DSV

Text of the final DSV from 31 August 2022, without Annex 2 (amendments to other decrees). The text has been converted automatically – thank you for pointing out errors. The articles are preceded by the corresponding text of the Explanatory Report, without page numbers and without the general remarks of the report.

Chapter 1: General provisions

Section 1: Data security

Explanatory report
The guard rails for ensuring data security are already standardized in the law. According to Article 8 (1) nDSG, the controller and the order processor are obliged to ensure data security appropriate to the risk by means of suitable technical and organizational measures. According to paragraph 2, these measures must make it possible to avoid data security breaches. Paragraph 3 instructs the Federal Council to specify the minimum data security requirements at the ordinance level. With the provisions on data security, the Federal Council fulfills the legal mandate pursuant to Article 8 paragraph 3 nDSG. The penal provision in Article 61 letter c nDSG is also linked to these minimum requirements. The degree of security that must be maintained so that the penal norm is not violated is determined in accordance with the principles and criteria of this section. Pursuant to Article 61 letter c nDSG, criminal liability exists only in the case of intentional commission. This requires that the responsible party knowingly and willfully fails to comply with the minimum data security requirements. For example, someone who fails to install anti-virus software even though he knows (or at least accepts) that he is taking insufficient measures to comply with the minimum data security requirements would be liable to prosecution. Since the law already follows the approach of risk-based data security and no generally applicable minimum requirements can be defined for any industry, the DSV refrains from a rigid regime of minimum requirements. Instead, the approach of the DSV is based on the fact that it is primarily the responsibility of the responsible party to determine and take the measures necessary in each individual case.
These measures must be determined on a case-by-case basis, depending on the risk involved. For example, in a hospital, where particularly sensitive personal data is regularly processed, there are generally more stringent requirements compared to the processing of customer or supplier data in a bakery or butcher’s shop. The DSV therefore includes, in particular, the guidelines for determining the measures to be taken (Art. 1, 2 and 3 DSV). In this way, the flexibility necessary in view of the variety of possible case constellations can be ensured and overregulation can be prevented, especially for businesses with minor and low-risk data processing. Unlike the GDPR, Swiss law does not have a general accountability requirement. However, Swiss law already contains measures in the current law with which the accountability obligation can be fulfilled: logging (Art. 4) and the processing regulations (Art. 5, 6). Both measures are adopted in the DSV. They are crucial to ensure that Swiss law can provide an adequate level of protection compared to EU law. In addition, Directive (EU) 2016/680 requires logging. Both measures represent minimum data security requirements within the meaning of Article 8 (3) nDSG. Here, too, the Federal Council follows a risk-based approach: the higher the threat to the personal rights and fundamental rights of the individual, the higher the requirements. Under current law, the minimum requirements for data security are regulated in Articles 8–12 and Articles 20–21 of the FADP. The Federal Council has decided to tie in with the current standard of data security. The substantive requirements are therefore adopted in principle as they are.
Adjustments will only be made where this seems appropriate due to digitalization or technical progress, the requirements in the revised law or Directive (EU) 2016/680, which is relevant for Switzerland, namely its Articles 25 and 29. In addition, the Federal Council has also taken Regulation (EU) 2016/679 as a guideline so that Swiss companies operating in the EU and ensuring data security that complies with the GDPR can also assume that they meet the minimum requirements in Switzerland. From a systematic point of view, data security is now standardized in a dedicated section. In the current VDSG, data security is regulated separately for private and federal bodies; for reasons of clarity and better readability, the provisions are now combined. Where different requirements apply to private and federal bodies, these are regulated in separate articles or paragraphs.

Art. 1 Principles

1 In order to ensure adequate data security, the controller and the processor must determine the need for protection of the personal data and specify the technical and organizational measures that are appropriate in view of the risk.
2 The need for protection of personal data is assessed according to the following criteria:
a. type of data processed;
b. the purpose, nature, scope and circumstances of the processing.
3 The risk to the personality or fundamental rights of the data subject shall be assessed according to the following criteria:
a. causes of risk;
b. main hazards;
c. measures taken or planned to reduce the risk;
d. the likelihood and severity of a data breach despite the measures taken or provided for.
4 The following criteria are also taken into account when determining the technical and organizational measures:
a. state of the art;
b. implementation costs.
5 The need for protection of personal data, the risk and the technical and organizational measures must be reviewed over the entire processing period. The measures must be adapted if necessary.
Explanatory report
Article 1 DSV regulates the principles to be observed when determining the measures. It essentially adopts the regulatory concept of Article 8(2) and (3) of the Data Protection Act, with certain aspects being regulated more precisely. On the other hand, Article 8(1) of the FADP has been deleted, as the objectives for ensuring data security are now located at the level of the law. Article 8(2) nDSG specifically states that data security measures must make it possible to avoid data security breaches. According to Article 5 letter h nDSG, a breach of data security occurs when personal data is unintentionally or unlawfully lost, deleted, destroyed or modified, or disclosed or made accessible to unauthorized persons. The conventional IT protection objectives of confidentiality, integrity, availability and traceability can be derived from this. According to Article 8 (1) nDSG, the controller and the processor must ensure data security appropriate to the risk. In Article 1 DSV this protection goal is included in a new paragraph 1. In addition, various criteria for assessing the need for protection (para. 2) and for assessing the risk to the personality or fundamental rights of the data subject (para. 3) are specified. Paragraph 4 specifies that further criteria may be taken into account when determining the technical and organizational measures required to ensure adequate data security. The list of criteria is based on the current law. Article 1(2) DSV adopts Article 8(2)(a) and (b) of the Data Protection Act in terms of content and supplements it to regulate the protection needs analysis. The need for protection is assessed on the basis of the type of data processed and the purpose, nature, scope and circumstances of the data processing.
In particular, this involves the level of protection that must be ensured in view of the risk to the personal and fundamental rights of the data subjects. The higher the need for protection, the stricter the requirements for the measures. The following criteria should be taken into account when assessing the need for protection: The type of data processed (let. a): for example, it is decisive whether personal data requiring special protection (Art. 5 let. c nDSG) are processed. The purpose, nature, scope and circumstances of the data processing (let. b): the purpose refers to the purpose of the processing and, in particular, to the examination of whether the purpose of the processing entails an increased risk to personal rights and fundamental rights; in the case of the nature of the processing, it is of interest how the data is processed. The need for protection may be higher, for example, in the case of a fully automated decision (use of artificial intelligence); the scope of the processing is related in particular to the number of persons affected by the processing (e.g., if extensive data is processed or extensive public areas are systematically monitored). When using a cloud, the need for protection may be higher than when data is stored on an internal server without external access. Letter b has been supplemented in accordance with Article 22(2) nDSG with the expression of the “circumstances” of the data processing. These are aspects that may be of particular importance in individual cases because they have an impact on the other criteria. Thus, criteria can be included that would not fit into the definition of the criteria already mentioned. Article 1(3) DSV incorporates and clarifies Article 8(2)(c) of the Data Protection Act.
The provision introduces the assessment of the risk of violation of personality or fundamental rights of the data subject. As in the previous paragraph, a set of criteria is established. The paragraph is reworded to make it clear that the causes of the risk (subparagraph (a)), the main dangers (subparagraph (b)), the measures taken or envisaged to reduce the risk (subparagraph (c)) and the likelihood and severity of a data breach (subparagraph (d)) are decisive. This is an assessment according to a cascade system: the result of the assessment according to one criterion is decisive for the further risk assessment. More detailed information on the individual points follows: The causes of the risk (point a): It must be possible to determine which persons (e.g. an IT manager, a user, a competitor) or events (e.g. fire, computer virus) could underlie the risk. The main threats (b): This criterion can be used to identify threats that could lead to data security breaches (lost, damaged, altered, improperly or fraudulently used data, etc.). The measures taken or that may be taken to reduce the risk (subparagraph c): the various technical and organizational measures that may be envisaged or taken to reduce the risk are specified in Article 3 DSV. The likelihood and severity of a data breach despite the measures taken or envisaged (subpara. d): the potential impact on data subjects must be identified, for example, if individuals unlawfully access (and disclose), modify (leading to incorrect information about the data subject) or delete the data (putting them at risk of losing necessary data; here we can think, for example, of a patient dossier in which some data has been destroyed, preventing appropriate medical treatment).
Here, the more likely the occurrence of a data breach and the greater the impact on the affected individuals, the higher the requirements for the measures. It should be noted at this point that not every breach of data security within the meaning of Article 5 letter h nDSG also constitutes a breach of the minimum requirements within the meaning of Article 8 paragraph 3 nDSG and thus a breach of the due diligence obligations pursuant to Article 61 letter c nDSG. Absolute security cannot and should not be required. In particular, it is conceivable that the controller has taken all reasonable measures, but a data security breach nevertheless occurs, namely because the residual risk has materialized. This cannot be blamed on the responsible party. Rather, within the framework of the minimum requirements, it must be examined whether the controller and the processor have taken the appropriate measures to ensure data security in view of the specific situation, regardless of whether a data breach occurs. Following Article 8(2)(d) of the Data Protection Act, Article 1(4) DSV introduces additional criteria that may be taken into account when determining the technical and organizational measures to ensure adequate data security. The term “determination” includes the “assessment” and the “decision” (the French version uses the term “détermination”). The criteria are as follows: the state of the art (subparagraph (a)) and the implementation costs (subparagraph (b)). These criteria only indirectly indicate whether measures need to be taken and whether the measures to be taken are appropriate. State of the art (subpara. a): The measures are to be determined taking into account the state of the art (technical and scientific knowledge) and adapted if necessary.
The state of the art means the consideration of the current state of the art. It is therefore sufficient to take measures that are already available and have proven themselves accordingly. On the other hand, it cannot be demanded that brand-new unexplored techniques or those that are still in the development process be used. Implementation costs (b): The term “costs” is to be understood in a broad sense. It is not limited to financial costs, but also includes the necessary human and time resources. This terminology corresponds to that of European law (Directive [EU] 2016/680 and GDPR). The implementation costs are – as can be seen from the “Commentary of the Federal Office of Justice on the Enforcement Ordinance of June 14, 1993 (as of January 1, 2008) on the Federal Data Protection Act (FADP, SR 235.11)” (item 6.1.1) – also a criterion under current law when assessing the adequacy of the measures. However, the primary focus is on which technical and organizational measures are required in light of the criteria in letters a-c. In particular, data controllers and processors cannot exempt themselves from the obligation of adequate data security on the grounds that this would entail excessive costs; rather, they must in any case be in a position to ensure adequate data security. Nor can it be argued that if there is no concept during development, the implementation costs for implementing data security after going live will prove to be too high. Rather, for legacy applications, the planned time to replacement must be included (lifecycle). However, the criterion of cost may mean that, if there are several measures available to ensure an appropriate level of data protection at all times, the less expensive variant may be preferred. Various measures can be considered to ensure data security.
Three measures are mentioned here as examples: Anonymization, pseudonymization and encryption of personal data: Anonymization contributes in particular to reducing any negative effects for the data subjects that may result, for example, from the unauthorized disclosure of personal data. If anonymization exists, the FADP does not apply at all in accordance with its scope of application. Procedures for identifying, assessing and evaluating risks and reviewing the adequacy of the measures taken: Above a certain level of risk, it will make sense or even be necessary in many cases to implement standardized procedures and processes that not only regularly review the risks and the appropriateness of the measures taken, but also assess and evaluate them. Such measures are particularly important for automated systems. They help to ensure that data security is permanently guaranteed and that it is also easier to prove. Training and advice for the persons entrusted with implementation: In the view of the Federal Council, this measure is significant because the implementation and effectiveness of data security also depends in particular on whether the persons involved apply the specified measures. Thus, a lack of training and guidance can lead to a data breach. For example, employees should be educated about the risk of opening malware. Ultimately, of course, the circumstances of the individual case remain decisive in determining the measures. According to Article 1 (5), the measures must be reviewed on an ongoing basis and adjusted if necessary, as is the case under applicable law. In particular, it must be reviewed whether the measures are still appropriate to the risk and effective. Instead of “periodically”, the review must now take place “over the entire processing period”.
The need for review depends in particular on the level of risk to the personal rights and fundamental rights of those affected: the higher it is, the more frequently the measures must be reviewed on a regular basis. The new formulation moves in the direction of a constant review. However, it leaves the person in charge and the order processor a great deal of discretion. A review may also be necessary if there has been a breach of data security or if the processing of personal data has been adapted. Article 1(5) further clarifies that not only the technical and organizational measures must be reviewed during the entire duration of the processing, i.e. during the entire “lifecycle” of the personal data, but also the need for protection and the risks. By reviewing the need for protection and the risks, it is also (indirectly) checked whether the technical and organizational measures are suitable.

Art. 2 Goals

The data controller and the processor must take technical and organizational measures to ensure that the processed data, in accordance with their protection requirements:
a. are only accessible to authorized persons (confidentiality);
b. are available when they are needed (availability);
c. are not changed without authorization or unintentionally (integrity);
d. are processed in a comprehensible manner (traceability).
Explanatory report
Article 2 DSV supplements Article 1 nDSG in terms of the purpose of the law and specifies the objectives for ensuring adequate data security, which are now set out in Article 8(2) nDSG. According to this provision, the measures must make it possible to avoid a breach of data security. Absolute security is an unattainable ideal. The risk-based approach is intended to identify the risks (Art. 1 DSV) so that the measures are aligned with the objectives and selected accordingly. The responsible party and the order processor must determine the objectives and the scope of protection. In doctrine and practice, four protection objectives are usually recorded, known in French by the acronym C.A.I.D.: confidentiality (confidentialité), authenticity (authentification), integrity (intégrité) and availability (disponibilité) of the data. In line with Article 32 of the GDPR and with a view to harmonization with the Federal Act on Information Security at the Confederation, which is to enter into force soon, Article 2 is to regulate confidentiality (subpara. a), availability (subpara. b), integrity (subpara. c) and traceability (subpara. d). Confidentiality (subpara. a): The personal data may only be accessible to authorized persons. The circle of authorized persons is determined by the context of the task area and the content and importance of the data. It can be very broad or extremely narrow. Confidentiality also includes authentication, associated methods, and systems for managing and restricting access to ensure data security. Finally, the confidentiality of the system and the data should be guaranteed. The availability (subparagraph b): according to this purpose, the responsible party ensures that the data can be viewed at any time.
This requirement is even more stringent if the information must be constantly available for the fulfillment of essential or even legal tasks. Integrity (c): This objective ensures the accuracy of the data. It is particularly important if the data is intended for the public or is to be reused. Integrity is understood to mean authenticity, imputability and non-repudiation of the data. These terms are also used in practice or in teaching instead of integrity. Traceability (let. d): Based on this objective, unauthorized access or even misuse can be identified. In addition, the cause of an incident can be determined. The responsible party ensures that events and data traces are recorded and that they cannot be changed. Traceability of processing can be important to the process (evidence) and facilitates controls and monitoring. Attributability and non-repudiation of data are also mentioned in practice in connection with traceability mechanisms. Based on these objectives, procedures should be developed to regularly control, analyze and evaluate the effectiveness of the measures taken (Art. 1 para. 5 and Art. 3 DSV).

Art. 3 Technical and organizational measures

1 To ensure confidentiality, the controller and the processor must take appropriate measures so that:
a. authorized persons have access only to the personal data they need to perform their tasks (access control);
b. only authorized persons have access to the premises and facilities where personal data is processed (access control);
c. unauthorized persons cannot use automated data processing systems by means of data transmission equipment (user control).
2 To ensure availability and integrity, the controller and the processor must take appropriate measures to ensure that:
a. unauthorized persons cannot read, copy, modify, move, delete or destroy data carriers (data carrier control);
b. unauthorized persons cannot store, read, modify, delete or destroy personal data in the memory (memory control);
c. unauthorized persons cannot read, copy, modify, delete or destroy personal data when disclosing personal data or transporting data carriers (transport control);
d. the availability of and access to personal data can be quickly restored in the event of a physical or technical incident (recovery);
e. all functions of the automated data processing system are available (availability), malfunctions are reported (reliability) and stored personal data cannot be damaged by malfunctions of the system (data integrity);
f. operating systems and application software are always kept up to date with the latest security standards and known critical gaps are closed (system security).
3 To ensure traceability, the controller and the processor must take appropriate measures so that:
a. it is possible to check which personal data is entered or modified in the automated data processing system, at what time and by which person (input control);
b. it is possible to verify to whom personal data is disclosed using data transmission equipment (disclosure control);
c. data security breaches can be detected quickly (detection) and measures can be taken to mitigate or eliminate the consequences (elimination).
Explanatory report
Article 8(1) nDSG requires that adequate security of personal data be ensured. Taking into account the results of the consultation, Article 3 provides that organizational and technical measures must be taken to achieve the objectives of Article 2. In application of proportionality, the organizational and technical measures of the individual case are to be determined on this basis. The responsible parties and order processors must therefore examine which suitable measures they can use to achieve the protection goals. It is quite conceivable that not every protection goal is relevant in every case. However, if a protection goal is not relevant in a case, the responsible party and order processor must be able to justify why this is the case. The “suitability” of the measures depends on the circumstances. The article shows the responsible person and the order processor, in a didactic manner, a series of measures with which they can achieve the objectives of Article 2. Moreover, a measure may contribute to the achievement of different objectives. The article is largely a takeover of Article 9 of the Data Protection Act: The regulation is now under the title “Technical and organizational measures”. With Article 3 DSV, Switzerland also implements the requirements of Article 29 of Directive (EU) 2016/680. Article 1(3)(c) DSV requires the controller to take technical and organizational measures to reduce the risk. The text of the regulation refers to “authorized” persons in several technical and organizational measures. This does not necessarily require direct action by a person. Cases in which personal data is processed in applications or in an automated information system can also be subsumed under this.
Article 3(1) specifies Article 2(1)(a) and mentions measures for confidentiality, i.e. measures to ensure access control for personal data (subparagraph (a)), access control for premises and facilities (subparagraph (b)) and user control (subparagraph (c)). In the first place, letter a now standardizes access control for personal data. The protection goal has been taken from Article 9 (1) (g) of the Data Protection Act. It is mainly a matter of determining the access authorizations that regulate the type and scope of access. Care must be taken to ensure that authorized persons only have access to the personal data for which they are authorized. The measures to be taken are of an organizational and technical nature. Letter b standardizes the access control for premises and facilities anchored in Article 9 paragraph 1 letter a of the Data Protection Act. Accordingly, unauthorized persons must be denied access to the premises and facilities in which personal data are processed. The protection objective now also includes the term “facilities”. This is intended to express in particular that access to mobile processing systems must also be prevented. The term is very broadly defined and includes all devices for processing personal data, from fixed server systems and computers to cell phones and tablets. Due to technological advances, “facility” can refer to facilities of both a physical and virtual nature. Possible measures include alarm systems and lockable server cabinets. Letter c contains the user control regulated in Article 9 paragraph 1 letter f of the Data Protection Act. This is designed to prevent the use of automated data processing systems by means of data transmission equipment by unauthorized persons. The measures ensure that data cannot be used or passed on without authorization.
Possible measures include regular checks of authorizations (e.g., blocking authorizations due to personnel changes or new task assignments) and the use of software to protect against viruses or spyware, as well as raising staff awareness of phishing methods. With regard to availability and integrity, Article 3(2) DSV takes over the objectives of Article 2(1)(b) and (c) DSV. The measures in this regard are to ensure control of the data carriers (subparagraph a), storage (subparagraph b), transport (subparagraph c) and recovery (subparagraph d). The measures must be suitable to ensure availability, reliability and integrity (subparagraph e). Finally, the security of the system must be kept up to date (subparagraph (f)). Letter a regulates the data carrier control, which is currently standardized in Article 9 paragraph 1 letter b VDSG. This means that unauthorized persons must be prevented from reading, copying, modifying, moving, deleting or destroying data carriers. In particular, personal data must be prevented from being transferred to data carriers (e.g. hard drives, USB sticks) in an uncontrolled manner. Data carriers are not only physical carriers, but also cloud services, for example. Possible measures include, for example, encryption and the proper destruction of data carriers. The letter corresponds to the requirement of Article 29(2)(b) of Directive (EU) 2016/680. Letter b corresponds to Article 9(1)(e) of the Data Protection Act and standardizes storage control. According to the measure, unauthorized persons may not store, view, modify, delete or destroy personal data in the memory. It must be made impossible for unauthorized persons to access, view, modify or delete the contents of the data store.
Possible measures include, for example, defining differentiated access authorizations for data, applications and operating systems and logging access to applications. The letter corresponds to the requirement of Article 29(2)(c) of Directive (EU) 2016/680. Letter c standardizes the transport control, which is currently regulated in Article 9(1)(c) VDSG. Accordingly, when personal data is disclosed and data carriers are transported, it must be prevented that the data can be read, copied, modified, deleted or destroyed without authorization. The person responsible and the processor must ensure that the designated recipient receives the data in its original form and that no third party can intercept the data without authorization. Particularly in the case of personal data requiring special protection, there are increased requirements for the measures to be taken. For example, the encryption of data or data carriers may be considered. Letter d deals with the possibility of restoring the availability of personal data and access to it after a physical or technical incident. It has been newly included in the catalog based on Article 32(1)(c) of Regulation (EU) 2016/679 and corresponds to the requirement in Article 29(2)(i) of Directive (EU) 2016/680. One possible measure is the preparation and application of a backup concept. Letter e specifies that all functions of the automated data processing system are available (availability), any malfunctions that occur are reported (reliability) and stored personal data cannot be damaged by malfunctions of the system (data integrity). It was newly included in the catalog based on Article 32(1)(b) of Regulation (EU) 2016/679 and corresponds to the requirement in Article 29(2)(j) of Directive (EU) 2016/680.
Here, the focus is in particular on ensuring that the stability or resilience of the systems used is permanently guaranteed. The notification of malfunctions is to be made by the system itself, so that the person responsible or the order processor is automatically made aware that a malfunction has occurred. If a malfunction is reported, this does not automatically mean that the functions are reliable; rather, the malfunction must also be corrected for this. Letter f is about ensuring the security of operating systems and application software used in the processing of personal data. Since the processing of personal data is based on systems and various applications running on them, it is necessary that these are kept up to date with the latest security standards and that critical gaps are closed promptly. Letter f thus supplements the requirements in letters d and e, with the aim of ensuring holistic security. It is not required that every system and application update be installed immediately, but that a process for updating be in place (so-called vulnerability and patch management). The corresponding security update can be implemented in a time-phased manner, taking into account the criticality levels (high, medium, low). However, until vulnerabilities are remedied, measures must be taken to ensure that data security is still guaranteed. In contrast to Article 3(3)(c), letter f is not about reactive measures, but about the proactive remediation of vulnerabilities for which no data security breach has been identified in the system to date. Paragraph 3 lists the traceability measures (Art. 2(1)(d) DSV), i.e. measures to ensure input control (subpara. a) and disclosure control (subpara. b), as well as detection and remediation measures (subpara. c).
In let­ter a, the input con­trol is new­ly regu­la­ted. This requi­res – in accordance with Arti­cle 9 (2) (h) of the Data Pro­tec­tion Act – that it be pos­si­ble to sub­se­quent­ly veri­fy which per­so­nal data was ente­red or modi­fied in the auto­ma­ted data pro­ces­sing system, at what time and by which per­son. The pro­tec­tion goal has been adap­ted in such a way that it is now expli­ci­tly sta­ted that it must also be pos­si­ble to sub­se­quent­ly veri­fy the modi­fi­ca­ti­on of per­so­nal data. Log­ging in par­ti­cu­lar can be con­si­de­red as a pos­si­ble mea­su­re. Let­ter b con­cerns the dis­clo­sure con­trol. It has been taken over from Arti­cle 9 (1) (d) of the Data Pro­tec­tion Act and the wor­d­ing has been slight­ly adap­ted. Accord­ing to the new let­ter b, it is pos­si­ble to check to whom per­so­nal data has been dis­c­lo­sed using data trans­mis­si­on equip­ment. In par­ti­cu­lar, the mea­su­res should make it pos­si­ble to iden­ti­fy the data reci­pi­ents. In this con­text, it may be suf­fi­ci­ent that the insti­tu­ti­on as such is known, without the natu­ral per­son having to be iden­ti­fia­ble in every case. If necessa­ry, it must be pos­si­ble to deter­mi­ne, for examp­le, by means of pro­to­cols, which per­so­nal data were dis­c­lo­sed to whom. Let­ter c requi­res that the con­trol­ler and the pro­ces­sor can quick­ly iden­ti­fy brea­ches of data secu­ri­ty wit­hin the mea­ning of Arti­cle 5 let­ter h nDSG and initia­te mea­su­res to miti­ga­te or eli­mi­na­te their con­se­quen­ces. In con­trast to para­graph 2 let­ter e, this rela­tes in par­ti­cu­lar to reac­ti­ve mea­su­res taken by the con­trol­ler and the pro­ces­sor. Arti­cle 9(2) VDSG has been dele­ted, as it is no lon­ger necessa­ry in the view of the Federal Coun­cil. The rea­sons for refu­sing, restric­ting or defer­ring a requ­est for infor­ma­ti­on are defi­ned at the level of the law (cf. Art. 26 nDSG). 
Thus, the data con­trol­lers and order pro­ces­sors are alrea­dy obli­ged by vir­tue of the nDSG to ensu­re that the data sub­jects can effec­tively exer­cise their rights, and this irre­spec­ti­ve of the spe­ci­fic tech­no­lo­gies used to pro­cess the per­so­nal data. 

Art. 4 Logging

1 If per­so­nal data requi­ring spe­cial pro­tec­tion is pro­ces­sed auto­ma­ti­cal­ly on a lar­ge sca­le or if high-risk pro­filing is car­ri­ed out and pre­ven­ti­ve mea­su­res can­not gua­ran­tee data pro­tec­tion, the pri­va­te con­trol­ler and his pri­va­te pro­ces­sor must at least log the sto­rage, modi­fi­ca­ti­on, rea­ding, dis­clo­sure, dele­ti­on and dest­ruc­tion of the data. Log­ging must be car­ri­ed out in par­ti­cu­lar if it can­not other­wi­se be deter­mi­ned retro­spec­tively whe­ther the data was pro­ces­sed for the pur­po­ses for which it was obtai­ned or disclosed.
2 In the case of auto­ma­ted pro­ces­sing of per­so­nal data, the federal body respon­si­ble and its pro­ces­sor shall at least record the sto­rage, modi­fi­ca­ti­on, rea­ding, dis­clo­sure, dele­ti­on and dest­ruc­tion of the data.
3 In the case of per­so­nal data that is gene­ral­ly acces­si­ble to the public, at least the sto­rage, modi­fi­ca­ti­on, dele­ti­on and dest­ruc­tion of the data must be logged.
4 The log must pro­vi­de infor­ma­ti­on on the iden­ti­ty of the per­son who car­ri­ed out the pro­ces­sing, the type, date and time of the pro­ces­sing and, if app­li­ca­ble, the iden­ti­ty of the reci­pi­ent of the data.
5 The logs must be kept for at least one year sepa­r­ate­ly from the system in which the per­so­nal data are pro­ces­sed. They must be acces­si­ble only to the bodies and per­sons respon­si­ble for veri­fy­ing the app­li­ca­ti­on of the data pro­tec­tion pro­vi­si­ons or for main­tai­ning or resto­ring the con­fi­dentia­li­ty, inte­gri­ty, avai­la­bi­li­ty and tracea­bi­li­ty of the data, and may be used only for this purpose.
Explana­to­ry report
Logging is governed by Article 10 of the VDSG, which also applies to federal bodies due to the reference in the first sentence of Article 20(1) of the VDSG. Article 4 adopts this regulation in amended form. Logging constitutes a measure within the meaning of Article 3 DSV. This takes into account the fact that Swiss law, unlike the GDPR, does not provide for a general “accountability obligation”. Moreover, logging is also recommended by certain European data protection authorities. Furthermore, logging is a classic, preventive means of ensuring cybersecurity. The purpose of logging is to ensure that the processing of personal data can be verified retrospectively, so that it can be determined in retrospect whether data has been lost or deleted, destroyed, modified or disclosed. In addition, it is also a question of ensuring conformity with the purpose of the data and appropriate data security. Logging can also provide information as to whether personal data has been processed in accordance with its purpose. Furthermore, logging can also serve to uncover and clarify breaches of data security. However, logging is not intended to monitor the users who process personal data. Logging is an automated process. Nowadays, there is hardly any information system or automated data processing system in which data processing is not logged. Article 4(1) DSV requires logging for the private controller and its private processor in the case of automated processing of particularly sensitive data on a large scale or in the case of high-risk profiling, if preventive measures cannot guarantee data protection and if, without such measures, it cannot be determined retrospectively whether the data were processed for the purposes for which they were obtained or disclosed.
At least the pro­ces­ses of sto­ring, modi­fy­ing, rea­ding, dis­clo­sing, deleting and destroy­ing data must be log­ged. The pro­cess of “rea­ding” is to be under­s­tood as access without “modi­fi­ca­ti­on”; it is the­re­fo­re suf­fi­ci­ent if the access to per­so­nal data and the modi­fi­ca­ti­on of this data are log­ged. The log­ging of “rea­ding” is thus satis­fied. The phra­se “pre­ven­ti­ve mea­su­res can­not gua­ran­tee data pro­tec­tion” has been taken over from cur­rent law. In prac­ti­ce, it is of secon­da­ry import­ance, sin­ce the pre­ven­ti­ve mea­su­res only rare­ly gua­ran­tee data pro­tec­tion. Accord­ing to para­graph 2, when per­so­nal data are pro­ces­sed auto­ma­ti­cal­ly, the federal body respon­si­ble and its con­trac­ted pro­ces­sor must at least log the sto­rage, modi­fi­ca­ti­on, rea­ding, dis­clo­sure, dele­ti­on and dest­ruc­tion of the data. The­se are the same pro­ces­sing ope­ra­ti­ons that the pri­va­te con­trol­ler must also log, but for federal bodies, log­ging must take place in a lar­ger num­ber of cases (for each auto­ma­ted pro­ces­sing ope­ra­ti­on). This takes into account the requi­re­ments of Arti­cle 25 of Direc­ti­ve (EU) 2016/680 app­li­ca­ble in the con­text of Schen­gen coope­ra­ti­on in the area of cri­mi­nal law. As sta­ted abo­ve, with regard to “rea­ding”, it is suf­fi­ci­ent if the acces­ses to per­so­nal data and the modi­fi­ca­ti­on of the­se data are log­ged. For the imple­men­ta­ti­on of the log­ging obli­ga­ti­on, a tran­si­tio­nal peri­od of three years is pro­vi­ded for in Arti­cle 46(1) for data pro­ces­sing ope­ra­ti­ons that do not fall wit­hin the scope of Direc­ti­ve (EU) 2016/680. Para­graph 3 now sta­tes that for per­so­nal data that is gene­ral­ly acces­si­ble to the public, at least the sto­rage, modi­fi­ca­ti­on, dele­ti­on and dest­ruc­tion of the data must be log­ged. 
This means, for examp­le, that the con­sul­ta­ti­on of the sta­te calen­dar, which is gene­ral­ly publicly acces­si­ble, does not necessa­ri­ly have to be log­ged. The regu­la­ti­on was sup­ple­men­ted with a new para­graph 4, whe­re the con­t­ents of the log­ging are spe­ci­fied. Thus, the log­ging must pro­vi­de infor­ma­ti­on on the iden­ti­ty of the per­son who car­ri­ed out the pro­ces­sing, the type, date and time of the pro­ces­sing and, if app­li­ca­ble, the iden­ti­ty of the reci­pi­ent of the data. In para­graph 5, Arti­cle 10 para­graph 2 VDSG is taken over in a slight­ly modi­fied form. The logs must be kept for at least one year sepa­r­ate­ly from the system in which the per­so­nal data are pro­ces­sed. Howe­ver, this does not mean that the logs may be kept for a dis­pro­por­tio­na­te­ly long peri­od. The reten­ti­on peri­od must be pro­por­tio­na­te to the goal of ade­qua­te data secu­ri­ty. Moreo­ver, the spe­cial legal pro­vi­si­ons remain reser­ved for federal bodies in any case. In par­ti­cu­lar, the Ordi­nan­ce of 22 Febru­a­ry 2012 on the Pro­ces­sing of Per­so­nal Data Ari­sing from the Use of the Elec­tro­nic Infra­st­ruc­tu­re of the Con­fe­de­ra­ti­on pro­vi­des in Arti­cle 4(1)(b) that data rela­ting to the use of the elec­tro­nic infra­st­ruc­tu­re may be retai­ned for a maxi­mum of two years. Sepa­ra­te sto­rage from the system is necessa­ry becau­se other­wi­se the log its­elf could also be mani­pu­la­ted or encryp­ted in the event of cyber attacks. The logs are acces­si­ble only to the bodies or per­sons respon­si­ble for veri­fy­ing the app­li­ca­ti­on of data pro­tec­tion regu­la­ti­ons or for main­tai­ning or resto­ring the con­fi­dentia­li­ty, inte­gri­ty, avai­la­bi­li­ty and tracea­bi­li­ty of the data, and may be used only for this pur­po­se. 
With the latter addition, the text of the ordinance now expresses that the logs should also be accessible to security officers so that they can restore the confidentiality, integrity, availability and traceability of the data. The term “maintaining” is also intended to ensure that system administrators have access to the logs generated in the system if they suspect that a security vulnerability exists. Consequently, this data may not be used for the purpose of monitoring users, especially their professional activities. Of course, the use for purposes provided for in special legislation, such as possible use in criminal proceedings, remains reserved. The third sentence of Article 10(1) of the Data Protection Act has been deleted. It would be contrary to the system if the FDPIC could make recommendations in the area of data security, which is subject to criminal liability under Article 61(c). In addition, the FDPIC can order logging in any case in the context of an investigation under Article 51 nDSG in accordance with his general power of disposal.
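The following is an added example, not part of the ordinance or the Explanatory Report: a small checker that applies Art. 4 paras. 1 to 5 to an audit trail, covering the operations to be logged per case, the required content of each entry, separate storage and the one-year minimum retention. The field names, context labels, system names and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Operations named in Art. 4 paras. 1 and 2; para. 3 drops reading and
# disclosure for personal data that is generally accessible to the public.
FULL_OPS = frozenset({"store", "modify", "read", "disclose", "delete", "destroy"})
PUBLIC_OPS = frozenset({"store", "modify", "delete", "destroy"})

# Context labels are hypothetical names for the three cases in paras. 1-3.
REQUIRED_OPS = {
    "private_high_risk": FULL_OPS,
    "federal_body": FULL_OPS,
    "public_data": PUBLIC_OPS,
}

MIN_RETENTION = timedelta(days=365)  # para. 5: "at least one year"


@dataclass(frozen=True)
class AuditRecord:
    """One log entry; field names are assumptions, not taken from the DSV."""
    actor: str
    operation: str
    timestamp: Optional[datetime]
    recipient: Optional[str]
    log_system: str      # where the entry is stored
    source_system: str   # where the personal data is processed


def record_findings(rec: AuditRecord) -> list:
    """Check one entry against para. 4 (content) and para. 5 (separation)."""
    findings = []
    if not rec.actor.strip():
        findings.append("para. 4: identity of the person processing is missing")
    if rec.operation not in FULL_OPS:
        findings.append(f"para. 4: unknown type of processing {rec.operation!r}")
    # Assumption of this example: a timestamp without a time zone is treated
    # as not establishing the date and time of the processing.
    if rec.timestamp is None or rec.timestamp.tzinfo is None:
        findings.append("para. 4: date and time missing or without time zone")
    if rec.operation == "disclose" and not (rec.recipient or "").strip():
        findings.append("para. 4: recipient of disclosed data is missing")
    if not rec.log_system or rec.log_system == rec.source_system:
        findings.append("para. 5: log is not kept separately from the system")
    return findings


def coverage_gaps(context: str, logged_ops: Iterable[str]) -> list:
    """Operations that paras. 1-3 require for this context but are not logged."""
    return sorted(REQUIRED_OPS[context] - set(logged_ops))


def retention_findings(retention: timedelta,
                       ceiling: Optional[timedelta] = None) -> list:
    """Para. 5 sets a floor; the ceiling is chosen by the operator, since the
    report only says retention must not be disproportionately long."""
    findings = []
    if retention < MIN_RETENTION:
        findings.append("para. 5: retention is shorter than one year")
    if ceiling is not None and retention > ceiling:
        findings.append("retention exceeds the ceiling set by the operator")
    return findings


def audit(context, logged_ops, records, retention, ceiling=None) -> dict:
    """Combine the three checks into one report."""
    per_record = {}
    for index, rec in enumerate(records):
        found = record_findings(rec)
        if found:
            per_record[index] = found
    return {
        "missing_operations": coverage_gaps(context, logged_ops),
        "records": per_record,
        "retention": retention_findings(retention, ceiling),
    }


# Constructed sample entries (not real log data).
_T = datetime(2024, 3, 1, 8, 15, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    AuditRecord("u.meier", "read", _T, None, "log-archive", "hr-db"),
    AuditRecord("u.meier", "disclose", _T, None, "log-archive", "hr-db"),
    AuditRecord("", "modify", _T, None, "hr-db", "hr-db"),
]

if __name__ == "__main__":
    report = audit("federal_body", {"store", "modify", "delete", "destroy"},
                   SAMPLE_RECORDS, timedelta(days=180))
    for key, value in report.items():
        print(key, value)
```

A configuration that would satisfy para. 3 for publicly accessible data is reported as missing `read` and `disclose` once the same system is assessed as a federal body under para. 2.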

Art. 5 Pro­ces­sing regu­la­ti­ons of pri­va­te persons

1 The pri­va­te con­trol­ler and its pri­va­te pro­ces­sor must draw up regu­la­ti­ons for auto­ma­ted pro­ces­sing ope­ra­ti­ons if they:
a. pro­cess per­so­nal data requi­ring spe­cial pro­tec­tion on a lar­ge sca­le; or
b. per­form high-risk profiling.
2 The regu­la­ti­ons must in par­ti­cu­lar con­tain details of the inter­nal orga­niz­a­ti­on, the data pro­ces­sing and con­trol pro­ce­du­re and the mea­su­res to ensu­re data security.
3 The pri­va­te con­trol­ler and its pri­va­te com­mis­sio­ned pro­ces­sor must update the regu­la­ti­ons regu­lar­ly. If a data pro­tec­tion advi­sor has been appoin­ted, the regu­la­ti­ons must be made avail­ab­le to him or her.
Explana­to­ry report
Pro­ces­sing regu­la­ti­ons had to be drawn up by the “con­trol­ler of an auto­ma­ted data file sub­ject to noti­fi­ca­ti­on” under Arti­cle 11a (3) FADP, who was not exempt from the obli­ga­ti­on to noti­fy his data files on the basis of Arti­cle 11a (5) let­ters b‑d FADP (Art. 11 (1) FADP). Sin­ce the noti­fi­ca­ti­on obli­ga­ti­on for pri­va­te data con­trol­lers (Art. 11a FADP) no lon­ger exists in the nDSG, Arti­cle 11 FADP can­not be adop­ted unch­an­ged. Accord­ing to the princip­le of accoun­ta­bi­li­ty pro­vi­ded for in the GDPR, the con­trol­ler must be able to demon­stra­te com­pli­an­ce with the data pro­ces­sing princi­ples (Art. 5(2) GDPR). Swiss law does not have a gene­ral accoun­ta­bi­li­ty obli­ga­ti­on, but the obli­ga­ti­on to draw up pro­ces­sing regu­la­ti­ons ser­ves the same pur­po­se. The obli­ga­ti­on to draw up pro­ces­sing regu­la­ti­ons is incum­bent on the data con­trol­ler as well as its order pro­ces­sor. Pri­va­te pro­ces­sors acting on behalf of federal bodies fall under Arti­cle 6. If, excep­tio­nal­ly, a federal body acts as a pro­ces­sor of a pri­va­te pro­ces­sor, it does not fall under Arti­cle 5, whe­re only pri­va­te pro­ces­sors are cove­r­ed, but under the stric­ter Arti­cle 6. This is justi­fied by the spe­cial posi­ti­on and respon­si­bi­li­ty resul­ting from the legal natu­re of the federal body. The pro­ces­sing regu­la­ti­ons are to be drawn up sepa­r­ate­ly. In accordance with the risk-based approach of the data secu­ri­ty requi­re­ment, pro­ces­sing regu­la­ti­ons should always be drawn up when the­re is an incre­a­sed risk. Thus, pri­va­te data con­trol­lers must crea­te pro­ces­sing regu­la­ti­ons for auto­ma­ted pro­ces­sing if they pro­cess per­so­nal data requi­ring spe­cial pro­tec­tion on a lar­ge sca­le (sub­pa­ra­graph (a)) or per­form high-risk pro­filing (sub­pa­ra­graph (b)). 
Letter a corresponds to the requirement in Article 22 paragraph 2 letter a nDSG and refers to the processing of particularly sensitive personal data on a large scale. This excludes cases in which personal data requiring special protection is only processed on an isolated basis. Many companies, especially “traditional” SMEs, do not carry out such processing. They are therefore not affected by this provision. Paragraph 2 contains a list of the contents that must at least be specified in the processing regulations. The contents have been taken over from Article 11 paragraph 1 and Article 21 paragraph 2 VDSG in a slightly adapted form and supplemented. As before, the processing regulations must be designed as documentation or a manual and should also be used for this purpose by the person responsible. As before, the private controller and the processor must describe the internal organization in the processing regulations. This also includes a description of the architecture and functioning of the systems. Paragraph 2 specifies that the data processing procedures, i.e. in particular the procedures for storing, correcting, disclosing, retaining, archiving, pseudonymizing, anonymizing, deleting or destroying the data, must be contained in the processing regulations. This also includes measures for data minimization. The principle of data minimization is a central principle of data protection and, as can be seen from the DPA Message of September 15, 2017, implicitly follows from the principle of proportionality pursuant to Article 6(2) nDSG. In particular, it should be specified which data processing procedures are to be undertaken and how they are to be carried out.
The regu­la­ti­ons must also con­tain the pro­ce­du­re for exer­ci­s­ing the right of access and the right to issue or trans­fer data. The con­trol pro­ce­du­res must make it pos­si­ble to deter­mi­ne the access aut­ho­riz­a­ti­ons, the type and scope of access. Final­ly, it is essen­ti­al that the pro­ces­sing regu­la­ti­ons also inclu­de the tech­ni­cal and orga­niz­a­tio­nal mea­su­res to ensu­re appro­pria­te data secu­ri­ty. For examp­le, it must be sta­ted which mea­su­res are used to take account of the pro­tec­tion objec­ti­ves pur­suant to Arti­cle 2. The infor­ma­ti­on should also pro­vi­de infor­ma­ti­on on the con­fi­gu­ra­ti­on of the IT resour­ces, sin­ce this is a tech­ni­cal mea­su­re. The pre­vious Arti­cle 21(2)(h) of the Data Pro­tec­tion Act, which still expli­ci­tly men­ti­ons the con­fi­gu­ra­ti­on of the IT resour­ces, was the­re­fo­re not adop­ted. It is suf­fi­ci­ent that the most important basic con­fi­gu­ra­ti­ons of the IT resour­ces are exp­lai­ned in the pro­ces­sing regu­la­ti­ons. Howe­ver, they do not have to be ela­bo­ra­ted down to the tech­ni­cal details. Para­graph 3 repres­ents an adop­ti­on of Arti­cle 11 para­graph 2 VDSG. Com­pa­red to the cur­rent law, the addi­ti­on that the pro­ces­sing regu­la­ti­ons must be made avail­ab­le to the con­sul­tant in a form that he or she can under­stand has been dis­pen­sed with. Sin­ce the advi­sor hims­elf or herself is invol­ved in the pre­pa­ra­ti­on of the regu­la­ti­ons, they are gene­ral­ly com­pre­hen­si­ble to him or her. The obli­ga­ti­on that the pro­ces­sing regu­la­ti­ons must also be made avail­ab­le to the agent upon requ­est has been dele­ted. As with the list of pro­ces­sing acti­vi­ties, howe­ver, the FDPIC can requ­est it as part of an inve­sti­ga­ti­on (Art. 50 para. 1 let. a nDSG). 

Art. 6 Pro­ces­sing regu­la­ti­ons of federal bodies

1 The respon­si­ble federal body and its com­mis­sio­ned pro­ces­sor shall draw up pro­ces­sing regu­la­ti­ons for auto­ma­ted pro­ces­sing ope­ra­ti­ons if they:
a. pro­cess per­so­nal data requi­ring spe­cial protection;
b. car­ry out profiling;
c. pro­cess per­so­nal data in accordance with Arti­cle 34 para­graph 2 let­ter c FADP;
d. make per­so­nal data acces­si­ble to can­tons, for­eign aut­ho­ri­ties, inter­na­tio­nal orga­niz­a­ti­ons or pri­va­te persons;
e. link data files together; or
f. ope­ra­te an infor­ma­ti­on system or mana­ge data resour­ces tog­e­ther with other federal bodies.
2 The regulations must in particular contain information on the internal organization, the data processing and control procedure and the measures to ensure data security.
3 The federal body responsible and its commissioned processor must regularly update the regulations and make them available to the data protection advisor.
Explana­to­ry report
Article 6 corresponds, with some changes, to Article 21 of the Data Protection Act. The obligation to draw up processing regulations is incumbent on the responsible federal body as well as its commissioned processor. As mentioned above, Article 6 concerns both private order processors and federal bodies that act as order processors by way of exception. The processing regulations are to be drawn up separately. In the introductory sentence of paragraph 1, the term “data collections” appearing in Article 21(1) introductory sentence of the FADP is replaced by “processing operations” because it is no longer used in the nDSG. This provision now stipulates that the responsible federal bodies must draw up processing regulations in the cases referred to in paragraph 1 letters a-f. The nDSG abolishes the term “personality profile” and introduces the term “profiling”. Accordingly, Article 21(1)(a) of the FADP must be amended and Article 6(1) DSV must provide that the federal body responsible and its commissioned processor must draw up processing regulations if it processes personal data requiring special protection (subparagraph a), carries out profiling in accordance with Article 5(f) of the nDSG (subparagraph b) or processes data in accordance with Article 34(2)(c) of the nDSG (subparagraph c). The case under letter a corresponds to the previous right under the FADP. Letters b and c are new. They replace Article 21(1)(a) FADP, which requires the federal body responsible to draw up processing regulations for all automated data collections that contain personality profiles. Article 6 paragraph 1 letter d DSV undergoes only a few editorial changes compared to Article 21 paragraph 1 letter c FADP.
In Article 6(1)(e), the term “data collections” used in the corresponding Article 21(1)(d) FADP is replaced by “data files”. Based on Article 6 paragraph 1 letter f DSV, a set of processing regulations must also be drawn up if the responsible federal body operates an information system or manages data files together with other federal bodies. This provision replaces Article 21 paragraph 1 letter b VDSG, according to which such an obligation exists if an automated data collection is used by several federal bodies. Paragraph 2 corresponds to the content of the processing regulations for private individuals under Article 5 paragraph 2 DSV. Reference should therefore be made at this point to the comments made above. Paragraph 3 was taken over in slightly adapted form from Article 21 paragraph 3 VDSG. As in Article 5(3) DSV, the requirement to make the regulations available in intelligible form has also been deleted at this point. The term “supervisory bodies” has been replaced by “data protection advisor”. The mention of the FDPIC has been omitted for the reasons mentioned above in connection with Article 5(3) DSV.

Sec­tion 2: Pro­ces­sing by Order Processors

Art. 7

1 The prior authorization of the controller allowing the processor to entrust the data processing to a third party may be of a specific or general nature.
2 In the case of a general authorization, the order processor shall inform the responsible party of any intended change regarding the involvement or substitution of other third parties. The person responsible may object to this change.
Explana­to­ry report
Article 7 DSV regulates the type of prior authorization by which a controller may authorize a processor to transfer data processing to a third party. This provision is based on Article 22(2) of Directive (EU) 2016/680 or Article 28(2) of the GDPR. For reasons of legal certainty, it explicitly states what the Federal Council has already stated in the Dispatch on the Total Revision of the Data Protection Act regarding the authorization of subcontracted processing (see BBl 2017 6941, 7032). The prior authorization of the controller may be of a specific or general nature (Art. 7(1) DSV). In the case of a general authorization, the order processor must inform the responsible person of any intended change regarding the addition or replacement of another suborder processor. The controller may object to this change (Art. 7(2) DSV).

Sec­tion 3: Dis­clo­sure of per­so­nal data abroad

Explana­to­ry report
In accordance with the system of the Act, the provisions on the disclosure of personal data abroad have been placed among the general provisions in Chapter 1. Several terms related to the disclosure of data abroad need to be clarified. In the DSV, this is done in five different articles: a first article specifies the criteria that the Federal Council must take into account when assessing whether a state, a territory, a specific sector in a state, or an international organization ensures adequate data protection; a second article sets out what the data protection clauses in a treaty and the specific safeguards to ensure adequate data protection must regulate; a third article deals with standard data protection clauses; a fourth article focuses on binding internal company data protection rules; based on the competence assigned to the Federal Council in Article 16(3) nDSG, a final provision provides for further appropriate safeguards.

Art. 8 Assessment of the adequacy of data protection of a State, a territory, a specific sector in a State or an international body

1 The Sta­tes, ter­ri­to­ries, spe­ci­fic sec­tors in a Sta­te and inter­na­tio­nal bodies with ade­qua­te data pro­tec­tion are listed in Annex 1.
2 In asses­sing whe­ther a Sta­te, a ter­ri­to­ry, a spe­ci­fic sec­tor in a Sta­te or an inter­na­tio­nal body ensu­res ade­qua­te data pro­tec­tion, the fol­lo­wing cri­te­ria in par­ti­cu­lar shall be taken into account:
a. the inter­na­tio­nal obli­ga­ti­ons of the sta­te or inter­na­tio­nal body, espe­cial­ly in the field of data protection;
b. the rule of law and respect for human rights;
c. the app­li­ca­ble legis­la­ti­on, in par­ti­cu­lar on data pro­tec­tion, as well as its imple­men­ta­ti­on and the rele­vant case law;
d. the effec­ti­ve gua­ran­tee of the rights of data sub­jects and legal protection;
e. the effec­ti­ve func­tio­n­ing of one or more inde­pen­dent aut­ho­ri­ties respon­si­ble for data pro­tec­tion in the Sta­te con­cer­ned or to which an inter­na­tio­nal body is ans­wer­able and which have suf­fi­ci­ent powers and competences. 
3 The Federal Data Pro­tec­tion and Infor­ma­ti­on Com­mis­sio­ner (FDPIC) shall be con­sul­ted on any assess­ment. The assess­ments of inter­na­tio­nal bodies or for­eign aut­ho­ri­ties respon­si­ble for data pro­tec­tion may be taken into account.
4 The ade­quacy of data pro­tec­tion shall be reas­ses­sed periodically.
5 The assess­ments are published.
6 If the assess­ment under para­graph 4 or other infor­ma­ti­on shows that ade­qua­te data pro­tec­tion is no lon­ger gua­ran­te­ed, Annex 1 shall be amen­ded; this shall have no effect on the data dis­clo­sures alrea­dy made.
Explana­to­ry report
If certain criteria are met, the Federal Council may assess that a state or territory, a specific sector in a state or an international body guarantees adequate protection. According to Article 7 paragraph 1 letter d of the Organization Ordinance of 17 November 1999 for the Federal Department of Justice and Police (OV FDJP), the task of ensuring adequate data protection of a state, a territory, a specific sector in a state or an international body falls within the competence of the Federal Office of Justice. Pursuant to Article 8(1) DSV, the states, territories, specific sectors in a state and international bodies whose data protection has been deemed adequate are listed in the Annex to the Ordinance. As explained in the dispatch, this is a “positive list”. If a state is not included, this does not necessarily mean that it does not have data protection legislation that ensures adequate data protection; rather, it is conceivable that the state has not (yet) been assessed by the Federal Council. Only states that are included in the list in the Annex can therefore be considered to ensure adequate data protection. This approach differs somewhat from the approach of the FDPIC. Indeed, the FDPIC has so far indicated for each state whether it ensures adequate protection, adequate protection under certain conditions, or insufficient protection. It should also be noted that the FDPIC’s list is not binding and, in particular, does not bind the courts in the event of a dispute. Before discussing in detail the factors that the Federal Council must take into account in its assessment, it should first be clarified what is meant by a “territory” or a “specific sector in a State”. The term “territory” refers to cases where the country is not subject to a single legislation.
This concerns in particular the case of federal states, namely when the legislation of the central state does not ensure adequate protection, while a federal state has adequate data protection legislation, but this only applies on its own territory. Regarding the notion of “specific sector in a state”, for example, the list of the FDPIC can be cited, which takes into account, under Canada, that on the basis of a specific data protection law for the private sector, an adequate level of protection can only be recognized for this sector. Until July 2020, this also applied to the USA due to the Privacy Shield CH-US, which only allowed the free transfer of data to companies that had committed to comply with the binding principles of the Privacy Shield. Other specific sectors such as the financial or insurance sector or data processing by order processors should be mentioned. The term international body was clarified in the message on the Data Protection Act. It refers to “all international institutions, be they organizations or courts” (BBl 2017 6941, 7038). When deciding whether a state, a territory, a specific sector in a state, or an international body ensures adequate data protection, the following criteria, among others, must be taken into account (Art. 8(2) DSV):
The international obligations of the state or international body concerned, in particular in the area of data protection (para. 2 let. a): this refers in particular to the revised Convention ETS 108. However, not only agreements in the area of data protection are relevant, which is why the term “in particular” is used (see also the explanation to let. c). For example, agreements regulating the exchange of information may also play a role.
The rule of law and respect for human rights (para. 2(b)): In letter b, the term “human rights” is used in order to use the same terminology as in the ECHR and UN Covenant II. The Federal Council has the necessary discretion to determine whether a state ensures adequate data protection even if it does not fully comply with internationally recognized human rights. What is important here is that protection against disproportionate interference with private life is guaranteed, even if the state does not, for example, meet the requirements of the ECHR in all respects.
The applicable legislation, in particular on data protection, as well as its implementation and the relevant case law (para. 2(c)): Due to the expression “in particular”, sectoral legislation is also meant. These often contain (direct and/or indirect) regulations on data protection. This applies, for example, to states that do not have a framework law on data protection, but only a civil code. In some cases, these states have sectoral laws that contain data protection provisions. It is important that the applicable laws apply. Therefore, the focus will be on the relevant general and specific legislation of the state, including those on public security, defense, national security, criminal law, and access to personal data by public authorities.
The effective guarantee of the rights of data subjects and legal protection (para. 2(d)): the aim is not only to verify that the rights of data subjects are contained in legal bases, but also to ensure that these rights are actually implemented.
The effective functioning of one or more independent authorities in charge of data protection in the State concerned or to which an international body is subordinate and which have sufficient powers and competences.
In this sen­se, the mini­mum requi­re­ments of the revi­sed Con­ven­ti­on ETS 108 must be met (para­graph 2(e)). The third para­graph sti­pu­la­tes that the FDPIC is con­sul­ted in any ade­quacy assess­ment. Its opi­ni­on is not bin­ding on the Federal Coun­cil, but must be taken into account, espe­cial­ly in the con­text of the office con­sul­ta­ti­on. The FDPIC may also publish its opi­ni­on. The Federal Coun­cil may also take into account an assess­ment of the level of pro­tec­tion made by a for­eign aut­ho­ri­ty respon­si­ble for data pro­tec­tion (and belon­ging to a sta­te with an ade­qua­te level of pro­tec­tion) or by an inter­na­tio­nal body. An inter­na­tio­nal body wit­hin the mea­ning of this para­graph may be, inter alia, the Com­mit­tee of the Par­ties estab­lished by the revi­sed Con­ven­ti­on ETS 108. Assess­ments made by the Euro­pean Com­mis­si­on may also ser­ve as a source of infor­ma­ti­on. The fourth para­graph pro­vi­des for perio­dic reas­sess­ment of the level of pro­tec­tion in the Sta­te or body con­cer­ned. Based on the various com­ments recei­ved during the con­sul­ta­ti­on pro­ce­du­re, a new para­graph 5 pro­vi­des that the assess­ments car­ri­ed out by the Federal Office of Jus­ti­ce shall be published. The term assess­ment inclu­des both the assess­ment and the reas­sess­ment of sta­tes, ter­ri­to­ries, spe­ci­fic sec­tors in a sta­te or inter­na­tio­nal bodies that are alrea­dy on the list and are being reas­ses­sed. A new tran­si­tio­nal pro­vi­si­on (Art. 46(2)) cla­ri­fies that assess­ments con­duc­ted pri­or to the ent­ry into for­ce of the DSV will not be published. The ordi­nan­ce new­ly intro­du­ces the per­for­mance of a balan­cing of inte­rests, which makes it pos­si­ble to act in urgent cases if it can be con­clu­ded that ade­quacy is no lon­ger gua­ran­te­ed. 
Accord­ing to para­graph 6, Annex 1 shall be amen­ded if it is deter­mi­ned that data pro­tec­tion can no lon­ger be gua­ran­te­ed in a Sta­te, a ter­ri­to­ry, a spe­ci­fic sec­tor in a Sta­te or an inter­na­tio­nal body. In the case of the U.S., for examp­le, the July 2020 “Schrems II” ruling by the ECJ cau­sed the FDPIC to recon­si­der its assess­ment and amend its list. If infor­ma­ti­on sug­gests that a sta­te con­cer­ned no lon­ger ensu­res ade­qua­te data pro­tec­tion (e.g. due to a sta­te cri­sis), the Federal Coun­cil may urgent­ly amend the list without having car­ri­ed out a for­mal and com­ple­te exami­na­ti­on. This is becau­se urgent publi­ca­ti­ons are pos­si­ble under Arti­cle 7(3) PublG. Howe­ver, this only app­lies in the case of a dele­ti­on from the list. In the case of an addi­ti­on to the list, the assess­ment pro­ce­du­re must be fol­lo­wed (paras. 1 and 2). The amend­ment has no effect on data dis­clo­sures that have alrea­dy been made. 

Art. 9 Data pro­tec­tion clau­ses and spe­ci­fic safeguards

1 The data pro­tec­tion clau­ses in a con­tract under Arti­cle 16(2)(b) FADP and the spe­ci­fic gua­ran­tees under Arti­cle 16(2)(c) FADP must con­tain at least the fol­lo­wing points:
a. the app­li­ca­ti­on of the princi­ples of lega­li­ty, good faith, pro­por­tio­na­li­ty, trans­pa­ren­cy, pur­po­se limi­ta­ti­on and accuracy;
b. the cate­go­ries of per­so­nal data dis­c­lo­sed and the per­sons concerned;
c. the natu­re and pur­po­se of the dis­clo­sure of per­so­nal data;
d. where applicable, the names of the states or international bodies to which personal data are disclosed and the requirements for disclosure;
e. the requi­re­ments for the reten­ti­on, dele­ti­on and dest­ruc­tion of per­so­nal data;
f. the reci­pi­ents or cate­go­ries of recipients;
g. the mea­su­res to ensu­re data security;
h. the obli­ga­ti­on to report brea­ches of data security;
i. if the reci­pi­ents are data con­trol­lers: the obli­ga­ti­on to inform the data sub­jects about the processing;
j. the rights of the data sub­ject, in par­ti­cu­lar:
1. the right of access and the right to issue or trans­fer data,
2. the right to object to the dis­clo­sure of data,
3. the right to rec­ti­fi­ca­ti­on, era­su­re or dest­ruc­tion of their data,
4. the right to seek legal pro­tec­tion from an inde­pen­dent authority.
2 The controller and, in the case of data protection clauses in a contract, the processor must take reasonable measures to ensure that the recipient complies with these clauses or the specific safeguards.
3 If the FDPIC has been infor­med of the data pro­tec­tion clau­ses in a con­tract or of the spe­ci­fic safe­guards, the infor­ma­ti­on obli­ga­ti­on shall be deemed to have been ful­fil­led for all fur­ther dis­clo­sures that:
a. take place under the same data pro­tec­tion clau­ses or safe­guards, pro­vi­ded that the cate­go­ries of reci­pi­ents, the pur­po­se of the pro­ces­sing and the cate­go­ries of data remain sub­stan­ti­al­ly unch­an­ged; or
b. take place wit­hin the same legal enti­ty or com­pa­ny or bet­ween com­pa­nies belon­ging to the same group.
Explana­to­ry report
Accord­ing to Arti­cle 16 (2) nDSG, per­so­nal data may be dis­c­lo­sed to a sta­te that is not listed in Annex 1 of the Ordi­nan­ce – i.e. without the Federal Coun­cil having reco­gni­zed the ade­quacy of data pro­tec­tion as appro­pria­te – if appro­pria­te data pro­tec­tion is gua­ran­te­ed. In the pri­va­te sec­tor, this may be ensu­red by a data pro­tec­tion clau­se in a con­tract bet­ween the con­trol­ler or pro­ces­sor and its con­trac­tu­al part­ner (Art. 16 para. 2 let. b nDSG), and in the public sec­tor by spe­ci­fic gua­ran­tees drawn up by the com­pe­tent federal body (Art. 16 para. 2 let. c nDSG). Unli­ke the other instru­ments men­tio­ned in para­graph 2 of Arti­cle 16 nDSG, data con­trol­lers and pro­ces­sors do not have to have the­se safe­guards appro­ved by the FDPIC, but only have to noti­fy him of them befo­re dis­clo­sing data abroad. The­re is a cer­tain risk that data con­trol­lers and data pro­ces­sors will assess the level of pro­tec­tion to be achie­ved by the­se safe­guards dif­fer­ent­ly, and this app­lies equal­ly to the pri­va­te sec­tor and the public sec­tor. The Federal Coun­cil the­re­fo­re con­si­ders it appro­pria­te to estab­lish cer­tain data pro­tec­tion stan­dards and spe­ci­fies in Arti­cle 9(1) Art. what the­se data pro­tec­tion clau­ses or spe­ci­fic gua­ran­tees must regu­la­te as a mini­mum. The­se are as fol­lows: The app­li­ca­ti­on of the princi­ples of law­ful­ness, good faith, pro­por­tio­na­li­ty, trans­pa­ren­cy, pur­po­se limi­ta­ti­on and accu­ra­cy (sub­pa­ra­graph a). The cate­go­ries of per­so­nal data dis­c­lo­sed and the data sub­jects (sub­pa­ra­graph b). The natu­re and pur­po­se of the dis­clo­sure of per­so­nal data (sub­pa­ra­graph c). 
Whe­re app­li­ca­ble, the names of the Sta­tes or inter­na­tio­nal bodies to which or to which per­so­nal data are dis­c­lo­sed and the requi­re­ments for dis­clo­sure (sub­pa­ra­graph (d)): the expres­si­on “whe­re app­li­ca­ble” offers the pos­si­bi­li­ty of adap­ting to the cir­cum­stan­ces of a trea­ty. In cer­tain very nar­row­ly defi­ned con­tracts, this sub­pa­ra­graph does not qua­li­fy. For examp­le, if the con­tract does not dis­c­lo­se data to an inter­na­tio­nal body, such a refe­rence would obvious­ly be super­fluous. The requi­re­ments for the reten­ti­on, dele­ti­on and dest­ruc­tion of per­so­nal data (sub­pa­ra­graph (e)). The reci­pi­ents or cate­go­ries of reci­pi­ents (sub­pa­ra­graph (f)): The cate­go­ries of reci­pi­ents may be use­ful, albeit in spe­ci­fy­ing a gene­ric form, as necessa­ry (e.g.: Agents and repre­sen­ta­ti­ves, order pro­ces­sors, co-respon­si­ble par­ties, trea­ting phy­si­ci­ans, muni­ci­pa­li­ties, exter­nal part­ner orga­niz­a­ti­ons, etc.). The mea­su­res to ensu­re data secu­ri­ty (sub­pa­ra­graph g). The obli­ga­ti­on to report data secu­ri­ty brea­ches (sub­pa­ra. h). If the reci­pi­ents are data con­trol­lers: the obli­ga­ti­on to inform the data sub­jects about the pro­ces­sing (sub­pa­ra. i): The reci­pi­ent, as a pro­ces­sor, can­not be a data con­trol­ler and com­ply with this obli­ga­ti­on. The rights of the data sub­ject (sub­pa­ra­graph (j)), in par­ti­cu­lar: the right of access and the right to have data dis­c­lo­sed or trans­fer­red (sub­pa­ra­graph (1)), the right to object to the dis­clo­sure of data (sub­pa­ra­graph (2)), the right to have their data rec­ti­fied, era­sed or destroy­ed (sub­pa­ra­graph (3)) and the right to seek judi­cial pro­tec­tion from an inde­pen­dent aut­ho­ri­ty (data pro­tec­tion aut­ho­ri­ty or court) (sub­pa­ra­graph (4)). All of the­se points cor­re­spond to the fun­da­men­tals of the nDSG. 
Para­graph 2 also cla­ri­fies that if per­so­nal data are dis­c­lo­sed abroad, the con­trol­ler must take rea­son­ab­le mea­su­res to ensu­re that the reci­pi­ent com­plies with the data pro­tec­tion clau­ses in a con­tract or the spe­ci­fic safe­guards; the pro­ces­sor must also ensu­re this in the case of data pro­tec­tion clau­ses in a con­tract (con­tract pro­ces­sing is not app­li­ca­ble to the spe­ci­fic safe­guards). In this way, this para­graph (which essen­ti­al­ly adopts Art. 6(2) and (4) FADP) can be used to ensu­re that the reci­pi­ent of the dis­c­lo­sed data com­plies with the data pro­tec­tion frame­work app­li­ca­ble in Switz­er­land. A third para­graph takes over Art. 6(2) FADP on the duty of the data con­trol­ler to pro­vi­de infor­ma­ti­on. It is only edi­to­ri­al­ly adap­ted (e.g. the term “maît­re du fichier” is repla­ced in the French ver­si­on) by deleting the second sub-sen­tence in Arti­cle 6(2)(b) FADP. In any case, dis­clo­sure abroad is only per­mis­si­ble if the data pro­tec­tion clau­ses or safe­guards ensu­re appro­pria­te pro­tec­tion, name­ly by mee­ting the requi­re­ments of Arti­cle 9(1) Art. It is the­re­fo­re not necessa­ry to men­ti­on this again in Arti­cle 9(3)(b) Art. 

Art. 10 Stan­dard data pro­tec­tion clauses 

1 If the controller or processor discloses personal data abroad by means of standard data protection clauses in accordance with Article 16 paragraph 2 letter d FADP, it shall take appropriate measures to ensure that the recipient complies with them.
2 The FDPIC shall publish a list of standard data protection clauses which it has approved, issued or recognized. It shall communicate the result of the examination of the standard data protection clauses submitted to it within 90 days.
Explana­to­ry report
As in the case of data dis­clo­sure abroad, which is based on data pro­tec­tion clau­ses in a con­tract and on spe­ci­fic gua­ran­tees, Swiss data pro­tec­tion regu­la­ti­ons must also be com­plied with in the case of data dis­clo­sure by means of stan­dard data pro­tec­tion clau­ses (Art. 16 para. 2 let. d nDSG). Thus, Arti­cle 10(1) Art. which cor­re­sponds in princip­le to Arti­cle 6(4) nDSG spe­ci­fies that the con­trol­ler or pro­ces­sor must take appro­pria­te mea­su­res to ensu­re that the reci­pi­ent actual­ly com­plies with the stan­dard clau­ses. In the com­men­ta­ry of the Federal Office of Jus­ti­ce on the VDSG, this duty of care is spe­ci­fied as fol­lows: “The appro­pria­teness of the requi­red mea­su­res depends on the cir­cum­stan­ces in the spe­ci­fic case and the sta­te of the art. If it is a mat­ter of par­ti­cu­lar­ly sen­si­ti­ve per­so­nal data or per­so­na­li­ty pro­files, the requi­re­ments are hig­her than if it is a mat­ter of simp­le per­so­nal data.” Alt­hough the term “per­so­na­li­ty pro­files” is no lon­ger used in the nDSG, the explana­ti­on is still rele­vant for under­stan­ding that the mea­su­res must be adap­ted to the spe­ci­fic cir­cum­stan­ces. This is a duty of care and the con­trol­ler or pro­ces­sor must ensu­re that the mea­su­res are taken and moni­tor their imple­men­ta­ti­on. Para­graph 2 con­cerns the appro­val by the FDPIC of stan­dard data pro­tec­tion clau­ses drawn up by a pri­va­te per­son or a federal body. The FDPIC issu­es an opi­ni­on and publishes on its web­site a list of stan­dard data pro­tec­tion clau­ses that it has appro­ved, issued or reco­gni­zed. The stan­dard clau­ses must com­ply with Swiss data pro­tec­tion requi­re­ments and be capa­ble of being inter­pre­ted in accordance with Swiss data pro­tec­tion law. The FDPIC “shall com­mu­ni­ca­te the result of the review of the stan­dard data pro­tec­tion clau­ses sub­mit­ted to it wit­hin 90 days”. 

Art. 11 Bin­ding cor­po­ra­te data pro­tec­tion regulations

1 Binding corporate data protection regulations pursuant to Article 16 paragraph 2 letter e FADP apply to all companies belonging to the same group of companies.
2 They shall inclu­de at least the items refer­red to in Arti­cle 9(1) and the fol­lo­wing infor­ma­ti­on:
a. the orga­niz­a­ti­on and con­ta­ct details of the Group and its companies;
b. the mea­su­res taken wit­hin the Group to com­ply with bin­ding inter­nal cor­po­ra­te data pro­tec­tion regulations.
3 The FDPIC shall communicate the result of the review of the binding corporate data protection rules submitted to it within 90 days.
Explana­to­ry report
Bin­ding cor­po­ra­te data pro­tec­tion regu­la­ti­ons app­ly to all com­pa­nies belon­ging to the same cor­po­ra­te group and must be com­plied with by them. The­se regu­la­ti­ons must inclu­de not only the points men­tio­ned in Arti­cle 9 (1) Art. but also infor­ma­ti­on on the orga­niz­a­ti­on and con­ta­ct details of the group and each of its units (para. 2 let. a) as well as infor­ma­ti­on on the mea­su­res taken wit­hin the group to ensu­re com­pli­an­ce with the inter­nal com­pa­ny regu­la­ti­ons (para. 2 let. b). The­se bin­ding inter­nal com­pa­ny regu­la­ti­ons must also be sub­mit­ted to the FDPIC in accordance with Arti­cle 16 para­graph 2 let­ter e nDSG. Arti­cle 11 Art. inclu­des a new para­graph 3, accord­ing to which the FDPIC “shall com­mu­ni­ca­te the result of the review of the bin­ding cor­po­ra­te inter­nal data pro­tec­tion rules sub­mit­ted to it wit­hin 90 days”. 

Art. 12 Codes of con­duct and certifications

1 Personal data may be disclosed abroad if a code of conduct or certification ensures appropriate data protection.
2 The code of con­duct must be sub­mit­ted in advan­ce to the FDPIC for approval.
3 The code of conduct or certification must be accompanied by a binding and enforceable commitment by the controller or processor in the third country to apply the measures contained therein.
Explana­to­ry report
Accord­ing to Arti­cle 16(3) nDSG, the Federal Coun­cil may pro­vi­de for other sui­ta­ble safe­guards that allow data to be dis­c­lo­sed abroad. For examp­le, appro­pria­te data pro­tec­tion can also be gua­ran­te­ed by a code of con­duct or cer­ti­fi­ca­ti­on (para. 1). This new mea­su­re pro­vi­des com­pa­nies with an incen­ti­ve to intro­du­ce such a code or to have their systems, pro­ducts or ser­vices cer­ti­fied. As with stan­dard data pro­tec­tion clau­ses and bin­ding inter­nal com­pa­ny regu­la­ti­ons, for rea­sons of con­si­sten­cy, it is also sti­pu­la­ted that codes of con­duct must be appro­ved by the FDPIC (para. 2). This is becau­se the­se instru­ments must be exami­ned for their sui­ta­bi­li­ty. For its exami­na­ti­on, the FDPIC may be gui­ded by the cri­te­ria of Arti­cle 9(1) Art. The appro­val of the codes of con­duct by the FDPIC does not con­tra­dict Arti­cle 11 nDSG, which pro­vi­des in gene­ral terms that the FDPIC shall give an opi­ni­on on the codes of con­duct sub­mit­ted to him, but shall not appro­ve them. In the spe­ci­fic case whe­re a con­trol­ler reli­es on its code of con­duct when dis­clo­sing data abroad, it is appro­pria­te, as in the case of stan­dard data pro­tec­tion clau­ses and bin­ding cor­po­ra­te rules, for the FDPIC to appro­ve this instru­ment. Accord­ing to the ordi­nan­ce of 28 Sep­tem­ber 2007 on data pro­tec­tion cer­ti­fi­ca­ti­ons, only for­eign cer­ti­fi­ca­ti­ons must be reco­gni­zed by the FDPIC. This is main­tai­ned in this way with the total­ly revi­sed ordi­nan­ce. Howe­ver, this does not mean that the cer­ti­fi­ca­ti­on does not have to meet the requi­re­ments of the Ordi­nan­ce on Data Pro­tec­tion Cer­ti­fi­ca­ti­ons. In addi­ti­on, the con­trol­ler or pro­ces­sor loca­ted in a third coun­try must enter into a bin­ding and enfor­ce­ab­le com­mit­ment to app­ly the mea­su­res con­tai­ned in the code of con­duct or cer­ti­fi­ca­ti­on (para. 3). 
Repeal of Arti­cles 5 and 7 VDSG Arti­cles 5 and 7 VDSG are not taken over. The for­mer pro­vi­si­on was inser­ted into the nDSG (Art. 18). The second, which assi­gned the FDPIC the com­pe­tence to draw up a list of coun­tries with an ade­qua­te level of data pro­tec­tion, is obso­le­te becau­se the Federal Coun­cil now has this com­pe­tence (Art. 16 para. 1 nDSG). 

Chap­ter 2: Obli­ga­ti­ons of the respon­si­ble person

Art. 13 Moda­li­ties of the infor­ma­ti­on obligation

The data con­trol­ler must pro­vi­de the data sub­ject with the infor­ma­ti­on on the acqui­si­ti­on of per­so­nal data in a pre­cise, trans­pa­rent, com­pre­hen­si­ble and easi­ly acces­si­ble form.
Explana­to­ry report
The duty of the data con­trol­ler to pro­vi­de infor­ma­ti­on is ensh­ri­ned in Arti­cle 19 nDSG. Excep­ti­ons and limi­ta­ti­ons are set out in Arti­cle 20 nDSG. Arti­cle 19(1) nDSG pro­vi­des that the data sub­ject must be pro­vi­ded with “ade­qua­te” infor­ma­ti­on. This means that, as far as pos­si­ble, the infor­ma­ti­on is com­mu­ni­ca­ted in a pre­cise, trans­pa­rent, com­pre­hen­si­ble and easi­ly acces­si­ble form. In other words, when choo­sing the form of infor­ma­ti­on, the con­trol­ler must ensu­re that the data sub­ject always recei­ves the most important infor­ma­ti­on at the first level of com­mu­ni­ca­ti­on when obtai­ning his or her per­so­nal data. If the com­mu­ni­ca­ti­on takes place via a web­site, for examp­le, a good prac­ti­ce may be that all essen­ti­al infor­ma­ti­on is avail­ab­le at a glance, e.g. in the form of an orga­ni­zed over­view. To obtain fur­ther infor­ma­ti­on, the data sub­ject can then click on this infor­ma­ti­on dis­play­ed first, whe­reu­pon a win­dow opens with more detail­ed infor­ma­ti­on. It should be noted, howe­ver, that com­mu­ni­ca­ti­on via a web­site is not always suf­fi­ci­ent: The data sub­ject must know that he or she will find the infor­ma­ti­on on a spe­ci­fic web­site. In the case of a tele­pho­ne con­ver­sa­ti­on, the infor­ma­ti­on can also be com­mu­ni­ca­ted oral­ly and, if necessa­ry, sup­ple­men­ted by a link to a web­site. In the case of recor­ded infor­ma­ti­on, the data sub­ject must have the oppor­tu­ni­ty to listen to more detail­ed infor­ma­ti­on. In the event that the per­son is filmed using a video sur­veil­lan­ce system or a dro­ne, he or she must be made awa­re of this, for examp­le, by means of a sign or as part of an infor­ma­ti­on cam­pai­gn. In accordance with Arti­cle 19(1) nDSG, Arti­cle 13 Art. is direc­ted sole­ly at the con­trol­ler and not at the com­mis­sio­ned pro­ces­sor. 
Howe­ver, it should be noted at this point that the infor­ma­ti­on pro­vi­ded to the data con­trol­ler pur­suant to Arti­cle 19(2)(c) nDSG must also con­tain details of the reci­pi­ents or cate­go­ries of reci­pi­ents. Accord­ing to the explana­ti­ons in the Dis­patch on the Data Pro­tec­tion Act, the com­mis­sio­ned pro­ces­sor is also one of the reci­pi­ents wit­hin the mea­ning of Arti­cle 19(2)(c) nDSG (BBl 2017 6941, 7051). When obtai­ning per­so­nal data, the con­trol­ler must the­re­fo­re also inform the data sub­ject that the data will be dis­c­lo­sed to a com­mis­sio­ned processor. 

Art. 14 Reten­ti­on of the data pro­tec­tion impact assessment

The con­trol­ler must keep the data pro­tec­tion impact assess­ment for at least two years after the end of data pro­ces­sing.
Explana­to­ry report
The standard specifies the retention period for the data protection impact assessment within the meaning of Article 22 nDSG. It must be retained for at least 2 years. The reason for retaining the data protection impact assessment beyond the time the data processing is carried out is that it represents a central instrument under data protection law. It can be of particular importance when clarifying breaches of data security or assessing the punishability of conduct. Thus, the data protection impact assessment provides information on how the risks to personality or fundamental rights have been assessed and what measures have been taken. In the case of federal bodies, which in principle can only process data on the basis of legal foundations, it may be the case that a data protection impact assessment must be retained for a very long period of time due to the permanence of certain legal foundations. In the case of federal bodies, it will be necessary to further regulate how the data protection impact assessment is to be coordinated in time with the legislative process for creating the legal bases for data processing. It is to be stipulated that the federal bodies must include the data protection impact assessment together with the draft enactments in the application to the Federal Council and that they must record the results of the data protection impact assessment in the Federal Council’s message. However, since the regulation is only of a directive nature within the federal administration, it is not to be regulated at ordinance level. It is planned to implement the regulation in the guidelines for Federal Council business (“red folder”) and in the embassy guide.
For the imple­men­ta­ti­on of the data pro­tec­tion impact assess­ment, the FDPIC may make use of his com­pe­tence to deve­lop working instru­ments as recom­men­da­ti­ons of good prac­ti­ce for the atten­ti­on of data con­trol­lers wit­hin the mea­ning of Arti­cle 58(1)(g) nDSG. In doing so, it has a cer­tain degree of discretion. 

Art. 15 Noti­fi­ca­ti­on of data secu­ri­ty breaches

1 The noti­fi­ca­ti­on of a data bre­ach to the FDPIC must con­tain the fol­lo­wing infor­ma­ti­on:
a. the nature of the breach;
b. as far as pos­si­ble, the time and duration;
c. as far as pos­si­ble, the cate­go­ries and appro­xi­ma­te num­ber of per­so­nal data concerned;
d. as far as pos­si­ble, the cate­go­ries and appro­xi­ma­te num­ber of per­sons concerned;
e. the con­se­quen­ces, inclu­ding any risks, for the per­sons concerned;
f. what mea­su­res have been taken or are plan­ned to reme­dy the defect and miti­ga­te the con­se­quen­ces, inclu­ding any risks;
g. the name and con­ta­ct details of a con­ta­ct person.
2 If it is not possible for the person responsible to report all the information at the same time, he or she shall provide the missing information as quickly as possible.
3 If the controller is obliged to inform the data subject, he shall inform him in plain and intelligible language of at least the information referred to in paragraph 1 letters a and e-g.
4 The person responsible must document the violations. The documentation must contain the facts relating to the incidents, their effects and the measures taken. It must be kept for at least two years from the time of notification in accordance with paragraph 1.
Explana­to­ry report
Article 24(2) nDSG contains the minimum requirements for a notification of data security breaches by the data controller to the FDPIC: this includes the nature of the data security breach, its consequences and the measures taken or envisaged. The content of this notification to the FDPIC is further specified in Art. 15 para. 1 DSV (former Art. 19 para. 1 Electronic Data Protection Act). It should be noted that, according to Article 24(1) nDSG, notification to the FDPIC is limited to data security breaches that are likely to result in a high risk to the personality or fundamental rights of the data subject. Only notifiable breaches must be reported. Paragraph 1 contains the following catalog of information: In addition to the type of data security breach already mentioned in the law (subparagraph (a)), it is further provided that, to the extent possible, the time and duration of the data security breach must also be reported (subparagraph (b)). Further, to the extent possible, the categories and approximate number of personal data affected by the data breach (subparagraph (c)) must also be reported, as well as the categories and approximate number of individuals affected (subparagraph (d)). This information is of fundamental importance so that the extent of the breach can be assessed. In particular, it is necessary to know which categories of personal data are affected by the breach (e.g. addresses, credit card information, health data) so that the explanations of the consequences, risks and measures can be understood at all.
In con­nec­tion with the noti­fi­ca­ti­on of con­se­quen­ces and risks for the data sub­jects (sub­pa­ra­graph (e)) and the mea­su­res taken by the data con­trol­ler (sub­pa­ra­graph (f)), the data con­trol­ler must, when infor­ming the data sub­ject, also spe­ci­fy, among other things, which cate­go­ries of per­so­nal data are affec­ted by the bre­ach in his case. This allo­ws the data sub­ject to take con­cre­te mea­su­res hims­elf (e.g. immedia­te pass­word chan­ge if log­in data has been sto­len or credit card blocking). Final­ly, the data con­trol­ler must report the name and con­ta­ct details of a con­ta­ct per­son (sub­pa­ra­graph g) who will act as a point of con­ta­ct for com­mu­ni­ca­ti­on with the FDPIC as well as the data sub­jects. Para­graph 2 allo­ws the data con­trol­ler to pro­vi­de the infor­ma­ti­on to the FDPIC in sta­ges if it is not pos­si­ble for the data con­trol­ler to pro­vi­de all the infor­ma­ti­on under para­graph 1 at the same time when the data bre­ach is dis­co­ve­r­ed. Sin­ce the data con­trol­ler must sub­mit the noti­fi­ca­ti­on “as soon as pos­si­ble” pur­suant to Arti­cle 24(1) nDSG, the pro­blem will regu­lar­ly ari­se in prac­ti­ce, par­ti­cu­lar­ly with regard to the infor­ma­ti­on pur­suant to para­graph 1 let­ters b‑d, that this is often not even avail­ab­le immedia­te­ly after the data secu­ri­ty bre­ach is dis­co­ve­r­ed. The­re­fo­re, the respon­si­ble par­ty is enab­led to pro­vi­de only the basic infor­ma­ti­on known to it in a first step when the bre­ach is dis­co­ve­r­ed. For the sub­se­quent noti­fi­ca­ti­on, it app­lies – as accord­ing to Arti­cle 24 para­graph 1 nDSG – that the respon­si­ble par­ty must report the remai­ning infor­ma­ti­on “as soon as pos­si­ble”. As soon as the mis­sing infor­ma­ti­on is avail­ab­le, the respon­si­ble par­ty must pro­vi­de it to the FDPIC with a sub­se­quent noti­fi­ca­ti­on. If the infor­ma­ti­on still has to be obtai­ned, he must take care of it without delay. 
Para­graph 3 spe­ci­fies which infor­ma­ti­on must be pro­vi­ded to the data sub­ject if infor­ma­ti­on is to be pro­vi­ded to him or her in accordance with Arti­cle 24 para­graph 4 nDSG. Fur­ther­mo­re, this infor­ma­ti­on – in com­pa­ri­son to the noti­fi­ca­ti­on to the Com­mis­sio­ner – must be pro­vi­ded in the simp­lest and most com­pre­hen­si­ble lan­guage pos­si­ble, sin­ce it can­not be assu­med that an average data sub­ject is fami­li­ar with the tech­ni­cal jar­gon of this tech­ni­cal sub­ject mat­ter. The con­tent of the noti­fi­ca­ti­on to the FDPIC is some­what broa­der than the infor­ma­ti­on to the data sub­jects, sin­ce the for­mer must be able to get an idea of the extent of a data secu­ri­ty bre­ach. Para­graph 4 pro­vi­des that the facts rela­ted to the repor­ted data bre­ach, its effects and the mea­su­res taken must be docu­men­ted. The docu­men­ta­ti­on must be kept for at least two years from the date of noti­fi­ca­ti­on of the data bre­ach. In con­nec­tion with the prac­ti­cal imple­men­ta­ti­on of the noti­fi­ca­ti­on obli­ga­ti­on under Arti­cle 24 nDSG, it should be noted that, based on the expe­ri­ence of for­eign super­vi­so­ry aut­ho­ri­ties in imple­men­ting the simi­lar­ly struc­tu­red noti­fi­ca­ti­on obli­ga­ti­on in Arti­cle 33 of Regu­la­ti­on (EU) 2016/679, a lar­ge num­ber of annu­al noti­fi­ca­ti­ons can be expec­ted. For examp­le, the exchan­ge with the Bava­ri­an Sta­te Office for Data Pro­tec­tion Super­vi­si­on, who­se figu­res can be rough­ly pro­jec­ted to Switz­er­land, has shown that around 6000 noti­fi­ca­ti­ons could be recei­ved per year. In order to offer tho­se respon­si­ble a struc­tu­red reporting opti­on and to pro­cess the mass of reports as effi­ci­ent­ly as pos­si­ble, the FDPIC is cur­r­ent­ly working on the deve­lo­p­ment of a web-based reporting inter­face, pro­bab­ly in the form of an inter­ac­ti­ve form. 
As part of this pro­ject, the FDPIC is also cur­r­ent­ly exami­ning the pos­si­bi­li­ty of a joint reporting por­tal tog­e­ther with other federal bodies that pro­vi­de for simi­lar reporting obli­ga­ti­ons or pos­si­bi­li­ties in the area of data secu­ri­ty (e.g., for cri­ti­cal infra­st­ruc­tu­re reporting). Such a reporting por­tal would redu­ce the workload for the per­son respon­si­ble if he or she has to sub­mit reports to several federal agencies. 

Chap­ter 3: Rights of the data subject

Explana­to­ry report
The chap­ter on the rights of the data sub­ject in the e‑DSG only inclu­ded the right of access and its restric­tions. Par­lia­ment has added a right to data issu­an­ce and trans­fer. Accord­in­gly, the Regu­la­ti­on spe­ci­fies the­se two types of data sub­ject rights in sepa­ra­te sec­tions. The 1st sec­tion deals with the right of access. After con­sul­ta­ti­on with the Federal Depart­ment of For­eign Affairs and the Federal Depart­ment of Defen­se, Civil Pro­tec­tion and Sport, the con­tent of Arti­cle 14 of the Federal Data Pro­tec­tion Act was not inclu­ded in the Art. becau­se it is no lon­ger cur­rent. The­re­fo­re, the right to infor­ma­ti­on for both sec­tors, pri­va­te and public, is now regu­la­ted in the same chap­ter. This fol­lows the syste­ma­tics of the nDSG and con­nects to the pro­vi­si­ons on the duties of the data con­trol­ler. The various aspects of the right to infor­ma­ti­on are now spread over several arti­cles. A first arti­cle focu­ses on the moda­li­ties of the right to infor­ma­ti­on, in par­ti­cu­lar the form in which infor­ma­ti­on is to be pro­vi­ded. A second arti­cle regu­la­tes the right of access when several data con­trol­lers joint­ly pro­cess per­so­nal data or when data is pro­ces­sed by a pro­ces­sor. A third arti­cle spe­ci­fies the time limits, and a fourth arti­cle regu­la­tes the excep­ti­ons to the right of access being free of char­ge. The 2nd sec­tion deals with the right to issue or trans­fer data. It inclu­des the fol­lo­wing arti­cles: Arti­cle 20 Art. deals with the scope of the right, Arti­cle 21 Art. deals with the tech­ni­cal requi­re­ments for imple­men­ta­ti­on, and Arti­cle 22 Art. (for­mer Art. 24 E‑VDSG) spe­ci­fies under time limit, moda­li­ties and com­pe­tence to what extent the pro­vi­si­ons on the right to infor­ma­ti­on are app­li­ca­ble to the right to data sur­ren­der or transfer. 

Sec­tion 1: Right to information

Art. 16 Modalities

1 Anyo­ne who requests infor­ma­ti­on from the per­son respon­si­ble as to whe­ther per­so­nal data rela­ting to him or her is being pro­ces­sed must do so in wri­ting. If the per­son respon­si­ble agrees, the requ­est may also be made orally.
2 The information shall be provided in writing or in the form in which the data is available. With the agreement of the data controller, the data subject may inspect his or her data on site. The information may be provided orally if the data subject agrees.
3 The request for information and the provision of information may be made by electronic means.
4 The information must be provided to the data subject in an intelligible form.
5 The person responsible must take appropriate measures to identify the data subject. This person is obliged to cooperate.
Explana­to­ry report
This pro­vi­si­on spe­ci­fies the moda­li­ties of the right to infor­ma­ti­on pro­vi­ded for in Arti­cle 25 nDSG. It par­ti­al­ly incor­po­ra­tes Arti­cle 8(5) FADP and Arti­cle 1(1 – 3) FADP. Para. 1 Arti­cle 16 Art. (for­mer Art. 20 E‑DPA) focu­ses in para­graph 1 on the form of the requ­est for infor­ma­ti­on. “In wri­ting” wit­hin the mea­ning of Arti­cle 16(1) Art. inclu­des any form that enab­les pro­of by text. Not meant, howe­ver, is the so-cal­led simp­le writ­ten form accord­ing to Arti­cles 13 – 15 of the Code of Obli­ga­ti­ons . This requi­res a hand signa­tu­re or a qua­li­fied elec­tro­nic signa­tu­re lin­ked with a qua­li­fied time stamp in accordance with the Federal Act of 18 March 2016 on Elec­tro­nic Signa­tures. Arti­cle 16 para. 1 Art. on the other hand only requi­res the pre­sence of a writ­ten text. Art. 16 para. 1 Art. essen­ti­al­ly adopts the con­tent of Art. 1 para. 1 VDSG, accord­ing to which the per­son must “as a rule, app­ly for his right to infor­ma­ti­on in wri­ting”. The com­men­ta­ry on the FADP by the Federal Office of Jus­ti­ce alrea­dy spe­ci­fies that in cer­tain cases and sub­ject to the con­sent of the owner of the data collec­tion (now the data con­trol­ler), the oral form is suf­fi­ci­ent. For the sake of incre­a­sed cla­ri­ty, Arti­cle 16 Art. has been rewor­ded accord­in­gly. In addi­ti­on, Arti­cle 1 (1) of the Data Pro­tec­tion Act has been edi­to­ri­al­ly adap­ted. Para. 2 Com­pa­red to the cur­rent law, Arti­cle 16 (2) Art. (for­mer Art. 20 para. 2 E‑Data Pro­tec­tion Act) now expli­ci­tly sta­tes that infor­ma­ti­on may be pro­vi­ded not only in wri­ting but also in the form in which the data is avail­ab­le. As a rule, this is per­so­nal data in writ­ten form. If, on the other hand, the data is avail­ab­le in the form of visu­al or audio record­ings, for examp­le, the data sub­ject will recei­ve the data in this form. 
As sta­ted abo­ve, “in wri­ting” in the pre­sent con­text is to be under­s­tood as requi­ring the exi­stence of a writ­ten text. As pro­vi­ded for in Arti­cle 1(3) of the FADP, per­so­nal data may also be con­sul­ted on the spot, in par­ti­cu­lar if they are spread over various files or are par­ti­cu­lar­ly volu­min­ous, or if the infor­ma­ti­on reque­sted requi­res explana­ti­on. In con­trast to Arti­cle 1 (3) of the Data Pro­tec­tion Act, the pas­sa­ge accord­ing to which on-site inspec­tion takes place at the sug­ge­sti­on of the per­son respon­si­ble has been dele­ted. On-site inspec­tion always requi­res the con­sent of the data con­trol­ler and the data sub­ject. On who­se sug­ge­sti­on the on-site inspec­tion takes place, howe­ver, is not decisi­ve. In the case of on-site inspec­tion, the data sub­ject must nevertheless have the pos­si­bi­li­ty to requ­est a pho­to­co­py of cer­tain files in his or her dos­sier. As the Federal Supre­me Court sta­ted in BGE 119 III 141, the han­ding over of writ­ten (inclu­ding elec­tro­nic) docu­ments can be extre­me­ly signi­fi­cant for the per­son con­cer­ned. The oral com­mu­ni­ca­ti­on of infor­ma­ti­on, for examp­le on the tele­pho­ne, is also pos­si­ble, pro­vi­ded the data sub­ject has con­sen­ted. Infor­ma­ti­on in sum­ma­ri­zed (“aggre­ga­ted”) form is not per­mit­ted. Para. 3 Para­graph 3 adopts Arti­cle 1(2) of the Data Pro­tec­tion Act in an adap­ted form. It spe­ci­fi­cal­ly regu­la­tes the form of trans­mis­si­on of the requ­est for infor­ma­ti­on and the pro­vi­si­on of infor­ma­ti­on. Thus, the requ­est for infor­ma­ti­on and the pro­vi­si­on of infor­ma­ti­on may also be made elec­tro­ni­cal­ly. The data sub­ject may sub­mit his or her requ­est, for examp­le, by e‑mail or via an online plat­form of a com­pa­ny (e.g. the widespread custo­mer accounts). Accord­ing to the gene­ral rules, the sen­der bears the bur­den of pro­of that his or her mes­sa­ge has rea­ched the reci­pi­ent. 
Sin­ce elec­tro­nic trans­mis­si­on is also per­mit­ted without a legal basis, para­graph 3 is a decla­ra­to­ry pro­vi­si­on. Para. 4 If per­so­nal data are pro­vi­ded in a tech­ni­cal form, for examp­le in a non-stan­dard file for­mat, that is not read­a­ble and/or under­stand­a­ble by the data sub­ject, the data con­trol­ler must be able to pro­vi­de him or her with sup­ple­men­ta­ry explana­ti­ons, for examp­le ver­bal­ly. Par. 5 The con­trol­ler must take appro­pria­te mea­su­res to ensu­re the iden­ti­fi­ca­ti­on of the data sub­ject. The data sub­ject must the­re­fo­re coope­ra­te in their iden­ti­fi­ca­ti­on. In order for the con­trol­ler to be able to ensu­re the iden­ti­fi­ca­ti­on of the data sub­ject, he needs the necessa­ry infor­ma­ti­on from the data sub­ject. In the case of oral infor­ma­ti­on, the per­son respon­si­ble shall ensu­re in advan­ce (e.g. by pro­vi­ding the AHV no.) that he/she is pro­vi­ding the infor­ma­ti­on to the cor­rect per­son. Arti­cle 16 para. 5 Art. (for­mer Art. 20 para. 4 E‑VDSG) replaces the requi­re­ment under Art. 1 para. 1 VDSG that the data sub­ject must pro­ve his iden­ti­ty. Other aspects Para­graph 4 of Arti­cle 1 FADP, which con­cerns the time limit for pro­vi­ding infor­ma­ti­on, is con­ver­ted into a stand-alo­ne arti­cle (see Art. 18 Art., ex-Art. 22 Draft FADP below). The same app­lies to Arti­cle 1(5) and (6) of the FADP (see Art. 17 Art., for­mer Art. 21 Draft FADP below). 

Art. 17 Competence

1 If several data controllers process personal data jointly, the data subject may assert his or her right of access with each data controller.
2 If the request relates to data processed by a processor, the processor shall assist the controller in providing the information, unless the processor is responding to the request on behalf of the controller.
Explana­to­ry report
A sepa­ra­te arti­cle has been pro­vi­ded to cla­ri­fy the respon­si­bi­li­ty in cases whe­re several data con­trol­lers joint­ly pro­cess per­so­nal data. Para. 1 Para­graph 1 takes over para­graph 5 of Arti­cle 1 of the Data Pro­tec­tion Act in an adap­ted form. From a ter­mi­no­lo­gi­cal point of view, the term “data con­trol­ler” has been repla­ced by “data pro­ces­sor”. The excep­ti­on to the pos­si­bi­li­ty of asser­ting the right of access with any data con­trol­ler has been remo­ved. Thus, the data sub­ject may now always assert his or her right of access with any data con­trol­ler. In con­trast to Arti­cle 1(5) of the FADP, Arti­cle 17(1) no lon­ger obli­ges data con­trol­lers to for­ward the requests; rather, they must pro­vi­de infor­ma­ti­on in any case. The para­graph cor­re­sponds to Arti­cle 21(2) of Direc­ti­ve (EU) 2016/680 and Arti­cle 26(3) GDPR. Para. 2 Para­graph 2 adopts Arti­cle 1(6) of the FADP in an adap­ted form. The term “order pro­ces­sor” intro­du­ced in the nDSG (Art. 5 let. k nDSG) is adop­ted and the term “data con­trol­ler” is repla­ced by “data con­trol­ler”. Accord­ing to Arti­cle 25(4) nDSG, the con­trol­ler remains obli­ged to pro­vi­de infor­ma­ti­on even if he has the per­so­nal data pro­ces­sed by a com­mis­sio­ned pro­ces­sor. The pro­ces­sor is the­re­fo­re not requi­red by law to respond to requests for infor­ma­ti­on hims­elf. The­re­fo­re, in con­trast to the VDSG, Arti­cle 17(2) Art. now pro­vi­des that the order pro­ces­sor shall assist the con­trol­ler in respon­ding, pro­vi­ded that he does not respond to the requ­est on behalf of the con­trol­ler. This means that the pro­ces­sor must pro­vi­de the data to the con­trol­ler if the con­trol­ler does not have it himself. 

Art. 18 Time limit

1 The information must be provided within 30 days of receipt of the request.
2 If the information cannot be provided within 30 days, the controller must inform the data subject thereof and indicate the period within which the information will be provided.
3 If the person responsible refuses, restricts or postpones the information, he or she must notify the data subject of this within the same time limit.
Explana­to­ry report
Arti­cle 18 Art. (for­mer Art. 22 E‑DPA) takes over the fourth para­graph of Art. 1 FADP without any signi­fi­cant chan­ge. It cla­ri­fies the para­graph 7 inser­ted by Par­lia­ment in Arti­cle 25 nDSG, which sets the 30-day peri­od pre­vious­ly pro­vi­ded for in the ordi­nan­ce at the level of the law. The spe­ci­fi­ca­ti­on that the deci­si­on on the restric­tion of the right of access must be justi­fied has been dele­ted, as this pro­vi­si­on has alrea­dy been inclu­ded in Arti­cle 26(4) nDSG. Fur­ther­mo­re, the term “app­li­cant” is repla­ced by “data sub­ject” so that the ter­mi­no­lo­gy is con­si­stent with the nDSG. Essen­ti­al­ly, the pro­vi­si­on means that the data con­trol­ler must pro­vi­de the reque­sted infor­ma­ti­on to the data sub­ject wit­hin 30 days or noti­fy the data sub­ject wit­hin this peri­od that it refu­ses, restricts or post­po­nes the infor­ma­ti­on. In the public sec­tor, the pro­vi­si­on of infor­ma­ti­on as well as the refu­sal, restric­tion or defer­ral of infor­ma­ti­on is an order wit­hin the mea­ning of Arti­cle 5 VwVG . Para­graph 2 is only app­li­ca­ble if the data con­trol­ler is unab­le to pro­vi­de the infor­ma­ti­on wit­hin 30 days of rece­i­pt of the requ­est (and not in the case whe­re he restricts the right to infor­ma­ti­on wit­hin the mea­ning of Art. 26 nDSG): In that case, the respon­si­ble par­ty must com­mu­ni­ca­te in a time­ly man­ner, i.e. without unre­a­son­ab­le delay, the peri­od wit­hin which the infor­ma­ti­on will be provided. 

Art. 19 Excep­ti­on from free of charge

1 If the provision of the information involves a disproportionate effort, the controller may require the data subject to make a reasonable contribution to the costs incurred.
2 The participation amounts to a maximum of 300 Swiss francs.
3 The data controller must inform the data subject of the amount of the participation before providing the information. If the data subject does not confirm the request within ten days, it shall be deemed to have been withdrawn without incurring any costs. The time limit in accordance with Article 18 paragraph 1 begins to run after expiry of the ten-day cooling-off period.
Explana­to­ry report
The tit­le of the pro­vi­si­on is edi­to­ri­al­ly chan­ged com­pa­red to Arti­cle 2 of the Data Pro­tec­tion Act. Para. 1 Arti­cle 2(1)(a) of the FADP, which con­cerns que­ru­lous requests for infor­ma­ti­on, is repealed. Such cases are now regu­la­ted in the nDSG, which pro­vi­des in Arti­cle 26(1)(c) that the con­trol­ler may refu­se, restrict or post­po­ne the infor­ma­ti­on if the requ­est for infor­ma­ti­on is obvious­ly que­ru­lous. Arti­cle 2(1)(b) as well as para­graph 2 of the Data Pro­tec­tion Act are taken over in a slight­ly adap­ted form. The term “excep­tio­nal­ly” is dele­ted, sin­ce the tit­le of the arti­cle alrea­dy refers to “excep­ti­on”; the term “app­li­cant” (new para­graph 3) is repla­ced by “data sub­ject” for rea­sons of ter­mi­no­lo­gi­cal con­si­sten­cy with the nDSG. The term “par­ti­cu­lar­ly hea­vy workload” is repla­ced by “dis­pro­por­tio­na­te effort” so that the wor­d­ing is con­si­stent with the chan­ges made by the Natio­nal Coun­cil in Arti­cle 25(6) nDSG. For examp­le, it does not con­sti­tu­te a dis­pro­por­tio­na­te effort if the con­trol­ler has to grant access to a lar­ge num­ber of per­so­nal data if its inte­rest is pre­cise­ly to collect as much data as pos­si­ble. The same app­lies if the workload is lar­ge becau­se the data con­trol­ler is not orga­ni­zed in a suf­fi­ci­ent­ly struc­tu­red man­ner (dis­re­gard of the princip­le of “pri­va­cy by design”; becau­se accord­ing to this princip­le, data con­trol­lers or pro­ces­sors must have a system that allo­ws easy access to the data pro­ces­sed). Para. 2 The amount of 300 francs remains unch­an­ged. Accord­ing to the natio­nal con­su­mer pri­ce index, the amount has chan­ged only slight­ly sin­ce its intro­duc­tion in the ordi­nan­ce. Moreo­ver, it is not inten­ded to have a deter­rent effect on the per­son con­cer­ned. Para. 3 The per­son respon­si­ble must inform the data sub­ject of the amount of the par­ti­ci­pa­ti­on befo­re pro­vi­ding the infor­ma­ti­on. 
If the app­li­cant does not con­firm the requ­est wit­hin ten days, it shall be deemed to have been with­drawn without incur­ring any costs. The time limit pur­suant to Art. 18 para. (for­mer Art. 22 para. 1 E‑VDSG) begins to run after the 10-day coo­ling-off peri­od has expired. 

Sec­tion 2: Right to issue or trans­fer data

Explana­to­ry report
The­se arti­cles spe­ci­fy which various requi­re­ments app­ly to the right to data sur­ren­der or trans­fer as intro­du­ced in Arti­cle 28 nDSG. In light of the fact that it was the legislator’s goal to crea­te a simi­lar regu­la­ti­on as in Euro­pean law, the rules app­li­ca­ble in Arti­cle 20 GDPR on the right to data por­ta­bi­li­ty are taken into account. With the right to data sur­ren­der or data trans­fer, the data sub­jects recei­ve, on the one hand, the right, under cer­tain con­di­ti­ons, to requ­est their per­so­nal data, which they have made avail­ab­le to the con­trol­ler, from the con­trol­ler in a form that can be fur­ther used. The reque­sted per­so­nal data can be used for various pur­po­ses: for examp­le, for pure­ly per­so­nal use (e.g., to store the data on a per­so­nal sto­rage space), to for­ward it to ano­t­her online ser­vice pro­vi­der or to chan­ge the plat­form. The right to requ­est the trans­fer of their per­so­nal data, on the other hand, gives data sub­jects the right to requ­est that the data con­trol­ler trans­fer that per­so­nal data direct­ly to ano­t­her data con­trol­ler (e.g., so that a new online ser­vice pro­vi­der can aug­ment that per­so­nal data or offer new ser­vices to the data sub­ject, or to main­tain its own “histo­ry” in the event of a chan­ge of pro­vi­der), pro­vi­ded that this does not requi­re a dis­pro­por­tio­na­te effort. The right to data sur­ren­der or trans­fer must be distin­guis­hed from the right to infor­ma­ti­on under Arti­cle 25 nDSG. The right of access enti­t­les the data sub­ject to requ­est infor­ma­ti­on from the con­trol­ler about what per­so­nal data the con­trol­ler is pro­ces­sing about him or her. This enab­les the data sub­ject to requ­est the cor­rec­tion or dele­ti­on of his/her per­so­nal data in the event of unlaw­ful data pro­ces­sing. 
In con­trast, the new right to data dis­clo­sure or trans­fer aims to streng­t­hen the con­trol of data sub­jects over their per­so­nal data and its fur­ther use. It thus allo­ws them to dis­po­se of the issued or trans­fer­red per­so­nal data them­sel­ves, to use it fur­ther or to pass it on to other per­sons respon­si­ble. In addi­ti­on, this new right also makes it easier for data sub­jects to switch bet­ween dif­fe­rent offers, which also pro­mo­tes com­pe­ti­ti­on and inno­va­ti­on. For data con­trol­lers, this new right crea­tes the obli­ga­ti­on to make the per­so­nal data reque­sted avail­ab­le in aggre­ga­ted form wit­hin a rea­son­ab­le peri­od of time and to enab­le it to be embed­ded in a new system without dis­pro­por­tio­na­te effort. This requi­res that they use com­mon file for­mats and imple­ment com­mon, stan­dar­di­zed data manage­ment systems so that the data can con­ti­nue to be used. Both when issuing the reque­sted per­so­nal data and when trans­fer­ring it, the data con­trol­lers must take into account the princi­ples of data pro­tec­tion law as well as their obli­ga­ti­ons under data pro­tec­tion law. 
 

Art. 20 Scope of the claim

1 Personal data that the data subject has disclosed to the data controller shall be deemed to be:
a. data that the data subject knowingly and willingly makes available to the data controller;
b. data collected by the data controller about the data subject and his or her behavior in the course of using a service or device.
2 Personal data generated by the data controller through its own evaluation of the personal data provided or observed shall not be deemed to be personal data that the data subject has disclosed to the data controller.
Explana­to­ry report
Para. 1 This pro­vi­si­on spe­ci­fies which per­so­nal data are cove­r­ed by the enti­t­le­ment to data sur­ren­der or trans­fer. The enti­t­le­ment covers per­so­nal data rela­ting to the data sub­ject hims­elf and which is pro­ces­sed auto­ma­ti­cal­ly and on the basis of con­sent or in con­nec­tion with a con­tract (Art. 28 (1) nDSG). First and fore­most, per­so­nal data that is stored in paper form is exclu­ded from the claim. The claim does not app­ly to data con­trol­lers who pro­cess per­so­nal data in the per­for­mance of a public task or in the public inte­rest. This is in line with the pro­vi­si­on of Arti­cle 20(3) of the GDPR as well as the pri­ma­ri­ly eco­no­mic pur­po­se of the enti­t­le­ment to data sur­ren­der or trans­fer. Federal bodies that pro­cess per­so­nal data wit­hin the scope of their legal duties and on the basis of a legal foun­da­ti­on are the­re­fo­re in princip­le not affec­ted by the right to data sur­ren­der or trans­fer. Howe­ver, if federal bodies pro­cess per­so­nal data, for examp­le in com­pe­ti­ti­on with pri­va­te indi­vi­du­als, it is con­ceiva­ble that this per­so­nal data may be cove­r­ed by the claim. In any case, it is up to the data con­trol­ler to deter­mi­ne to which per­so­nal data it pro­ces­ses the claim could app­ly and which are exclu­ded. Fur­ther­mo­re, anony­mi­zed per­so­nal data or data that does not con­cern the data sub­ject is not cove­r­ed by the claim. Pseud­ony­mi­zed per­so­nal data that can be unam­bi­guous­ly lin­ked to the data sub­ject, on the other hand, is cove­r­ed by Arti­cle 20(1) Art. In prac­ti­ce, infor­ma­ti­on that inclu­des the per­so­nal data of several per­sons is likely to be affec­ted in many cases, such as the account histo­ry of a custo­mer or data on tele­pho­ne calls or messages that con­tain infor­ma­ti­on about third par­ties. In the con­text of a requ­est for sur­ren­der or trans­fer of per­so­nal data, the app­li­cant should also be pro­vi­ded with the­se records. 
Howe­ver, the per­so­nal data of third par­ties may not be pro­ces­sed for pur­po­ses that affect their rights and free­doms. This would be the case if the new con­trol­ler used the trans­fer­red per­so­nal data of third par­ties for its own pur­po­ses, for examp­le, to offer its own ser­vices to them. On the other hand, the­re would be no inter­fe­rence if, in the case of a trans­fer of account infor­ma­ti­on to a new bank account at the initia­ti­ve of the account hol­der, the con­ta­ct address in the account histo­ry of his bank account con­ti­nues to be used for the same pur­po­se, i.e. as a con­ta­ct address and for his per­so­nal use. Fur­ther­mo­re, only tho­se per­so­nal data that the data sub­ject actively pro­vi­des to a data con­trol­ler fall under Arti­cle 20(1) Art. Accord­ing to let­ter a, this rela­tes on the one hand to per­so­nal data that he or she pro­vi­des direct­ly and kno­win­gly to the data con­trol­ler, such as his or her con­ta­ct details via an online form or by making “likes”. Accord­ing to let­ter b, the claim also inclu­des per­so­nal data that the data sub­ject gene­ra­tes indi­rect­ly, i.e. through his or her acti­vi­ties when using a ser­vice or device (kno­win­gly or unkno­win­gly), and which are obser­ved by the data con­trol­ler (so-cal­led usa­ge data or “obser­ved” data, such as search que­ries, acti­vi­ty logs, web­site usa­ge histo­ry). The fact that this per­so­nal data is cove­r­ed by the claim for sur­ren­der and trans­fer is in line with the Euro­pean regu­la­ti­on and the pur­po­se of the stan­dard in Arti­cle 28 nDSG, accord­ing to which the data sub­ject should be able to demand sur­ren­der and fur­ther use the per­so­nal data he or she has pro­vi­ded to a data con­trol­ler. Para. 2 Para­graph 2 descri­bes which per­so­nal data is not to be regar­ded as per­so­nal data dis­c­lo­sed by the data sub­ject wit­hin the mea­ning of Arti­cle 28(1) nDSG. 
This regulation thus specifies the scope of the right to data disclosure or transfer. Accordingly, the claim does not cover personal data which a data controller derives from inferences from the personal data provided or observed by the data subject within the meaning of Article 20 (1) (a) and (b) itself or which is generated by its own analyses of such personal data. One can think, for example, of the assessment of a user’s state of health, user or risk profiles, credit risk analyses, etc. In contrast to the personal data provided, the services and investments of the controller here relate to the analysis and evaluation of the data provided and not to the collection and processing of the personal data. The exemption of these personal data from the right to data disclosure or transfer is in line with the regulation in European law. Since the aim of this claim is to enable the data subject to further use his or her personal data, it seems justified to provide for an exception for such personal data that a data controller generates by evaluating and using its own resources (own efforts, own investment, in-house algorithms and analysis procedures). In contrast to the personal data “provided” by the data subject pursuant to paragraph 1, in the case of such personal data generated by the data controller, the data controller’s interest in protecting its own performance and own investment must be given greater weight. Such personal data therefore do not fall within the scope of the right to data surrender or transfer.
However, within the framework of the right to information under Article 25 nDSG and the associated provisions of the Regulation (Art. 16 – 19 Art.), the data subject has the possibility to obtain information from the data controller about such personal data, its processing purpose, its retention period and, in the case of automated individual decisions, about the logic on which such decision is based. It is important to note that the provision in Article 20(2) is not to be understood as a restriction of the right to data disclosure or transfer introduced in Article 28 nDSG, but serves to interpret the statutory provision by specifying the scope of the right. Rather, based on the reference in Article 29(1) nDSG to Article 26(1) and (2) nDSG, the grounds provided for the restriction of the right of access apply mutatis mutandis equally to the refusal, restriction or postponement of the surrender or transfer of personal data, for example to protect overriding interests of the controller (e.g. in the case of trade secrets or intellectual property) or to protect overriding interests of third parties. However, this should not lead to a refusal to disclose any information to the data subject. Rather, a proportionality test and balancing of interests must determine on a case-by-case basis whether and which personal data should be released to the data subject or transferred to another data controller. If the data controller refuses or restricts the release or transfer of personal data or postpones it, it is obliged to give reasons to the data subject in accordance with Article 29(2) nDSG.

Art. 21 Tech­ni­cal requi­re­ments for implementation

1 Common electronic formats are those that enable the personal data to be transferred with a reasonable effort and to be further used by the data subject or another controller.
2 The right to issue or transfer data does not create an obligation for the data controller to adopt or maintain technically compatible data processing systems.
3 A disproportionate effort for the transfer of personal data to another controller exists if the transfer is technically not possible.
Explana­to­ry report
Para. 1 This provision specifies what is to be regarded as a common electronic format within the meaning of Article 28(1) nDSG. These are namely those formats that enable the personal data to be transferred with a proportionate effort and to be further used by the data subject or another data controller. If personal data is not available in a generally readable format (especially in the case of proprietary or little-used formats), it must be converted into a common electronic format by the data controller. Data formats should allow the data subject to upload their data in a standard computer-readable format directly from their personal account or area. Therefore, data formats that are appropriate for the type of data in question should be chosen. Preference should be given to open and interoperable formats such as XML and JSON for more comprehensive solutions, as well as CSV, ODT, ODS, etc., which in many cases are suitable for data output and transfer because they can be adopted by other responsible parties without significant compatibility issues. Data delivered in a format that is difficult to process (e.g., an image or PDF) or in a proprietary format that requires the purchase of software or a paid license to use is not a priori a suitable format. Furthermore, the content of the information provided should be accurately described with appropriate and understandable metadata so that it can be meaningfully incorporated into a new system. The data subjects and the responsible parties who take over the data as part of a data transfer must understand what kind of data it is. This metadata should be comprehensive enough to allow the data to be used and reused without disclosing trade secrets.
Para. 2 In accordance with European law, this provision specifies that the right of the data subject to request personal data relating to him or her to be transferred by the controller to another controller does not create an obligation for the controller to adopt or maintain technically compatible data processing systems. Although the introduction of standards for data formats would be possible in principle, the most suitable format in each case is likely to differ depending on the industry and sector. Therefore, it seems sufficient to provide for the use of common formats without specifying these formats in more detail or even conclusively. From a technical point of view, it is necessary that the responsible parties create the conditions to be able to exchange personal data. In addition, it must be possible for the personal data exchanged to be used by the data subject or the new data controller. To this end, the data controller must make the personal data available in interoperable formats and describe them in a way that is comprehensible to the data subject and the new data controller by means of suitable metadata in order to enable their further use.
Para. 3 Paragraph 3 specifies when, within the meaning of Article 28(3) nDSG, a transfer requires a disproportionate effort and the controller is not obliged to transfer personal data to another controller at the request of the data subject. Again in line with European law, a proportionate effort for a transfer is to be assumed if it is technically possible and feasible. Accordingly, the controller is obliged to transfer the personal data directly and in an interoperable format to another controller upon request of the data subject. Even if the other controller does not support this format, a direct data transfer can also take place if communication between two systems is possible in a secure manner and the receiving system is technically capable of receiving the incoming data. Whether a transmission is technically feasible must be checked on a case-by-case basis. It would also be conceivable for the controller to provide a secure application program interface (API) to enable the other controller to automatically retrieve the personal data. However, if a direct data transfer is not possible due to technical obstacles, the data controller must inform the data subject about these obstacles (Art. 29 para. 2 nDSG). However, the controller must not unjustifiably impede the transfer of personal data by providing technical obstacles that slow down or prevent data access, data transfer or data reuse by the data subject or another controller. This would be the case, for example, if data interoperability is not provided or access to a data format, programming interface, or format provided is not provided, if excessive delays occur or retrieval of the full data set is too complicated, if data is intentionally obfuscated, or if specific or unjustified sector-specific standardization or accreditation requirements are imposed.

Art. 22 Time limit, moda­li­ties and competence

Arti­cles 16(1) and (5) and 17 – 19 shall app­ly muta­tis mutan­dis to the right to issue or trans­fer data.
Explana­to­ry report
As far as the moda­li­ties of the right to sur­ren­der or trans­fer data are con­cer­ned, various pro­vi­si­ons on the right to infor­ma­ti­on app­ly muta­tis mutan­dis. This con­cerns the form in which the data sub­ject may requ­est the sur­ren­der or trans­fer of his or her per­so­nal data (Art. 16 para. 1 Art., form­er­ly Art. 20 para. 1 E‑Data Pro­tec­tion Act), as well as the rea­son­ab­le mea­su­res that must be taken to ensu­re the iden­ti­fi­ca­ti­on of the data sub­ject (Art. 16 para. 5 Art., form­er­ly Art. 20 para. 4 E‑Data Pro­tec­tion Act). The pro­vi­si­ons regu­la­ting respon­si­bi­li­ties in the case of requests for infor­ma­ti­on from several data con­trol­lers (Art. 17 para. 1 Art., form­er­ly Art. 21 para. 1 Elec­tro­nic Data Pro­tec­tion Act), or in the case of data pro­ces­sing by a com­mis­sio­ned pro­ces­sor (Art. 17 para. 2 Art., form­er­ly Art. 21 para. 2 Elec­tro­nic Data Pro­tec­tion Act) are also app­li­ca­ble muta­tis mutan­dis. It should be noted that per­so­nal data pro­ces­sed by com­mis­sio­ned pro­ces­sors are also sub­ject to the right to data sur­ren­der or trans­fer. In this case, it is the respon­si­bi­li­ty of the data con­trol­ler to crea­te the tech­ni­cal and orga­niz­a­tio­nal solu­ti­ons with which this right can be enfor­ced. The pro­ces­sor must sup­port the con­trol­ler in ful­fil­ling its obli­ga­ti­ons with regard to the right to data sur­ren­der or trans­fer (Art. 17 para. 2 Art., for­mer Art. 21 para. 2 E‑Data Pro­tec­tion Act). Final­ly, the pro­vi­si­ons on time limits (Art. 18 Art., form­er­ly Art. 22 Elec­tro­nic Data Pro­tec­tion Act) and the excep­ti­ons to free of char­ge (Art. 19 Art., form­er­ly Art. 23 Elec­tro­nic Data Pro­tec­tion Act) are also app­li­ca­ble muta­tis mutan­dis to the right to issue or trans­fer data in the case of requests for information. 

Chap­ter 4: Spe­cial pro­vi­si­ons on data pro­ces­sing by pri­va­te persons

Art. 23 Data pro­tec­tion advisor

The responsible party must:
a. provide the data protection advisor with the necessary resources;
b. grant the data protection advisor access to all information, documents, records of processing activities and personal data required by the advisor to perform his or her duties;
c. grant the data protection advisor the right to inform the highest management or administrative body in important cases.
Explana­to­ry report
Arti­cle 10(2) nDSG regu­la­tes in a non-exhaus­ti­ve man­ner two are­as of respon­si­bi­li­ty of the data pro­tec­tion advi­sor of a pri­va­te con­trol­ler: He or she trains and advi­ses the pri­va­te con­trol­ler on data pro­tec­tion issu­es (sub­pa­ra­graph (a)) and assists in the enfor­ce­ment of data pro­tec­tion regu­la­ti­ons (sub­pa­ra­graph (b)). Sin­ce the­se are­as of respon­si­bi­li­ty are suf­fi­ci­ent­ly spe­ci­fic from the law, they will not be defi­ned again in the ordi­nan­ce in the future, con­tra­ry to the con­sul­ta­ti­on draft. Let­ters a and b The­se pro­vi­si­ons cor­re­spond in con­tent to Arti­cle 12b (2) (b) and (c) of the FADP. The list of docu­ments to which the data pro­tec­tion advi­sor must have access has been adap­ted to the ter­mi­no­lo­gy in the nDSG. Access is not unre­stric­ted, but only to tho­se docu­ments that the data pro­tec­tion advi­sor actual­ly needs to ful­fill his or her duties. In par­ti­cu­lar, access to per­so­nal data must only be gran­ted if it is requi­red for the per­for­mance of the task. If, for examp­le, the data pro­tec­tion advi­sor is con­duc­ting a gene­ral review of inter­nal data pro­tec­tion regu­la­ti­ons or data pro­ces­sing pro­ces­ses, he or she will not nor­mal­ly need to be able to inspect per­so­nal data. On the other hand, Arti­cle 12b(2)(a) of the FADP is not adop­ted becau­se the requi­re­ment men­tio­ned the­r­ein is new­ly pro­vi­ded for in the law (Art. 10(3)(a) of the FADP). Let. c The data con­trol­ler must grant the data pro­tec­tion advi­sor the right to inform the hig­hest manage­ment or admi­ni­stra­ti­ve body in important cases. This refers to the top manage­ment of the pri­va­te con­trol­ler, i.e., the body that is also respon­si­ble for com­pli­an­ce with data pro­tec­tion regu­la­ti­ons. The pro­vi­si­on estab­lishes a right of esca­la­ti­on for the data pro­tec­tion advi­sor. 
This is necessa­ry so that the data pro­tec­tion advi­sor, in the case of inter­nal com­pa­ny audits of com­pli­an­ce with data pro­tec­tion rules, must not only trust the docu­ments avail­ab­le to him or her, but can also enfor­ce the pro­cu­re­ment of addi­tio­nal infor­ma­ti­on and docu­ments. In addi­ti­on, this ensu­res that the data pro­tec­tion advi­sor can report to the hig­hest bodies of the con­trol­ler or the com­mis­sio­ned pro­ces­sor in the event of com­plex cir­cum­stan­ces and par­ti­cu­lar­ly serious vio­la­ti­ons and bring about a deci­si­on. Repeal of Arti­cle 12a VDSG This pro­vi­si­on is repealed as its con­tent has been new­ly inclu­ded in the law (Art. 10 para. 3 let. b and c nDSG). 

Art. 24 Exemp­ti­on from the obli­ga­ti­on to keep a regi­ster of pro­ces­sing activities

Com­pa­nies and other orga­niz­a­ti­ons under pri­va­te law that employ fewer than 250 employees on Janu­a­ry 1 of any year, as well as natu­ral per­sons, are exempt from the obli­ga­ti­on to keep a regi­ster of pro­ces­sing acti­vi­ties, unless one of the fol­lo­wing con­di­ti­ons is met:
a. Per­so­nal data requi­ring spe­cial pro­tec­tion is pro­ces­sed on a lar­ge scale.
b. High risk pro­filing is performed.
Explana­to­ry report
Based on Arti­cle 12 nDSG, data con­trol­lers and data pro­ces­sors must each keep a regi­ster of their pro­ces­sing acti­vi­ties. This must con­tain some mini­mum infor­ma­ti­on. For the direc­to­ry of the con­trol­ler, the­se are: the iden­ti­ty of the con­trol­ler, the pur­po­se of the pro­ces­sing, a descrip­ti­on of the cate­go­ries of data sub­jects and the cate­go­ries of per­so­nal data pro­ces­sed, the cate­go­ries of reci­pi­ents, if pos­si­ble the reten­ti­on peri­od of the per­so­nal data or the cri­te­ria for deter­mi­ning this peri­od, as well as a gene­ral descrip­ti­on of the mea­su­res taken to ensu­re data secu­ri­ty in accordance with Arti­cle 8 nDSG, and, if the data are dis­c­lo­sed abroad, the indi­ca­ti­on of the sta­te as well as the gua­ran­tees in accordance with Arti­cle 16 para­graph 2 nDSG (Arti­cle 12 para­graph 2 nDSG). For some SMEs, kee­ping such a regi­ster may invol­ve a dis­pro­por­tio­na­te admi­ni­stra­ti­ve bur­den com­pa­red to the pos­si­ble risks that data pro­ces­sing entails for the per­so­na­li­ty of the data sub­jects. Sin­ce Arti­cle 12(5) nDSG requi­res the Federal Coun­cil to pro­vi­de for excep­ti­ons for com­pa­nies, inclu­ding sole pro­prietor­ships, it is accord­in­gly also empowe­red to app­ly the­se excep­ti­ons to natu­ral per­sons and other legal enti­ties such as asso­cia­ti­ons and foun­da­ti­ons. This seems appro­pria­te becau­se kee­ping the regi­ster could impo­se a dis­pro­por­tio­na­te bur­den on them, as it does on SMEs. Arti­cle 24 Art. (for­mer Art. 26 E‑DPA) thus con­creti­zes Arti­cle 12(5) nDSG by deter­mi­ning to whom the­se excep­ti­ons app­ly and in which cases the risks of per­so­na­li­ty vio­la­ti­ons wit­hin the mea­ning of this pro­vi­si­on are low (see Dis­patch, BBl 2017 7037). 
It pro­vi­des that com­pa­nies and other orga­niz­a­ti­ons under pri­va­te law with fewer than 250 employees on Janu­a­ry 1 of a year (regard­less of the degree of employ­ment), as well as natu­ral per­sons, are exempt from the obli­ga­ti­on to keep a regi­ster of pro­ces­sing acti­vi­ties. Howe­ver, this only app­lies if per­so­nal data requi­ring spe­cial pro­tec­tion is not pro­ces­sed on a lar­ge sca­le (sub­pa­ra­graph a) and if no high-risk pro­filing is car­ri­ed out (sub­pa­ra­graph b). The requi­re­ment of Arti­cle 24 let­ter a Art. ther­eby cor­re­sponds to Arti­cle 22 para­graph 2 let­ter a nDSG. In other words, only SMEs that per­form cer­tain high-risk data pro­ces­sing acti­vi­ties are requi­red to keep a regi­ster of pro­ces­sing acti­vi­ties. The list of high-risk data pro­ces­sing acti­vi­ties in this pro­vi­si­on is exhaus­ti­ve. For the requi­re­ment in let­ter a, plea­se refer to the explana­ti­ons on the simi­lar­ly desi­gned requi­re­ment in Arti­cle 5 para­graph 1 let­ter a Art. (form­er­ly Art. 4 para. 1 let. a Draft Data Pro­tec­tion Act) on the obli­ga­ti­on of pri­va­te per­sons to draw up pro­ces­sing regu­la­ti­ons. Exten­si­ve pro­ces­sing of data requi­ring spe­cial pro­tec­tion is deemed to be, in par­ti­cu­lar, data pro­ces­sing invol­ving lar­ge quan­ti­ties of data or a lar­ge num­ber of per­sons. SMEs that pro­cess data wit­hin the mea­ning of Arti­cle 24 let­ters a and b Art. only have to keep a regi­ster of pro­ces­sing acti­vi­ties for the­se data pro­ces­sing acti­vi­ties, but not for other data pro­ces­sing acti­vi­ties. Of cour­se, SMEs that are exempt from the obli­ga­ti­on are not pre­ven­ted from volun­ta­ri­ly kee­ping a regi­ster of pro­ces­sing acti­vi­ties. 
Espe­cial­ly if a con­trol­ler regu­lar­ly pro­ces­ses per­so­nal data, it is a use­ful and simp­le tool to keep an over­view of the pro­ces­sing acti­vi­ties, which can also faci­li­ta­te the controller’s com­pli­an­ce with other obli­ga­ti­ons, such as the duty to inform. 

Chap­ter 5: Spe­cial Pro­vi­si­ons on Data Pro­ces­sing by Federal Bodies

Sec­tion 1: Data pro­tec­tion advisor

Explana­to­ry report
Arti­cles 25 – 28 Art. (for­mer Art. 25 – 30 E‑VDSG) replace Art. 23 VDSG, which deals with the data pro­tec­tion advi­sor of federal bodies. 

Art. 25 Appointment

Each federal body shall appoint a data pro­tec­tion advi­sor. Several federal bodies may joint­ly appoint a data pro­tec­tion advi­sor.
Explana­to­ry report
Article 25 DSV implements Article 10(4) nDSG and Article 32 of Directive (EU) 2016/680. The provision whereby several federal bodies may jointly designate a data protection advisor is intended to enable smaller federal bodies or departments with a centralized organizational structure in particular to take advantage of meaningful and resource-saving synergies. On the other hand, larger federal offices, for example, can be expected to have a data protection advisor of their own. Of course, it is also open to the federal bodies to designate several advisors.

Art. 26 Requi­re­ments and tasks

1 The data protection advisor must meet the following requirements:
a. She or he has the required expertise.
b. She or he exercises her or his function vis-à-vis the federal body in a professionally independent manner and without being bound by instructions.
2 She or he must perform the following duties:
a. She or he shall cooperate in the application of the data protection rules, in particular by:
1. examining the processing of personal data and recommending corrective measures if a breach of data protection regulations is identified,
2. advising the controller on the preparation of the data protection impact assessment and reviewing its execution.
b. She or he shall serve as a point of contact for affected individuals.
c. She or he shall train and advise the employees of the federal body on data protection issues.
Explana­to­ry report
Para. 1 Article 26(1) DSV takes over in letter a the requirement of Article 12a(2) last sub-sentence VDSG. In letter b – as previously regulated in Article 12b (2) (a) of the Federal Data Protection Act and analogous to the regulation for private data controllers in Article 10 (3) (a) of the Federal Data Protection Act – it is now mandatory for all federal bodies (previously only those federal bodies had to meet the requirements of Article 12a and Article 12b of the Federal Data Protection Act that wished to be exempt from the obligation to register their data collections, see Article 23 (2) of the Federal Data Protection Act) that the data protection advisor performs his or her function in a professionally independent manner and not bound by instructions. This strengthens and institutionalizes the role of the data protection advisor in the federal bodies, which are usually hierarchical, so that he or she can perform his or her duties effectively. Admittedly, the role of the data protection advisor is merely advisory and supportive, and thus the potential for conflict with the responsible and superior bodies is to be regarded as reduced. Nevertheless, it must be ensured that the data protection advisor is free to make his or her recommendations – even if they are sometimes disagreeable in nature – without having to fear any disadvantages. Independence also implies that in important cases – as is explicitly provided for private individuals in Article 23(c) – the data protection advisor can appeal to the top management of the federal body. The independence of the data protection advisor must be ensured primarily by organizational measures: In particular, it must be prevented that the activity as data protection advisor can have a negative impact on the employee interview.

Para. 2 The tasks of the data protection advisor of the federal body in paragraph 2 have been terminologically aligned with the provision in the case of private data controllers (Article 10(3) nDSG). Paragraph 2(a) states that the data protection advisor, as already stated in Article 10(2)(b) nDSG, shall assist in the application of the data protection provisions. This includes, in particular, that he or she, in accordance with item 1, checks the processing of personal data and recommends corrective measures if a breach of the data protection regulations is identified; and in accordance with item 2, advises the data controller in the preparation of the data protection impact assessment and checks its execution. The involvement of the data protection advisor may help to reduce the burden on the FDPIC. The requirement in item 2 corresponds to Article 7(c) of Directive (EU) 2016/680. The data protection advisor is to be understood as an advisory and supporting body and not as a supervisory body. With regard to the review of processing operations and the recommendation of corrective measures, it should therefore be noted that the aim is not to introduce an active duty to review or to prescribe systematic checks of all data processing operations. Rather, it is sufficient for the data controller to become active if, for example, there are requests from the responsible bodies to check data processing or if he or she receives indications that data protection regulations have been violated. Of course, the data protection advisor is also free to proactively check. Furthermore, in accordance with paragraph 2 letter b, the data protection advisor serves as a point of contact for the data subjects, for example in the event of a request for information pursuant to Article 25 nDSG.

Art. 27 Duties of the federal body

1 The federal body has the fol­lo­wing obli­ga­ti­ons towards the data pro­tec­tion advi­sor:
a. It shall grant him or her access to all infor­ma­ti­on, docu­ments, lists of pro­ces­sing acti­vi­ties and per­so­nal data that he or she requi­res to per­form his or her duties.
b. It ensu­res that she or he is noti­fied of a data breach.
2 It shall publish the con­ta­ct details of the data pro­tec­tion advi­sor on the Inter­net and noti­fy the FDPIC of the­se details.
Explana­to­ry report
Arti­cle 27(1)(a) Art. (for­mer Art. 29 para. 1 E‑DPA) is iden­ti­cal to the regu­la­ti­on for pri­va­te data con­trol­lers in Arti­cle 22 let­ter b Art. (for­mer Art. 25 para. 2 let. b Draft Data Pro­tec­tion Act). Here, the­re­fo­re, refe­rence can be made muta­tis mutan­dis to the explana­ti­ons the­re. If spe­cial legal bases pre­vent the data pro­tec­tion advi­sor from acces­sing cer­tain infor­ma­ti­on, in par­ti­cu­lar per­so­nal data, the­se take pre­ce­dence in accordance with the gene­ral princip­le of lex spe­cia­lis. If necessa­ry, the per­so­nal data must be blacked out if the data pro­tec­tion advi­sor requi­res access to infor­ma­ti­on con­tai­ning per­so­nal data for the per­for­mance of his or her duties. Accord­ing to Arti­cle 27(1)(b) Art. the federal body is now obli­ged to ensu­re that the advi­sor is infor­med about brea­ches of data secu­ri­ty. This obli­ga­ti­on can be ensu­red, for examp­le, by the federal body obli­ging employees by means of inst­ruc­tions to inform the con­sul­tant in the event of a data secu­ri­ty bre­ach. The obli­ga­ti­on does not only con­cern brea­ches that must be repor­ted to the FDPIC on the basis of Arti­cle 24 nDSG, but rela­tes to any data secu­ri­ty bre­ach. The data pro­tec­tion advi­sor advi­ses the data con­trol­ler on whe­ther the bre­ach is sub­ject to a noti­fi­ca­ti­on obli­ga­ti­on wit­hin the mea­ning of Arti­cle 24 nDSG. Howe­ver, the noti­fi­ca­ti­on its­elf is the respon­si­bi­li­ty of the data con­trol­ler: He deci­des whe­ther and which brea­ches are repor­ted to the FDPIC. Para­graph 2 has been new­ly inser­ted and pro­vi­des for an ana­lo­gous rule as in Arti­cle 10(3)(d) nDSG in the case of pri­va­te data con­trol­lers. This is inten­ded to make it easier for the data sub­jects to exer­cise their rights by making it pos­si­ble to loca­te at least one pro­fes­sio­nal con­ta­ct per­son direct­ly. It is not necessa­ry to publish the name of the data pro­tec­tion advi­sor. 
It is suf­fi­ci­ent, for examp­le, to pro­vi­de an e‑mail address of the tech­ni­cal­ly respon­si­ble office. The con­ta­ct details of the data pro­tec­tion advi­sor must also be pro­vi­ded to the FDPIC. 

Art. 28 Con­ta­ct point of the FDPIC

The data pro­tec­tion advi­sor ser­ves as a point of con­ta­ct for the FDPIC for que­sti­ons rela­ting to the pro­ces­sing of per­so­nal data by the federal body con­cer­ned.
Explana­to­ry report
Article 28 DSV (former Art. 30 E‑VDSG) takes over the meaning of Art. 23(3) VDSG in a more precise form. The wording has been adapted, however, as it was misunderstood as a restriction on contact. The federal bodies should remain free to communicate with the FDPIC via other bodies as well and not only via the data protection advisor. The intention is not that she or he acts as a liaison for the FDPIC, but as a point of contact, since she or he has the necessary expertise and internal knowledge in matters relating to the federal body's own processing of personal data.

Section 2: Information requirements

Art. 29 Duty to pro­vi­de infor­ma­ti­on when dis­clo­sing per­so­nal data

The federal body shall inform the reci­pi­ent of the time­li­ness, relia­bi­li­ty and com­ple­teness of the per­so­nal data dis­c­lo­sed by it, inso­far as this infor­ma­ti­on is not appa­rent from the data its­elf or from the cir­cum­stan­ces.
Explana­to­ry report
This pro­vi­si­on cor­re­sponds to Arti­cles 12 and 26 of the FADP and con­cerns the relia­bi­li­ty of the per­so­nal data dis­c­lo­sed. In addi­ti­on to the “time­li­ness” and “relia­bi­li­ty” of the per­so­nal data, Arti­cle 29 Art. (for­mer Art. 15 E‑VDSG) now men­ti­ons “com­ple­teness”. To ensu­re data qua­li­ty, the data must be up-to-date, reli­able and com­ple­te (i.e. neit­her only par­ti­al­ly avail­ab­le nor incom­ple­te). The pro­vi­si­on is thus ali­gned with Arti­cle 7(2) of Direc­ti­ve (EU) 2016/680. It sup­ple­ments Arti­cle 6(5) nDSG. 

Art. 30 Duty to pro­vi­de infor­ma­ti­on in the case of syste­ma­tic acqui­si­ti­on of per­so­nal data

If the data sub­ject is not obli­ged to pro­vi­de infor­ma­ti­on, the federal body respon­si­ble shall draw his or her atten­ti­on to this fact in the event of a syste­ma­tic acqui­si­ti­on of per­so­nal data.
Explana­to­ry report
The regu­la­ti­on cor­re­sponds to the cur­rent Arti­cle 24 FADP: If the data sub­ject is not obli­ged to pro­vi­de infor­ma­ti­on, the federal body respon­si­ble must point out to him that his pro­vi­si­on of infor­ma­ti­on is volun­ta­ry. In accordance with the pro­vi­si­on of Arti­cle 24 FADP, this obli­ga­ti­on also app­lies only to the syste­ma­tic acqui­si­ti­on of per­so­nal data. It app­lies in par­ti­cu­lar to the area of sta­tis­tics and research. 

Sec­tion 3: Noti­fi­ca­ti­on of pro­jects for the auto­ma­ted pro­ces­sing of per­so­nal data to the FDPIC

Art. 31

1 The responsible federal body shall notify the FDPIC of the planned automated processing activities at the time of the decision to develop or approve the project.
2 The notification must contain the information in accordance with Article 12 paragraph 2 letters a‑d FADP and the expected date of commencement of the processing activities.
3 The FDPIC shall include this notification in the register of processing activities.
4 The responsible federal body shall update the notification upon transition to productive operation or upon project termination.
Explana­to­ry report
Arti­cle 31(1) Art. sti­pu­la­tes that the respon­si­ble federal body must noti­fy the FDPIC of the plan­ned auto­ma­ted pro­ces­sing acti­vi­ties at the time of the pro­ject appro­val or the deci­si­on to deve­lop. Com­pa­red to the sub­si­dia­ry noti­fi­ca­ti­on to the FDPIC under Arti­cle 20(2) of the FDPIC, which aims to exami­ne the con­tent of pro­jects, the pre­sent noti­fi­ca­ti­on, on the other hand, ser­ves the pur­po­se of pro­vi­ding the FDPIC with a mere over­view of plan­ned pro­jects in which per­so­nal data are to be pro­ces­sed by auto­ma­ted means. First and fore­most, the noti­fi­ca­ti­on is inten­ded to enab­le the FDPIC to obtain an over­all pic­tu­re of the plan­ned pro­jects and thus also to be able to opti­mi­ze its resour­ce plan­ning in the area of advi­so­ry acti­vi­ties and moni­to­ring of legis­la­ti­ve pro­jects. Secon­da­ri­ly, of cour­se, this noti­fi­ca­ti­on also ser­ves to pro­tect per­so­nal pri­va­cy. Sin­ce the pro­jects are still at an ear­ly sta­ge at the time of noti­fi­ca­ti­on, the con­tent of the noti­fi­ca­ti­on pur­suant to para­graph 2 is limi­ted to a sub­set of the infor­ma­ti­on requi­red by Arti­cle 12 para­graph 2 nDSG, name­ly let­ters a‑d. As with the noti­fi­ca­ti­on of lists of exi­sting pro­ces­sing acti­vi­ties under Arti­cle 12 nDSG, the FDPIC also inclu­des noti­fi­ca­ti­ons of plan­ned pro­ces­sing acti­vi­ties in the regi­ster of pro­ces­sing acti­vi­ties under Arti­cle 56 nDSG. Howe­ver, the infor­ma­ti­on on the noti­fi­ca­ti­on of plan­ned pro­ces­sing acti­vi­ties is not published (see Art. 42 para. 2 Art.). The federal body respon­si­ble updates the ent­ry in accordance with para­graph 4 when the pro­ject is suc­cess­ful­ly com­ple­ted, i.e. when it goes into pro­duc­ti­ve ope­ra­ti­on (or trans­fers the ent­ry to a noti­fi­ca­ti­on in accordance with Art. 12 para. 4 nDSG), or when the pro­ject is dis­con­ti­nued (i.e. the ent­ry is dele­ted). 
The noti­fi­ca­ti­on is the­re­fo­re only “visi­ble” to the FDPIC at the time of the pro­ject release or the deci­si­on to deve­lop the project. 

Sec­tion 4: Pilot testing

Art. 32 Indis­pensa­bi­li­ty of the pilot test

A pilot test is indis­pensable if one of the fol­lo­wing con­di­ti­ons is met:
a. The ful­fill­ment of a task requi­res tech­ni­cal inno­va­tions, the effects of which must first be evaluated.
b. The ful­fill­ment of a task requi­res signi­fi­cant orga­niz­a­tio­nal or tech­ni­cal mea­su­res, the effec­ti­ve­ness of which must first be exami­ned, espe­cial­ly in the case of coope­ra­ti­on bet­ween federal and can­to­nal bodies.
c. The ful­fill­ment of a task requi­res that the per­so­nal data be acces­si­ble in the retrie­val procedure.
Explana­to­ry report
Based on Arti­cle 35 para­graph 1 nDSG, the Federal Coun­cil may aut­ho­ri­ze the auto­ma­ted pro­ces­sing of per­so­nal data requi­ring spe­cial pro­tec­tion or other data pro­ces­sing pur­suant to Arti­cle 34 para­graph 2 let­ters b and c nDSG pri­or to the ent­ry into for­ce of a law in the for­mal sen­se if cer­tain pre­re­qui­si­tes are cumu­la­tively met. One of the­se con­di­ti­ons is that a test pha­se pri­or to ent­ry into for­ce is indis­pensable for the prac­ti­cal imple­men­ta­ti­on of the data pro­ces­sing, in par­ti­cu­lar for tech­ni­cal rea­sons. In order to redu­ce the regu­la­to­ry den­si­ty in Arti­cle 35 nDSG, the Federal Coun­cil has moved the­se cla­ri­fi­ca­ti­ons from Arti­cle 17a para­graph 2 FADP to the ordi­nan­ce. Arti­cle 32 Art. deter­mi­nes in which cases a test pha­se is to be con­si­de­red indis­pensable. It takes over Arti­cle 17a(2) FADP with some edi­to­ri­al chan­ges. For examp­le, the term “tech­ni­cal inno­va­tions” is to be under­s­tood as befo­re: On the one hand, this inclu­des the use of new tech­no­lo­gies, but also the use of alrea­dy known tech­no­lo­gy in a new envi­ron­ment or when imple­men­ting new solu­ti­ons. The Swis­s­Co­vid app can be taken as an examp­le of this: It is based on alrea­dy known tech­no­lo­gies such as Blue­tooth, but the­se have never been used in a com­pa­ra­ble solu­ti­on. Only let­ter c is adap­ted: The wor­d­ing now covers all retrie­val pro­ce­du­res and no lon­ger only tho­se that crea­te access for can­to­nal aut­ho­ri­ties. This restric­ti­ve wor­d­ing had histo­ri­cal rea­sons, but in the mat­ter at hand it can­not be decisi­ve who the addres­sees of the retrie­val pro­ce­du­re are, but the tech­ni­cal aspect is in the fore­ground for the assump­ti­on of indis­pensa­bi­li­ty (cf. Art. 35 para. 1 let. c nDSG). At least one con­di­ti­on accord­ing to let­ters a‑c must be met, which means in par­ti­cu­lar that a pilot test may not be used pure­ly for rea­sons of time. 

Art. 33 Pro­ce­du­re for the appro­val of the pilot test

1 Prior to consulting the interested administrative units, the federal body responsible for the pilot scheme shall set out how compliance with the requirements under Article 35 FADP is to be ensured and shall invite the FDPIC to submit its comments.
2 The FDPIC issu­es an opi­ni­on on whe­ther the licen­sing requi­re­ments under Arti­cle 35 FADP have been met. The federal body shall pro­vi­de him with all docu­ments necessa­ry for this pur­po­se, in par­ti­cu­lar:
a. a gene­ral descrip­ti­on of the pilot test;
b. a report pro­ving that the ful­fill­ment of the tasks pro­vi­ded for by law requi­res pro­ces­sing in accordance with Arti­cle 34 para­graph 2 FADP and that a test pha­se is indis­pensable in the for­mal sen­se befo­re the law comes into force;
c. a descrip­ti­on of the inter­nal orga­niz­a­ti­on and the data pro­ces­sing and con­trol procedures;
d. a descrip­ti­on of the secu­ri­ty and data pro­tec­tion measures;
e. the draft of an ordi­nan­ce regu­la­ting the details of pro­ces­sing, or the con­cept of an ordinance;
f. the plan­ning of the various pha­ses of the pilot test.
3 The FDPIC may request further documents and carry out additional investigations.
4 The federal body shall inform the FDPIC of any important change affecting compliance with the requirements under Article 35 FADP. The FDPIC shall comment again if necessary.
5 The opinion of the FDPIC must be attached to the application to the Federal Council.
6 Automated data processing is governed by an ordinance.
Explana­to­ry report
This pro­vi­si­on adopts Arti­cle 27 of the FADP with some edi­to­ri­al adjust­ments. The refe­ren­ces are adap­ted to the nDSG whe­re necessa­ry. A new para­graph 6 has been added, in which it is sta­ted – simi­lar to the cur­rent Arti­cle 17a (3) FADP – that auto­ma­ted data pro­ces­sing will be regu­la­ted in an ordi­nan­ce. This ensu­res the trans­pa­ren­cy of the pilot tests. 

Art. 34 Eva­lua­ti­on report

1 The competent federal body shall submit the draft evaluation report intended for the Federal Council to the FDPIC for comment.
2 It shall sub­mit the eva­lua­ti­on report with the opi­ni­on of the FDPIC to the Federal Council.
Explana­to­ry report
This pro­vi­si­on takes over Arti­cle 27a of the FADP. Accord­ing to Arti­cle 34 Art. the com­pe­tent federal body shall sub­mit the draft eva­lua­ti­on report to the FDPIC for com­ments. If it deems it necessa­ry, the com­pe­tent federal body shall adapt the eva­lua­ti­on report. 

Sec­tion 5: Data pro­ces­sing for non-per­so­nal purposes

Art. 35

If per­so­nal data are pro­ces­sed for non-per­so­nal pur­po­ses, in par­ti­cu­lar rese­arch, plan­ning and sta­tis­tics, and at the same time for ano­t­her pur­po­se, the excep­ti­ons under Arti­cle 39 para­graph 2 FADP shall only app­ly to pro­ces­sing for the non-per­so­nal pur­po­ses.
Explana­to­ry report
In order to ensu­re that the app­li­ca­ti­on of the excep­ti­ons under Arti­cle 39(2) nDSG does not go beyond the legal frame­work, the ordi­nan­ce spe­ci­fies that, in the case of data pro­ces­sing for non-per­so­nal pur­po­ses (e.g. for rese­arch, plan­ning or sta­tis­tics) that simul­ta­ne­ous­ly ser­ves ano­t­her pur­po­se, the­se excep­ti­ons are only app­li­ca­ble to pro­ces­sing for the pur­po­ses spe­ci­fied in Arti­cle 39 nDSG. 

Chap­ter 6: Federal Data Pro­tec­tion and Infor­ma­ti­on Commissioner

Art. 36 Head­quar­ters and per­ma­nent secretariat

1 The seat of the FDPIC is located in Bern.
2 Federal personnel legislation applies to the employment relationships of the employees of the permanent secretariat of the FDPIC. The employees are insured within the framework of the Confederation’s pension scheme with the Pension Fund of the Confederation.
Explana­to­ry report
This pro­vi­si­on cor­re­sponds in princip­le to Arti­cle 30 VDSG. Arti­cle 36 para. 1 Art. (for­mer Art. 37 Para. 1 EDPA) remains mate­ri­al­ly unch­an­ged. Howe­ver, the pre­vious men­ti­on of the secre­ta­ri­at is dis­pen­sed with here, sin­ce the chan­ge in ter­mi­no­lo­gy from “Com­mis­sio­ner” to “FDPIC” alrea­dy indi­ca­tes that this means the aut­ho­ri­ty as a who­le and thus also inclu­des the secre­ta­ri­at. Arti­cle 36 para. 2 art. (for­mer Art. 37(1) EDPTA) regu­la­tes the employ­ment rela­ti­ons­hip of the per­ma­nent secre­ta­ri­at of the FDPIC. In terms of con­tent, the pro­vi­si­on cor­re­sponds to the cur­rent Arti­cle 30 para­graph 2 FADP. Howe­ver, com­pa­red to the cur­rent law, it con­tains (ter­mi­no­lo­gi­cal) adjust­ments and an addi­ti­on. Even after the total revi­si­on of the FADP, the Com­mis­sio­ner and the per­ma­nent secre­ta­ri­at of the FDPIC con­sti­tu­te a decen­tra­li­sed admi­ni­stra­ti­ve unit without legal per­so­na­li­ty, which is admi­ni­stra­tively assi­gned to the Federal Chan­cel­le­ry (Art. 43 para. 4 second sen­tence nDSG, Art. 2 para. 1 let. e [BPG] , Art. 2 para. 3 of the Government and Admi­ni­stra­ti­on Orga­ni­sa­ti­on Act of 21 March 1997 [RVOG] as well as Art. 8 para. 1 let. b in. in con­junc­tion with Annex 1 let­ter A item 2.1.1 of the Government and Admi­ni­stra­ti­on Orga­niz­a­ti­on Ordi­nan­ce of Novem­ber 25, 1998 [RVOV]). As befo­re, the second sen­tence of Arti­cle 43(5) nDSG pro­vi­des that the Com­mis­sio­ner himself/herself hires his/her staff and has cer­tain powers wit­hin this frame­work. For examp­le, the employ­ment con­tracts of the FDPIC’s staff are signed by the Com­mis­sio­ner. Howe­ver, the appoin­tee is still not con­si­de­red by the FDPIC’s secre­ta­ri­at to be an employ­er under per­son­nel or pen­si­on law wit­hin the mea­ning of the CPC. Accord­ing to Arti­cle 3 para­graph 1 let­ter a BPG, the employ­er is the Federal Coun­cil. 
The employ­ment rela­ti­ons­hip of the employees of the per­ma­nent secre­ta­ri­at of the FDPIC the­re­fo­re con­ti­nues to be gover­ned by federal per­son­nel legis­la­ti­on in accordance with the first sen­tence of Arti­cle 36 para­graph 2 Art. Thus, the Federal Per­son­nel Ordi­nan­ce of 3 July 2001 (FPL), the FDF Ordi­nan­ce of 6 Decem­ber 2001 on the Federal Per­son­nel Ordi­nan­ce (FPL) and the Ordi­nan­ce of 22 Novem­ber 2017 on the Pro­tec­tion of Per­so­nal Data of Federal Per­son­nel (FPL) con­ti­nue to app­ly. In this regard, the cur­rent Arti­cle 30 para­graph 2 FADP merely under­goes a ter­mi­no­lo­gi­cal adjust­ment (“employees of the per­ma­nent secre­ta­ri­at of the FDPIC” ins­tead of “secre­ta­ri­at of the Com­mis­sio­ner” and “Federal Per­son­nel Act” ins­tead of “Federal Per­son­nel Act […] as well as […] its enfor­ce­ment pro­vi­si­ons”). In addi­ti­on, the second sen­tence of Art. 36(2) cla­ri­fies that the employees of the FDPIC’s per­ma­nent secre­ta­ri­at are insu­red under the Confederation’s pen­si­on sche­me with the Confederation’s pen­si­on fund. This addi­ti­on does not entail any mate­ri­al chan­ge, but merely expli­ci­tly sta­tes the pen­si­on law regu­la­ti­on for the per­ma­nent secre­ta­ri­at of the FDPIC that alrea­dy exi­sted (cf. Art. 32a para. 1 and Art. 32d para. 1 BPG). Accord­in­gly, the staff remains insu­red in accordance with the pro­vi­si­ons of the pen­si­on regu­la­ti­ons of 15 June 2007 for the employees and pen­si­on reci­pi­ents of the Federal Pen­si­on Fund (VRAB). With regard to the employ­ment rela­ti­ons­hip of the per­ma­nent secre­ta­ri­at of the FDPIC, the sta­tus quo will the­re­fo­re be main­tai­ned for the time being. This is justi­fied in par­ti­cu­lar becau­se the admi­ni­stra­ti­ve assign­ment to the Federal Chan­cel­le­ry allo­ws the FDPIC to con­cen­tra­te its resour­ces on ope­ra­tio­nal acti­vi­ties. 
Coope­ra­ti­on bet­ween the Federal Chan­cel­le­ry and the FDPIC is struc­tu­red in such a way that the inde­pen­dence of the FDPIC remains gua­ran­te­ed. Nevertheless, the que­sti­on ari­ses as to whe­ther the Com­mis­sio­ner should have employ­er powers under per­son­nel and pen­si­on law vis-à-vis the employees of the per­ma­nent secre­ta­ri­at. This que­sti­on must be cla­ri­fied at the ear­liest oppor­tu­ni­ty at the for­mal legal level. The coor­di­na­ted review and adap­t­ati­on of the spe­cial legal bases for the data of legal per­sons, which is to take place in the five years fol­lo­wing the ent­ry into for­ce of the nDSG (cf. Art. 71 nDSG), could pro­vi­de an oppor­tu­ni­ty for this. The imple­men­ting pro­vi­si­ons on the employ­ment rela­ti­ons­hip of the Com­mis­sio­ner, on the other hand, are not to be issued by the Federal Coun­cil, but by the Federal Assem­bly. This is becau­se the employ­ment rela­ti­ons­hip of the Com­mis­sio­ner is now estab­lished upon elec­tion by the United Federal Assem­bly (Art. 43 para. 1 nDSG). As part of par­lia­men­ta­ry initia­ti­ve 21.443, the SPK‑N adop­ted a draft ordi­nan­ce of the Federal Assem­bly on 27 Janu­a­ry 2022 con­tai­ning the imple­men­ting pro­vi­si­ons on the employ­ment rela­ti­ons­hip of the Com­mis­sio­ner. In addi­ti­on, indi­vi­du­al amend­ments to the nDSG are plan­ned in this con­text. Par­lia­ment adop­ted the bills in the final vote on 17 June 2022. Arti­cle 30 para­graph 3 of the FADP was not retai­ned, as the FDPIC now has an inde­pen­dent bud­get, which is con­clu­si­ve­ly regu­la­ted in Arti­cle 45 of the nDSG and in Arti­cle 142 para­graphs 2 and 3 of the Par­lia­men­ta­ry Act of 13 Decem­ber 2002 (nParlG).

Art. 37 Com­mu­ni­ca­ti­on channel

1 The FDPIC communicates with the Federal Council via the Federal Chancellor. The latter shall forward the proposals, opinions and reports unchanged to the Federal Council.
2 The FDPIC submits reports for the attention of the Federal Assembly via the parliamentary services.
Explana­to­ry report
Article 37 DSV largely represents an adoption of Article 31(1) and (1bis) of the Data Protection Act. Article 31(2) has not been incorporated into the DSV, since it follows from the independence of the FDPIC, and from the fact that he is not bound by instructions anyway, that the FDPIC can communicate directly with other administrative units. The deletion therefore does not lead to any substantive change. Compared to Article 31 of the Federal Data Protection Act, the first paragraph has been amended. The new wording is intended to clarify that the FDPIC can also contact the Federal Council on issues that are not on the agenda of a Federal Council meeting, for example by having opinions forwarded to it. Apart from this, the content of paragraph 1 remains unchanged because the Federal Chancellor must forward all communications to the Federal Council and has no room for maneuver in this regard. This also applies to the co-reporting procedure. In paragraph 2, only the wording has been slightly adapted; the substantive content, however, corresponds to Article 31 paragraph 1bis of the FADP.

Art. 38 Noti­fi­ca­ti­on of deci­si­ons, gui­de­li­nes and projects

1 The departments and the Federal Chancellery shall notify the FDPIC of their decisions in the area of data protection in anonymous form, as well as their guidelines.
2 The federal bodies shall sub­mit to the FDPIC all draft legis­la­ti­on rela­ting to the pro­ces­sing of per­so­nal data, data pro­tec­tion and access to offi­cial documents.
Explana­to­ry report
Apart from ter­mi­no­lo­gi­cal and syste­ma­tic adjust­ments, this pro­vi­si­on cor­re­sponds to Arti­cle 32(1) of the Data Pro­tec­tion Act. Para­graph 2: The FDPIC should be invol­ved as ear­ly as pos­si­ble. It must be con­sul­ted at the latest wit­hin the frame­work of the office consultation. 

Art. 39 Pro­ces­sing of per­so­nal data

The FDPIC may pro­cess per­so­nal data, inclu­ding per­so­nal data requi­ring spe­cial pro­tec­tion, in par­ti­cu­lar for the fol­lo­wing pur­po­ses:
a. to car­ry out its super­vi­so­ry activities;
b. to car­ry out its con­sul­ting activities;
c. to coope­ra­te with federal, can­to­nal and for­eign authorities;
d. for the per­for­mance of tasks wit­hin the scope of the penal pro­vi­si­ons under the FADP;
e. to conduct conciliation proceedings and to issue recommendations in accordance with the Federal Act of 17 December 2004 on the Principle of Public Access to Administrative Documents (FOPA);
f. to conduct evaluations in accordance with the FOPA;
g. to carry out procedures for access to official documents in accordance with the FOPA;
h. for the infor­ma­ti­on of the par­lia­men­ta­ry supervision;
i. for the infor­ma­ti­on of the public;
j. to car­ry out its trai­ning activities.
Explana­to­ry report
Under current law, Article 32(2) FADP states the purposes for which the FDPIC operates an information and documentation system. However, Article 57h RVOG, which was newly inserted as part of the total revision of the FADP, will in future state in general terms that the units of the federal administration operate electronic business management systems to manage their documents. In the future, it will therefore not be necessary to refer to the use of the business management system in the DSV. On the other hand, the purposes for which the FDPIC processes personal data are now regulated in more detail (para. 1). It may process personal data, including personal data requiring special protection, in particular for the following purposes: to carry out its supervisory activities (subpara. a), to carry out its advisory activities (subpara. b), to cooperate with federal, cantonal and foreign authorities (subpara. c), to perform its duties within the framework of the penal provisions under the FADP (subpara. d), to conduct conciliation proceedings and issue recommendations under the Federal Act of 17 December 2004 on the Principle of Public Access to Administrative Documents (FOPA) (subpara. e), to conduct evaluations under the FOPA (subpara. f), to conduct procedures for access to official documents under the FOPA (subpara. g), to inform parliamentary oversight (subpara. h), to inform the public (subpara. i), and to carry out its training activities (subpara. j).

Art. 40 Self-regulation

The FDPIC shall estab­lish pro­ces­sing regu­la­ti­ons for all auto­ma­ted pro­ces­sing ope­ra­ti­ons; Arti­cle 6(1) shall not app­ly.
Explana­to­ry report
Article 48 nDSG provides that the FDPIC must take appropriate measures to ensure that the data protection provisions within his authority are enforced in accordance with the law. The dispatch on the Data Protection Act specifies that the Federal Council has the task of specifying the measures to be taken by the FDPIC in the ordinance (BBl 2017 6941, 7089). According to Article 40 DSV, the FDPIC is expected to draw up processing regulations for all automated processing carried out by him, and not only in the cases mentioned in Article 6(1) DSV, such as the processing of particularly sensitive personal data or profiling. Even if this is not explicitly stated (unlike still in Art. 41 para. 2 of the Electronic Data Protection Act), the FDPIC, like other federal bodies which are obliged to draw up processing regulations (cf. Art. 6 DSV), must provide for internal processes which ensure that its data processing operations are carried out in accordance with the processing regulations, and must verify compliance with the processing regulations.

Art. 41 Coope­ra­ti­on with the NCSC

1 The FDPIC may forward a data breach notification to the National Cyber Security Center (NCSC) for analysis of the incident with the consent of the responsible party subject to the notification. The notification may contain personal data.
2 The FDPIC shall invi­te the NCSC to sub­mit its com­ments befo­re orde­ring the federal body to take the pre­cau­ti­ons pur­suant to Arti­cle 8 FADP.
Explana­to­ry report
So that the FDPIC can involve the technical specialists of the NCSC in the analysis of a data security breach which has occurred and which has been reported to him by the data controller on the basis of Article 24 nDSG and Article 15 DSV (former Art. 19 e-Data Protection Act), Article 41 paragraph 1 DSV (former Art. 42 Electronic Data Protection Act) provides that the FDPIC may forward the information on the notification of a data breach to the NCSC. The forwarding may contain any information pursuant to Art. 15(1) DSV, but at the same time must be limited to the data necessary for the NCSC to analyze the incident. In this regard, the communication from the FDPIC to the NCSC may also contain personal data. It is a prerequisite that the person responsible, who is obliged to notify the FDPIC, has given his prior consent to the forwarding. Furthermore, the forwarding must not lead to the circumvention of Article 24 paragraph 6 nDSG, according to which the report may only be used in the context of criminal proceedings with the consent of the person obliged to report. Article 41(1) DSV does not allow the FDPIC to systematically forward reports to the NCSC. Rather, the FDPIC may only make use of this possibility in individual cases where the technical expertise of the NCSC is necessary for the clarification of an incident. The provision is to be transferred to the legislative level at the earliest opportunity. For this reason, a new Article 24 paragraph 5bis nDSG is provided for in the annex to the preliminary draft amendment to the Information Security Act of 18 December 2020 (ISG), which the Federal Council sent out for consultation on 12 January 2022.
This will also regulate the disclosure by the FDPIC to the NCSC of particularly sensitive personal data relating to administrative and criminal prosecutions or sanctions of the responsible party subject to the reporting obligation. If and when the new Article 24(5bis) nDSG enters into force, Article 41(1) DSV may be repealed again. Article 41(2) DSV states that the FDPIC and the NCSC shall coordinate in overlapping areas of activity. The norm corresponds in principle to Article 20(3), second sentence, of the FDPIC Act. The FDPIC is required to invite the NCSC to give its opinion before ordering the federal body to take the precautions under Article 8 nDSG. The legal basis for such an order is Article 51(3)(b) nDSG. The aim is in particular to ensure that the FDPIC and the NCSC do not impose different requirements on federal bodies in the same area. However, the independence of the FDPIC remains guaranteed, since he is only required to obtain the opinion, but not also to take it into account.

Art. 42 Regi­ster of pro­ces­sing acti­vi­ties of federal bodies

1 The register of processing activities of federal bodies contains the information provided by federal bodies in accordance with Article 12 paragraph 2 FADP as well as Article 31 paragraph 2 of this Ordinance.
2 It shall be published on the inter­net. The regi­ster ent­ries on plan­ned auto­ma­ted pro­ces­sing acti­vi­ties in accordance with Arti­cle 31 shall not be published.
Explana­to­ry report
Based on Article 12 paragraph 4 nDSG, the federal bodies must report their lists of processing activities to the FDPIC. The latter, in turn, is required by Article 56 nDSG to keep a register of the processing activities of federal bodies and to publish it. Article 42(1) DSV specifies what the FDPIC's register must contain, namely the information that federal bodies must provide pursuant to Article 12(2) nDSG. In addition, the register also contains the information on the planned automated processing activities of the federal bodies pursuant to Article 31(2) DSV. The second paragraph specifies that the register of the FDPIC must be published on the internet. The register entries on the planned automated processing activities of the federal bodies pursuant to Article 31 DSV are not published, as these cannot yet be considered definitive at the time of their registration or could still be subject to changes.

Art. 43 Codes of conduct 

If a code of con­duct is sub­mit­ted to the FDPIC, the FDPIC shall sta­te in its opi­ni­on whe­ther the code of con­duct meets the requi­re­ments of Arti­cle 22(5)(a) and (b) FADP.
Explana­to­ry report
Based on Arti­cle 22(5) nDSG, the pri­va­te con­trol­ler may refrain from drawing up a data pro­tec­tion impact assess­ment if it is cer­ti­fied under Arti­cle 13 nDSG or if it com­plies with a code of con­duct under Arti­cle 11 nDSG that meets cer­tain requi­re­ments. If a code of con­duct is sub­mit­ted to the FDPIC, the FDPIC shall indi­ca­te in its opi­ni­on whe­ther, in its view, the requi­re­ments are met to refrain from pre­pa­ring a data pro­tec­tion impact assess­ment. This pro­vi­si­on spe­ci­fies that a con­trol­ler who wis­hes to wai­ve a data pro­tec­tion impact assess­ment must sub­mit its code of con­duct to the FDPIC and the lat­ter must have the oppor­tu­ni­ty to assess the code. It is not a mat­ter of appro­val, but if a con­trol­ler, con­tra­ry to the opi­ni­on of the FDPIC, wis­hes to make use of the excep­ti­on under Arti­cle 22(5)(a‑c), the FDPIC may, on the basis of Arti­cle 51(3)(d) nDSG, order the con­trol­ler to car­ry out a data pro­tec­tion impact assessment. 

Art. 44 Fees

1 The fees charged by the FDPIC are calculated on the basis of the time spent.
2 An hour­ly rate of 150 to 250 Swiss francs app­lies, depen­ding on the func­tion of the exe­cu­ting personnel.
3 In the case of services of exceptional scope, particular difficulty or urgency, surcharges of up to 50 percent of the fee in accordance with paragraph 2 may be levied.
4 If the service provided by the FDPIC can be further used by the person liable to pay the fee for commercial purposes, surcharges of up to 100 percent of the fee pursuant to paragraph 2 may be levied.
5 In all other respects, the Gene­ral Ordi­nan­ce on Fees of Sep­tem­ber 8, 2004 shall apply.
Explana­to­ry report
Based on Article 59 (1) nDSG, the FDPIC must charge fees for certain services it provides to private individuals. These include the opinion on a code of conduct (subpara. a), the approval of standard data protection clauses and binding corporate data protection regulations (subpara. b), the review of the data protection impact assessment (subpara. c), precautionary measures and measures under Article 51 nDSG (subpara. d) and consultations on data protection issues (subpara. e). Article 59 paragraph 2 nDSG mandates the Federal Council to determine the amount of the fees. Article 44 para. 1 DSV (former Art. 44 para. 1 E-Data Protection Act) lays down the principle that fees are calculated on the basis of the time spent. According to paragraph 2, an hourly rate of 150 to 250 francs applies depending on the function of the executing personnel. The amount is based on the hourly rate of the personnel of the function required to provide the service. The FDPIC thus calculates the fees on the basis of the hours spent by the executing personnel. Any persons who have contributed to the provision of the service must be included in this calculation. Pursuant to paragraph 3, the FDPIC has the option of levying surcharges of up to 50 percent of the fee pursuant to paragraph 2 in the case of a service of exceptional scope, particular difficulty or urgency. The regulation specifies the general requirement of Article 5 paragraph 3 of the General Fees Ordinance of 8 September 2004 (AllgGebV). In the event that the service provided by the FDPIC can be further used by the person liable to pay the fee for commercial purposes, the FDPIC may levy surcharges of up to 100 percent of the fee pursuant to paragraph 2 in accordance with paragraph 4.
For examp­le, if the FDPIC asses­ses a tool that can be resold by the per­son making the requ­est as a data pro­tec­tion-com­pli­ant app­li­ca­ti­on, the FDPIC should have the opti­on of incre­a­sing the fee so that it rough­ly cor­re­sponds to the hour­ly wage of a spe­cia­li­zed lawy­er. The decisi­ve fac­tor here is whe­ther the ser­vice is sui­ta­ble for fur­ther use for com­mer­cial pur­po­ses, regard­less of whe­ther this actual­ly hap­pens. The regu­la­ti­on pur­suant to para­graph 4 con­cerns in par­ti­cu­lar the case of advice wit­hin the mea­ning of Arti­cle 59 para­graph 1 let­ter e nDSG. Nevertheless, it is also con­ceiva­ble that the FDPIC will assess stan­dard data pro­tec­tion clau­ses or codes of con­duct that can be fur­ther used for com­mer­cial pur­po­ses, e.g. becau­se they can be used as a pro­to­ty­pe for other stan­dard data pro­tec­tion clau­ses or codes of con­duct. Para­graph 5, moreo­ver, decla­res the Allg­GebV app­li­ca­ble. For its part, the Allg­GebV regu­la­tes in par­ti­cu­lar the princi­ples of char­ging fees, exemp­ti­ons from the obli­ga­ti­on to char­ge fees, and the collec­tion procedure. 

Chap­ter 7: Final Provisions

Art. 45 Repeal and amend­ment of other enactments

The repeal and amend­ment of other enact­ments are gover­ned by Annex 2.
Explana­to­ry report
Sin­ce the pro­vi­si­ons on the repeal and amend­ment of other enact­ments tog­e­ther com­pri­se more than one prin­ted page, they are listed in an appen­dix. The repeal and amend­ment of other enact­ments are com­men­ted on in sec­tion 7. 

Art. 46 Tran­si­tio­nal provisions

1 For data processing operations that do not fall within the scope of Directive (EU) 2016/680, Article 4(2) shall apply at the latest three years after the entry into force of this Regulation or at the latest at the end of the life cycle of the system. In the meantime, these processing operations shall be subject to Article 4(1).
2 Article 8(5) does not apply to assessments carried out before the entry into force of this Regulation.
3 Article 31 does not apply to planned automated processing activities for which project approval or the decision to develop the project has already been made at the time of entry into force of this Ordinance.
Explana­to­ry report
Article 4(2) obliges the responsible federal bodies and their commissioned processors to log the automated processing of personal data. For data processing that falls within the scope of Directive (EU) 2016/680, the logging obligation has applied since the entry into force of the Schengen Data Protection Act due to the requirement of Article 25 of the said Directive. Various federal bodies have pointed out an additional effort in connection with the implementation of Article 4(2) DSV. In order to take account of this additional effort, Article 46(1) provides for a transitional period of three years from the entry into force of the Regulation or, at the latest, after the end of the life cycle of the system, for the remaining data processing operations. During this period, Article 4(1) of the Regulation applies to these data processing operations. Article 8(5) DSV introduces the obligation to publish assessments. Article 46(2) specifies that the assessments carried out before the entry into force of the Regulation will not be published. According to Article 31 DSV, federal bodies must now notify the FDPIC of their planned automated processing activities at the time of the project approval or the decision to develop the project. Paragraph 3 therefore stipulates by way of transitional law that Article 31 DSV does not apply to planned automated processing activities for which the project approval or the decision on project development has already taken place at the time the ordinance enters into force.

Art. 47 Ent­ry into force

This Ordi­nan­ce shall enter into for­ce on Sep­tem­ber 1, 2023. 

Attach­ments

Annex 1 (Art. 8 par. 1)

States, territories, specific sectors in a state and international bodies with adequate data protection

1 Germany*
2 Andorra***
3 Argentina***
4 Austria*
5 Belgium*
6 Bulgaria***
7 Canada*** Adequate data protection is deemed to be ensured if the Canadian federal law “Loi sur la protection des renseignements personnels et les documents électroniques” of April 13, 2000 applies in the private sector or the law of a Canadian province that largely corresponds to this federal law. The federal law applies to personal information obtained, processed or disclosed in the course of commercial activities, whether by organizations such as associations, partnerships, individuals or unions, or federally regulated entities such as plants, works, enterprises or business activities that fall within the legislative jurisdiction of the Parliament of Canada. The provinces of Québec, British Columbia, and Alberta have enacted legislation that is broadly similar to the federal law; the provinces of Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia have enacted legislation that is broadly similar to that law in the area of health information. In all Canadian provinces, the federal law applies to all personal data obtained, processed or disclosed by federally regulated entities, including data about employees of those entities. The federal law also applies to personal data transferred to another province or country in the course of commercial activities.
8 Cyprus***
9 Croatia***
10 Denmark*
11 Spain*
12 Estonia*
13 Finland*
14 France*
15 Gibraltar***
16 Greece*
17 Guernsey***
18 Hungary*
19 Isle of Man***
20 Faroe Islands***
21 Ireland***
22 Iceland*
23 Israel***
24 Italy*
25 Jersey***
26 Latvia*
27 Liechtenstein*
28 Lithuania*
29 Luxembourg*
30 Malta*
31 Monaco***
32 Norway*
33 New Zealand***
34 Netherlands*
35 Poland*
36 Portugal*
37 Czech Republic*
38 Romania***
39 United Kingdom**
40 Slovakia*
41 Slovenia*
42 Sweden*
43 Uruguay***
* The data protection adequacy assessment includes the disclosure of personal data pursuant to Directive (EU) 2016/680.
** The data protection adequacy assessment shall include the disclosure of personal data pursuant to an implementing decision of the European Commission determining data protection adequacy under Directive (EU) 2016/680.
*** The data protection adequacy assessment does not include the disclosure of personal data in the context of the cooperation provided for by Directive (EU) 2016/680.
Explanatory report
Based on Article 16 paragraph 1 nDSG, the Federal Council is responsible for assessing which state (or which territory or which specific sector of a state) and which international body guarantees an adequate level of protection for the disclosure of personal data abroad. A list of states is published in the Annex to the Regulation. The aim of this list is to create a single space in terms of data protection. The list will be reviewed regularly to take into account, on the one hand, the practice of other States and, on the other hand, developments at the international level, in particular the ratifications of the revised Convention ETS 108. Consequently, the list is not definitive and could be subject to change before the Regulation enters into force. The assessment of the adequacy of data protection includes the disclosure of data for law enforcement purposes only if this is indicated in the Annex. For example, one asterisk means that the data protection adequacy assessment includes the disclosure of personal data in accordance with Directive (EU) 2016/680, while two asterisks mean that it includes the disclosure of personal data in accordance with an implementing decision of the European Commission determining data protection adequacy in accordance with Directive (EU) 2016/680 (this currently applies to the United Kingdom). Finally, three asterisks mean that the data protection adequacy assessment does not include the disclosure of personal data in the context of the cooperation provided for by Directive (EU) 2016/680.
