Text of the current VDSG. The texts have been converted automatically – we thank you for pointing out errors.
Chapter 1: Processing of personal data by private persons
Section 1: Right to information
Art. 1 Modalities
1 Any person who requests information from the controller of a data file as to whether data relating to him or her is being processed (Art. 8 FADP) must, as a rule, make this request in writing and provide proof of his or her identity.
2 The request for information and the provision of information may be made by electronic means if the controller of the data file expressly so provides and takes reasonable measures to:
a. ensure the identification of the data subject; and
b. protect the personal data of the data subject from access by unauthorized third parties when providing information.
3 With the agreement of the controller of the data file or at his suggestion, the data subject may also inspect his data on site. The information may also be provided orally if the data subject has consented and has been identified by the controller.
4 The information or the reasoned decision on the restriction of the right to information (Art. 9 and 10 FADP) shall be provided within 30 days of receipt of the request for information. If the information cannot be provided within 30 days, the controller of the data file must notify the applicant of this and inform him of the period within which the information will be provided.
5 If one or more data files are jointly managed by several proprietors, the right to information may be asserted against any proprietor, unless one of them is responsible for handling all requests for information. If the controller of the data file is not authorized to provide information, he shall forward the request to the person responsible.
6 If the request for information relates to data processed by a third party on behalf of the controller of the data file, the controller shall forward the request to the third party for execution, unless the controller is itself in a position to provide information.
7 If information is requested about data relating to a deceased person, it must be provided if the applicant demonstrates an interest in the information and no overriding interests of relatives of the deceased person or of third parties conflict with this. Close kinship with, or marriage to, the deceased person constitutes an interest.
Art. 2 Exceptions to the provision of information free of charge
1 An appropriate contribution to the costs may exceptionally be required if:
a. the person making the request has already been provided with the requested information in the twelve months prior to the request and no interest worthy of protection in the provision of new information can be demonstrated. An interest worthy of protection is given in particular if the personal data has been changed without notification to the person concerned;
b. the provision of information involves a particularly large amount of work.
2 The maximum contribution is 300 Swiss francs. The applicant must be informed of the amount of the contribution before information is provided and may withdraw his application within ten days.
Section 2: Registration of data collections
Art. 3 Registration
1 Data files (Art. 11a para. 3 FADP) must be notified to the Federal Data Protection and Information Commissioner (Commissioner) before the data file is opened. The notification shall contain the following information:
a. Name and address of the owner of the data collection;
b. Name and full designation of the data collection;
c. Person with whom the right to information may be asserted;
d. Purpose of the data collection;
e. Categories of personal data processed;
f. Categories of data recipients;
g. Categories of participants in the data collection, i.e. third parties who may enter data into the data collection and make changes to the data.
2 Each owner of a data collection shall update this information on an ongoing basis. …
Art. 4 Exemptions from the obligation to register
1 Data collections under Article 11a paragraph 5 letters a and c‑f FADP and the following data collections (Article 11a paragraph 5 letter b FADP) are exempt from the obligation to register data collections:
a. Data collections from suppliers or customers, insofar as they do not contain any personal data or personality profiles requiring special protection;
b. Data collections whose data are used exclusively for non-personal purposes, namely in research, planning and statistics;
c. archived data collections kept only for historical or scientific purposes;
d. data files that contain only data that have been published or that the data subject himself/herself has made generally accessible and the processing of which he/she has not expressly prohibited;
e. Data that serve exclusively to fulfill the requirements of Article 10;
f. Accounting records;
g. Auxiliary data files for the personnel administration of the owner of the data file, provided they do not contain any personal data or personality profiles requiring special protection.
2 The controller of the data files shall take the necessary measures to be able to communicate the information (Art. 3 para. 1) on the data files not subject to the obligation to register to the commissioner or the data subjects on request.
Section 3: Disclosure abroad
Art. 5 Publication in electronic form
If personal data is made generally available to the public by means of automated information and communication services for the purpose of providing information, this shall not be deemed to be a transfer abroad.
Art. 6 Transparency and information
1 The controller of the data file shall inform the Commissioner prior to disclosure abroad of the guarantees and data protection rules in accordance with Article 6 paragraph 2 letters a and g FADP. If prior information is not possible, it must be provided immediately after disclosure.
