­ti­on and the rele­vant case law;
d. the effec­ti­ve gua­ran­tee of the rights of data sub­jects and legal protection;
e. the effec­ti­ve func­tio­ning of one or more inde­pen­dent aut­ho­ri­ties respon­si­ble for data pro­tec­tion in the Sta­te con­cer­ned or to which an inter­na­tio­nal body is ans­werable and which have suf­fi­ci­ent powers and competences.
3 The Fede­ral Data Pro­tec­tion and Infor­ma­ti­on Com­mis­sio­ner (FDPIC) shall be con­sul­ted on any assess­ment. The assess­ments of inter­na­tio­nal bodies or for­eign aut­ho­ri­ties respon­si­ble for data pro­tec­tion may be taken into account.
4 The ade­qua­cy of data pro­tec­tion shall be reas­ses­sed periodically.
5 The assess­ments are published.
6 If the assess­ment under para­graph 4 or other infor­ma­ti­on shows that ade­qua­te data pro­tec­tion is no lon­ger gua­ran­teed, Annex 1 shall be amen­ded; this shall have no effect on the data dis­clo­sures alre­a­dy made.

Expl­ana­to­ry report

If cer­tain cri­te­ria are met, the Fede­ral Coun­cil may assess that a sta­te or ter­ri­to­ry, a spe­ci­fic sec­tor in a sta­te or an inter­na­tio­nal body gua­ran­tees ade­qua­te pro­tec­tion. Accor­ding to Artic­le 7 para­graph 1 let­ter d of the Orga­nizati­on Ordi­nan­ce of 17 Novem­ber 1999 for the Fede­ral Depart­ment of Justi­ce and Poli­ce (OV-FJPD), the task of ensu­ring ade­qua­te data pro­tec­tion of a sta­te, a ter­ri­to­ry, a spe­ci­fic sec­tor in a sta­te or an inter­na­tio­nal body falls within the com­pe­tence of the Fede­ral Office of Justi­ce.
Accor­ding to Artic­le 8(1) DPA, the sta­tes, ter­ri­to­ries, spe­ci­fic sec­tors in a sta­te and inter­na­tio­nal bodies who­se data pro­tec­tion has been dee­med ade­qua­te are listed in the Annex to the Regu­la­ti­on. As explai­ned in the mes­sa­ge, this is a “posi­ti­ve list”. If a sta­te is not inclu­ded, this does not neces­s­a­ri­ly mean that it does not have data pro­tec­tion legis­la­ti­on that ensu­res ade­qua­te data pro­tec­tion; rather, it is conceiva­ble that the sta­te has not (yet) been asses­sed by the Fede­ral Coun­cil. Only sta­tes that are inclu­ded in the list in the Annex can the­r­e­fo­re be con­side­red to ensu­re ade­qua­te data pro­tec­tion. This approach dif­fers some­what from the approach of the FDPIC. Inde­ed, the FDPIC has so far indi­ca­ted for each sta­te whe­ther it ensu­res ade­qua­te pro­tec­tion, ade­qua­te pro­tec­tion under cer­tain con­di­ti­ons, or insuf­fi­ci­ent pro­tec­tion. It should also be noted that the FDPIC’s list is not bin­ding and, in par­ti­cu­lar, does not bind the courts in the event of a dis­pu­te. Befo­re dis­cus­sing in detail the fac­tors that the Fede­ral Coun­cil must take into account in its assess­ment, it should first be cla­ri­fi­ed what is meant by a “ter­ri­to­ry” or a “spe­ci­fic sec­tor in a Sta­te”. The term “ter­ri­to­ry” refers to cases whe­re the coun­try is not sub­ject to a sin­gle legis­la­ti­on. This con­cerns name­ly the case of fede­ral sta­tes, name­ly when the legis­la­ti­on of the cen­tral sta­te does not ensu­re ade­qua­te pro­tec­tion, while a fede­ral sta­te has ade­qua­te data pro­tec­tion legis­la­ti­on, but this only applies on its own ter­ri­to­ry. Regar­ding the noti­on of “spe­ci­fic sec­tor in a sta­te”, for exam­p­le, the list of the FDPIC can be cited, which takes into account, under Cana­da, that on the basis of a spe­ci­fic data pro­tec­tion law for the pri­va­te sec­tor, an ade­qua­te level of pro­tec­tion can only be reco­gnized for this sec­tor. Until July 2020, this also applied to the USA due to the Pri­va­cy Shield CH-US, which only allo­wed the free trans­fer of data to com­pa­nies that had com­mit­ted to com­ply with the bin­ding prin­ci­ples of the Pri­va­cy Shield. Other spe­ci­fic sec­tors such as the finan­cial or insu­rance sec­tor or data pro­ce­s­sing by order pro­ces­sors should be men­tio­ned. The term inter­na­tio­nal body was cla­ri­fi­ed in the mes­sa­ge on the Data Pro­tec­tion Act. It refers to “all inter­na­tio­nal insti­tu­ti­ons, be they orga­nizati­ons or courts” (BBl 2017 6941, 7038) .
When deci­ding whe­ther a sta­te, a ter­ri­to­ry, a spe­ci­fic sec­tor in a sta­te or an inter­na­tio­nal body ensu­res ade­qua­te data pro­tec­tion, the fol­lo­wing cri­te­ria, among others, must be taken into account (Art. 8 para. 2 DPA):
The inter­na­tio­nal obli­ga­ti­ons of the sta­te or inter­na­tio­nal body con­cer­ned, in par­ti­cu­lar in the area of data pro­tec­tion (para. 2 let. a): This refers in par­ti­cu­lar to the revi­sed ETS 108 Con­ven­ti­on. Howe­ver, not only agree­ments in the area of data pro­tec­tion are rele­vant, which is why the term “in par­ti­cu­lar” is used (see also the expl­ana­ti­on to let. c). For exam­p­le, agree­ments regu­la­ting the exch­an­ge of infor­ma­ti­on may also play a role.
The rule of law and respect for human rights (para. 2(b)): In sub­pa­ra­graph (b), the term “human rights” is used in order to use the same ter­mi­no­lo­gy as in the ECHR and UN Covenant II. The Fede­ral Coun­cil has the neces­sa­ry dis­creti­on to deter­mi­ne whe­ther a sta­te ensu­res ade­qua­te data pro­tec­tion even if it does not ful­ly com­ply with inter­na­tio­nal­ly reco­gnized human rights. What is important here is that pro­tec­tion against dis­pro­por­tio­na­te inter­fe­rence with pri­va­te life is gua­ran­teed, even if the sta­te does not, for exam­p­le, meet the requi­re­ments of the ECHR in all respects.
The appli­ca­ble legis­la­ti­on, in par­ti­cu­lar on data pro­tec­tion, as well as its imple­men­ta­ti­on and the rele­vant case law (para. 2 let. c): Due to the term “in par­ti­cu­lar”, sec­to­ral legis­la­ti­on is also meant. The­se often con­tain (direct and/or indi­rect) regu­la­ti­ons on data pro­tec­tion. This applies, for exam­p­le, to sta­tes that do not have a frame­work law on data pro­tec­tion, but only a civil code. In some cases, the­se sta­tes have sec­to­ral laws that con­tain data pro­tec­tion pro­vi­si­ons. It is important that the appli­ca­ble laws app­ly. The­r­e­fo­re, the focus will be on the rele­vant gene­ral and spe­ci­fic legis­la­ti­on of the sta­te, inclu­ding tho­se on public secu­ri­ty, defen­se, natio­nal secu­ri­ty, cri­mi­nal law, and access to per­so­nal data by public aut­ho­ri­ties.
The effec­ti­ve gua­ran­tee of the rights of the data sub­jects and legal pro­tec­tion (para. 2 let. d): It is not only a mat­ter of checking whe­ther the rights of the data sub­jects are con­tai­ned in legal bases, but also of ensu­ring that the­se rights are actual­ly imple­men­ted.
The effec­ti­ve func­tio­ning of one or more inde­pen­dent aut­ho­ri­ties in char­ge of data pro­tec­tion in the sta­te con­cer­ned or to which an inter­na­tio­nal body is sub­or­di­na­te and which have suf­fi­ci­ent powers and com­pe­ten­ces. In this sen­se, the mini­mum requi­re­ments of the revi­sed con­ven­ti­on ETS 108 must be met (para. 2 let. e).
The third para­graph sti­pu­la­tes that the FDPIC is con­sul­ted in any ade­qua­cy assess­ment. Its opi­ni­on is not bin­ding on the Fede­ral Coun­cil, but must be taken into account, espe­ci­al­ly in the con­text of the office con­sul­ta­ti­on. The FDPIC may also publish its opi­ni­on. The Fede­ral Coun­cil may also take into account an assess­ment of the level of pro­tec­tion made by a for­eign aut­ho­ri­ty respon­si­ble for data pro­tec­tion (and belon­ging to a sta­te with an ade­qua­te level of pro­tec­tion) or by an inter­na­tio­nal body. An inter­na­tio­nal body within the mea­ning of this para­graph may be, inter alia, the Com­mit­tee of the Par­ties estab­lished by the revi­sed Con­ven­ti­on ETS 108. Assess­ments made by the Euro­pean Com­mis­si­on may also ser­ve as a source of infor­ma­ti­on.
The fourth para­graph pro­vi­des for peri­odic reas­sess­ment of the level of pro­tec­tion in the Sta­te or insti­tu­ti­on con­cer­ned.
Based on the various comm­ents recei­ved during the con­sul­ta­ti­on pro­ce­du­re, a new para­graph 5 pro­vi­des that the assess­ments car­ri­ed out by the Fede­ral Office of Justi­ce are to be published. The term assess­ment inclu­des both the assess­ment and the reas­sess­ment of sta­tes, ter­ri­to­ries, spe­ci­fic sec­tors in a sta­te or inter­na­tio­nal bodies that are alre­a­dy on the list and are being reas­ses­sed. A new tran­si­tio­nal pro­vi­si­on (Art. 46 para. 2) cla­ri­fi­es that assess­ments car­ri­ed out befo­re the ent­ry into force of the DSV will not be published.
The Regu­la­ti­on intro­du­ces a new requi­re­ment to car­ry out a balan­cing of inte­rests, which makes it pos­si­ble to act in urgent cases when it can be con­clu­ded that ade­qua­cy can no lon­ger be gua­ran­teed. Accor­ding to para­graph 6, Annex 1 shall be amen­ded if it is deter­mi­ned that data pro­tec­tion can no lon­ger be gua­ran­teed in a Sta­te, a ter­ri­to­ry, a spe­ci­fic sec­tor in a Sta­te or an inter­na­tio­nal body. In the case of the U.S., for exam­p­le, the July 2020 “Schrems II” ruling by the ECJ cau­sed the FDPIC to recon­sider its assess­ment and amend its list. If infor­ma­ti­on sug­gests that a sta­te con­cer­ned no lon­ger ensu­res ade­qua­te data pro­tec­tion (e.g. due to a sta­te cri­sis), the Fede­ral Coun­cil may urgen­tly amend the list wit­hout having car­ri­ed out a for­mal and com­ple­te exami­na­ti­on. This is becau­se urgent publi­ca­ti­ons are pos­si­ble under Artic­le 7(3) PublG. Howe­ver, this only applies in the case of a dele­ti­on from the list. In the case of an addi­ti­on to the list, the assess­ment pro­ce­du­re must be fol­lo­wed (paras. 1 and 2). The amend­ment has no effect on data dis­clo­sures that have alre­a­dy been made.


Art. 9 Data pro­tec­tion clau­ses and spe­ci­fic safeguards

1 The data pro­tec­tion clau­ses in a con­tract under Artic­le 16(2)(b) FADP and the spe­ci­fic gua­ran­tees under Artic­le 16(2)(c) FADP must con­tain at least the fol­lo­wing points:

a. the appli­ca­ti­on of the prin­ci­ples of lega­li­ty, good faith, pro­por­tio­na­li­ty, trans­pa­ren­cy, pur­po­se limi­ta­ti­on and accuracy;
b. the cate­go­ries of per­so­nal data dis­c­lo­sed and the per­sons concerned;
c. the natu­re and pur­po­se of the dis­clo­sure of per­so­nal data;
d. whe­re appli­ca­ble, the names of the sta­tes or inter­na­tio­nal bodies to which or to which per­so­nal data are dis­c­lo­sed and the requi­re­ments for disclosure;
e. the requi­re­ments for the reten­ti­on, dele­ti­on and des­truc­tion of per­so­nal data;
f. the reci­pi­en­ts or cate­go­ries of recipients;
g. the mea­su­res to ensu­re data security;
h. the obli­ga­ti­on to report brea­ches of data security;
i. if the reci­pi­en­ts are data con­trol­lers: the obli­ga­ti­on to inform the data sub­jects about the processing;

j. the rights of the data sub­ject, in particular:

1. the right of access and the right to issue or trans­fer data,
2. the right to object to the dis­clo­sure of data,
3. the right to rec­ti­fi­ca­ti­on, era­su­re or des­truc­tion of their data,
4. the right to seek legal pro­tec­tion from an inde­pen­dent authority.
2 The con­trol­ler and, in the case of data pro­tec­tion clau­ses in a con­tract, the pro­ces­sor must take rea­sonable mea­su­res to ensu­re that the reci­pi­ent com­plies with the­se clau­ses or the spe­ci­fic safeguards

3 If the FDPIC has been infor­med of the data pro­tec­tion clau­ses in a con­tract or of the spe­ci­fic safe­guards, the infor­ma­ti­on obli­ga­ti­on shall be dee­med to have been ful­fil­led for all fur­ther dis­clo­sures that:

a. take place under the same data pro­tec­tion clau­ses or safe­guards, pro­vi­ded that the cate­go­ries of reci­pi­en­ts, the pur­po­se of the pro­ce­s­sing and the cate­go­ries of data remain sub­stan­ti­al­ly unch­an­ged; or
b. take place within the same legal enti­ty or com­pa­ny or bet­ween com­pa­nies belon­ging to the same group.

Expl­ana­to­ry report

Accor­ding to Artic­le 16 (2) nDSG, per­so­nal data may be dis­c­lo­sed to a sta­te that is not listed in Annex 1 of the Ordi­nan­ce – i.e. wit­hout the Fede­ral Coun­cil having reco­gnized the ade­qua­cy of data pro­tec­tion as appro­pria­te – if appro­pria­te data pro­tec­tion is gua­ran­teed. In the pri­va­te sec­tor, this may be gua­ran­teed by a data pro­tec­tion clau­se in a con­tract bet­ween the con­trol­ler or pro­ces­sor and its con­trac­tu­al part­ner (Art. 16 para. 2 let. b nDSG), and in the public sec­tor by spe­ci­fic gua­ran­tees drawn up by the com­pe­tent fede­ral body (Art. 16 para. 2 let. c nDSG).
Unli­ke the other instru­ments men­tio­ned in para­graph 2 of Artic­le 16 nDSG, data con­trol­lers and pro­ces­sors do not need to have the­se safe­guards appro­ved by the FDPIC, but only to noti­fy him of them befo­re dis­clo­sing data abroad. The­re is a cer­tain risk that the data con­trol­lers and the data pro­ces­sors will assess the level of pro­tec­tion to be achie­ved by the­se safe­guards dif­fer­ent­ly, this being true for the pri­va­te sec­tor as well as for the public sec­tor.
The Fede­ral Coun­cil the­r­e­fo­re con­siders it appro­pria­te to lay down cer­tain data pro­tec­tion stan­dards and spe­ci­fi­es in Artic­le 9(1) Art. what the­se data pro­tec­tion clau­ses or spe­ci­fic gua­ran­tees must regu­la­te as a mini­mum.
The­se are as fol­lows:
The appli­ca­ti­on of the prin­ci­ples of lega­li­ty, good faith, pro­por­tio­na­li­ty, trans­pa­ren­cy, pur­po­se limi­ta­ti­on, and accu­ra­cy (sub­pa­ra­graph (a)).
The cate­go­ries of per­so­nal data dis­c­lo­sed and the data sub­jects (let. b).
The natu­re and pur­po­se of the dis­clo­sure of per­so­nal data (sub­pa­ra­graph c).
Whe­re appli­ca­ble, the names of the Sta­tes or inter­na­tio­nal bodies to which or to which per­so­nal data are dis­c­lo­sed and the requi­re­ments for dis­clo­sure (sub­pa­ra­graph (d)): the expres­si­on “whe­re appli­ca­ble” pro­vi­des the pos­si­bi­li­ty of adap­ting to the cir­cum­stances of a trea­ty. In cer­tain very nar­row­ly defi­ned con­tracts, this sub­pa­ra­graph does not qua­li­fy. For exam­p­le, if no data are dis­c­lo­sed to an inter­na­tio­nal body under the con­tract, such a refe­rence would obvious­ly be super­fluous.
The requi­re­ments for reten­ti­on, dele­ti­on and des­truc­tion of per­so­nal data (sub­pa­ra­graph e).
The reci­pi­en­ts or cate­go­ries of reci­pi­en­ts (sub­pa­ra­graph (f)): The cate­go­ries of reci­pi­en­ts may be useful, albeit in a gene­ric form, as neces­sa­ry (e.g..: Repre­sen­ta­ti­ves and agents, order pro­ces­sors, co-respon­si­ble par­ties, trea­ting phy­si­ci­ans, muni­ci­pa­li­ties, exter­nal part­ner orga­nizati­ons, etc.).
The mea­su­res to ensu­re data secu­ri­ty (sub­pa­ra­graph g).
The obli­ga­ti­on to report data secu­ri­ty brea­ches (sub­pa­ra­graph (h)).
If the reci­pi­en­ts are respon­si­ble par­ties: the obli­ga­ti­on to inform the data sub­jects about the pro­ce­s­sing (sub­pa­ra­graph (i)): The reci­pi­ent as pro­ces­sor can­not be respon­si­ble and com­ply with this obli­ga­ti­on.
The rights of the data sub­ject (point j), in par­ti­cu­lar: the right of access and the right to have data dis­c­lo­sed or trans­fer­red (point 1), the right to object to the dis­clo­sure of data (point 2), the right to have their data cor­rec­ted, dele­ted or destroy­ed (point 3) and the right to seek legal pro­tec­tion from an inde­pen­dent aut­ho­ri­ty (data pro­tec­tion aut­ho­ri­ty or court) (point 4).
All of the­se points cor­re­spond to the fun­da­men­tals of the nDSG. Para­graph 2 also cla­ri­fi­es that if per­so­nal data is dis­c­lo­sed abroad, the con­trol­ler must take appro­pria­te mea­su­res to ensu­re that the reci­pi­ent com­plies with the data pro­tec­tion clau­ses in a con­tract or the spe­ci­fic safe­guards; the pro­ces­sor must also ensu­re this in the case of data pro­tec­tion clau­ses in a con­tract (con­tract pro­ce­s­sing is not appli­ca­ble to the spe­ci­fic safe­guards). Thus, this para­graph (which essen­ti­al­ly adopts Art. 6(2) and (4) of the FADP) can be used to ensu­re that the reci­pi­ent of the dis­c­lo­sed data com­plies with the data pro­tec­tion frame­work appli­ca­ble in Switz­er­land.
A third para­graph takes over Artic­le 6(2) of the Data Pro­tec­tion Act on the controller’s duty to inform. It is only edi­to­ri­al­ly adapt­ed (e.g. the term “maît­re du fichier” is repla­ced in the French ver­si­on) by dele­ting the second sub-sen­tence in Artic­le 6(2)(b) DDPA. In any case, dis­clo­sure abroad is only per­mit­ted if the data pro­tec­tion clau­ses or safe­guards ensu­re appro­pria­te pro­tec­tion, name­ly by mee­ting the requi­re­ments of Artic­le 9(1) Art. It is the­r­e­fo­re not neces­sa­ry to men­ti­on this again in Artic­le 9(3)(b) Art.


