Text of the draft of the revised VDSG
from 23 June 2021. The texts have been converted automatically – we thank you for pointing out errors. Critical comments on the E‑VDSG can be found here, the revised DPA here and the current VDSG here.
Chapter 1: General provisions
Section 1: Data security
Art. 1 Principles
1 Whether the technical or organizational measures to ensure data security are appropriate to the risk shall be assessed according to the following criteria:
a. the purpose, nature, scope and circumstances of the data processing;
b. the probability of occurrence of a data breach and its potential impact on data subjects;
c. the state of the art;
d. the implementation costs.
2 The measures must be reviewed at appropriate intervals throughout the processing period.
Art. 2 Protection goals
To the extent appropriate, data security measures must achieve the following protection goals:
a. Access control: Access by authorized persons is limited to the personal data they need to perform their tasks.
b. Physical access control: Access to the facilities and equipment where personal data is processed is denied to unauthorized persons.
c. Data carrier control: Unauthorized persons are prevented from reading, copying, modifying, moving or removing data carriers.
d. Storage control: Unauthorized entry into the data store and unauthorized viewing, modification or deletion of stored personal data is prevented.
e. User control: The use of automated data processing systems by means of data transmission equipment by unauthorized persons is prevented.
f. Transport control: When personal data is disclosed and data carriers are transported, it is prevented that the data can be read, copied, modified or deleted without authorization.
g. Input control: In automated systems, it is possible to check which personal data was entered or changed at what time and by which person.
h. Disclosure control: It is possible to check to whom personal data has been disclosed using data transmission equipment.
i. Recovery: The availability of and access to personal data can be quickly restored in the event of a physical or technical incident.
j. It is ensured that all functions of the system are available (availability), that malfunctions are reported (reliability) and that stored personal data cannot be damaged by malfunctions of the system (data integrity).
k. Detection: Data security breaches can be quickly detected and mitigation or remediation actions initiated.
Art. 3 Logging
1 If the data protection impact assessment shows that there is still a high risk to the personality or fundamental rights of the data subjects in the automated processing of personal data despite the measures provided by the controller, the private controller and its commissioned processor shall log at least the following operations: storage, modification, reading, disclosure, deletion or destruction.
2 Federal bodies and their commissioned processors shall log at least the following processes during the automated processing of personal data: storage, modification, reading, disclosure, deletion or destruction.
3 The log shall provide information on the type of processing operation, the identity of the person who carried out the processing, the identity of the recipient and the time at which the processing took place.
4 The logs must be kept for two years separately from the system in which the personal data are processed. They shall be accessible only to the bodies or persons responsible for monitoring data protection regulations or for restoring the confidentiality, integrity, availability and traceability of the data, and may be used only for this purpose.
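A sketch of an audit-log record that satisfies the minimum content of Art. 3 paragraph 3 and the two-year retention period of paragraph 4, as an added example that is not part of the draft ordinance. The field names, the JSON-lines layout, the in-memory store standing in for a log kept apart from the processing system, and the sample entries are all assumptions.

```python
"""Illustrative audit-log record for the logging duties in Art. 3 E-VDSG.

Added example, not part of the draft ordinance. It assumes an append-only
JSON-lines log kept outside the processing system and checks the minimum
content (operation type, actor, recipient, timestamp) and the two-year
retention period the draft requires.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone

# Minimum set of operations that must be logged (Art. 3 para. 1 and 2).
LOGGED_OPERATIONS = frozenset(
    {"storage", "modification", "reading", "disclosure", "deletion", "destruction"}
)

# Art. 3 para. 4: logs are kept for two years, separately from the system.
RETENTION = timedelta(days=2 * 365)


@dataclass(frozen=True)
class LogEntry:
    operation: str          # type of processing operation (Art. 3 para. 3)
    actor: str              # identity of the person who carried out the processing
    recipient: str | None   # identity of the recipient; required for disclosures
    timestamp: datetime     # time of the processing, timezone-aware

    def validate(self) -> None:
        """Reject entries that would not meet the minimum content of Art. 3."""
        if self.operation not in LOGGED_OPERATIONS:
            raise ValueError(f"operation not in Art. 3 minimum set: {self.operation}")
        if not self.actor:
            raise ValueError("actor identity is required")
        if self.operation == "disclosure" and not self.recipient:
            raise ValueError("disclosure requires the recipient identity")
        if self.timestamp.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware")

    def to_json(self) -> str:
        d = asdict(self)
        d["timestamp"] = self.timestamp.isoformat()
        return json.dumps(d, sort_keys=True)

    @classmethod
    def from_json(cls, line: str) -> "LogEntry":
        d = json.loads(line)
        d["timestamp"] = datetime.fromisoformat(d["timestamp"])
        return cls(**d)


class AuditLog:
    """Append-only in-memory stand-in for a log store held apart from the processing system."""

    def __init__(self) -> None:
        self._lines: list[str] = []

    def record(self, entry: LogEntry) -> None:
        entry.validate()          # never store an incomplete record
        self._lines.append(entry.to_json())

    def entries(self) -> list[LogEntry]:
        return [LogEntry.from_json(line) for line in self._lines]

    def expired(self, now: datetime) -> list[LogEntry]:
        """Entries older than the two-year retention period (candidates for deletion)."""
        return [e for e in self.entries() if now - e.timestamp > RETENTION]


def rejected(operation: str, actor: str, recipient: str | None, ts: str) -> bool:
    """True if an entry built from an ISO-8601 timestamp fails validation."""
    try:
        LogEntry(operation, actor, recipient, datetime.fromisoformat(ts)).validate()
    except ValueError:
        return True
    return False


def demo() -> tuple[int, int]:
    """Constructed sample: three operations, one of them older than two years."""
    log = AuditLog()
    now = datetime(2024, 6, 23, tzinfo=timezone.utc)  # constructed reference time
    log.record(LogEntry("reading", "alice@example.invalid", None, now - timedelta(days=800)))
    log.record(LogEntry("disclosure", "bob@example.invalid", "partner-org", now - timedelta(days=1)))
    log.record(LogEntry("deletion", "alice@example.invalid", None, now))
    return len(log.entries()), len(log.expired(now))
```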
Art. 4 Processing regulations of private persons
1 The private controller and its processor must draw up processing regulations for automated processing if they:
a. extensively process personal data requiring special protection; or
b. perform high-risk profiling.
2 The regulations must contain at least the following information:
a. on the purpose of the processing;
b. on the categories of data subjects and the categories of personal data processed;
c. on the retention period of the personal data or the criteria for determining this period;
d. on the internal organization;
e. on the origin of the personal data and how it was obtained;
f. on the technical and organizational measures to ensure data security;
g. on access authorizations and on the type and scope of access;
h. on the measures taken to minimize data;
i. on the data processing procedures, in particular the procedures for storage, correction, disclosure, retention, archiving, pseudonymization, anonymization and deletion or destruction;
j. on the procedure for exercising the right of access and the right to issue or transfer data.
3 The private controller must regularly update the regulations and make them available to the data protection advisor in a form that the advisor can understand.
Art. 5 Processing regulations of federal bodies
1 The responsible federal body and its commissioned processor shall draw up processing regulations for automated processing operations if they:
a. process personal data requiring special protection;
b. perform profiling;
c. carry out data processing operations within the meaning of Article 34(2)(c) FADP;
d. make personal data accessible to cantons, foreign authorities, international organizations or private persons;
e. link data sets with each other; or
f. operate an information system or manage data resources together with other federal bodies.
2 The regulations must contain at least the information specified in Article 4 paragraph 2.
3 The federal body responsible must regularly update the regulations and make them available to the data protection advisor in a form that is comprehensible to him or her and to the Federal Data Protection and Information Commissioner (FDPIC) upon request.
Section 2: Processing by processors
Art. 6 Modalities
1 The controller who entrusts the processing of personal data to a processor remains responsible for data protection. It must ensure that the data is processed in accordance with the contract or the law.
2 If the processor is not subject to the FADP, the controller must ensure that other legal provisions guarantee equivalent data protection. Otherwise, he must ensure this by contractual means.
3 If the controller is a federal body, the commissioned processor may transfer the data processing to a third party if the federal body has approved this in writing.
Art. 7 Information to the data protection advisor of the federal body
The federal body shall inform the data protection advisor without delay of the conclusion of a contract with a commissioned processor or of the authorization to transfer data processing to a third party. Furthermore, it shall inform the data protection advisor if problems arise in complying with the statutory or contractual data protection provisions.
Section 3: Disclosure of personal data abroad
Art. 8 Assessment of the adequacy of data protection of a foreign state or an international body
1 If personal data are disclosed abroad, the following criteria in particular must be taken into account when assessing whether a state, a territory, one or more specific sectors in a state or an international body ensures adequate data protection:
a. the international obligations of the state or international body in the field of data protection;
b. respect for human rights;
c. the applicable legislation on data protection and its implementation and the relevant case law;
d. the effective guarantee of the rights of data subjects and legal protection;
e. the effective functioning of one or more independent authorities in charge of data protection in the State concerned or to which an international body is subordinate and which have sufficient powers and competences.
2 The assessments of international bodies or foreign authorities responsible for data protection may be taken into account in the assessment.
3 The adequacy of data protection of the state, territory, specific sectors in a state or international body concerned shall be reassessed periodically.
4 If it emerges from an assessment under paragraph 3 or from available information that a state, a territory, one or more specific sectors in a state or an international body no longer ensures adequate data protection, the decision shall be amended, suspended or revoked in accordance with Article 16 paragraph 1 FADP. This new decision has no effect on data disclosures that have already been made.
5 The States, territories, specific sectors in a State and international bodies with adequate data protection are listed in Annex 1.
6 The FDPIC shall be consulted prior to any decision on the adequacy of data protection.
Art. 9 Data protection clauses and specific safeguards
1 The data protection clauses in a contract pursuant to Article 16 paragraph 2 letter b FADP and the specific guarantees pursuant to Article 16 paragraph 2 letter c FADP must regulate at least the following points:
a. the application of the principles of legality, good faith, proportionality, purpose limitation and accuracy;
b. the categories of personal data disclosed and the persons concerned;
c. the nature and purpose of the disclosure of personal data;
d. the names of the states to which personal data are disclosed;
e. the names of the international bodies to which personal data are disclosed;
f. the requirements for the retention, deletion and destruction of personal data;
g. the recipients authorized to process the data;
h. the measures taken to ensure data security;
i. the requirements for disclosure of personal data to another foreign state or to another international body;
j. the obligation of the recipient to inform the data subjects about the processing;
k. the rights of the data subject, namely:
1. the right to information,
2. the right to object,
3. the right to rectification, deletion or destruction of their data,
4. the right to seek redress from an independent authority.
2 The controller must take reasonable measures to ensure that the recipient complies with the data protection clauses in a contract or with the specific safeguards.
3 If the FDPIC has been informed of the data protection clauses in a contract or of the specific safeguards, the information obligation shall be deemed to have been fulfilled for all further disclosures that:
a. take place under the same data protection clauses or safeguards, provided that the categories of recipients, the purpose of the processing and the categories of data remain substantially unchanged; or
b. take place within the same legal entity or company or between companies belonging to the same group, provided that the data protection clauses or safeguards continue to ensure appropriate data protection.
Art. 10 Standard data protection clauses
1 If the controller discloses personal data abroad using standard data protection clauses in accordance with Article 16 paragraph 2 letter d FADP, it shall take appropriate measures to ensure that the recipient complies with them.
2 The FDPIC publishes a list of standard data protection clauses that it has approved, issued or recognized.
Art. 11 Binding corporate data protection regulations
1 Binding corporate data protection regulations pursuant to Article 16 paragraph 2 letter e FADP apply to all companies belonging to the same group.
2 They shall include at least the items referred to in Article 9(1) and the following information:
a. the organization and contact details of the Group and its companies;
b. the measures taken within the Group to ensure compliance with binding internal corporate data protection regulations.
Art. 12 Codes of conduct and certifications
1 Personal data may be disclosed abroad if appropriate data protection is guaranteed by a code of conduct or certification.
2 The code of conduct shall contain at least the information specified in Article 9 paragraph 1 and must be approved in advance by the FDPIC.
3 The code of conduct or certification must be accompanied by a binding and enforceable commitment by the controller or processor in the third country to apply the measures contained therein.
Chapter 2: Obligations of the controller and the processor
Art. 13 Modalities of the information obligations
1 The controller and the processor shall communicate the information on the acquisition of personal data in a precise, comprehensible and easily accessible form.
2 If it communicates the information in combination with pictograms that are displayed electronically, these must be machine-readable.
Art. 14 Duty of the federal bodies to provide information in the case of systematic acquisition of personal data
If the data subject is not obliged to provide information, the federal body responsible shall inform him or her of the voluntary nature of the provision of information in the event of a systematic acquisition of personal data, in particular by means of a questionnaire.
Art. 15 Information on the disclosure of personal data
The controller and the processor shall inform the recipient about the up-to-dateness, reliability and completeness of the personal data disclosed by them, insofar as this information is not apparent from the data itself or from the circumstances.
Art. 16 Information on the correction, deletion or destruction as well as the restriction of the processing of personal data
The data controller shall inform the recipients to whom it has disclosed personal data without undue delay about the correction, deletion or destruction as well as the restriction of the processing of personal data, unless the notification is impossible or involves a disproportionate effort.
Art. 17 Review of an automated individual decision
If a person affected by an automated individual decision requests that he or she be able to state his or her position or that a natural person review the decision, he or she may not be disadvantaged as a result.
Art. 18 Form and retention of the data protection impact assessment
The data controller must record the data protection impact assessment in writing. It must be retained for two years after the end of data processing.
Art. 19 Notification of data security breaches
1 In the event of a data security breach, the controller shall notify the FDPIC of:
a. the nature of the breach;
b. as far as possible, the time and duration;
c. as far as possible, the categories and approximate number of personal data concerned;
d. as far as possible, the categories and approximate number of data subjects;
e. the consequences, including any risks, for the persons concerned;
f. what measures have been taken or are planned to remedy the deficiency or mitigate the consequences;
g. the name and contact details of a contact person.
2 If, upon discovery of the data breach, it is not possible for the data controller to provide the FDPIC with all the information referred to in paragraph 1 at the same time, it may provide this information in stages without undue further delay.
3 The controller shall communicate to the data subjects in plain and intelligible language at least the information referred to in paragraph 1 letters a, e, f and g.
4 If the person responsible is a federal body, the notification to the FDPIC shall be made via the data protection advisor.
5 The controller must document the breaches. The documentation must contain all facts relating to the incidents, their effects and the measures taken. It must be kept for at least three years from the time of notification in accordance with paragraph 1.
Chapter 3: Rights of the data subject
Section 1: Right to information
Art. 20 Modalities
1 The request for information shall be made in writing. If the person responsible agrees, the request may also be made orally.
2 As a rule, information shall be provided in writing. In agreement with the person responsible or at his suggestion, the data subject may also inspect his data on site. The information may also be provided orally if the data subject has consented.
3 The information must be comprehensible to the data subject.
4 The controller must take appropriate measures to ensure the identification of the data subject and to protect the data subject’s personal data from access by unauthorized third parties when providing information. The data subject must cooperate in their identification.
5 The person responsible must document the reasons for refusing, restricting or postponing the information. The documentation shall be kept for at least three years.
Art. 21 Competence
1 If several persons are responsible for the processing of personal data, the data subject may exercise his or her right of access with any of the persons responsible.
2 If a controller is not competent to deal with the request, it shall forward the request to the competent controller.
3 If the request relates to data processed by a processor, the controller shall forward the request to the processor if the controller is not in a position to provide information itself.
Art. 22 Time limit
1 The information shall be provided within 30 days of receipt of the request. If the person responsible refuses, restricts or postpones the information, he must notify this within the same period.
2 If the information cannot be provided within 30 days, the controller must notify the data subject and inform him of the period within which the information will be provided.
Art. 23 Exceptions to the provision of information free of charge
1 A reasonable contribution to the costs may be requested if the provision of information involves disproportionate effort.
2 The maximum contribution is 300 Swiss francs.
3 The data subject must be informed of the amount of the contribution before the information is provided and may withdraw his or her request within ten days.
Section 2: Right to issue or transfer data
Art. 24
Articles 20(1), (4) and (5), as well as 21, 22 and 23 shall apply mutatis mutandis to the right to issue and transfer data, as well as their limitations.
Chapter 4: Special provisions on data processing by private persons
Art. 25 Data protection advisor
1 The data protection advisor of a private controller must perform the following tasks:
a. He or she reviews the processing of personal data and its requirements and recommends corrective measures if he or she finds that data protection regulations have been violated.
b. He or she shall participate in the preparation of the data protection impact assessment and review it, in any case if the private controller wishes to refrain from consulting the FDPIC within the meaning of Art. 23(4) FADP.
2 The private controller must:
a. provide the data protection advisor with the necessary resources;
b. grant him or her access to all information, documents, records of processing activities and personal data that he or she needs to perform his or her duties.
Art. 26 Exemption from the obligation to keep a register of processing activities
Companies and other organizations under private law that employ fewer than 250 employees at the beginning of a year, as well as natural persons, are exempt from the obligation to keep a register of processing activities, unless one of the following conditions is met:
a. Extensive personal data requiring special protection is processed.
b. High risk profiling is performed.
Chapter 5: Special Provisions on Data Processing by Federal Bodies
Section 1: Data protection advisor
Art. 27 Appointment
Each federal body shall appoint a data protection advisor. Several federal bodies may jointly appoint a data protection advisor.
Art. 28 Requirements and tasks
1 The data protection advisor must meet the following requirements:
a. He or she has the necessary expertise.
b. He or she shall exercise his or her function vis-à-vis the federal body in a professionally independent manner and without being bound by instructions.
2 He or she must perform the following duties:
a. He or she reviews the processing of personal data and its requirements and recommends corrective measures if he or she finds that data protection regulations have been violated.
b. He or she participates in the preparation of the data protection impact assessment and reviews it.
c. He or she reports data security breaches to the FDPIC.
d. He or she serves as a point of contact for data subjects.
f. He or she trains and advises the federal body and its employees on data protection issues.
Art. 29 Duties of the federal body
1 The federal body shall grant the data protection advisor access to all information, documents, lists of processing activities and personal data that he or she requires to perform his or her duties.
2 It shall publish the contact details of the data protection advisor on the internet and communicate these to the FDPIC.
Art. 30 Contact point of the FDPIC
The data protection advisor serves as a point of contact for the FDPIC for questions relating to the processing of personal data by the federal body concerned.
Section 2: Projects of Federal Bodies for the Automated Processing of Personal Data
Art. 31 Information to the data protection advisor
The federal body responsible shall inform the data protection advisor in good time when planning a project for the automated processing of personal data and in the event of adjustments after completion of the project so that data protection requirements are taken into account immediately.
Art. 32 Notification to the FDPIC
1 The responsible federal body shall notify the FDPIC of the planned automated processing activities at the time of the project approval or the decision to develop the project. The FDPIC shall include this notification in the register of processing activities.
2 The notification must contain the information in accordance with Article 12 paragraph 2 letters a‑d FADP and the expected date of commencement of the processing activities.
3 The responsible federal body shall update the notification upon transition to productive operation or upon project termination.
Section 3: Pilot testing
Art. 33 Indispensability of the test phase
A test phase as a pilot test is indispensable if one of the following conditions is met:
a. The fulfillment of a task requires technical innovations, the effects of which must first be evaluated.
b. The fulfillment of a task requires significant organizational or technical measures, the effectiveness of which must first be tested, especially in the case of cooperation between federal and cantonal bodies.
c. The fulfillment of the tasks requires that the personal data be made accessible by means of a retrieval procedure.
Art. 34 Authorization
1 Prior to consulting the interested administrative units, the federal body responsible for the pilot scheme shall explain to the FDPIC how compliance with the requirements under Article 35 FADP is to be ensured and shall invite the FDPIC to submit comments.
2 The FDPIC issues an opinion on whether the authorization requirements under Article 35 FADP have been met. The competent federal body shall provide it with all the documents necessary for this purpose, in particular:
a. a general description of the pilot test;
b. a report proving that the fulfillment of the tasks provided for by law requires processing within the meaning of Article 34 paragraph 2 FADP and that a test phase is indispensable before the entry into force of the law in the formal sense (Article 35 paragraph 1 letter c FADP);
c. a description of the internal organization and data processing and control procedures;
d. a description of the security and data protection measures;
e. the draft of an ordinance regulating the details of processing, or the concept of an ordinance;
f. the information concerning the planning of the different phases of the pilot test.
3 The FDPIC may request further documents and carry out additional investigations.
4 The competent federal body shall inform the FDPIC of any important change affecting compliance with the requirements of Article 35 FADP. The FDPIC shall comment again if necessary.
5 The opinion of the FDPIC must be attached to the application to the Federal Council.
6 The modalities of automated data processing are governed by an ordinance.
Art. 35 Evaluation report
The competent federal body shall submit the draft evaluation report to the FDPIC for the Federal Council’s opinion. The opinion of the FDPIC shall be brought to the attention of the Federal Council.
Section 4: Data processing for non-personal purposes
Art. 36
If personal data are processed for non-personal purposes, in particular research, planning and statistics, and at the same time for another purpose, the exceptions under Article 39 paragraph 2 FADP shall only apply to processing for the non-personal purposes.
Chapter 6: Federal Data Protection and Information Commissioner
Art. 37 Headquarters and permanent secretariat
1 The seat of the FDPIC is in Bern.
2 The employment relationships of the employees of the permanent secretariat of the FDPIC are governed by federal personnel legislation. The employees of the permanent secretariat of the FDPIC are insured against the economic consequences of old age, disability and death with the Federal Pension Fund PUBLICA.
Art. 38 Communication channel
1 The FDPIC communicates with the Federal Council via the Federal Chancellor. The latter shall forward the proposals, opinions and reports unchanged to the Federal Council.
2 It shall submit reports to the Federal Assembly via the Parliamentary Services.
Art. 39 Notification of guidelines and decisions
1 The departments and the Federal Chancellery shall notify the FDPIC of their guidelines in the area of data protection and their decisions in anonymous form.
2 The federal bodies shall submit to the FDPIC all draft legislation relating to the processing of personal data, data protection and access to official documents.
Art. 40 Processing of personal data
The FDPIC processes personal data, including personal data requiring special protection, in particular for the following purposes:
a. to carry out its supervisory activities;
b. to investigate breaches of data protection regulations;
c. for training and consulting of federal bodies and private persons;
d. to cooperate with federal, cantonal and foreign authorities;
e. to conduct conciliation proceedings and evaluations in accordance with the Federal Act of December 17, 2004 on the Principle of Publicity of the Administration (BGÖ);
f. to respond to citizen inquiries.
Art. 41 Self-regulation
1 The FDPIC shall draw up processing regulations for all automated processing operations. Article 5 paragraph 1 does not apply.
2 It shall provide for internal processes to ensure that processing is carried out in accordance with the processing regulations. It shall review annually whether the processing regulations are being complied with.
Art. 42 Cooperation with the National Cyber Security Centre (NCSC)
1 The FDPIC may forward the data breach notification information to the NCSC for the purpose of analyzing the incident. The FDPIC must first obtain the consent of the person responsible for the notification.
2 It shall invite the NCSC to submit its comments before ordering a measure in accordance with Article 51 paragraph 3 letter b FADP in respect of data security vis-à-vis a federal body.
Art. 43 Register of processing activities of federal bodies
1 The register of processing activities of federal bodies contains the information provided by federal bodies and their commissioned processors in accordance with Article 12 paragraphs 2 and 3 FADP and Article 32 paragraph 2 of this Ordinance.
2 It shall be published on the internet. The register entries on planned automated processing activities in accordance with Article 32 shall not be published.
Art. 44 Codes of conduct
If a code of conduct is submitted to the FDPIC, the FDPIC shall state in its opinion whether the code of conduct meets the requirements of Article 22(5)(a) and (b) FADP.
Art. 45 Fees
1 The fees charged by the FDPIC are based on the time spent.
2 An hourly rate of 150 to 350 francs shall apply. This is based on the complexity of the transaction and the function of the person responsible for processing it.
3 In all other respects, the General Fees Ordinance of September 8, 2004 shall apply.
Chapter 7: Final Provisions
Art. 46 Repeal and amendment of other enactments
The repeal and amendment of other enactments are regulated in Annex 2.
Art. 47 Transitional provision concerning the notification of planned automated processing activities to the FDPIC
Article 32 does not apply to planned automated processing activities for which the project approval or project development decision has already been made at the time of entry into force.
Art. 48 Entry into force
This Regulation shall enter into force on .…
Annex 1 (Article 8(5))
States, territories, specific sectors within a State, and international bodies with adequate data protection
[…]
Annex 2 (Article 46)
Repeal and Amendment of Other Decrees
[…]