2 If the Commissioner has been informed of the guarantees and the data protection rules, the information obligation shall be deemed to have been fulfilled for all further disclosures that:
a. take place under the same safeguards, provided that the categories of recipients, the purpose of the processing and the categories of data remain substantially unchanged; or
b. take place within the same legal entity or company or between legal entities or companies under unified management, to the extent that the data protection rules continue to provide adequate protection.
3 The duty to inform shall also be deemed to have been fulfilled if data are transmitted on the basis of model contracts or standard contractual clauses drawn up or recognized by the commissioner and the commissioner has been informed in general terms by the controller of the data file about the use of these model contracts or standard contractual clauses. The commissioner shall publish a list of the model contracts and standard contractual clauses created or recognized by it.
4 The data controller shall take reasonable measures to ensure that the recipient complies with the safeguards and data protection rules.
5 The Commissioner shall examine the guarantees and the data protection rules communicated to him (Art. 31 para. 1 let. e FADP) and shall notify the controller of the data file of the result of his examination within 30 days of receipt of the information.
Art. 7 List of states with adequate data protection legislation
The commissioner publishes a list of states whose legislation ensures adequate data protection.
Section 4: Technical and organizational measures
Art. 8 General measures
1 Anyone who processes personal data or provides a data communications network as a private individual shall ensure the confidentiality, availability and integrity of the data in order to guarantee adequate data protection. In particular, he shall protect the systems against the following risks:
a. unauthorized or accidental destruction;
b. accidental loss;
c. technical errors;
d. Forgery, theft or unlawful use;
e. unauthorized alteration, copying, access or other unauthorized editing.
2 The technical and organizational measures must be appropriate. In particular, they shall take into account the following criteria:
a. Purpose of data processing;
b. The nature and extent of data processing;
c. Assessment of the possible risks for the persons concerned;
d. current state of the art.
3 These measures shall be reviewed periodically.
Art. 9 Special measures
1 The controller of the data file shall, in particular in the case of automated processing of personal data, take the technical and organizational measures appropriate to meet the following objectives in particular:
a. Entry control: unauthorized persons shall be denied access to the facilities where personal data are processed;
b. Personal data carrier control: unauthorized persons must be prevented from reading, copying, modifying or removing data carriers;
c. Transport control: during the disclosure of personal data as well as during the transport of data carriers, it must be prevented that the data can be read, copied, changed or deleted without authorization;
d. Disclosure control: Data recipients to whom personal data are disclosed by means of data transmission equipment must be identifiable;
e. Memory control: unauthorized entry into the memory and unauthorized viewing, modification or deletion of stored personal data must be prevented;
f. User control: the use of automated data processing systems by means of data transmission equipment by unauthorized persons shall be prevented;
g. Access control: the access of authorized persons shall be limited to those personal data that they need for the fulfillment of their task;
h. Input control: in automated systems, it must be possible to check retrospectively which personal data was entered at what time and by which person.
2 The data collections must be designed in such a way that the data subjects can exercise their right to information and their right to rectification.
Art. 10 Logging
1 The controller of the data file shall log the automated processing of sensitive personal data or personality profiles if preventive measures cannot guarantee data protection. Logging must be carried out in particular if it cannot otherwise be determined retrospectively whether the data was processed for the purposes for which it was collected or disclosed. The commissioner may also recommend logging for other processing operations.
2 The logs must be kept in an auditable form for a period of one year. They are accessible only to the bodies or private persons responsible for monitoring data protection regulations and may be used only for this purpose.
Art. 11 Processing regulations
1 The controller of an automated data file subject to notification (Art. 11a para. 3 FADP) that is not exempted from the notification requirement on the basis of Article 11a para. 5 letters b‑d FADP shall draw up processing regulations that describe in particular the internal organization as well as the data processing and control procedure and contain the documents relating to the planning, implementation and operation of the data file and the IT resources.
2 The controller of the data file shall update the regulations regularly. He shall make them available to the Commissioner or the data protection officer in accordance with Article 11a paragraph 5 letter e FADP on request in a form that they can understand.
Art. 12 Disclosure of data
The data controller shall notify the data recipient of the timeliness and reliability of the personal data disclosed by the data controller, unless this information is apparent from the data itself or from the circumstances.