Art. 10 Stan­dard data pro­tec­tion clauses 

1 If the con­trol­ler or pro­ces­sor dis­c­lo­ses per­so­nal data abroad by means of stan­dard data pro­tec­tion clau­ses in accordance with Artic­le 16 para­graph 2 let­ter d FADP, it shall take appro­pria­te mea­su­res to ensu­re that the reci­pi­ent com­plies with these
2 The FDPIC shall publish a list of stan­dard data pro­tec­tion clau­ses which he has appro­ved, issued or reco­gnized. It shall com­mu­ni­ca­te the result of the exami­na­ti­on of the stan­dard data pro­tec­tion clau­ses sub­mit­ted to it within 90 days

Expl­ana­to­ry report

As in the case of data dis­clo­sure abroad, which is based on data pro­tec­tion clau­ses in a con­tract and on spe­ci­fic gua­ran­tees, Swiss data pro­tec­tion regu­la­ti­ons must also be com­plied with in the case of data dis­clo­sure by means of stan­dard data pro­tec­tion clau­ses (Art. 16 para. 2 let. d nDSG). Thus, Artic­le 10(1) Art. which cor­re­sponds in prin­ci­ple to Artic­le 6(4) nDSG spe­ci­fi­es that the con­trol­ler or pro­ces­sor must take appro­pria­te mea­su­res to ensu­re that the reci­pi­ent actual­ly com­plies with the stan­dard clau­ses. In the Fede­ral Office of Justice’s com­men­ta­ry on the VDSG, this duty of care is spe­ci­fi­ed as fol­lows: “The appro­pria­ten­ess of the requi­red mea­su­res depends on the cir­cum­stances in the spe­ci­fic case and the sta­te of the art. If it is a mat­ter of par­ti­cu­lar­ly sen­si­ti­ve per­so­nal data or per­so­na­li­ty pro­files, the requi­re­ments are hig­her than if it is a mat­ter of simp­le per­so­nal data.” Alt­hough the term “per­so­na­li­ty pro­files” is no lon­ger used in the nDSG, the expl­ana­ti­on is still rele­vant for under­stan­ding that the mea­su­res must be adapt­ed to the spe­ci­fic cir­cum­stances. This is a duty of care and the con­trol­ler or pro­ces­sor must ensu­re that the mea­su­res are taken and moni­tor their imple­men­ta­ti­on.
Para­graph 2 con­cerns the appr­oval by the FDPIC of stan­dard data pro­tec­tion clau­ses drawn up by a pri­va­te per­son or a fede­ral body. The FDPIC issues an opi­ni­on and publishes on its web­site a list of stan­dard data pro­tec­tion clau­ses that it has appro­ved, issued or reco­gnized. The stan­dard clau­ses must com­ply with Swiss data pro­tec­tion requi­re­ments and be capa­ble of being inter­pre­ted in accordance with Swiss data pro­tec­tion law. The FDPIC “shall com­mu­ni­ca­te the result of the review of the stan­dard data pro­tec­tion clau­ses sub­mit­ted to it within 90 days”.


Art. 11 Bin­ding cor­po­ra­te data pro­tec­tion regulations

1 Bin­ding cor­po­ra­te data pro­tec­tion regu­la­ti­ons pur­su­ant to Artic­le 16 para­graph 2 let­ter e FADP app­ly to all com­pa­nies belon­ging to the same group of companies

2 They shall include at least the items refer­red to in Artic­le 9(1) and the fol­lo­wing information:

a. the orga­nizati­on and cont­act details of the Group and its companies;
b. the mea­su­res taken within the Group to com­ply with bin­ding inter­nal cor­po­ra­te data pro­tec­tion regulations.
3 The FDPIC shall com­mu­ni­ca­te the result of the review of the bin­ding cor­po­ra­te data pro­tec­tion rules sub­mit­ted to it within 90 days

Expl­ana­to­ry report

Bin­ding cor­po­ra­te data pro­tec­tion regu­la­ti­ons app­ly to all com­pa­nies belon­ging to the same cor­po­ra­te group and must be com­plied with by them. The­se regu­la­ti­ons must include not only the items men­tio­ned in Artic­le 9 (1) Art. but also infor­ma­ti­on on the orga­nizati­on and cont­act details of the group and each of its enti­ties (para. 2 let. a) as well as infor­ma­ti­on on the mea­su­res taken within the group to ensu­re com­pli­ance with the cor­po­ra­te inter­nal regu­la­ti­ons (para. 2 let. b).
The­se bin­ding inter­nal com­pa­ny regu­la­ti­ons must also be sub­mit­ted to the FDPIC in accordance with Artic­le 16 para­graph 2 let­ter e nDSG.
Artic­le 11 Art. inclu­des a new para­graph 3, accor­ding to which the FDPIC “shall com­mu­ni­ca­te the result of the review of the bin­ding cor­po­ra­te data pro­tec­tion rules sub­mit­ted to it within 90 days”.


Art. 12 Codes of con­duct and certifications

1 Per­so­nal data may be dis­c­lo­sed abroad if a code of con­duct or cer­ti­fi­ca­ti­on ensu­res appro­pria­te data protection
2 The code of con­duct must be sub­mit­ted in advan­ce to the FDPIC for approval.
3 The code of con­duct or cer­ti­fi­ca­ti­on must be accom­pa­nied by a bin­ding and enforceable com­mit­ment by the con­trol­ler or pro­ces­sor in the third coun­try to app­ly the mea­su­res con­tai­ned therein

Expl­ana­to­ry report

Accor­ding to Artic­le 16(3) nDSG, the Fede­ral Coun­cil may pro­vi­de for other sui­ta­ble safe­guards that allow data to be dis­c­lo­sed abroad. For exam­p­le, appro­pria­te data pro­tec­tion can also be gua­ran­teed by a code of con­duct or cer­ti­fi­ca­ti­on (para. 1).
With this new mea­su­re, com­pa­nies are given an incen­ti­ve to intro­du­ce such a code or to have their systems, pro­ducts or ser­vices cer­ti­fi­ed. As in the case of stan­dard data pro­tec­tion clau­ses and bin­ding inter­nal com­pa­ny regu­la­ti­ons, for rea­sons of con­si­sten­cy it is also sti­pu­la­ted that codes of con­duct must be appro­ved by the FDPIC (para. 2). This is becau­se the­se instru­ments must be exami­ned for their sui­ta­bi­li­ty. For its exami­na­ti­on, the FDPIC may be gui­ded by the cri­te­ria of Artic­le 9(1) Art. The appr­oval of the codes of con­duct by the FDPIC does not con­tra­dict Artic­le 11 nDSG, which pro­vi­des in gene­ral terms that the FDPIC shall give an opi­ni­on on the codes of con­duct sub­mit­ted to him, but shall not appro­ve them. In the spe­ci­fic case whe­re a con­trol­ler reli­es on its code of con­duct when dis­clo­sing data abroad, it is appro­pria­te, as in the case of stan­dard data pro­tec­tion clau­ses and bin­ding cor­po­ra­te rules, for the FDPIC to appro­ve this instru­ment. Accor­ding to the ordi­nan­ce of 28 Sep­tem­ber 2007 on data pro­tec­tion cer­ti­fi­ca­ti­ons, only for­eign cer­ti­fi­ca­ti­ons must be reco­gnized by the FDPIC. This is main­tai­ned in this way with the total­ly revi­sed ordi­nan­ce. Howe­ver, this does not mean that the cer­ti­fi­ca­ti­on does not have to meet the requi­re­ments of the Ordi­nan­ce on Data Pro­tec­tion Cer­ti­fi­ca­ti­ons.
In addi­ti­on, the con­trol­ler or pro­ces­sor loca­ted in a third coun­try must make a bin­ding and enforceable com­mit­ment to app­ly the mea­su­res con­tai­ned in the code of con­duct or cer­ti­fi­ca­ti­on (para. 3).
Repeal of Artic­les 5 and 7 VDSG
Artic­les 5 and 7 VDSG are not taken over. The for­mer pro­vi­si­on was inser­ted into the nDSG (Art. 18). The second, which assi­gned the FDPIC the com­pe­tence to draw up a list of count­ries with an ade­qua­te level of data pro­tec­tion, is obso­le­te becau­se the Fede­ral Coun­cil now has this com­pe­tence (Art. 16 para. 1 nDSG).

Chap­ter 2: Obli­ga­ti­ons of the respon­si­ble person

Art. 13 Moda­li­ties of the infor­ma­ti­on obligation


The data con­trol­ler must pro­vi­de the data sub­ject with the infor­ma­ti­on on the acqui­si­ti­on of per­so­nal data in a pre­cise, trans­pa­rent, com­pre­hen­si­ble and easi­ly acce­s­si­ble form.
Expl­ana­to­ry report

The duty of the data con­trol­ler to pro­vi­de infor­ma­ti­on is enshri­ned in Artic­le 19 nDSG. Excep­ti­ons and limi­ta­ti­ons are set out in Artic­le 20 nDSG. Artic­le 19(1) nDSG pro­vi­des that the data sub­ject must be pro­vi­ded with “ade­qua­te” infor­ma­ti­on. This means that, as far as pos­si­ble, the infor­ma­ti­on is com­mu­ni­ca­ted in a pre­cise, trans­pa­rent, com­pre­hen­si­ble and easi­ly acce­s­si­ble form.
In other words, when choo­sing the form of infor­ma­ti­on, the con­trol­ler must ensu­re that the data sub­ject always recei­ves the most important infor­ma­ti­on at the first level of com­mu­ni­ca­ti­on when obtai­ning his or her per­so­nal data. If the com­mu­ni­ca­ti­on takes place via a web­site, for exam­p­le, a good prac­ti­ce may be that all essen­ti­al infor­ma­ti­on is available at a glan­ce, e.g. in the form of an orga­ni­zed over­view. To obtain fur­ther infor­ma­ti­on, the data sub­ject can then click on this infor­ma­ti­on dis­play­ed first, whereu­pon a win­dow opens with more detail­ed infor­ma­ti­on. It should be noted, howe­ver, that com­mu­ni­ca­ti­on via a web­site is not always suf­fi­ci­ent: The data sub­ject must know that he or she will find the infor­ma­ti­on on a spe­ci­fic web­site. In the case of a tele­pho­ne con­ver­sa­ti­on, the infor­ma­ti­on can also be com­mu­ni­ca­ted oral­ly and, if neces­sa­ry, sup­ple­men­ted by a link to a web­site. In the case of recor­ded infor­ma­ti­on, the data sub­ject must have the oppor­tu­ni­ty to listen to more detail­ed infor­ma­ti­on. In the event that the per­son is film­ed using a video sur­veil­lan­ce system or a dro­ne, he or she must be made awa­re of this, for exam­p­le, by means of a sign or as part of an infor­ma­ti­on cam­paign.
In accordance with Artic­le 19 (1) nDSG, Artic­le 13 Art. is addres­sed sole­ly to the con­trol­ler and not to the pro­ces­sor. Howe­ver, it should be noted at this point that the infor­ma­ti­on pro­vi­ded to the data con­trol­ler in accordance with Artic­le 19 (2) (c) nDSG must also con­tain details of the reci­pi­en­ts or cate­go­ries of reci­pi­en­ts. Accor­ding to the expl­ana­ti­ons in the Dis­patch on the Data Pro­tec­tion Act, the com­mis­sio­ned pro­ces­sor is also one of the reci­pi­en­ts within the mea­ning of Artic­le 19(2)(c) nDSG (BBl 2017 6941, 7051). When obtai­ning per­so­nal data, the con­trol­ler must the­r­e­fo­re also inform the data sub­ject that the data will be dis­c­lo­sed to a com­mis­sio­ned processor.


Art. 14 Reten­ti­on of the data pro­tec­tion impact assessment


The con­trol­ler must keep the data pro­tec­tion impact assess­ment for at least two years after the end of data pro­ce­s­sing.
Expl­ana­to­ry report

The stan­dard spe­ci­fi­es the reten­ti­on peri­od for the data pro­tec­tion impact assess­ment within the mea­ning of Artic­le 22 nDSG. It must be retai­ned for at least 2 years. The rea­son for retai­ning the data pro­tec­tion impact assess­ment bey­ond the time the data pro­ce­s­sing is car­ri­ed out is that it repres­ents a cen­tral instru­ment under data pro­tec­tion law. It can be of par­ti­cu­lar importance when cla­ri­fy­ing brea­ches of data secu­ri­ty or asses­sing the punis­ha­bi­li­ty of con­duct. Thus, the data pro­tec­tion impact assess­ment pro­vi­des infor­ma­ti­on on how the risks to per­so­na­li­ty or fun­da­men­tal rights have been asses­sed and what mea­su­res have been taken. In the case of fede­ral bodies, which in prin­ci­ple can only pro­cess data on the basis of legal foun­da­ti­ons, it may be the case that a data pro­tec­tion impact assess­ment must be retai­ned for a very long peri­od of time due to the per­ma­nence of cer­tain legal foun­da­ti­ons.<
In the case of fede­ral bodies, it will also be neces­sa­ry to regu­la­te how the data pro­tec­tion impact assess­ment is to be coor­di­na­ted with the legis­la­ti­ve pro­cess for crea­ting the legal basis for data pro­ce­s­sing. It is to be sti­pu­la­ted that the fede­ral bodies must attach the data pro­tec­tion impact assess­ment to the appli­ca­ti­on to the Fede­ral Coun­cil tog­e­ther with the draft enact­ments and that they must record the results of the data pro­tec­tion impact assess­ment in the Fede­ral Council’s mes­sa­ge. Howe­ver, sin­ce the regu­la­ti­on is only of a direc­ti­ve natu­re within the fede­ral admi­ni­stra­ti­on, it is not to be regu­la­ted at ordi­nan­ce level. It is plan­ned to imple­ment the regu­la­ti­on in the gui­de­lines for Fede­ral Coun­cil busi­ness (“red fol­der”) and in the embas­sy gui­de.
For the imple­men­ta­ti­on of the data pro­tec­tion impact assess­ment, the FDPIC may make use of his com­pe­tence to deve­lop working instru­ments as recom­men­da­ti­ons of good prac­ti­ce for the atten­ti­on of data con­trol­lers within the mea­ning of Artic­le 58(1)(g) nDSG. In doing so, it has a cer­tain degree of discretion.


Art. 15 Noti­fi­ca­ti­on of data secu­ri­ty breaches

1 The noti­fi­ca­ti­on of a data breach to the FDPIC must con­tain the fol­lo­wing information:

a. the natu­re of the injury;
b. as far as pos­si­ble, the time and duration;
c. as far as pos­si­ble, the cate­go­ries and appro­xi­ma­te num­ber of per­so­nal data concerned;
d. as far as pos­si­ble, the cate­go­ries and appro­xi­ma­te num­ber of per­sons concerned;
e. the con­se­quen­ces, inclu­ding any risks, for the per­sons concerned;
f. what mea­su­res have been taken or are plan­ned to reme­dy the defect and miti­ga­te the con­se­quen­ces, inclu­ding any risks;
g. the name and cont­act details of a cont­act person.
2 If it is not pos­si­ble for the per­son respon­si­ble to report all the infor­ma­ti­on at the same time, he or she shall pro­vi­de the miss­ing infor­ma­ti­on as quick­ly as possible
3 If the con­trol­ler is obli­ged to inform the data sub­ject, he shall inform him in plain and intel­li­gi­ble lan­guage of at least the infor­ma­ti­on refer­red to in para­graph 1 let­ters a and e‑g
4 The per­son respon­si­ble must docu­ment the vio­la­ti­ons. The docu­men­ta­ti­on must con­tain the facts rela­ting to the inci­dents, their effects and the mea­su­res taken. It must be kept for at least two years from the time of noti­fi­ca­ti­on in accordance with para­graph 1

Expl­ana­to­ry report

Artic­le 24(2) nDSG con­ta­ins the mini­mum requi­re­ments for a noti­fi­ca­ti­on of data secu­ri­ty brea­ches by the data con­trol­ler to the FDPIC: this inclu­des the natu­re of the data secu­ri­ty breach, its con­se­quen­ces and the mea­su­res taken or envi­sa­ged. The con­tent of this noti­fi­ca­ti­on to the FDPIC is spe­ci­fi­ed in Art. 15 para. 1 Art. (for­mer Art. 19 para. 1 Elec­tro­nic Data Pro­tec­tion Act) is fur­ther spe­ci­fi­ed. It should be noted that, accor­ding to Artic­le 24(1) nDSG, noti­fi­ca­ti­on to the FDPIC is limi­t­ed to data secu­ri­ty brea­ches that are likely to result in a high risk to the per­so­na­li­ty or fun­da­men­tal rights of the data sub­ject. Only noti­fia­ble brea­ches must be repor­ted.
Para­graph 1 con­ta­ins the fol­lo­wing cata­log of infor­ma­ti­on: In addi­ti­on to the type of data breach alre­a­dy men­tio­ned in the law (sub­pa­ra­graph a), it is fur­ther pro­vi­ded that, to the ext­ent pos­si­ble, the time and dura­ti­on of the data breach must also be noti­fi­ed (sub­pa­ra­graph b). Fur­ther, to the ext­ent pos­si­ble, the cate­go­ries and appro­xi­ma­te num­ber of per­so­nal data affec­ted by the data breach (sub­pa­ra­graph (c)) must also be repor­ted, as well as the cate­go­ries and appro­xi­ma­te num­ber of indi­vi­du­als affec­ted (sub­pa­ra­graph (d)). This infor­ma­ti­on is of fun­da­men­tal importance so that the ext­ent of the breach can be asses­sed. In par­ti­cu­lar, it is neces­sa­ry to know which cate­go­ries of per­so­nal data are affec­ted by the breach (e.g. addres­ses, cre­dit card infor­ma­ti­on, health data) so that the expl­ana­ti­ons of the con­se­quen­ces, risks and mea­su­res can be under­s­tood at all. In con­nec­tion with the noti­fi­ca­ti­on of con­se­quen­ces and risks for the data sub­jects (sub­pa­ra­graph (e)) and the mea­su­res taken by the data con­trol­ler (sub­pa­ra­graph (f)), the data con­trol­ler must, when informing the data sub­ject, also spe­ci­fy, among other things, which cate­go­ries of per­so­nal data are affec­ted by the breach in his or her case. This allo­ws the data sub­ject to take con­cre­te mea­su­res hims­elf (e.g. imme­dia­te pass­word chan­ge if log­in data has been sto­len or cre­dit card blocking). Final­ly, the respon­si­ble par­ty must noti­fy the name and cont­act details of a cont­act per­son (g) who will act as a point of cont­act for com­mu­ni­ca­ti­on with the FDPIC as well as the data sub­jects.
Para­graph 2 enables the data con­trol­ler to pro­vi­de the FDPIC with the infor­ma­ti­on step by step if it is not pos­si­ble for the data con­trol­ler to pro­vi­de all of the infor­ma­ti­on pur­su­ant to para­graph 1 at the same time as the data breach is dis­co­ver­ed. Sin­ce the data con­trol­ler must sub­mit the noti­fi­ca­ti­on “as soon as pos­si­ble” pur­su­ant to Artic­le 24(1) nDSG, the pro­blem will regu­lar­ly ari­se in prac­ti­ce, par­ti­cu­lar­ly with regard to the infor­ma­ti­on pur­su­ant to para­graph 1 let­ters b‑d, that this infor­ma­ti­on is often not even available imme­dia­te­ly after the data secu­ri­ty breach is dis­co­ver­ed. The­r­e­fo­re, the respon­si­ble par­ty is enab­led to pro­vi­de only the basic infor­ma­ti­on known to it in a first step upon dis­co­very of the breach. For the sub­se­quent noti­fi­ca­ti­on, it applies – as accor­ding to Artic­le 24 para­graph 1 nDSG – that the respon­si­ble par­ty must report the remai­ning infor­ma­ti­on “as soon as pos­si­ble”. As soon as the miss­ing infor­ma­ti­on is available, the respon­si­ble par­ty must pro­vi­de it to the FDPIC with a sub­se­quent noti­fi­ca­ti­on. If the infor­ma­ti­on still has to be obtai­ned, he must take care of it wit­hout delay.
Para­graph 3 spe­ci­fi­es the infor­ma­ti­on that must be pro­vi­ded to the data sub­ject if infor­ma­ti­on is to be pro­vi­ded to him or her pur­su­ant to Artic­le 24 para­graph 4 nDSG. Fur­ther­mo­re, this infor­ma­ti­on must be pro­vi­ded in the simp­lest and most com­pre­hen­si­ble lan­guage pos­si­ble – in com­pa­ri­son to the noti­fi­ca­ti­on to the Com­mis­sio­ner – as it can­not be assu­med that an avera­ge data sub­ject is fami­li­ar with the tech­ni­cal jar­gon of this tech­ni­cal sub­ject mat­ter. The con­tent of the noti­fi­ca­ti­on to the FDPIC is some­what broa­der than that of the infor­ma­ti­on to the data sub­jects, sin­ce the for­mer must be able to obtain an idea of the ext­ent of a data secu­ri­ty breach.
Para­graph 4 pro­vi­des that the facts rela­ted to the repor­ted data breach, its effects and the mea­su­res taken must be docu­men­ted. The docu­men­ta­ti­on must be retai­ned for at least two years from the date of noti­fi­ca­ti­on of the data breach.
In con­nec­tion with the prac­ti­cal imple­men­ta­ti­on of the noti­fi­ca­ti­on obli­ga­ti­on under Artic­le 24 nDSG, it should be noted that a lar­ge num­ber of annu­al noti­fi­ca­ti­ons can be expec­ted based on the expe­ri­ence of for­eign super­vi­so­ry aut­ho­ri­ties in imple­men­ting the simi­lar­ly struc­tu­red noti­fi­ca­ti­on obli­ga­ti­on in Artic­le 33 of Regu­la­ti­on (EU) 2016/679. For exam­p­le, the exch­an­ge with the Bava­ri­an Sta­te Office for Data Pro­tec­tion Super­vi­si­on, who­se figu­res can be rough­ly pro­jec­ted to Switz­er­land, has shown that around 6000 noti­fi­ca­ti­ons could be recei­ved per year. In order to offer tho­se respon­si­ble a struc­tu­red report­ing opti­on and to pro­cess the mass of reports as effi­ci­ent­ly as pos­si­ble, the FDPIC is curr­ent­ly working on the deve­lo­p­ment of a web-based report­ing inter­face, pro­ba­b­ly in the form of an inter­ac­ti­ve form. As part of this pro­ject, the FDPIC is also curr­ent­ly exami­ning the pos­si­bi­li­ty of a joint report­ing por­tal tog­e­ther with other fede­ral bodies that pro­vi­de for simi­lar report­ing obli­ga­ti­ons or pos­si­bi­li­ties in the area of data secu­ri­ty (e.g., for cri­ti­cal infras­truc­tu­re report­ing). Such a report­ing por­tal would redu­ce the workload for the per­son respon­si­ble if he or she has to sub­mit reports to seve­ral fede­ral agencies.

Chap­ter 3: Rights of the data subject

Expl­ana­to­ry report

The chap­ter on the rights of the data sub­ject in the e‑DSG only inclu­ded the right of access and its rest­ric­tions. Par­lia­ment has added a right to data issu­an­ce and trans­fer. Accor­din­gly, the regu­la­ti­on spe­ci­fi­es the­se two types of data sub­ject rights in sepa­ra­te sec­tions.
Sec­tion 1 deals with the right to infor­ma­ti­on. After con­sul­ta­ti­on with the Fede­ral Depart­ment of For­eign Affairs and the Fede­ral Depart­ment of Defen­se, Civil Pro­tec­tion and Sport, the con­tent of Artic­le 14 of the Fede­ral Data Pro­tec­tion Act was not inclu­ded in the Art. becau­se it is no lon­ger up to date. The­r­e­fo­re, the right to infor­ma­ti­on for both sec­tors, pri­va­te and public, is now regu­la­ted in the same chap­ter. This fol­lows the syste­ma­tics of the nDSG and con­nects to the pro­vi­si­ons on the duties of the data con­trol­ler.
The various aspects of the right to infor­ma­ti­on are now spread over seve­ral artic­les. A first artic­le focu­ses on the moda­li­ties of the right to infor­ma­ti­on, in par­ti­cu­lar the form in which infor­ma­ti­on is to be pro­vi­ded. A second artic­le regu­la­tes the right of access when seve­ral data con­trol­lers joint­ly pro­cess per­so­nal data or when data is pro­ce­s­sed by a pro­ces­sor. A third artic­le spe­ci­fi­es the time limits, and a fourth artic­le regu­la­tes the excep­ti­ons to the right of access being free of char­ge.
The 2nd sec­tion deals with the right to issue or trans­fer data. It inclu­des the fol­lo­wing artic­les: Artic­le 20 Art. deals with the scope of the right, Artic­le 21 Art. with the tech­ni­cal requi­re­ments for imple­men­ta­ti­on, and Artic­le 22 Art. (for­mer Art. 24 E‑VDSG) spe­ci­fi­es under time limit, moda­li­ties and com­pe­tence to what ext­ent the pro­vi­si­ons on the right to infor­ma­ti­on are appli­ca­ble to the right to data sur­ren­der or transfer.

Sec­tion 1: Right to information

Art. 16 Modalities

1 Anyo­ne who requests infor­ma­ti­on from the per­son respon­si­ble as to whe­ther per­so­nal data rela­ting to him or her is being pro­ce­s­sed must do so in wri­ting. If the per­son respon­si­ble agrees, the request may also be made orally.
2 The infor­ma­ti­on shall be pro­vi­ded in wri­ting or in the form in which the data is available. With the agree­ment of the data con­trol­ler, the data sub­ject may inspect his or her data on site. The infor­ma­ti­on may be pro­vi­ded oral­ly if the data sub­ject agrees to
3 The request for infor­ma­ti­on and the pro­vi­si­on of infor­ma­ti­on may be made by elec­tro­nic means
4 The infor­ma­ti­on must be pro­vi­ded to the data sub­ject in an intel­li­gi­ble form
5 The per­son respon­si­ble must take appro­pria­te mea­su­res to iden­ti­fy the data sub­ject. This per­son is obli­ged to cooperate

Expl­ana­to­ry report

This pro­vi­si­on spe­ci­fi­es the moda­li­ties of the right to infor­ma­ti­on pro­vi­ded for in Artic­le 25 nDSG. It par­ti­al­ly incor­po­ra­tes Artic­le 8(5) FADP and Artic­le 1(1 – 3) FADP.
Para. 1
Artic­le 16 Art. (for­mer Art. 20 E‑DPA) focu­ses in para­graph 1 on the form of the request for infor­ma­ti­on. “In wri­ting” within the mea­ning of Artic­le 16(1) Art. inclu­des any form that enables pro­of by text. Not meant, howe­ver, is the so-cal­led simp­le writ­ten form accor­ding to Artic­les 13 – 15 of the Code of Obli­ga­ti­ons . This requi­res a hand signa­tu­re or a qua­li­fi­ed elec­tro­nic signa­tu­re lin­ked with a qua­li­fi­ed time stamp in accordance with the Fede­ral Act of 18 March 2016 on Elec­tro­nic Signa­tures. Artic­le 16 para. 1 Art. on the other hand only requi­res the pre­sence of a writ­ten text. Art. 16 para. 1 Art. essen­ti­al­ly adopts the con­tent of Art. 1 para. 1 VDSG, accor­ding to which the per­son must “as a rule, app­ly for his right to infor­ma­ti­on in wri­ting”. The com­men­ta­ry on the FADP by the Fede­ral Office of Justi­ce alre­a­dy spe­ci­fi­es that in cer­tain cases and sub­ject to the con­sent of the owner of the data coll­ec­tion (now the data con­trol­ler), the oral form is suf­fi­ci­ent. For the sake of increa­sed cla­ri­ty, Artic­le 16 Art. has been rewor­ded accor­din­gly. In addi­ti­on, Artic­le 1 (1) of the Data Pro­tec­tion Act has been edi­to­ri­al­ly adapt­ed.
Para. 2
Com­pared to the cur­rent law, Artic­le 16 (2) Art. (for­mer Art. 20 para. 2 E‑Data Pro­tec­tion Act) now expli­ci­t­ly sta­tes that infor­ma­ti­on may be pro­vi­ded not only in wri­ting but also in the form in which the data is available. As a rule, this is per­so­nal data in writ­ten form. If, on the other hand, the data is available in the form of visu­al or audio recor­dings, for exam­p­le, the data sub­ject will recei­ve the data in this form. As explai­ned abo­ve, “in wri­ting” in the pre­sent con­text is to be under­s­tood as requi­ring the exi­stence of a writ­ten text.
As pro­vi­ded for in Artic­le 1(3) of the FADP, per­so­nal data may also be inspec­ted on the spot, in par­ti­cu­lar if they are dis­tri­bu­ted among various files or are par­ti­cu­lar­ly volu­mi­nous or if the infor­ma­ti­on reque­sted requi­res expl­ana­ti­on. In con­trast to Artic­le 1 (3) of the Data Pro­tec­tion Act, the pas­sa­ge accor­ding to which on-site inspec­tion takes place at the sug­ge­sti­on of the per­son respon­si­ble has been dele­ted. On-site inspec­tion always requi­res the con­sent of the data con­trol­ler and the data sub­ject. On who­se pro­po­sal the on-site inspec­tion takes place, howe­ver, is not decisi­ve. In the case of on-site inspec­tion, the data sub­ject must nevert­hel­ess have the pos­si­bi­li­ty to request a pho­to­co­py of cer­tain files in his or her dos­sier. As the Fede­ral Supre­me Court sta­ted in BGE 119 III 141, the han­ding over of writ­ten (inclu­ding elec­tro­nic) docu­ments can be extre­me­ly signi­fi­cant for the per­son con­cer­ned. The oral com­mu­ni­ca­ti­on of infor­ma­ti­on, for exam­p­le on the tele­pho­ne, is also pos­si­ble, pro­vi­ded the data sub­ject has con­sen­ted. Infor­ma­ti­on in sum­ma­ri­zed (“aggre­ga­ted”) form is not per­mit­ted.
Para. 3
Para­graph 3 adopts Artic­le 1(2) of the Data Pro­tec­tion Act in an adapt­ed form. It spe­ci­fi­cal­ly regu­la­tes the form of trans­mis­si­on of the request for infor­ma­ti­on and the pro­vi­si­on of infor­ma­ti­on. Thus, the request for infor­ma­ti­on and the pro­vi­si­on of infor­ma­ti­on may also be made elec­tro­ni­cal­ly. The data sub­ject may sub­mit his or her request, for exam­p­le, by e‑mail or via an online plat­form of a com­pa­ny (e.g. the wide­spread cus­to­mer accounts). Accor­ding to the gene­ral rules, the sen­der bears the bur­den of pro­of that his or her mes­sa­ge has rea­ched the reci­pi­ent. Sin­ce elec­tro­nic trans­mis­si­on is also per­mit­ted wit­hout a legal basis, para­graph 3 is a decla­ra­to­ry pro­vi­si­on.
Para. 4
If per­so­nal data are pro­vi­ded in a tech­ni­cal form, for exam­p­le in a non-stan­dard file for­mat, that is not rea­da­ble and/or under­stan­da­ble by the data sub­ject, the data con­trol­ler must be able to pro­vi­de him or her with sup­ple­men­ta­ry expl­ana­ti­ons, for exam­p­le ver­bal­ly.
Par. 5
The con­trol­ler must take appro­pria­te mea­su­res to ensu­re the iden­ti­fi­ca­ti­on of the data sub­ject. The data sub­ject must the­r­e­fo­re coope­ra­te in their iden­ti­fi­ca­ti­on. In order for the con­trol­ler to be able to ensu­re the iden­ti­fi­ca­ti­on of the data sub­ject, he needs the neces­sa­ry infor­ma­ti­on from the data sub­ject. In the case of oral infor­ma­ti­on, the per­son respon­si­ble shall ensu­re in advan­ce (e.g. by pro­vi­ding the AHV no.) that he/she is pro­vi­ding the infor­ma­ti­on to the cor­rect per­son. Artic­le 16 para. 5 Art. (for­mer Art. 20 para. 4 E‑VDSG) replaces the requi­re­ment under Art. 1 para. 1 VDSG that the data sub­ject must pro­ve his iden­ti­ty.
Other aspects
Para­graph 4 of Artic­le 1 FADP, which con­cerns the time limit for pro­vi­ding infor­ma­ti­on, is con­ver­ted into a stand-alo­ne artic­le (see Art. 18 Art., ex-Art. 22 Draft FADP below). The same applies to Artic­le 1(5) and (6) of the FADP (see Art. 17 Art., for­mer Art. 21 Draft FADP below).


Art. 17 Competence

1 If seve­ral data con­trol­lers pro­cess per­so­nal data joint­ly, the data sub­ject may assert his or her right of access with each data controller
2 If the request rela­tes to data pro­ce­s­sed by a pro­ces­sor, the pro­ces­sor shall assist the con­trol­ler in pro­vi­ding the infor­ma­ti­on, unless the con­trol­ler is respon­ding to the request on behalf of the controller.

Expl­ana­to­ry report

A sepa­ra­te artic­le has been pro­vi­ded to cla­ri­fy the respon­si­bi­li­ty in cases whe­re seve­ral data con­trol­lers joint­ly pro­cess per­so­nal data.
Para. 1
Para­graph 1 takes over para­graph 5 of Artic­le 1 of the Data Pro­tec­tion Act in an adapt­ed form. From a ter­mi­no­lo­gi­cal point of view, the term “data con­trol­ler” has been repla­ced by “data pro­ces­sor”. The excep­ti­on to the pos­si­bi­li­ty of asser­ting the right of access with any data con­trol­ler has been remo­ved. Thus, the data sub­ject may now always assert his or her right of access with any data con­trol­ler. In con­trast to Artic­le 1(5) of the FADP, Artic­le 17(1) no lon­ger obli­ges data con­trol­lers to for­ward the requests; rather, they must pro­vi­de infor­ma­ti­on in any case. The para­graph cor­re­sponds to Artic­le 21(2) of Direc­ti­ve (EU) 2016/680 and Artic­le 26(3) GDPR.
Para. 2
Para­graph 2 adopts Artic­le 1(6) of the FADP in an adapt­ed form. The term “order pro­ces­sor” intro­du­ced in the nDSG (Art. 5 let. k nDSG) is adopted and the term “data con­trol­ler” is repla­ced by “data con­trol­ler”. Accor­ding to Artic­le 25(4) nDSG, the con­trol­ler remains obli­ged to pro­vi­de infor­ma­ti­on even if he has the per­so­nal data pro­ce­s­sed by a com­mis­sio­ned pro­ces­sor. The pro­ces­sor is the­r­e­fo­re not requi­red by law to respond to requests for infor­ma­ti­on hims­elf. The­r­e­fo­re, in con­trast to the VDSG, Artic­le 17(2) Art. now pro­vi­des that the order pro­ces­sor shall assist the con­trol­ler in respon­ding, pro­vi­ded that he does not respond to the request on behalf of the con­trol­ler. This means that the pro­ces­sor must pro­vi­de the data to the con­trol­ler if the con­trol­ler does not have it himself.


Art. 18 Time limit

1 The infor­ma­ti­on must be pro­vi­ded within 30 days of rece­ipt of the request
2 If the infor­ma­ti­on can­not be pro­vi­ded within 30 days, the con­trol­ler must inform the data sub­ject the­reof and indi­ca­te the peri­od within which the infor­ma­ti­on will be provided
3 If the per­son respon­si­ble refu­ses, rest­ricts or post­po­nes the infor­ma­ti­on, he or she must noti­fy the fol­lo­wing within the same time limit

Expl­ana­to­ry report

Artic­le 18 Art. (for­mer Art. 22 E‑DPA) takes over the fourth para­graph of Art. 1 FADP wit­hout any signi­fi­cant chan­ge. It cla­ri­fi­es the para­graph 7 inser­ted by Par­lia­ment in Artic­le 25 nDSG, which sets the 30-day peri­od pre­vious­ly pro­vi­ded for in the ordi­nan­ce at the level of the law. The spe­ci­fi­ca­ti­on that the decis­i­on on the rest­ric­tion of the right of access must be justi­fi­ed has been dele­ted, as this pro­vi­si­on has alre­a­dy been inclu­ded in Artic­le 26(4) nDSG. Fur­ther­mo­re, the term “appli­cant” is repla­ced by “data sub­ject” so that the ter­mi­no­lo­gy is con­si­stent with the nDSG.
In essence, the pro­vi­si­on means that the data con­trol­ler must pro­vi­de the data sub­ject with the reque­sted infor­ma­ti­on within 30 days or noti­fy him or her within this peri­od that he or she is refu­sing, rest­ric­ting or defer­ring the infor­ma­ti­on. In the public sec­tor, the pro­vi­si­on of infor­ma­ti­on as well as the refu­sal, rest­ric­tion or defer­ral of infor­ma­ti­on is an order within the mea­ning of Artic­le 5 VwVG . Para­graph 2 is only appli­ca­ble if the data con­trol­ler is unable to pro­vi­de the infor­ma­ti­on within 30 days of rece­ipt of the request (and not in the case whe­re he rest­ricts the right to infor­ma­ti­on within the mea­ning of Art. 26 nDSG): In that case, the respon­si­ble par­ty must com­mu­ni­ca­te in a time­ly man­ner, i.e. wit­hout unre­a­sonable delay, the peri­od within which the infor­ma­ti­on will be provided.