Section 5: Data Protection Officer
Art. 12a Designation of the data protection officer and notification to the commissioner
1 If the controller of the data file in accordance with Article 11a paragraph 5 letter e FADP wishes to be exempted from the obligation to register the data file, he must:
a. designate an operational data protection officer who meets the requirements of paragraph 2 and of Article 12b; and
b. inform the Commissioner of the designation of the data protection officer.
2 The controller of the data file may designate an employee or a third party as data protection officer. This person may not carry out any other activities that are incompatible with his or her duties as data protection officer and must have the necessary expertise.
Art. 12b Tasks and position of the data protection officer
1 The data protection officer has the following tasks in particular:
a. It reviews the processing of personal data and recommends corrective measures if it finds that data protection regulations have been violated.
b. It shall maintain a list of the data files pursuant to Article 11a paragraph 3 FADP kept by the data file owner; this list shall be made available to the commissioner or to data subjects who submit a request to this effect.
2 The Data Protection Officer:
a. exercises his function in a professionally independent manner, without being subject to instructions from the owner of the data collection in this respect;
b. has the resources necessary to perform its duties;
c. has access to all data collections and data processing as well as to all information required for the fulfillment of his task.
Chapter 2: Processing of Personal Data by Federal Bodies
Section 1: Right to information
Art. 13 Modalities
Articles 1 and 2 shall apply mutatis mutandis to requests for information addressed to federal bodies.
Art. 14 Requests for information to Swiss diplomatic missions abroad
1 Switzerland’s representations abroad and its missions to the European Communities and to international organisations shall forward requests for information submitted to them to the competent office in the Federal Department of Foreign Affairs. The Department shall regulate the responsibilities.
2 In all other respects, the provisions of the Ordinance of 10 December 2004 on Military Control apply to requests for information on military control abroad.
Art. 15
…
Section 2: Registration of data collections
Art. 16 Registration
1 The federal bodies responsible (Art. 16 FADP) shall notify the Commissioner of all data files they maintain before they are opened. The notification shall contain the following information:
a. Name and address of the responsible federal entity;
b. Name and full designation of the data collection;
c. the body against which the right to information may be asserted;
d. Legal basis and purpose of the data collection;
e. Categories of personal data processed;
f. Categories of recipients of the data;
g. Categories of participants in the data collection, i.e. third parties who may enter and modify data in a data collection.
h. …
2 The responsible federal body shall update this information on an ongoing basis.
Art. 17
Art. 18 Exemptions from the obligation to register
1 The following data collections are not subject to the obligation to register, provided that the federal bodies use them exclusively for internal administrative purposes:
a. Correspondence registries;
b. Data collections from suppliers or customers, insofar as they do not contain any personal data or personality profiles requiring special protection;
c. Address collections that are used solely for addressing purposes, provided they do not contain any personal data or personality profiles that require special protection;
d. Lists for compensation payments;
e. Accounting records;
f. Auxiliary data collections for federal personnel administration, insofar as they do not contain any personal data or personality profiles requiring special protection;
g. Library data collections (author catalogs, borrower and user directories).
2 Also not subject to the registration requirement:
a. Data collections archived at the Federal Archives;
b. Data collections made available to the public in the form of directories;
c. Data collections whose data are used exclusively for non-personal purposes, namely in research, planning and statistics.
3 The federal body responsible shall take the necessary measures to be able to communicate the information (Art. 16 para. 1) on data files not subject to the obligation to register to the Commissioner or the data subjects on request.
Section 3: Disclosure abroad
Art. 19
If a federal body discloses personal data abroad on the basis of Article 6 paragraph 2 letter a FADP, Article 6 shall apply.
Section 4: Technical and organizational measures
Art. 20 Principles
1 The federal bodies responsible shall take the technical and organizational measures required in accordance with Articles 8 – 10 to protect the personality and fundamental rights of the persons about whom data are processed. In the case of automated data processing, the federal bodies shall cooperate with the Federal Strategy Unit for IT (FSUIT).
2 The federal bodies responsible shall notify the data protection officer in accordance with Article 11a paragraph 5 letter e FADP or, if there is no such officer, the Commissioner without delay of all projects involving the automated processing of personal data so that the requirements of data protection are taken into account immediately. The notification to the Commissioner shall be made via the FSUIT if the project must also be notified to the latter.