Art. 19 Excep­ti­on from free of charge

1 If the pro­vi­si­on of the infor­ma­ti­on invol­ves a dis­pro­por­tio­na­te effort, the con­trol­ler may requi­re the data sub­ject to make a rea­sonable con­tri­bu­ti­on to the costs incurred
2 The par­ti­ci­pa­ti­on amounts to a maxi­mum of 300 Swiss francs
3 The data con­trol­ler must inform the data sub­ject of the amount of the par­ti­ci­pa­ti­on befo­re pro­vi­ding the infor­ma­ti­on. If the data sub­ject does not con­firm the request within ten days, it shall be dee­med to have been with­drawn wit­hout incur­ring any costs. The time limit in accordance with Artic­le 18 para­graph 1 beg­ins to run after expiry of the ten-day coo­ling-off period

Expl­ana­to­ry report

The tit­le of the pro­vi­si­on is edi­to­ri­al­ly chan­ged com­pared to Artic­le 2 of the Data Pro­tec­tion Act.
Para. 1
Artic­le 2(1)(a) of the FADP, which con­cerns que­ru­lous requests for infor­ma­ti­on, is repea­led. Such cases are now regu­la­ted in the nDSG, which pro­vi­des in Artic­le 26(1)(c) that the con­trol­ler may refu­se, rest­rict or post­po­ne the infor­ma­ti­on if the request for infor­ma­ti­on is obvious­ly que­ru­lous.
Artic­le 2(1)(b) and (2) of the Data Pro­tec­tion Act are taken over in a slight­ly adapt­ed form. The term “excep­tio­nal­ly” is dele­ted, as the tit­le of the artic­le alre­a­dy refers to “excep­ti­on”; the term “appli­cant” (new para­graph 3) is repla­ced by “data sub­ject” for rea­sons of ter­mi­no­lo­gi­cal con­si­sten­cy with the nDSG. The term “par­ti­cu­lar­ly hea­vy workload” is repla­ced by “dis­pro­por­tio­na­te effort” so that the wor­ding is con­si­stent with the chan­ges made by the Natio­nal Coun­cil in Artic­le 25(6) nDSG. For exam­p­le, it does not con­sti­tu­te a dis­pro­por­tio­na­te effort if the con­trol­ler has to grant access to a lar­ge num­ber of per­so­nal data if its inte­rest is pre­cis­e­ly to coll­ect as much data as pos­si­ble. The same applies if the workload is lar­ge becau­se the data con­trol­ler is not orga­ni­zed in a suf­fi­ci­ent­ly struc­tu­red man­ner (dis­re­gard of the prin­ci­ple of “pri­va­cy by design”; becau­se accor­ding to this prin­ci­ple, data con­trol­lers or pro­ces­sors must have a system that allo­ws easy access to the pro­ce­s­sed data).
Para. 2
The amount of 300 francs remains unch­an­ged. Accor­ding to the natio­nal con­su­mer pri­ce index, the amount has chan­ged only slight­ly sin­ce its intro­duc­tion in the ordi­nan­ce. Moreo­ver, it is not inten­ded to have a deter­rent effect on the per­son con­cer­ned.
Para. 3
The per­son respon­si­ble must inform the data sub­ject of the amount of the par­ti­ci­pa­ti­on befo­re pro­vi­ding the infor­ma­ti­on. If the appli­cant does not con­firm the request within ten days, it shall be dee­med to have been with­drawn wit­hout incur­ring any costs. The time limit pur­su­ant to Art. 18 para. (for­mer Art. 22 para. 1 E‑VDSG) beg­ins to run after the 10-day coo­ling-off peri­od has expired.

Sec­tion 2: Right to issue or trans­fer data

Expl­ana­to­ry report

The­se artic­les spe­ci­fy which various requi­re­ments app­ly to the right to data sur­ren­der or trans­fer as intro­du­ced in Artic­le 28 nDSG. In light of the fact that it was the legislator’s goal to crea­te a simi­lar regu­la­ti­on as in Euro­pean law, the rules appli­ca­ble in Artic­le 20 GDPR on the right to data por­ta­bi­li­ty are taken into account.
On the one hand, the right to data dis­clo­sure or data trans­fer gives the data sub­jects the right, under cer­tain con­di­ti­ons, to demand that the data sub­ject dis­c­lo­ses the per­so­nal data he or she has pro­vi­ded to the data con­trol­ler in a form that can be reu­sed.
The reque­sted per­so­nal data can be used for various pur­po­ses: for exam­p­le, for purely per­so­nal use (e.g., to store the data on a per­so­nal sto­rage space), to for­ward it to ano­ther online ser­vice pro­vi­der, or to chan­ge the plat­form.
The right to request the trans­fer of their per­so­nal data, on the other hand, gives data sub­jects the right to request that the data con­trol­ler trans­fer that per­so­nal data direct­ly to ano­ther data con­trol­ler (e.g., so that a new online ser­vice pro­vi­der can expand that per­so­nal data or offer new ser­vices to the data sub­ject, or to main­tain its own “histo­ry” in the event of a chan­ge of pro­vi­der), pro­vi­ded that this does not requi­re a dis­pro­por­tio­na­te effort.
The right to dis­clo­sure or trans­fer of data must be distin­gu­is­hed from the right to infor­ma­ti­on under Artic­le 25 nDSG. The right of access entit­les the data sub­ject to request infor­ma­ti­on from the con­trol­ler as to what per­so­nal data the con­trol­ler is pro­ce­s­sing about him or her. This enables the data sub­ject to request the cor­rec­tion or dele­ti­on of his/her per­so­nal data in the event of unlawful data pro­ce­s­sing.
In con­trast, the new right to data release or data trans­fer aims to streng­then the con­trol of the data sub­jects over their per­so­nal data and over its fur­ther use. It thus allo­ws them to dis­po­se of the issued or trans­fer­red per­so­nal data them­sel­ves, to reu­se it or to pass it on to other data con­trol­lers. In addi­ti­on, this new right also makes it easier for the data sub­jects to switch bet­ween dif­fe­rent offers, which also pro­mo­tes com­pe­ti­ti­on and inno­va­ti­on.
For the respon­si­ble par­ties, this new requi­re­ment crea­tes the obli­ga­ti­on to make the reque­sted per­so­nal data available in aggre­ga­ted form within a rea­sonable time and to enable it to be embedded in a new system wit­hout dis­pro­por­tio­na­te effort. This requi­res that they use com­mon file for­mats and imple­ment com­mon, stan­dar­di­zed data manage­ment systems so that the data can con­ti­n­ue to be used.
The data con­trol­lers must take into account the prin­ci­ples of data pro­tec­tion law and their obli­ga­ti­ons under data pro­tec­tion law both when issuing the reque­sted per­so­nal data and when trans­fer­ring it.

Art. 20 Scope of the claim

1 Per­so­nal data that the data sub­ject has dis­c­lo­sed to the data con­trol­ler shall be dee­med to be:

a. Data that it kno­wing­ly and wil­lingly makes available to it;
b. Data coll­ec­ted by the data con­trol­ler about the data sub­ject and his or her beha­vi­or in the cour­se of using a ser­vice or device.
2 Per­so­nal data gene­ra­ted by the data con­trol­ler through its own eva­lua­ti­on of the per­so­nal data pro­vi­ded or obser­ved shall not be dee­med to be per­so­nal data that the data sub­ject has dis­c­lo­sed to the data controller

Expl­ana­to­ry report

Para. 1
This pro­vi­si­on spe­ci­fi­es which per­so­nal data are cover­ed by the entit­le­ment to data sur­ren­der or trans­fer. The entit­le­ment inclu­des per­so­nal data rela­ting to the data sub­ject hims­elf and pro­ce­s­sed auto­ma­ti­cal­ly and on the basis of con­sent or in con­nec­tion with a con­tract (Art. 28 para. 1 nDSG).
First and fore­most, per­so­nal data that is stored in paper form is exclu­ded from the cla­im.
The cla­im does not app­ly to data con­trol­lers who pro­cess per­so­nal data in the per­for­mance of a public task or in the public inte­rest. This is in line with the pro­vi­si­ons of Artic­le 20(3) of the GDPR and the pri­ma­ri­ly eco­no­mic pur­po­se of the right to dis­clo­sure or trans­fer of data. Fede­ral bodies that pro­cess per­so­nal data within the scope of their legal duties and on the basis of a legal foun­da­ti­on are the­r­e­fo­re in prin­ci­ple not affec­ted by the right to data sur­ren­der or trans­fer. Howe­ver, if fede­ral bodies pro­cess per­so­nal data in com­pe­ti­ti­on with pri­va­te indi­vi­du­als, for exam­p­le, it is conceiva­ble that this per­so­nal data may be cover­ed by the cla­im. In any case, it is up to the data con­trol­ler to deter­mi­ne to which per­so­nal data it pro­ce­s­ses the cla­im could app­ly and which are exclu­ded.
Fur­ther­mo­re, anony­mi­zed per­so­nal data or data that does not con­cern the data sub­ject is not cover­ed by the cla­im. Pseud­ony­mi­zed per­so­nal data that can be unam­bi­guous­ly lin­ked to the data sub­ject, on the other hand, are cover­ed by Artic­le 20(1). In prac­ti­ce, infor­ma­ti­on that inclu­des the per­so­nal data of seve­ral per­sons is likely to be affec­ted in many cases, such as the account histo­ry of a cus­to­mer or data on tele­pho­ne calls or mes­sa­ges that con­tain infor­ma­ti­on about third par­ties. In the con­text of a request for sur­ren­der or trans­fer of per­so­nal data, the appli­cant should also be pro­vi­ded with the­se records. Howe­ver, the per­so­nal data of third par­ties may not be pro­ce­s­sed for pur­po­ses that affect their rights and free­doms. This would be the case if the new con­trol­ler used the trans­fer­red per­so­nal data of third par­ties for its own pur­po­ses, for exam­p­le, to offer its own ser­vices to them. On the other hand, the­re would be no inter­fe­rence if, in the case of a trans­fer of account infor­ma­ti­on to a new bank account at the account holder’s request, the cont­act address in the account histo­ry of his bank account con­ti­nues to be used for the same pur­po­se, i.e. as a cont­act address and for his per­so­nal use.
Fur­ther­mo­re, only per­so­nal data that the data sub­ject actively makes available to a data con­trol­ler is cover­ed by Artic­le 20(1). Accor­ding to let­ter a, this rela­tes on the one hand to per­so­nal data that the data sub­ject direct­ly and kno­wing­ly pro­vi­des to the data con­trol­ler, such as his or her cont­act details via an online form or by making “likes”. Accor­ding to let­ter b, the cla­im also inclu­des per­so­nal data that the data sub­ject gene­ra­tes indi­rect­ly, i.e. through his or her acti­vi­ties when using a ser­vice or device (kno­wing­ly or unkno­wing­ly), and which are obser­ved by the data con­trol­ler (so-cal­led usa­ge data or “obser­ved” data, such as search queries, acti­vi­ty logs, web­site usa­ge histo­ry).
The fact that the­se per­so­nal data are cover­ed by the right to sur­ren­der and trans­fer is in line with the Euro­pean regu­la­ti­on and the pur­po­se of the stan­dard in Artic­le 28 nDSG, accor­ding to which the data sub­ject should be able to demand the sur­ren­der and fur­ther use of the per­so­nal data he or she has made available to a data con­trol­ler.
Para. 2
Para­graph 2 descri­bes which per­so­nal data is not to be regard­ed as per­so­nal data dis­c­lo­sed by the data sub­ject within the mea­ning of Artic­le 28(1) nDSG. This regu­la­ti­on thus spe­ci­fi­es the scope of the right to data dis­clo­sure or trans­fer. Accor­din­gly, the cla­im does not cover per­so­nal data which a data con­trol­ler deri­ves from infe­ren­ces from the per­so­nal data pro­vi­ded or obser­ved by the data sub­ject within the mea­ning of Artic­le 20 (1) (a) and (b) its­elf or which is gene­ra­ted by its own ana­ly­ses of such per­so­nal data. One can think, for exam­p­le, of the assess­ment of a user’s sta­te of health, user or risk pro­files, cre­dit risk ana­ly­ses, etc. In con­trast to the pro­vi­ded per­so­nal data, the ser­vices and invest­ments of the con­trol­ler here rela­te to the ana­ly­sis and eva­lua­ti­on of the pro­vi­ded data and not to the coll­ec­tion and pro­ce­s­sing of the per­so­nal data.
The exemp­ti­on of such per­so­nal data from the right to data sur­ren­der or trans­fer cor­re­sponds to the regu­la­ti­on in Euro­pean law. Sin­ce the aim of this cla­im is to enable the data sub­ject to make fur­ther use of his or her per­so­nal data, it seems justi­fi­ed to pro­vi­de for an excep­ti­on for such per­so­nal data which a con­trol­ler gene­ra­tes by eva­lua­ting and using its own resour­ces (own efforts, own invest­ment, in-hou­se algo­rith­ms and ana­ly­sis pro­ce­du­res). In con­trast to the per­so­nal data “pro­vi­ded” by the data sub­ject pur­su­ant to para­graph 1, in the case of per­so­nal data gene­ra­ted by the data con­trol­ler, the data controller’s inte­rest in pro­tec­ting its own per­for­mance and invest­ment must be given grea­ter weight. Such per­so­nal data the­r­e­fo­re do not fall within the scope of the right to dis­clo­sure or trans­fer.
Howe­ver, within the frame­work of the right to infor­ma­ti­on pur­su­ant to Artic­le 25 nDSG and the asso­cia­ted pro­vi­si­ons of the Regu­la­ti­on (Art. 16 – 19 Art.), the data sub­ject has the pos­si­bi­li­ty to obtain infor­ma­ti­on from the con­trol­ler about this per­so­nal data, its pro­ce­s­sing pur­po­se, its sto­rage peri­od and, in the case of auto­ma­ted indi­vi­du­al decis­i­ons, about the logic on which this decis­i­on is based.
It is important to note that the pro­vi­si­on in Artic­le 20(2) should not be under­s­tood as a rest­ric­tion from the right to data dis­clo­sure or trans­fer intro­du­ced in Artic­le 28 nDSG, but rather ser­ves to inter­pret the sta­tu­to­ry pro­vi­si­on by spe­ci­fy­ing the scope of the right.
Rather, based on the refe­rence in Artic­le 29(1) nDSG to Artic­le 26(1) and (2) nDSG, the rea­sons pro­vi­ded for the rest­ric­tion of the right of access also app­ly muta­tis mut­an­dis to the refu­sal, rest­ric­tion or post­po­ne­ment of dis­clo­sure or trans­fer of per­so­nal data, for exam­p­le to pro­tect over­ri­ding inte­rests of the con­trol­ler (e.g. in the case of trade secrets or intellec­tu­al pro­per­ty) or to pro­tect over­ri­ding inte­rests of third par­ties. Howe­ver, this should not lead to a refu­sal to dis­c­lo­se any infor­ma­ti­on to the data sub­ject. Rather, it must be deter­mi­ned on a case-by-case basis, as part of a pro­por­tio­na­li­ty test and weig­hing of inte­rests, whe­ther and which per­so­nal data is to be released to the data sub­ject or trans­fer­red to ano­ther data con­trol­ler.
If the con­trol­ler refu­ses or rest­ricts the sur­ren­der or trans­fer of per­so­nal data or post­po­nes this, he is obli­ged to pro­vi­de the data sub­ject with rea­sons in accordance with Artic­le 29 para­graph 2 nDSG.


Art. 21 Tech­ni­cal requi­re­ments for implementation

1 Com­mon elec­tro­nic for­mats are tho­se that enable the per­so­nal data to be trans­fer­red with a rea­sonable effort and to be fur­ther used by the data sub­ject or ano­ther controller
2 The right to issue or trans­fer data does not crea­te an obli­ga­ti­on for the data con­trol­ler to adopt or main­tain tech­ni­cal­ly com­pa­ti­ble data pro­ce­s­sing systems
3 A dis­pro­por­tio­na­te effort for the trans­fer of per­so­nal data to ano­ther con­trol­ler exists if the trans­fer is tech­ni­cal­ly not possible

Expl­ana­to­ry report

Para. 1
This pro­vi­si­on spe­ci­fi­es what is to be regard­ed as a com­mon elec­tro­nic for­mat within the mea­ning of Artic­le 28(1) nDSG. The­se are name­ly tho­se for­mats that enable the per­so­nal data to be trans­fer­red with a pro­por­tio­na­te effort and to be fur­ther used by the data sub­ject or ano­ther data con­trol­ler.
Whe­re per­so­nal data is not in a com­mon­ly rea­da­ble for­mat (espe­ci­al­ly pro­prie­ta­ry or low-use for­mats), it must be con­ver­ted by the data con­trol­ler into a com­mon­ly used elec­tro­nic for­mat. The data for­mats should allow the data sub­ject to upload their data in a stan­dard com­pu­ter-rea­da­ble for­mat direct­ly from their per­so­nal account or area. The­r­e­fo­re, data for­mats that are appro­pria­te for the type of data in que­sti­on should be cho­sen. Pre­fe­rence should be given to open and inter­ope­ra­ble for­mats such as XML and JSON for more com­pre­hen­si­ve solu­ti­ons, as well as CSV, ODT, ODS, etc., which in many cases are sui­ta­ble for data out­put and trans­fer becau­se they can be adopted by other respon­si­ble par­ties wit­hout signi­fi­cant com­pa­ti­bi­li­ty issues. Data deli­ver­ed in a for­mat that is dif­fi­cult to pro­cess (e.g., an image or PDF) or in a pro­prie­ta­ry for­mat, the use of which requi­res the purcha­se of soft­ware or a paid licen­se, do not con­sti­tu­te a sui­ta­ble for­mat a prio­ri.
Fur­ther­mo­re, the con­tent of the trans­fer­red infor­ma­ti­on should be pre­cis­e­ly descri­bed with sui­ta­ble and com­pre­hen­si­ble meta­da­ta so that it can be meaningful­ly trans­fer­red to a new system. The data sub­jects and the respon­si­ble par­ties who take over the data as part of a data trans­fer must under­stand what type of data is invol­ved. This meta­da­ta should be exten­si­ve enough to allow the data to be used and reu­sed wit­hout dis­clo­sing trade secrets.
Para. 2
In accordance with Euro­pean law, this pro­vi­si­on spe­ci­fi­es that the right of the data sub­ject to request that per­so­nal data rela­ting to him or her be trans­fer­red by the con­trol­ler to ano­ther con­trol­ler does not crea­te an obli­ga­ti­on for the con­trol­ler to adopt or main­tain tech­ni­cal­ly com­pa­ti­ble data pro­ce­s­sing systems.
Alt­hough the intro­duc­tion of stan­dards for data for­mats would be pos­si­ble in prin­ci­ple, the most sui­ta­ble for­mat in each case is likely to dif­fer depen­ding on the indu­stry and sec­tor. The­r­e­fo­re, it seems suf­fi­ci­ent to pro­vi­de for the use of com­mon for­mats wit­hout spe­ci­fy­ing the­se for­mats in more detail or even con­clu­si­ve­ly. From a tech­ni­cal point of view, it is neces­sa­ry that the respon­si­ble par­ties crea­te the con­di­ti­ons to be able to exch­an­ge per­so­nal data. In addi­ti­on, it must be pos­si­ble for the per­so­nal data exch­an­ged to be used by the data sub­ject or the new data con­trol­ler. To this end, the data con­trol­ler must make the per­so­nal data available in inter­ope­ra­ble for­mats and descri­be them in a way that is com­pre­hen­si­ble to the data sub­ject and the new data con­trol­ler by means of sui­ta­ble meta­da­ta in order to enable their fur­ther use.
Para. 3
Para­graph 3 spe­ci­fi­es when, within the mea­ning of Artic­le 28(3) nDSG, a trans­fer requi­res a dis­pro­por­tio­na­te effort and the con­trol­ler is not obli­ged to trans­fer per­so­nal data to ano­ther con­trol­ler at the request of the data sub­ject. Again in line with Euro­pean law, a pro­por­tio­na­te effort for a trans­fer is to be assu­med if it is tech­ni­cal­ly pos­si­ble and fea­si­ble.
Accor­din­gly, the con­trol­ler is obli­ged to trans­fer the per­so­nal data direct­ly and in an inter­ope­ra­ble for­mat to ano­ther con­trol­ler upon request of the data sub­ject. Even if the other con­trol­ler does not sup­port this for­mat, a direct data trans­fer can also take place if com­mu­ni­ca­ti­on bet­ween two systems is pos­si­ble in a secu­re man­ner and the recei­ving system is tech­ni­cal­ly capa­ble of recei­ving the inco­ming data. Whe­ther a trans­mis­si­on is tech­ni­cal­ly fea­si­ble must be checked on a case-by-case basis. It would also be conceiva­ble for the con­trol­ler to pro­vi­de a secu­re appli­ca­ti­on pro­gram inter­face (API) to enable the other con­trol­ler to auto­ma­ti­cal­ly retrie­ve the per­so­nal data. Howe­ver, if direct data trans­fer is not pos­si­ble due to tech­ni­cal obs­ta­cles, the con­trol­ler must inform the data sub­ject of the­se obs­ta­cles (Art. 29 para. 2 nDSG).
Howe­ver, the data con­trol­ler must not unju­sti­fi­a­bly impe­de the trans­fer of the per­so­nal data by pro­vi­ding tech­ni­cal bar­riers that slow down or pre­vent data access, data trans­fer, or data reu­se by the data sub­ject or ano­ther data con­trol­ler. This would be the case, for exam­p­le, if data inter­ope­ra­bi­li­ty is not pro­vi­ded or access to a data for­mat, pro­gramming inter­face, or for­mat pro­vi­ded is not pro­vi­ded, if exce­s­si­ve delays occur or retrie­val of the full data set is too com­pli­ca­ted, if data is inten­tio­nal­ly obfusca­ted, or if spe­ci­fic or unju­sti­fi­ed sec­tor-spe­ci­fic stan­dar­dizati­on or accre­di­ta­ti­on requi­re­ments are imposed.


Art. 22 Time limit, moda­li­ties and competence


Artic­les 16(1) and (5) and 17 – 19 shall app­ly muta­tis mut­an­dis to the right to issue or trans­fer data.
Expl­ana­to­ry report

As far as the moda­li­ties of the right to sur­ren­der or trans­fer data are con­cer­ned, various pro­vi­si­ons on the right to infor­ma­ti­on app­ly muta­tis mut­an­dis. This con­cerns the form in which the data sub­ject may request the sur­ren­der or trans­fer of his or her per­so­nal data (Art. 16 para. 1 Art., form­er­ly Art. 20 para. 1 E‑Data Pro­tec­tion Act), as well as the rea­sonable mea­su­res that must be taken to ensu­re the iden­ti­fi­ca­ti­on of the data sub­ject (Art. 16 para. 5 Art., form­er­ly Art. 20 para. 4 E‑Data Pro­tec­tion Act).
The pro­vi­si­ons regu­la­ting respon­si­bi­li­ties in the case of requests for infor­ma­ti­on from seve­ral data con­trol­lers (Art. 17 para. 1 Art., form­er­ly Art. 21 para. 1 E‑Data Pro­tec­tion Act) or in the case of data pro­ce­s­sing by a data pro­ces­sor (Art. 17 para. 2 Art., form­er­ly Art. 21 para. 2 E‑Data Pro­tec­tion Act) also app­ly muta­tis mut­an­dis. It should be noted that per­so­nal data pro­ce­s­sed by com­mis­sio­ned pro­ces­sors are also sub­ject to the right to data sur­ren­der or trans­fer. In this case, it is the respon­si­bi­li­ty of the data con­trol­ler to crea­te the tech­ni­cal and orga­nizatio­nal solu­ti­ons with which this right can be enforced. The com­mis­sio­ned pro­ces­sor must sup­port the con­trol­ler in ful­fil­ling its obli­ga­ti­ons with regard to the right to data sur­ren­der or trans­fer (Art. 17 para. 2 Art., for­mer Art. 21 para. 2 E‑Data Pro­tec­tion Act).
Final­ly, the pro­vi­si­ons on time limits (Art. 18 Art., form­er­ly Art. 22 Elec­tro­nic Data Pro­tec­tion Act) and the excep­ti­ons to free of char­ge (Art. 19 Art., form­er­ly Art. 23 Elec­tro­nic Data Pro­tec­tion Act) in the case of requests for infor­ma­ti­on also app­ly muta­tis mut­an­dis to the right to issue or trans­fer data.

Chap­ter 4: Spe­cial pro­vi­si­ons on data pro­ce­s­sing by pri­va­te persons

Art. 23 Data pro­tec­tion advisor


The respon­si­ble par­ty must noti­fy the data pro­tec­tion advi­sor:
a. Pro­vi­de the neces­sa­ry resources;
b. Grant access to all infor­ma­ti­on, docu­ments, records of pro­ce­s­sing acti­vi­ties and per­so­nal data requi­red by the con­sul­tant to per­form his or her duties;
c. grant the right to inform the hig­hest manage­ment or admi­ni­stra­ti­ve body in important cases.

Expl­ana­to­ry report

Artic­le 10(2) nDSG regu­la­tes in a non-exhaus­ti­ve man­ner two are­as of respon­si­bi­li­ty of the data pro­tec­tion advi­sor of a pri­va­te con­trol­ler: He or she trains and advi­ses the pri­va­te con­trol­ler on data pro­tec­tion issues (sub­pa­ra­graph (a)) and assists in the enforce­ment of data pro­tec­tion regu­la­ti­ons (sub­pa­ra­graph (b)). Sin­ce the­se are­as of respon­si­bi­li­ty are suf­fi­ci­ent­ly spe­ci­fic from the law, they will not be defi­ned again in the ordi­nan­ce in the future, con­tra­ry to the con­sul­ta­ti­on draft.
Let­ters a and b
The­se pro­vi­si­ons cor­re­spond in sub­stance to Artic­le 12b(2)(b) and (c) of the Data Pro­tec­tion Act.
The list of docu­ments to which the data pro­tec­tion advi­sor must have access has been adapt­ed to the ter­mi­no­lo­gy in the nDSG. Access is not unre­st­ric­ted, but only to tho­se docu­ments that the data pro­tec­tion advi­sor actual­ly needs to ful­fill his or her duties. In par­ti­cu­lar, access to per­so­nal data must only be gran­ted if it is requi­red for the per­for­mance of the task. If, for exam­p­le, the data pro­tec­tion advi­sor is con­duc­ting a gene­ral review of inter­nal data pro­tec­tion regu­la­ti­ons or data pro­ce­s­sing pro­ce­s­ses, he or she will gene­ral­ly not need to have access to per­so­nal data.
On the other hand, Artic­le 12b (2) (a) of the Fede­ral Data Pro­tec­tion Act is not adopted becau­se the requi­re­ment men­tio­ned the­r­ein is new­ly pro­vi­ded for in the Act (Art. 10 (3) (a) of the Fede­ral Data Pro­tec­tion Act).
Let. c
The data con­trol­ler must grant the data pro­tec­tion advi­sor the right to inform the hig­hest manage­ment or admi­ni­stra­ti­ve body in important cases. This refers to the top manage­ment of the pri­va­te con­trol­ler, i.e., the body that is also respon­si­ble for com­pli­ance with data pro­tec­tion regu­la­ti­ons. The pro­vi­si­on estab­lishes a right of escala­ti­on for the data pro­tec­tion advi­sor. This is neces­sa­ry so that the data pro­tec­tion advi­sor, in the case of inter­nal com­pa­ny audits of com­pli­ance with data pro­tec­tion rules, must not only trust the docu­ments available to him or her, but can also enforce the pro­cu­re­ment of addi­tio­nal infor­ma­ti­on and docu­ments. In addi­ti­on, this ensu­res that the data pro­tec­tion advi­sor can report to the hig­hest bodies of the con­trol­ler or the com­mis­sio­ned pro­ces­sor in the event of com­plex cir­cum­stances and par­ti­cu­lar­ly serious vio­la­ti­ons and bring about a decis­i­on.
Repeal of Artic­le 12a VDSG
This pro­vi­si­on is repea­led as its con­tent has been new­ly inclu­ded in the law (Art. 10 para. 3 let. b and c nDSG).


Art. 24 Exemp­ti­on from the obli­ga­ti­on to keep a regi­ster of pro­ce­s­sing activities


Com­pa­nies and other orga­nizati­ons under pri­va­te law that employ fewer than 250 employees on Janu­ary 1 of any year, as well as natu­ral per­sons, are exempt from the obli­ga­ti­on to keep a regi­ster of pro­ce­s­sing acti­vi­ties, unless one of the fol­lo­wing con­di­ti­ons is met:
a. Per­so­nal data requi­ring spe­cial pro­tec­tion is pro­ce­s­sed on a lar­ge scale.
b. High risk pro­fil­ing is performed.

Expl­ana­to­ry report

Based on Artic­le 12 nDSG, data con­trol­lers and data pro­ces­sors must each keep a regi­ster of their pro­ce­s­sing acti­vi­ties. This must con­tain some mini­mum infor­ma­ti­on. For the direc­to­ry of the con­trol­ler, the­se are: the iden­ti­ty of the con­trol­ler, the pur­po­se of the pro­ce­s­sing, a descrip­ti­on of the cate­go­ries of data sub­jects and the cate­go­ries of per­so­nal data pro­ce­s­sed, the cate­go­ries of reci­pi­en­ts, if pos­si­ble the reten­ti­on peri­od of the per­so­nal data or the cri­te­ria for deter­mi­ning this peri­od, as well as a gene­ral descrip­ti­on of the mea­su­res to ensu­re data secu­ri­ty in accordance with Artic­le 8 nDSG, and, if the data are dis­c­lo­sed abroad, the indi­ca­ti­on of the sta­te as well as the gua­ran­tees in accordance with Artic­le 16 para­graph 2 nDSG (Artic­le 12 para­graph 2 nDSG).
For some SMEs, kee­ping such a regi­ster may invol­ve a dis­pro­por­tio­na­te admi­ni­stra­ti­ve bur­den com­pared to the poten­ti­al risks that data pro­ce­s­sing ent­ails for the per­so­na­li­ty of the data sub­jects. Sin­ce Artic­le 12(5) nDSG requi­res the Fede­ral Coun­cil to pro­vi­de for excep­ti­ons for com­pa­nies, inclu­ding sole pro­prie­tor­ships, it is accor­din­gly also aut­ho­ri­zed to app­ly the­se excep­ti­ons to natu­ral per­sons and other legal enti­ties such as asso­cia­ti­ons and foun­da­ti­ons. This seems appro­pria­te becau­se kee­ping the regi­ster could impo­se a dis­pro­por­tio­na­te bur­den on them, as it does on SMEs.
Artic­le 24 Art. (for­mer Art. 26 E‑VDSG) thus con­cre­ti­zes Art. 12(5) nDSG by deter­mi­ning to whom the­se exemp­ti­ons app­ly and in which cases the risks of per­so­na­li­ty vio­la­ti­ons within the mea­ning of this pro­vi­si­on are low (see Dis­patch, BBl 2017 7037). It pro­vi­des that com­pa­nies and other orga­nizati­ons under pri­va­te law with fewer than 250 employees on Janu­ary 1 of a year (regard­less of the degree of employment), as well as natu­ral per­sons, are exempt from the obli­ga­ti­on to keep a regi­ster of pro­ce­s­sing acti­vi­ties. Howe­ver, this only applies if per­so­nal data requi­ring spe­cial pro­tec­tion is not pro­ce­s­sed on a lar­ge sca­le (sub­pa­ra­graph a) and if no high-risk pro­fil­ing is car­ri­ed out (sub­pa­ra­graph b). The requi­re­ment of Artic­le 24 let­ter a Art. ther­eby cor­re­sponds to Artic­le 22 para­graph 2 let­ter a nDSG. In other words, only SMEs that per­form cer­tain high-risk data pro­ce­s­sing acti­vi­ties are requi­red to keep a regi­ster of pro­ce­s­sing acti­vi­ties. The list of high-risk data pro­ce­s­sing acti­vi­ties in this pro­vi­si­on is exhaus­ti­ve. For the requi­re­ment in let­ter a, plea­se refer to the expl­ana­ti­ons on the simi­lar­ly struc­tu­red requi­re­ment in Artic­le 5 para­graph 1 let­ter a Art. (form­er­ly Art. 4 para. 1 let. a Draft Data Pro­tec­tion Act) on the obli­ga­ti­on of pri­va­te per­sons to draw up pro­ce­s­sing regu­la­ti­ons.
Exten­si­ve pro­ce­s­sing of data requi­ring spe­cial pro­tec­tion inclu­des, in par­ti­cu­lar, data pro­ce­s­sing invol­ving lar­ge quan­ti­ties of data or a lar­ge num­ber of per­sons.
SMEs that pro­cess data within the mea­ning of Artic­le 24 let­ters a and b Art. only have to keep a regi­ster of pro­ce­s­sing acti­vi­ties for the­se data pro­ce­s­sing acti­vi­ties, but not for other data pro­ce­s­sing acti­vi­ties. Of cour­se, SMEs that are exempt from the obli­ga­ti­on are not pre­ven­ted from vol­un­t­a­ri­ly kee­ping a regi­ster of pro­ce­s­sing acti­vi­ties. Espe­ci­al­ly if a con­trol­ler regu­lar­ly pro­ce­s­ses per­so­nal data, it is a useful and simp­le tool to keep an over­view of the pro­ce­s­sing acti­vi­ties, which can also faci­li­ta­te the controller’s com­pli­ance with other obli­ga­ti­ons, such as the duty to inform.

Chap­ter 5: Spe­cial Pro­vi­si­ons on Data Pro­ce­s­sing by Fede­ral Bodies

Sec­tion 1: Data pro­tec­tion advisor

Expl­ana­to­ry report

Artic­les 25 – 28 Art. (for­mer Art. 25 – 30 E‑VDSG) replace Art. 23 VDSG, which deals with the data pro­tec­tion advi­sor of fede­ral bodies.

Art. 25 Appointment


Each fede­ral body shall appoint a data pro­tec­tion advi­sor. Seve­ral fede­ral bodies may joint­ly appoint a data pro­tec­tion advi­sor.
Expl­ana­to­ry report

Artic­le 25 Art. imple­ments Artic­le 10(4) nDSG and Artic­le 32 of Direc­ti­ve (EU) 2016/680. The pro­vi­si­on wher­eby seve­ral fede­ral bodies may joint­ly desi­gna­te a data pro­tec­tion advi­sor is inten­ded to enable smal­ler fede­ral bodies or depart­ments with a cen­tra­li­zed orga­nizatio­nal struc­tu­re in par­ti­cu­lar to take advan­ta­ge of meaningful and resour­ce-saving syn­er­gies. On the other hand, lar­ger fede­ral offices, for exam­p­le, can be expec­ted to have a data pro­tec­tion advi­sor on their own. Of cour­se, it is also open to the fede­ral bodies to desi­gna­te seve­ral advisors.


Art. 26 Requi­re­ments and tasks

1 The pri­va­cy con­sul­tant must meet the fol­lo­wing requirements:

a. She or he has the requi­red expertise.
b. He or she shall exer­cise his or her func­tion vis-à-vis the fede­ral body in a pro­fes­sio­nal­ly inde­pen­dent man­ner and wit­hout being bound by instructions.

2 She or he must per­form the fol­lo­wing duties:

a. She or he shall coope­ra­te in the appli­ca­ti­on of the data pro­tec­tion rules, in par­ti­cu­lar by:

1. exami­nes the pro­ce­s­sing of per­so­nal data and recom­mends cor­rec­ti­ve mea­su­res if a breach of data pro­tec­tion regu­la­ti­ons is identified,
2. advi­ses the con­trol­ler on the pre­pa­ra­ti­on of the data pro­tec­tion impact assess­ment and reviews its execution.
b. She or he shall ser­ve as a point of cont­act for affec­ted individuals.
c. She or he shall train and advi­se the employees of the fede­ral body on data pro­tec­tion issues.