3 The Commissioner and the FSUIT shall cooperate within the framework of their activities concerning technical measures. The Commissioner shall obtain the opinion of the FSUIT before recommending such measures.
4 In all other respects, the directives issued by the responsible federal bodies on the basis of the Federal IT Ordinance of 26 September 2003 shall apply.
Art. 21 Processing regulations
1 The responsible federal bodies shall draw up processing regulations for automated data collections that:
a. contain particularly sensitive data or personality profiles;
b. are used by more than one federal agency;
c. are made available to cantons, foreign authorities, international organizations or private persons; or
d. are linked to other data collections.
2 The responsible federal body shall define its internal organisation in the processing regulations. These regulations shall describe in particular the data processing and control procedures and contain all documents relating to the planning, implementation and operation of the data file. The regulations shall contain the information required for the reporting obligation (Art. 16) as well as information on:
a. the body responsible for data protection and data security of the data;
b. the origin of the data;
c. the purposes for which the data are regularly disclosed;
d. the control procedures and in particular the technical and organizational measures in accordance with Article 20;
e. the description of the data fields and the organizational units that have access to them;
f. The nature and extent of access by users of the data collection;
g. the data processing procedures, in particular those relating to the rectification, blocking, anonymization, storage, retention, archiving or destruction of the data;
h. the configuration of the IT resources;
i. the procedure for exercising the right to information.
3 The regulations shall be updated regularly. They shall be made available to the competent control bodies in a form that they can understand.
Art. 22 Data processing on behalf
1 …
2 The federal body that has personal data processed by third parties remains responsible for data protection. It shall ensure that the data are processed in accordance with the mandate, in particular with regard to their use and disclosure.
3 If the third party is not subject to the FADP, the responsible body shall ensure that other legal provisions guarantee equivalent data protection, otherwise it shall ensure this by contractual means.
Art. 23 Advisor for data protection
1 The Federal Chancellery and the departments shall each designate at least one advisor for data protection. This advisor shall have the following tasks:
a. Support of the responsible bodies and users;
b. Promote information and training of employees;
c. Participation in the enforcement of data protection regulations.
2 If federal bodies under Article 11a paragraph 5 letter e FADP wish to be exempted from the obligation to register their data files, Articles 12a and 12b apply.
3 The federal bodies shall communicate with the commissioner through the advisor.
Section 5: Special provisions
Art. 24 Obtaining personal data
If the person questioned is not obliged to provide information, the federal body systematically obtaining the personal data by means of a questionnaire must inform him or her that the provision of information is voluntary.
Art. 25 Personal identification number
1 The federal body that introduces a personal identification number for the management of its data collection creates a non-speaking number that is used in its own area of responsibility. A non-speaking number is any unique or reversibly unique sum of characters that is assigned to each person registered in a data collection and from which no conclusions can be drawn about the person.
2 The use of the personal identification number by other federal or cantonal bodies and by private persons must be approved by the federal body concerned.
3 Authorisation may be granted if there is a close connection between the intended data processing and the data processing for which the personal identification number was created.
4 In all other respects, the use of the AHV number is governed by AHV legislation.
Art. 26 Disclosure of data
The responsible federal body shall notify the data recipient of the timeliness and reliability of the personal data disclosed by it, unless this information is evident from the data itself or from the circumstances.
Art. 27 Procedure for the approval of pilot trials
1 Prior to consulting the interested administrative units, the federal body responsible for the pilot scheme shall set out for the attention of the Commissioner how compliance with the requirements under Article 17a FADP is to be ensured and shall invite the Commissioner to submit comments.
2 The Commissioner shall comment on whether the approval requirements in accordance with Article 17a paragraphs 1 and 2 FADP are met. The competent federal body shall provide him with all documents necessary for this purpose, in particular:
a. a general description of the pilot test;
b. a report proving that the fulfillment of the tasks provided for by law requires the processing of personal data or personality profiles requiring special protection and that a test phase is mandatory before the law in the formal sense comes into force (Art. 17a para. 1 let. c FADP);
c. a description of the internal organization and the data processing and control procedures (Art. 21);
d. a description of the security and data protection measures;
e. the draft or concept of an ordinance regulating the details of processing;
f. the information concerning the planning of the different phases of the pilot test.