Expl­ana­to­ry report

Para. 1
Artic­le 26(1) Art. takes over in let­ter a the requi­re­ment of Artic­le 12a(2) last sub-sen­tence VDSG. In let­ter b – as pre­vious­ly regu­la­ted in Artic­le 12b (2) (a) of the Fede­ral Data Pro­tec­tion Act and ana­log­ous to the regu­la­ti­on for pri­va­te data con­trol­lers in Artic­le 10 (3) (a) of the Fede­ral Data Pro­tec­tion Act – it is now man­da­to­ry for all fede­ral bodies (pre­vious­ly only tho­se fede­ral bodies had to meet the requi­re­ments of Artic­le 12a and Artic­le 12b of the Fede­ral Data Pro­tec­tion Act that wis­hed to be exempt from the obli­ga­ti­on to regi­ster their data coll­ec­tions, see Artic­le 23 (2) of the Fede­ral Data Pro­tec­tion Act) that the data pro­tec­tion advi­sor per­forms his or her func­tion in a pro­fes­sio­nal­ly inde­pen­dent man­ner and not bound by ins­truc­tions. This streng­thens and insti­tu­tio­na­li­zes the role of the data pro­tec­tion advi­sor in the fede­ral bodies, which are usual­ly hier­ar­chi­cal, so that he or she can per­form his or her duties effec­tively. Admit­ted­ly, the role of the data pro­tec­tion advi­sor is mere­ly advi­so­ry and sup­port­i­ve, and thus the poten­ti­al for con­flict with the respon­si­ble and supe­ri­or bodies is to be regard­ed as redu­ced. Nevert­hel­ess, it must be ensu­red that the data pro­tec­tion advi­sor is free to make his or her recom­men­da­ti­ons – even if they are some­ti­mes dis­agreeable in natu­re – wit­hout having to fear any dis­ad­van­ta­ges. Inde­pen­dence also implies that in important cases – as is expli­ci­t­ly pro­vi­ded for pri­va­te indi­vi­du­als in Artic­le 23(c) – the data pro­tec­tion advi­sor can appeal to the top manage­ment of the fede­ral body. The inde­pen­dence of the data pro­tec­tion advi­sor must be ensu­red pri­ma­ri­ly by orga­nizatio­nal mea­su­res: In par­ti­cu­lar, it must be pre­ven­ted that the acti­vi­ty as data pro­tec­tion advi­sor can have a nega­ti­ve impact on the employee inter­view.
Para. 2
The tasks of the data pro­tec­tion advi­sor of the fede­ral body in para­graph 2 have been ter­mi­no­lo­gi­cal­ly ali­gned with the pro­vi­si­on in the case of pri­va­te data con­trol­lers (Artic­le 10(3) nDSG). Para­graph 2(a) sta­tes that the data pro­tec­tion advi­sor, as alre­a­dy sta­ted in Artic­le 10(2)(b) nDSG, shall assist in the appli­ca­ti­on of the data pro­tec­tion pro­vi­si­ons. This inclu­des, in par­ti­cu­lar, that he or she, in accordance with item 1, checks the pro­ce­s­sing of per­so­nal data and recom­mends cor­rec­ti­ve mea­su­res if a breach of the data pro­tec­tion regu­la­ti­ons is iden­ti­fi­ed; and in accordance with item 2, advi­ses the data con­trol­ler in the pre­pa­ra­ti­on of the data pro­tec­tion impact assess­ment and checks its exe­cu­ti­on. The invol­vement of the data pro­tec­tion advi­sor may help to redu­ce the bur­den on the FDPIC. The requi­re­ment in point 2. cor­re­sponds to Artic­le 7(c) of Direc­ti­ve (EU) 2016/680. The data pro­tec­tion advi­sor is to be under­s­tood as an advi­so­ry and sup­port­ing body and not as a super­vi­so­ry body. With regard to the review of pro­ce­s­sing ope­ra­ti­ons and the recom­men­da­ti­on of cor­rec­ti­ve mea­su­res, it should the­r­e­fo­re be noted that the aim is not to intro­du­ce an acti­ve duty to review or to pre­scri­be syste­ma­tic checks of all data pro­ce­s­sing ope­ra­ti­ons. Rather, it is suf­fi­ci­ent for the data con­trol­ler to beco­me acti­ve if, for exam­p­le, the­re are requests from the respon­si­ble bodies to check data pro­ce­s­sing or if he or she recei­ves indi­ca­ti­ons that data pro­tec­tion regu­la­ti­ons have been vio­la­ted. Of cour­se, the data pro­tec­tion advi­sor is also free to proac­tively check. Fur­ther­mo­re, in accordance with para­graph 2 let­ter b, the data pro­tec­tion advi­sor ser­ves as a point of cont­act for the data sub­jects, for exam­p­le in the event of a request for infor­ma­ti­on pur­su­ant to Artic­le 25 nDSG.


Art. 27 Duties of the fede­ral body

1 The fede­ral body has the fol­lo­wing obli­ga­ti­ons towards the data pro­tec­tion advisor:

a. It shall grant him or her access to all infor­ma­ti­on, docu­ments, lists of pro­ce­s­sing acti­vi­ties and per­so­nal data that he or she requi­res to per­form his or her duties.
b. It ensu­res that she or he is noti­fi­ed of a data breach.
2 It shall publish the cont­act details of the data pro­tec­tion advi­sor on the Inter­net and noti­fy the FDPIC of the­se details.

Expl­ana­to­ry report

Artic­le 27(1)(a) Art. (for­mer Art. 29 para. 1 E‑DPA) is iden­ti­cal to the regu­la­ti­on for pri­va­te data con­trol­lers in Artic­le 22 let­ter b Art. (for­mer Art. 25 para. 2 let. b Draft Data Pro­tec­tion Act). Here, the­r­e­fo­re, refe­rence can be made muta­tis mut­an­dis to the expl­ana­ti­ons the­re. If spe­cial legal bases pre­vent the data pro­tec­tion advi­sor from acce­s­sing cer­tain infor­ma­ti­on, in par­ti­cu­lar per­so­nal data, the­se take pre­ce­dence in accordance with the gene­ral prin­ci­ple of lex spe­cia­lis. If neces­sa­ry, the per­so­nal data must be blacked out if the data pro­tec­tion advi­sor requi­res access to infor­ma­ti­on con­tai­ning per­so­nal data for the per­for­mance of his or her duties. Accor­ding to Artic­le 27(1)(b) Art. the fede­ral body is now obli­ged to ensu­re that the advi­sor is infor­med about brea­ches of data secu­ri­ty. This obli­ga­ti­on can be ensu­red, for exam­p­le, by the fede­ral body obliging employees by means of ins­truc­tions to inform the con­sul­tant in the event of a data secu­ri­ty breach. The obli­ga­ti­on does not only con­cern brea­ches that must be repor­ted to the FDPIC on the basis of Artic­le 24 nDSG, but rela­tes to any data secu­ri­ty breach. The data pro­tec­tion advi­sor advi­ses the data con­trol­ler on whe­ther the breach is sub­ject to a noti­fi­ca­ti­on obli­ga­ti­on within the mea­ning of Artic­le 24 nDSG. Howe­ver, the noti­fi­ca­ti­on its­elf is the respon­si­bi­li­ty of the data con­trol­ler: He or she deci­des whe­ther and which brea­ches are repor­ted to the FDPIC.
Para­graph 2 has been added and pro­vi­des for an ana­log­ous regu­la­ti­on as in Artic­le 10(3)(d) nDSG for pri­va­te data con­trol­lers. This is inten­ded to make it easier for data sub­jects to exer­cise their rights by making it pos­si­ble to loca­te at least one pro­fes­sio­nal cont­act per­son direct­ly. It is not neces­sa­ry to publish the name of the data pro­tec­tion advi­sor. It is suf­fi­ci­ent, for exam­p­le, to pro­vi­de an e‑mail address of the tech­ni­cal­ly respon­si­ble office. Fur­ther­mo­re, the cont­act details of the data pro­tec­tion advi­sor must also be com­mu­ni­ca­ted to the FDPIC.


Art. 28 Cont­act point of the FDPIC


The data pro­tec­tion advi­sor ser­ves as a point of cont­act for the FDPIC for que­sti­ons rela­ting to the pro­ce­s­sing of per­so­nal data by the fede­ral body con­cer­ned.
Expl­ana­to­ry report

Artic­le 28 Art. (for­mer Art. 30 E‑VDSG) takes over the mea­ning of Art. 23(3) VDSG in a more pre­cise form. The wor­ding has been adapt­ed, howe­ver, as it was misun­ders­tood as a rest­ric­tion on cont­act. The fede­ral bodies should remain free to com­mu­ni­ca­te with the FDPIC via other bodies as well and not only via the data pro­tec­tion advi­sor. It is not the opi­ni­on that she or he acts as a liai­son for the FDPIC, but as a point of cont­act, sin­ce she or he has the neces­sa­ry exper­ti­se and inter­nal know­ledge in mat­ters rela­ting to the pro­ce­s­sing of per­so­nal data by the fede­ral body’s own.

Sec­tion 2: Infor­ma­ti­on requirements

Art. 29 Duty to pro­vi­de infor­ma­ti­on when dis­clo­sing per­so­nal data


The fede­ral body shall inform the reci­pi­ent of the time­liness, relia­bi­li­ty and com­ple­ten­ess of the per­so­nal data dis­c­lo­sed by it, inso­far as this infor­ma­ti­on is not appa­rent from the data its­elf or from the cir­cum­stances.
Expl­ana­to­ry report

This pro­vi­si­on cor­re­sponds to Artic­les 12 and 26 of the FADP and con­cerns the relia­bi­li­ty of the per­so­nal data dis­c­lo­sed. In addi­ti­on to the “time­liness” and “relia­bi­li­ty” of the per­so­nal data, Artic­le 29 Art. (for­mer Art. 15 E‑VDSG) now men­ti­ons “com­ple­ten­ess”. To ensu­re data qua­li­ty, the data must be up-to-date, relia­ble and com­ple­te (i.e. neither only par­ti­al­ly available nor incom­ple­te). The pro­vi­si­on is thus ali­gned with Artic­le 7(2) of Direc­ti­ve (EU) 2016/680. It sup­ple­ments Artic­le 6(5) nDSG.


Art. 30 Duty to pro­vi­de infor­ma­ti­on in the case of syste­ma­tic acqui­si­ti­on of per­so­nal data


If the data sub­ject is not obli­ged to pro­vi­de infor­ma­ti­on, the fede­ral body respon­si­ble shall draw his or her atten­ti­on to this fact in the event of a syste­ma­tic acqui­si­ti­on of per­so­nal data.
Expl­ana­to­ry report

The regu­la­ti­on cor­re­sponds to the cur­rent Artic­le 24 FADP: If the data sub­ject is not obli­ged to pro­vi­de infor­ma­ti­on, the fede­ral body respon­si­ble must point out to him that his pro­vi­si­on of infor­ma­ti­on is vol­un­t­a­ry. In accordance with the pro­vi­si­on of Artic­le 24 FADP, this obli­ga­ti­on also applies only to the syste­ma­tic acqui­si­ti­on of per­so­nal data. It applies in par­ti­cu­lar to the area of sta­tis­tics and research.

Sec­tion 3: Noti­fi­ca­ti­on of pro­jects for the auto­ma­ted pro­ce­s­sing of per­so­nal data to the FDPIC


Art. 31

1 The respon­si­ble fede­ral body shall noti­fy the FDPIC of the plan­ned auto­ma­ted pro­ce­s­sing acti­vi­ties at the time of the decis­i­on to deve­lop or appro­ve the project
2 The noti­fi­ca­ti­on must con­tain the infor­ma­ti­on in accordance with Artic­le 12 para­graph 2 let­ters a‑d FADP and the expec­ted date of com­mence­ment of the pro­ce­s­sing activities
3 The FDPIC shall include this noti­fi­ca­ti­on in the regi­ster of pro­ce­s­sing activities
4 The respon­si­ble fede­ral body shall update the noti­fi­ca­ti­on upon tran­si­ti­on to pro­duc­ti­ve ope­ra­ti­on or upon pro­ject termination

Expl­ana­to­ry report

Artic­le 31(1) Art. sti­pu­la­tes that the respon­si­ble fede­ral body must noti­fy the FDPIC of the plan­ned auto­ma­ted pro­ce­s­sing acti­vi­ties at the time of the pro­ject appr­oval or the decis­i­on to deve­lop. Com­pared to the sub­si­dia­ry noti­fi­ca­ti­on to the FDPIC under Artic­le 20(2) of the FDPIC, which aims to exami­ne the con­tent of pro­jects, the pre­sent noti­fi­ca­ti­on, on the other hand, ser­ves the pur­po­se of pro­vi­ding the FDPIC with a mere over­view of plan­ned pro­jects in which per­so­nal data are to be pro­ce­s­sed by auto­ma­ted means. First and fore­most, the noti­fi­ca­ti­on is inten­ded to enable the FDPIC to obtain an over­all pic­tu­re of the plan­ned pro­jects and thus also to be able to opti­mi­ze its resour­ce plan­ning in the area of advi­so­ry acti­vi­ties and moni­to­ring of legis­la­ti­ve pro­jects. Secon­da­ri­ly, of cour­se, this noti­fi­ca­ti­on also ser­ves the pro­tec­tion of pri­va­cy.
Sin­ce the pro­jects are still at an ear­ly stage at the time of noti­fi­ca­ti­on, the con­tent of the noti­fi­ca­ti­on under para­graph 2 is limi­t­ed to a sub­set of the infor­ma­ti­on requi­red under Artic­le 12(2) nDSG, name­ly let­ters a‑d. As with the noti­fi­ca­ti­on of lists of exi­sting pro­ce­s­sing acti­vi­ties under Artic­le 12 nDSG, the FDPIC also inclu­des noti­fi­ca­ti­ons of plan­ned pro­ce­s­sing acti­vi­ties in the regi­ster of pro­ce­s­sing acti­vi­ties under Artic­le 56 nDSG. Howe­ver, the infor­ma­ti­on on the noti­fi­ca­ti­on of plan­ned pro­ce­s­sing acti­vi­ties is not published (see Art. 42 para. 2 Art.). The fede­ral body respon­si­ble updates the ent­ry in accordance with para­graph 4 when the pro­ject is suc­cessful­ly com­ple­ted, i.e. when it goes into pro­duc­ti­ve ope­ra­ti­on (or trans­fers the ent­ry to a noti­fi­ca­ti­on in accordance with Art. 12 para. 4 nDSG), or when the pro­ject is dis­con­tin­ued (i.e. the ent­ry is dele­ted). The noti­fi­ca­ti­on is the­r­e­fo­re only “visi­ble” to the FDPIC at the time of the pro­ject release or the decis­i­on to deve­lop the project.

Sec­tion 4: Pilot testing


Art. 32 Indis­pensa­bi­li­ty of the pilot test


A pilot test is indis­pensable if one of the fol­lo­wing con­di­ti­ons is met:
a. The ful­fill­ment of a task requi­res tech­ni­cal inno­va­tions, the effects of which must first be evaluated.
b. The ful­fill­ment of a task requi­res signi­fi­cant orga­nizatio­nal or tech­ni­cal mea­su­res, the effec­ti­ve­ness of which must first be exami­ned, espe­ci­al­ly in the case of coope­ra­ti­on bet­ween fede­ral and can­to­nal bodies.
c. The ful­fill­ment of a task requi­res that the per­so­nal data be acce­s­si­ble in the retrie­val procedure.

Expl­ana­to­ry report

Based on Artic­le 35 para­graph 1 nDSG, the Fede­ral Coun­cil may aut­ho­ri­ze the auto­ma­ted pro­ce­s­sing of per­so­nal data requi­ring spe­cial pro­tec­tion or other data pro­ce­s­sing pur­su­ant to Artic­le 34 para­graph 2 let­ters b and c nDSG pri­or to the ent­ry into force of a law in the for­mal sen­se if cer­tain pre­re­qui­si­tes are cumu­la­tively met. One of the­se pre­re­qui­si­tes is that a test pha­se pri­or to ent­ry into force is indis­pensable for the prac­ti­cal imple­men­ta­ti­on of the data pro­ce­s­sing, in par­ti­cu­lar for tech­ni­cal rea­sons. In order to redu­ce the regu­la­to­ry den­si­ty in Artic­le 35 nDSG, the Fede­ral Coun­cil has moved the­se cla­ri­fi­ca­ti­ons from Artic­le 17a para­graph 2 FADP to the ordi­nan­ce.
Artic­le 32 Art. deter­mi­nes in which cases a test pha­se is to be con­side­red indis­pensable. It takes over Artic­le 17a(2) FADP with some edi­to­ri­al chan­ges. For exam­p­le, the term “tech­ni­cal inno­va­tions” is to be under­s­tood as befo­re: On the one hand, this inclu­des the use of new tech­no­lo­gies, but also the use of alre­a­dy known tech­no­lo­gy in a new envi­ron­ment or when imple­men­ting new solu­ti­ons. The Swis­s­Co­vid app can be taken as an exam­p­le of this: Alt­hough it is based on alre­a­dy known tech­no­lo­gies such as Blue­tooth, the­se have never been used in a com­pa­ra­ble solu­ti­on. Only let­ter c is adapt­ed: The wor­ding now covers all retrie­val pro­ce­du­res and no lon­ger only tho­se that crea­te access for can­to­nal aut­ho­ri­ties. This rest­ric­ti­ve wor­ding was due to histo­ri­cal rea­sons, but it can­not be decisi­ve who the addres­sees of the retrie­val pro­ce­du­re are, but rather the tech­ni­cal aspect is in the fore­ground for the assump­ti­on of indis­pensa­bi­li­ty (cf. Art. 35 para. 1 let. c nDSG).
At least one con­di­ti­on accor­ding to let­ters a‑c must be ful­fil­led, which means in par­ti­cu­lar that a pilot test must not be used purely for rea­sons of time.


Art. 33 Pro­ce­du­re for the appr­oval of the pilot test

1 Pri­or to con­sul­ting the inte­re­sted admi­ni­stra­ti­ve units, the fede­ral body respon­si­ble for the pilot sche­me shall set out how com­pli­ance with the requi­re­ments under Artic­le 35 FADP is to be met and shall invi­te the FDPIC to sub­mit its comments

2 The FDPIC issues an opi­ni­on on whe­ther the licen­sing requi­re­ments under Artic­le 35 FADP have been met. The fede­ral body shall pro­vi­de him with all docu­ments neces­sa­ry for this pur­po­se, in particular:

a. a gene­ral descrip­ti­on of the pilot test;
b. a report pro­ving that the ful­fill­ment of the tasks pro­vi­ded for by law requi­res pro­ce­s­sing in accordance with Artic­le 34 para­graph 2 FADP and that a test pha­se is indis­pensable in the for­mal sen­se befo­re the law comes into force;
c. a descrip­ti­on of the inter­nal orga­nizati­on and the data pro­ce­s­sing and con­trol procedures;
d. a descrip­ti­on of the secu­ri­ty and data pro­tec­tion measures;
e. the draft of an ordi­nan­ce regu­la­ting the details of pro­ce­s­sing, or the con­cept of an ordinance;
f. the plan­ning of the various pha­ses of the pilot test.
3 The FDPIC may request fur­ther docu­ments and car­ry out addi­tio­nal investigations
4 The fede­ral body shall inform the FDPIC of any important chan­ge affec­ting com­pli­ance with the requi­re­ments under Artic­le 35 FADP. The FDPIC shall com­ment again if necessary
5 The opi­ni­on of the FDPIC must be atta­ched to the appli­ca­ti­on to the Fede­ral Council
6 Auto­ma­ted data pro­ce­s­sing is gover­ned by an ordinance

Expl­ana­to­ry report

This pro­vi­si­on adopts Artic­le 27 of the FADP with some edi­to­ri­al adjust­ments. The refe­ren­ces are adapt­ed to the nDSG whe­re neces­sa­ry. A new para­graph 6 has been added, in which it is sta­ted – simi­lar to the cur­rent Artic­le 17a (3) FADP – that auto­ma­ted data pro­ce­s­sing will be regu­la­ted in an ordi­nan­ce. This ensu­res the trans­pa­ren­cy of the pilot tests.


Art. 34 Eva­lua­ti­on report

1 The com­pe­tent fede­ral body shall sub­mit the draft eva­lua­ti­on report to the FDPIC for com­ment to the Fede­ral Council
2 It shall sub­mit the eva­lua­ti­on report with the opi­ni­on of the FDPIC to the Fede­ral Council.

Expl­ana­to­ry report

This pro­vi­si­on takes over Artic­le 27a of the VDSG.
Pur­su­ant to Artic­le 34 Art. the com­pe­tent fede­ral body shall sub­mit the draft eva­lua­ti­on report to the FDPIC for its opi­ni­on. If it deems it neces­sa­ry, the com­pe­tent fede­ral body shall adapt the eva­lua­ti­on report.

Sec­tion 5: Data pro­ce­s­sing for non-per­so­nal purposes


Art. 35


If per­so­nal data are pro­ce­s­sed for non-per­so­nal pur­po­ses, in par­ti­cu­lar rese­arch, plan­ning and sta­tis­tics, and at the same time for ano­ther pur­po­se, the excep­ti­ons under Artic­le 39 para­graph 2 FADP shall only app­ly to pro­ce­s­sing for the non-per­so­nal pur­po­ses.
Expl­ana­to­ry report

In order to ensu­re that the appli­ca­ti­on of the excep­ti­ons under Artic­le 39(2) nDSG does not go bey­ond the legal frame­work, the ordi­nan­ce spe­ci­fi­es that, in the case of data pro­ce­s­sing for non-per­so­nal pur­po­ses (e.g. for rese­arch, plan­ning or sta­tis­tics) that simul­ta­neous­ly ser­ves ano­ther pur­po­se, the­se excep­ti­ons are only appli­ca­ble to pro­ce­s­sing for the pur­po­ses spe­ci­fi­ed in Artic­le 39 nDSG.

Chap­ter 6: Fede­ral Data Pro­tec­tion and Infor­ma­ti­on Commissioner

Art. 36 Head­quar­ters and per­ma­nent secretariat

1 The seat of the FDPIC is loca­ted in Bern
2 Fede­ral per­son­nel legis­la­ti­on applies to the employment rela­ti­on­ships of the employees of the per­ma­nent secre­ta­ri­at of the FDPIC. The employees are insu­red within the frame­work of the Confederation’s pen­si­on sche­me with the Pen­si­on Fund of the Confederation

Expl­ana­to­ry report

This pro­vi­si­on cor­re­sponds in prin­ci­ple to Artic­le 30 VDSG.
Artic­le 36 (1) Art. (for­mer Art. 37 Para. 1 Elec­tro­nic Data Pro­tec­tion Act) remains mate­ri­al­ly unch­an­ged. Howe­ver, the pre­vious men­ti­on of the secre­ta­ri­at is dis­pen­sed with here, sin­ce the chan­ge in ter­mi­no­lo­gy from “Com­mis­sio­ner” to “FDPIC” alre­a­dy indi­ca­tes that this means the aut­ho­ri­ty as a who­le and thus also inclu­des the secre­ta­ri­at.
Artic­le 36 para. 2 Art. (for­mer Art. 37 para. 1 EDPA) regu­la­tes the employment rela­ti­on­ship of the per­ma­nent secre­ta­ri­at of the FDPIC. In terms of con­tent, the pro­vi­si­on cor­re­sponds to the cur­rent Artic­le 30 para­graph 2 FADP. Howe­ver, com­pared to the cur­rent law, it con­ta­ins (ter­mi­no­lo­gi­cal) adjust­ments and an addi­ti­on. Even after the total revi­si­on of the FADP, the Com­mis­sio­ner and the per­ma­nent secre­ta­ri­at of the FDPIC con­sti­tu­te a decen­tra­li­sed admi­ni­stra­ti­ve unit wit­hout legal per­so­na­li­ty, which is admi­ni­stra­tively assi­gned to the Fede­ral Chan­cel­lery (Art. 43 para. 4 second sen­tence nDSG, Art. 2 para. 1 let. e [BPG] , Art. 2 para. 3 of the Govern­ment and Admi­ni­stra­ti­on Orga­ni­sa­ti­on Act of 21 March 1997 [RVOG] as well as Art. 8 para. 1 let. b in. in con­junc­tion with Annex 1 let­ter A item 2.1.1 of the Govern­ment and Admi­ni­stra­ti­on Orga­nizati­on Ordi­nan­ce of Novem­ber 25, 1998 [RVOV]). As befo­re, the second sen­tence of Artic­le 43(5) nDSG pro­vi­des that the Com­mis­sio­ner himself/herself hires his/her staff and has cer­tain powers within this frame­work. For exam­p­le, the employment con­tracts of the FDPIC’s staff are signed by the Com­mis­sio­ner. Howe­ver, the appoin­tee is still not con­side­red by the FDPIC’s secre­ta­ri­at to be an employer under per­son­nel or pen­si­on law within the mea­ning of the CPC. Accor­ding to Artic­le 3 para­graph 1 let­ter a BPG, the employer is the Fede­ral Coun­cil. The employment rela­ti­on­ship of the employees of the per­ma­nent secre­ta­ri­at of the FDPIC the­r­e­fo­re con­ti­nues to be gover­ned by fede­ral per­son­nel legis­la­ti­on in accordance with the first sen­tence of Artic­le 36 para­graph 2 Art. Thus, the Fede­ral Per­son­nel Ordi­nan­ce of 3 July 2001 (FPL), the FDF Ordi­nan­ce of 6 Decem­ber 2001 on the Fede­ral Per­son­nel Ordi­nan­ce (FPL) and the Ordi­nan­ce of 22 Novem­ber 2017 on the Pro­tec­tion of Per­so­nal Data of Fede­ral Per­son­nel (FPL) con­ti­n­ue to app­ly. In this regard, the cur­rent Artic­le 30 para­graph 2 FADP mere­ly under­goes a ter­mi­no­lo­gi­cal adjust­ment (“employees of the per­ma­nent secre­ta­ri­at of the FDPIC” instead of “secre­ta­ri­at of the Com­mis­sio­ner” and “fede­ral per­son­nel legis­la­ti­on” instead of “fede­ral per­son­nel legis­la­ti­on […] as well as […] its enforce­ment pro­vi­si­ons”). In addi­ti­on, the second sen­tence of Art. 36(2) cla­ri­fi­es that the employees of the FDPIC’s per­ma­nent secre­ta­ri­at are insu­red under the Confederation’s pen­si­on sche­me with the Confederation’s pen­si­on fund. This addi­ti­on does not ent­ail any mate­ri­al chan­ge, but mere­ly expli­ci­t­ly sta­tes the pen­si­on law regu­la­ti­on for the per­ma­nent secre­ta­ri­at of the FDPIC that alre­a­dy exi­sted (cf. Art. 32a para. 1 and Art. 32d para. 1 BPG). Accor­din­gly, the staff remains insu­red in accordance with the pro­vi­si­ons of the pen­si­on regu­la­ti­ons of 15 June 2007 for the employees and pen­si­on reci­pi­en­ts of the Fede­ral Pen­si­on Fund (VRAB).
With regard to the employment rela­ti­on­ship of the per­ma­nent secre­ta­ri­at of the FDPIC, the sta­tus quo will the­r­e­fo­re be main­tai­ned for the time being. This is justi­fi­ed in par­ti­cu­lar becau­se the admi­ni­stra­ti­ve assign­ment to the Fede­ral Chan­cel­lery allo­ws the FDPIC to con­cen­tra­te its resour­ces on ope­ra­tio­nal acti­vi­ties. Coope­ra­ti­on bet­ween the Fede­ral Chan­cel­lery and the FDPIC is struc­tu­red in such a way that the inde­pen­dence of the FDPIC remains gua­ran­teed. Nevert­hel­ess, the que­sti­on ari­ses as to whe­ther the Com­mis­sio­ner should have employer powers under per­son­nel and pen­si­on law vis-à-vis the employees of the per­ma­nent secre­ta­ri­at. This que­sti­on must be cla­ri­fi­ed at the ear­liest oppor­tu­ni­ty at the for­mal legal level. The coor­di­na­ted review and adap­t­ati­on of the spe­cial legal bases for the data of legal per­sons, which is to take place in the five years fol­lo­wing the ent­ry into force of the nDSG (cf. Art. 71 nDSG), could pro­vi­de an oppor­tu­ni­ty to do so.
By con­trast, the imple­men­ting pro­vi­si­ons on the employment rela­ti­on­ship of the Com­mis­sio­ner are not to be issued by the Fede­ral Coun­cil but by the Fede­ral Assem­bly. This is becau­se the employment rela­ti­on­ship of the appoin­tee is now estab­lished upon elec­tion by the United Fede­ral Assem­bly (Art. 43 para. 1 nDSG). As part of par­lia­men­ta­ry initia­ti­ve 21.443, the SPK‑N adopted a draft ordi­nan­ce of the Fede­ral Assem­bly on 27 Janu­ary 2022 con­tai­ning the imple­men­ting pro­vi­si­ons on the employment rela­ti­on­ship of the Com­mis­sio­ner. In addi­ti­on, indi­vi­du­al amend­ments to the nDSG are plan­ned in this con­text. Par­lia­ment adopted the bills in the final vote on 17 June 2022.
Artic­le 30 para­graph 3 of the FDPCA has not been retai­ned, sin­ce the FDPIC now has an inde­pen­dent bud­get, which is con­clu­si­ve­ly regu­la­ted in Artic­le 45 of the nDPA and in Artic­le 142 para­graphs 2 and 3 of the Par­lia­men­ta­ry Act of 13 Decem­ber 2002 (nParlG).


Art. 37 Com­mu­ni­ca­ti­on channel

1 The FDPIC com­mu­ni­ca­tes with the Fede­ral Coun­cil via the Fede­ral Chan­cell­or. The lat­ter shall for­ward the pro­po­sals, opi­ni­ons and reports unch­an­ged to the Fede­ral Council
2 The FDPIC sub­mits reports for the atten­ti­on of the Fede­ral Assem­bly via the par­lia­men­ta­ry services

Expl­ana­to­ry report

Artic­le 37 Art. lar­ge­ly repres­ents an adop­ti­on of Artic­le 31(1) and (1bis) of the Data Pro­tec­tion Act. Artic­le 31(2) has not been incor­po­ra­ted into the Art. sin­ce it fol­lows from the inde­pen­dence of the FDPIC and the fact that he is not bound by ins­truc­tions any­way that the FDPIC can com­mu­ni­ca­te direct­ly with other admi­ni­stra­ti­ve units. The dele­ti­on the­r­e­fo­re does not lead to any sub­stan­ti­ve chan­ge. Com­pared to Artic­le 31 of the Fede­ral Data Pro­tec­tion Act, the first para­graph has been amen­ded. The new wor­ding is inten­ded to cla­ri­fy that the FDPIC can also cont­act the Fede­ral Coun­cil on issues that are not on the agen­da of a Fede­ral Coun­cil mee­ting, for exam­p­le by having opi­ni­ons for­ward­ed to it. Apart from this, the con­tent of para­graph 1 remains unch­an­ged becau­se the Fede­ral Chan­cell­or must for­ward all com­mu­ni­ca­ti­ons to the Fede­ral Coun­cil and has no room for maneu­ver in this regard. This also applies to the co-report­ing pro­ce­du­re. In para­graph 2, only the wor­ding has been slight­ly adapt­ed; the sub­stan­ti­ve con­tent, howe­ver, cor­re­sponds to Artic­le 31 para­graph 1bis of the FADP.

Art. 38 Noti­fi­ca­ti­on of decis­i­ons, gui­de­lines and projects

1 The depart­ments and the Fede­ral Chan­cel­lery shall noti­fy the FDPIC of their decis­i­ons in the area of data pro­tec­tion in anony­mous form, as well as their guidelines
2 The fede­ral bodies shall sub­mit to the FDPIC all draft legis­la­ti­on rela­ting to the pro­ce­s­sing of per­so­nal data, data pro­tec­tion and access to offi­ci­al documents.

Expl­ana­to­ry report

This pro­vi­si­on cor­re­sponds, apart from ter­mi­no­lo­gi­cal and syste­ma­tic adjust­ments, to Artic­le 32(1) of the FADP.
Para­graph 2: The FDPIC should be invol­ved as ear­ly as pos­si­ble. It must be con­sul­ted at the latest within the frame­work of the office consultation.


Art. 39 Pro­ce­s­sing of per­so­nal data


The FDPIC may pro­cess per­so­nal data, inclu­ding per­so­nal data requi­ring spe­cial pro­tec­tion, in par­ti­cu­lar for the fol­lo­wing pur­po­ses:
a. to car­ry out its super­vi­so­ry activities;
b. to car­ry out its con­sul­ting activities;
c. to coope­ra­te with fede­ral, can­to­nal and for­eign authorities;
d. for the per­for­mance of tasks within the scope of the penal pro­vi­si­ons under the FADP;
e. to con­duct con­ci­lia­ti­on pro­ce­e­dings and to issue recom­men­da­ti­ons in accordance with the Public Act of 17 Decem­ber 2004 (Public Act);
f. to con­duct eva­lua­tions in accordance with the BGÖ;
g. to car­ry out pro­ce­du­res for access to offi­ci­al docu­ments in accordance with the Fede­ral Law on Civil Procedure;
h. for the infor­ma­ti­on of the par­lia­men­ta­ry supervision;
i. for the infor­ma­ti­on of the public;
j. to car­ry out its trai­ning activities.

Expl­ana­to­ry report

Under cur­rent law, Artic­le 32(2) FADP sta­tes the pur­po­ses for which the FDPIC ope­ra­tes an infor­ma­ti­on and docu­men­ta­ti­on system. Howe­ver, Artic­le 57h RVOG, which was new­ly inser­ted as part of the total revi­si­on of the FADP, will in future sta­te in gene­ral terms that the units of the fede­ral admi­ni­stra­ti­on ope­ra­te elec­tro­nic busi­ness manage­ment systems to mana­ge their docu­ments. In the future, it will the­r­e­fo­re not be neces­sa­ry to refer to the use of the busi­ness manage­ment system in the Art.
On the other hand, the pur­po­ses for which the FDPIC pro­ce­s­ses per­so­nal data are now regu­la­ted in more detail (para. 1). It may pro­cess per­so­nal data, inclu­ding per­so­nal data requi­ring spe­cial pro­tec­tion, in par­ti­cu­lar for the fol­lo­wing pur­po­ses: to car­ry out its super­vi­so­ry acti­vi­ties (sub­pa­ra. a), to car­ry out its advi­so­ry acti­vi­ties (sub­pa­ra. b), to coope­ra­te with fede­ral, can­to­nal and for­eign aut­ho­ri­ties (sub­pa­ra. c), to per­form its duties under the penal pro­vi­si­ons of the FADP (sub­pa­ra. d), to con­duct con­ci­lia­ti­on pro­ce­e­dings and issue recom­men­da­ti­ons under the Fede­ral Act of 17 Decem­ber 2004 on the Prin­ci­ple of Public Access to Admi­ni­stra­ti­ve Docu­ments (FOPA) (sub­pa­ra. e), to con­duct eva­lua­tions under the FOPA (sub­pa­ra. f), to con­duct pro­ce­du­res for access to offi­ci­al docu­ments under the FOPA (sub­pa­ra. g), to inform par­lia­men­ta­ry over­sight (sub­pa­ra. h), to inform the public (sub­pa­ra. i), and to car­ry out its trai­ning acti­vi­ties (sub­pa­ra. j).

Art. 40 Self-regulation


The FDPIC shall estab­lish pro­ce­s­sing regu­la­ti­ons for all auto­ma­ted pro­ce­s­sing ope­ra­ti­ons; Artic­le 6(1) shall not app­ly.
Expl­ana­to­ry report

Artic­le 48 nDSG pro­vi­des that the FDPIC must take appro­pria­te mea­su­res to ensu­re that the data pro­tec­tion pro­vi­si­ons within his aut­ho­ri­ty are enforced in accordance with the law. The dis­patch on the Data Pro­tec­tion Act spe­ci­fi­es that the Fede­ral Coun­cil has the task of spe­ci­fy­ing the mea­su­res to be taken by the FDPIC in the ordi­nan­ce (BBl 2017 6941, 7089).
Accor­ding to Artic­le 40 Art., the FDPIC is expec­ted to draw up pro­ce­s­sing regu­la­ti­ons for all auto­ma­ted pro­ce­s­sing car­ri­ed out by him, and not only in the cases men­tio­ned in Artic­le 6(1) Art. such as the pro­ce­s­sing of par­ti­cu­lar­ly sen­si­ti­ve per­so­nal data or pro­fil­ing. Even if this is not expli­ci­t­ly sta­ted (unli­ke still in Art. 41 para. 2 of the Elec­tro­nic Data Pro­tec­tion Act), the FDPIC, like other fede­ral bodies which are obli­ged to draw up pro­ce­s­sing regu­la­ti­ons (cf. Art. 6 Art.), must pro­vi­de for inter­nal pro­ce­s­ses which ensu­re that its data pro­ce­s­sing ope­ra­ti­ons are car­ri­ed out in accordance with the pro­ce­s­sing regu­la­ti­ons, and must veri­fy com­pli­ance with the pro­ce­s­sing regulations.


Art. 41 Coope­ra­ti­on with the NCSC

1 The FDPIC may for­ward a data breach noti­fi­ca­ti­on to the Natio­nal Cyber Secu­ri­ty Cen­ter (NCSC) for ana­ly­sis of the inci­dent with the con­sent of the respon­si­ble par­ty sub­ject to the noti­fi­ca­ti­on. The noti­fi­ca­ti­on may con­tain per­so­nal data
2 The FDPIC shall invi­te the NCSC to sub­mit its comm­ents befo­re orde­ring the fede­ral body to take the pre­cau­ti­ons pur­su­ant to Artic­le 8 FADP.

Expl­ana­to­ry report

In order for the FDPIC to be able to invol­ve the tech­ni­cal spe­cia­lists in the ana­ly­sis of a data secu­ri­ty breach which has occur­red and which has been repor­ted to him by the data con­trol­ler on the basis of Artic­le 24 nDSG and Artic­le 15 Art. (for­mer Art. 19 e‑Data Pro­tec­tion Act), the tech­ni­cal spe­cia­lists of the NCSC can be invol­ved, Artic­le 41 para­graph 1 Art. (for­mer Art. 42 Elec­tro­nic Data Pro­tec­tion Act) pro­vi­des that the FDPIC may for­ward the infor­ma­ti­on on the noti­fi­ca­ti­on of a data breach to the NCSC. The for­war­ding may con­tain any infor­ma­ti­on pur­su­ant to Art. 15(1) Art. but at the same time must be limi­t­ed to the data neces­sa­ry for the NCSC to ana­ly­ze the inci­dent. In this regard, the com­mu­ni­ca­ti­on from the FDPIC to the NCSC may also con­tain per­so­nal data. It is a pre­re­qui­si­te that the per­son respon­si­ble, who is obli­ged to noti­fy the FDPIC, has given his pri­or con­sent to the for­war­ding. Fur­ther­mo­re, the for­war­ding must not lead to the cir­cum­ven­ti­on of Artic­le 24 para­graph 6 nDSG, accor­ding to which the report may only be used in the con­text of cri­mi­nal pro­ce­e­dings with the con­sent of the per­son obli­ged to report. Artic­le 41(1) Art. does not allow the FDPIC to syste­ma­ti­cal­ly for­ward reports to the NCSC. Rather, the FDPIC may only make use of this pos­si­bi­li­ty in indi­vi­du­al cases whe­re the tech­ni­cal exper­ti­se of the NCSC is neces­sa­ry for the cla­ri­fi­ca­ti­on of an inci­dent. The pro­vi­si­on is to be trans­fer­red to the legis­la­ti­ve level at the ear­liest oppor­tu­ni­ty. For this rea­son, a new Artic­le 24 para­graph 5bis nDSG is pro­vi­ded for in the annex to the preli­mi­na­ry draft amend­ment to the Infor­ma­ti­on Secu­ri­ty Act of 18 Decem­ber 2020 (ISG), which the Fede­ral Coun­cil sent out for con­sul­ta­ti­on on 12 Janu­ary 2022. This will also regu­la­te the dis­clo­sure by the FDPIC to the NCSC of par­ti­cu­lar­ly sen­si­ti­ve per­so­nal data rela­ting to admi­ni­stra­ti­ve and cri­mi­nal pro­se­cu­ti­ons or sanc­tions of the respon­si­ble par­ty sub­ject to the report­ing obli­ga­ti­on. If and when the new Artic­le 24(5bis) nDSG enters into force, Artic­le 41(1) Art. may be repea­led again.
Artic­le 41(2) Art. sta­tes that the FDPIC and the NCSC shall coor­di­na­te in over­lap­ping are­as of acti­vi­ty. The stan­dard cor­re­sponds in prin­ci­ple to Artic­le 20(3), second sen­tence, of the Data Pro­tec­tion Act. The FDPIC is requi­red to invi­te the NCSC to give its opi­ni­on befo­re orde­ring the fede­ral body to take the pre­cau­ti­ons under Artic­le 8 nDSG. The legal basis for such an order is 51(3)(b) nDSG. The aim is in par­ti­cu­lar to ensu­re that the FDPIC and the NCSC do not impo­se dif­fe­rent requi­re­ments on fede­ral bodies in the same area. Howe­ver, the inde­pen­dence of the FDPIC remains gua­ran­teed, sin­ce he is only requi­red to obtain the opi­ni­on, but not also to take it into account.


Art. 42 Regi­ster of pro­ce­s­sing acti­vi­ties of fede­ral bodies

1 The regi­ster of pro­ce­s­sing acti­vi­ties of fede­ral bodies con­ta­ins the infor­ma­ti­on pro­vi­ded by fede­ral bodies in accordance with Artic­le 12 para­graph 2 FADP as well as Artic­le 31 para­graph 2 of this Ordinance
2 It shall be published on the inter­net. The regi­ster ent­ries on plan­ned auto­ma­ted pro­ce­s­sing acti­vi­ties in accordance with Artic­le 31 shall not be published.

Expl­ana­to­ry report

Based on Artic­le 12 para­graph 4 nDSG, the fede­ral bodies must report their lists of pro­ce­s­sing acti­vi­ties to the FDPIC. The lat­ter, in turn, is requi­red by Artic­le 56 nDSG to keep a regi­ster of the pro­ce­s­sing acti­vi­ties of fede­ral bodies and to publish it.
Artic­le 42(1) Art. spe­ci­fi­es what the FDPIC’s regi­ster must con­tain, name­ly the infor­ma­ti­on that fede­ral bodies must pro­vi­de pur­su­ant to Artic­le 12(2) nDSG. In addi­ti­on, the regi­ster also con­ta­ins the infor­ma­ti­on on the plan­ned auto­ma­ted pro­ce­s­sing acti­vi­ties of the fede­ral bodies pur­su­ant to Artic­le 31(2) Art.
The second para­graph spe­ci­fi­es that the regi­ster of the FDPIC must be published on the inter­net. The regi­ster ent­ries on the plan­ned auto­ma­ted pro­ce­s­sing acti­vi­ties of the fede­ral bodies pur­su­ant to Artic­le 31 Art. are not published, as the­se can­not yet be con­side­red defi­ni­ti­ve at the time of their regi­stra­ti­on or could still be sub­ject to changes.


Art. 43 Codes of conduct 


If a code of con­duct is sub­mit­ted to the FDPIC, the FDPIC shall sta­te in its opi­ni­on whe­ther the code of con­duct meets the requi­re­ments of Artic­le 22(5)(a) and (b) FADP.
Expl­ana­to­ry report

Based on Artic­le 22(5) nDSG, the pri­va­te con­trol­ler may refrain from dra­wing up a data pro­tec­tion impact assess­ment if it is cer­ti­fi­ed under Artic­le 13 nDSG or if it com­plies with a code of con­duct under Artic­le 11 nDSG that meets cer­tain requi­re­ments. If a code of con­duct is sub­mit­ted to the FDPIC, the FDPIC shall indi­ca­te in its opi­ni­on whe­ther, in its view, the requi­re­ments are met to refrain from pre­pa­ring a data pro­tec­tion impact assess­ment. This pro­vi­si­on spe­ci­fi­es that a con­trol­ler who wis­hes to wai­ve a data pro­tec­tion impact assess­ment must sub­mit its code of con­duct to the FDPIC and the lat­ter must have the oppor­tu­ni­ty to assess the code. It is not a mat­ter of appr­oval, but if a con­trol­ler, con­tra­ry to the opi­ni­on of the FDPIC, wis­hes to make use of the excep­ti­on under Artic­le 22(5)(a‑c), the FDPIC may, on the basis of Artic­le 51(3)(d) nDSG, order the con­trol­ler to car­ry out a data pro­tec­tion impact assessment.


Art. 44 Fees

1 The fees char­ged by the FDPIC are cal­cu­la­ted on the basis of the time spent
2 An hour­ly rate of 150 to 250 Swiss francs applies, depen­ding on the func­tion of the exe­cu­ting personnel.
3 In the case of ser­vices of excep­tio­nal scope, par­ti­cu­lar dif­fi­cul­ty or urgen­cy, surchar­ges of up to 50 per­cent of the fee in accordance with para­graph 2 may be levied
4 If the ser­vice pro­vi­ded by the FDPIC can be fur­ther used by the per­son lia­ble to pay the fee for com­mer­cial pur­po­ses, surchar­ges of up to 100 per­cent of the fee pur­su­ant to para­graph 2 may be levied
5 In all other respects, the Gene­ral Ordi­nan­ce on Fees of Sep­tem­ber 8, 2004 shall apply.

Expl­ana­to­ry report

Based on Artic­le 59 (1) nDSG, the FDPIC must char­ge fees for cer­tain ser­vices it pro­vi­des to pri­va­te indi­vi­du­als. The­se include the opi­ni­on on a code of con­duct (sub­pa­ra. a), the appr­oval of stan­dard data pro­tec­tion clau­ses and bin­ding cor­po­ra­te data pro­tec­tion regu­la­ti­ons (sub­pa­ra. b), the review of the data pro­tec­tion impact assess­ment (sub­pa­ra. c), pre­cau­tio­na­ry mea­su­res and mea­su­res under Artic­le 51 nDSG (sub­pa­ra. d) and con­sul­ta­ti­ons on data pro­tec­tion issues (sub­pa­ra. e).
Artic­le 59 para­graph 2 nDSG man­da­tes the Fede­ral Coun­cil to deter­mi­ne the amount of the fees.
Artic­le 44 para. 1 Art. (for­mer Art. 44 para. 1 E‑VDSG) estab­lishes the prin­ci­ple that the fees are cal­cu­la­ted accor­ding to the time spent. Accor­ding to para­graph 2, an hour­ly rate of 150 – 250 francs applies depen­ding on the func­tion of the exe­cu­ting per­son­nel. The amount is based on the hour­ly rate of the per­son­nel of the requi­red func­tion to be able to pro­vi­de the ser­vice. The FDPIC thus cal­cu­la­tes the fees on the basis of the hours spent by the exe­cu­ting per­son­nel. Any per­sons who have con­tri­bu­ted to the pro­vi­si­on of the ser­vice must be inclu­ded in this cal­cu­la­ti­on. Pur­su­ant to para­graph 3, the FDPIC has the opti­on of levy­ing surchar­ges of up to 50 per­cent of the fee pur­su­ant to para­graph 2 in the case of a ser­vice of excep­tio­nal scope, par­ti­cu­lar dif­fi­cul­ty or urgen­cy. The regu­la­ti­on spe­ci­fi­es the gene­ral requi­re­ment of Artic­le 5 para­graph 3 of the Gene­ral Fees Ordi­nan­ce of 8 Sep­tem­ber 2004 (Allg­Ge­bV). In the event that the ser­vice pro­vi­ded by the FDPIC can be fur­ther used by the per­son lia­ble to pay the fee for com­mer­cial pur­po­ses, the FDPIC may levy surchar­ges of up to 100 per­cent of the fee pur­su­ant to para­graph 2 in accordance with para­graph 4. For exam­p­le, if the FDPIC asses­ses a tool that can be resold by the per­son making the request as a data pro­tec­tion-com­pli­ant appli­ca­ti­on, the FDPIC should have the opti­on of incre­a­sing the fee so that it rough­ly cor­re­sponds to the hour­ly wage of a spe­cia­li­zed lawy­er. The decisi­ve fac­tor here is whe­ther the ser­vice is sui­ta­ble for fur­ther use for com­mer­cial pur­po­ses, regard­less of whe­ther this actual­ly hap­pens. The regu­la­ti­on pur­su­ant to para­graph 4 con­cerns in par­ti­cu­lar the case of advice within the mea­ning of Artic­le 59 para­graph 1 let­ter e nDSG. Nevert­hel­ess, it is also conceiva­ble that the FDPIC will assess stan­dard data pro­tec­tion clau­ses or codes of con­duct that can be fur­ther used for com­mer­cial pur­po­ses, e.g. becau­se they can be used as a pro­to­ty­pe for other stan­dard data pro­tec­tion clau­ses or codes of con­duct. Para­graph 5, moreo­ver, decla­res the Allg­Ge­bV appli­ca­ble. For its part, the Allg­Ge­bV regu­la­tes in par­ti­cu­lar the prin­ci­ples of char­ging fees, exemp­ti­ons from the obli­ga­ti­on to char­ge fees, and the coll­ec­tion procedure.

Chap­ter 7: Final Provisions

Art. 45 Repeal and amend­ment of other enactments


The repeal and amend­ment of other enact­ments are gover­ned by Annex 2.
Expl­ana­to­ry report

Sin­ce the pro­vi­si­ons on the repeal and amend­ment of other enact­ments tog­e­ther com­pri­se more than one prin­ted page, they are listed in an appen­dix. The repeal and amend­ment of other enact­ments are com­men­ted on in sec­tion 7.


Art. 46 Tran­si­tio­nal provisions

1 For data pro­ce­s­sing ope­ra­ti­ons that do not fall within the scope of Direc­ti­ve (EU) 2016/680, Artic­le 4(2) shall app­ly at the latest three years after the ent­ry into force of this Regu­la­ti­on or at the latest at the end of the life cycle of the system. In the mean­ti­me, the­se pro­ce­s­sing ope­ra­ti­ons shall be sub­ject to Artic­le 4(1)
2 Artic­le 8(5) does not app­ly to assess­ments car­ri­ed out befo­re the ent­ry into force of this Regulation
3 Artic­le 31 does not app­ly to plan­ned auto­ma­ted pro­ce­s­sing acti­vi­ties for which pro­ject appr­oval or the decis­i­on to deve­lop the pro­ject has alre­a­dy been made at the time of ent­ry into force of this Ordinance

Expl­ana­to­ry report

Artic­le 4(2) obli­ges the respon­si­ble fede­ral bodies and their com­mis­sio­ned pro­ces­sors to log the auto­ma­ted pro­ce­s­sing of per­so­nal data. For data pro­ce­s­sing fal­ling within the scope of Direc­ti­ve (EU) 2016/680, the log­ging obli­ga­ti­on has applied sin­ce the ent­ry into force of the Schen­gen Data Pro­tec­tion Act due to the requi­re­ment of Artic­le 25 of the said Direc­ti­ve. Various fede­ral bodies have poin­ted out an addi­tio­nal effort in con­nec­tion with the imple­men­ta­ti­on of Artic­le 4(2) Art. In order to take account of this addi­tio­nal effort, Artic­le 46(1) pro­vi­des for a tran­si­tio­nal peri­od of three years from the ent­ry into force of the Regu­la­ti­on or, at the latest, after the end of the life cycle of the system, for the remai­ning data pro­ce­s­sing ope­ra­ti­ons. During this peri­od, Artic­le 4(1) of the Regu­la­ti­on applies to the­se data pro­ce­s­sing ope­ra­ti­ons.
Artic­le 8(5) Art. intro­du­ces the obli­ga­ti­on to publish app­raisals. Artic­le 46(2) spe­ci­fi­es that the assess­ments car­ri­ed out befo­re the ent­ry into force of the Regu­la­ti­on shall not be published.
Accor­ding to Artic­le 31 Art., fede­ral bodies must now noti­fy the FDPIC of their plan­ned auto­ma­ted pro­ce­s­sing acti­vi­ties at the time of the pro­ject appr­oval or the decis­i­on on pro­ject deve­lo­p­ment. Para­graph 3 the­r­e­fo­re sti­pu­la­tes by way of tran­si­tio­nal law that Artic­le 31 Art. does not app­ly to plan­ned auto­ma­ted pro­ce­s­sing acti­vi­ties for which the pro­ject appr­oval or the decis­i­on on pro­ject deve­lo­p­ment has alre­a­dy taken place at the time the ordi­nan­ce enters into force.


Art. 47 Ent­ry into force


This Ordi­nan­ce shall enter into force on Sep­tem­ber 1, 2023.

Attach­ments

Annex 1 (Art. 8 par. 1)


19.
1 Ger­ma­ny*
2 Andor­ra***
3 Argen­ti­na***
4 Austria*
5 Bel­gi­um*
6 Bul­ga­ria***
7 Cana­da*** Ade­qua­te data pro­tec­tion is dee­med to be ensu­red if the Cana­di­an fede­ral law “Loi sur la pro­tec­tion des rens­eig­ne­ments per­son­nels et les docu­ments élec­tro­ni­ques” of April 13, 2000 applies in the pri­va­te sec­tor or the law of a Cana­di­an pro­vin­ce that lar­ge­ly cor­re­sponds to this fede­ral law. The fede­ral law applies to per­so­nal infor­ma­ti­on obtai­ned, pro­ce­s­sed or dis­c­lo­sed in the cour­se of com­mer­cial acti­vi­ties, whe­ther by orga­nizati­ons such as asso­cia­ti­ons, part­ner­ships, indi­vi­du­als or uni­ons, or fede­ral­ly regu­la­ted enti­ties such as plants, works, enter­pri­ses or busi­ness acti­vi­ties that fall within the legis­la­ti­ve juris­dic­tion of the Par­lia­ment of Cana­da. The pro­vin­ces of Qué­bec, Bri­tish Colum­bia, and Alber­ta have enac­ted legis­la­ti­on that is broad­ly simi­lar to the fede­ral law; the pro­vin­ces of Onta­rio, New Bruns­wick, New­found­land and Labra­dor, and Nova Sco­tia have enac­ted legis­la­ti­on that is broad­ly simi­lar to that law in the area of health infor­ma­ti­on. In all Cana­di­an pro­vin­ces, the fede­ral law applies to all per­so­nal data obtai­ned, pro­ce­s­sed or dis­c­lo­sed by fede­ral­ly regu­la­ted enti­ties, inclu­ding data about employees of tho­se enti­ties. The fede­ral law also applies to per­so­nal data trans­fer­red to ano­ther pro­vin­ce or coun­try in the cour­se of com­mer­cial activities
8 Cyprus***
9 Croa­tia***
10 Den­mark*
11 Spain*
12 Esto­nia*
13 Fin­land*
14 France*
15 Gibral­tar***
16 Greece*
17 Guern­sey***
18 Hun­ga­ry*
19 Isle of Man***
20 Faroe Islands***
21 Ire­land***
22 Ice­land*
23 Isra­el***
24 Ita­ly*
25 Jer­sey***
26 Lat­via*
27 Liech­ten­stein*
28 Lithua­nia*
29 Luxem­bourg*
30 Mal­ta*
31 Mona­co***
32 Nor­way*
33 New Zealand***
34 Net­her­lands*
35 Pol­and*
36 Por­tu­gal*
37 Czech Republic*
38 Roma­nia***
39 United Kingdom**
40 Slo­va­kia*
41 Slove­nia*
42 Swe­den*
43 Uru­gu­ay***

The data pro­tec­tion ade­qua­cy assess­ment inclu­des the dis­clo­sure of per­so­nal data in accordance with Direc­ti­ve (EU) 2016/680.
* The data pro­tec­tion ade­qua­cy assess­ment inclu­des the dis­clo­sure of per­so­nal data in accordance with an imple­men­ting decis­i­on of the Euro­pean Com­mis­si­on deter­mi­ning data pro­tec­tion ade­qua­cy under Direc­ti­ve (EU) 2016/680.
** The assess­ment of the ade­qua­cy of data pro­tec­tion does not include the dis­clo­sure of per­so­nal data in the con­text of the coope­ra­ti­on pro­vi­ded for by Direc­ti­ve (EU) 2016/680.

Expl­ana­to­ry report

Based on Artic­le 16 para­graph 1 nDSG, the Fede­ral Coun­cil is respon­si­ble for this and has the task of asses­sing which sta­te (or which ter­ri­to­ry or which spe­ci­fic sec­tor of a sta­te) and which inter­na­tio­nal body gua­ran­tees an ade­qua­te level of pro­tec­tion for the dis­clo­sure of per­so­nal data abroad.
A list of sta­tes is published in the annex to the regu­la­ti­on. The aim of this list is to crea­te a sin­gle space in terms of data pro­tec­tion. The list will be review­ed regu­lar­ly to take into account, on the one hand, the prac­ti­ce of other sta­tes and, on the other hand, deve­lo­p­ments at the inter­na­tio­nal level, in par­ti­cu­lar the rati­fi­ca­ti­ons of the revi­sed Con­ven­ti­on ETS 108. Con­se­quent­ly, the list is not final and could still be modi­fi­ed befo­re the ent­ry into force of the Regu­la­ti­on.
The data pro­tec­tion ade­qua­cy assess­ment inclu­des the dis­clo­sure of data for law enforce­ment pur­po­ses only if this is indi­ca­ted in the Annex. For exam­p­le, one aste­risk means that the ade­qua­cy assess­ment inclu­des the dis­clo­sure of per­so­nal data in accordance with Direc­ti­ve (EU) 2016/680, while two aste­risks means that it inclu­des the dis­clo­sure of per­so­nal data in accordance with an imple­men­ting decis­i­on of the Euro­pean Com­mis­si­on deter­mi­ning the ade­qua­cy of data pro­tec­tion in accordance with Direc­ti­ve (EU) 2016/680 (this curr­ent­ly applies to the United King­dom). Final­ly, three aste­risks mean that the data pro­tec­tion ade­qua­cy assess­ment does not include the dis­clo­sure of per­so­nal data in the con­text of the coope­ra­ti­on pro­vi­ded for by Direc­ti­ve (EU) 2016/680.
18. sta­tes, ter­ri­to­ries, spe­ci­fic sec­tors in a sta­te and inter­na­tio­nal bodies with ade­qua­te data protection