3 The commissioner may request further documents and carry out additional clarifications.
4 The competent federal body shall inform the Commissioner of any important change affecting compliance with the requirements of Article 17a FADP. The Commissioner shall comment again if necessary.
5 The opinion of the commissioner shall be attached to the application to the Federal Council.
Art. 27a Evaluation report for pilot tests
The competent federal body shall submit the draft evaluation report intended for the Federal Council (Art. 17a para. 4 FADP) to the Commissioner for his opinion. The Commissioner’s opinion shall be brought to the attention of the Federal Council.
Chapter 3: Register of Data Collections, Federal Data Protection and Information Commissioner and Proceedings before the Federal Administrative Court
Section 1: Register and registration of data collections
Art. 28 Register of data collections
1 The register kept by the commissioner shall contain the information referred to in Articles 3 and 16.
2 The register is accessible to the public online. The commissioner shall provide excerpts free of charge upon request.
3 The Commissioner shall maintain a list of data file owners who are exempt from their obligation to register data files in accordance with Article 11a paragraph 5 letters e and f FADP. This directory shall be accessible to the public online.
4 If the controller of the data file does not register his data file or does not register it completely, the Commissioner shall set him a deadline to comply with his obligations. After expiry of the deadline, he may, on the basis of the information available to him, register the data file ex officio or recommend that processing be discontinued.
Art. 29
Section 2: Federal Data Protection and Information Commissioner
Art. 30 Seat and legal status
1 The seat and secretariat of the commissioner are located in Bern.
2 The employment relationship of the secretariat of the Commissioner is governed by the Federal Personnel Act of 24 March 2000 and its implementing provisions.
3 The budget of the Commissioner shall be listed in a special section of the budget of the Federal Chancellery.
Art. 31 Relations with other authorities and private persons
1 The Commissioner shall communicate with the Federal Council through the Federal Chancellor. The latter shall forward all recommendations and reports of the Commissioner to the Federal Council, even if he cannot agree to them.
1bis The Commissioner shall transmit the reports intended for the Federal Assembly directly to the Parliamentary Services.
2 The Commissioner shall communicate directly with the other administrative units, the federal courts, foreign data protection authorities and with all other authorities and private persons who are subject to the federal data protection legislation or the legislation on the principle of administrative transparency.
Art. 32 Documentation
1 The federal bodies shall submit to the Commissioner all draft legislation relating to the processing of personal data, data protection and access to official documents. In the area of data protection, the departments and the Federal Chancellery shall notify him of their decisions in anonymous form and of their guidelines.
2 The commissioner must have sufficient documentation for his activities. He shall operate an independent information and documentation system for the management, indexing and control of correspondence and dossiers, as well as for the publication of information of general interest and the register of data collections on the Internet.
3 The Federal Administrative Court has access to the scientific documentation of the Commissioner.
Art. 33 Fees
1 A fee shall be charged for the expert opinions (Art. 28 FADP) of the Commissioner. The provisions of the General Fees Ordinance of 8 September 2004 are applicable.
2 No fee is charged to administrative units of the Confederation, authorities and cantons.
Art. 34 Checking the processing of personal data
1 For the clarification of the facts in accordance with Articles 27 and 29 FADP, in particular when checking the lawfulness of data processing, the Commissioner may request the following information in particular from the controller of the data file:
a. technical and organizational measures (Art. 8 – 10, 20) that have been taken or are planned;
b. the regulations concerning the correction, blocking, anonymization, storage, retention and destruction of personal data;
c. the configuration of the information technology resources;
d. the links with other data collections;
e. the method of disclosure of the data;
f. the description of the data fields and the organizational units that have access to them;
g. The type and extent of user access to the data in the data collection.
2 In the case of disclosures abroad, the Commissioner may request additional information, in particular on the data recipient’s processing capabilities or on the measures taken for data protection.
Section 3: Proceedings before the Federal Administrative Court
Art. 35
1 The Federal Administrative Court may request that data processing operations be submitted to it.
2 It shall notify the commissioner of its decisions.
Chapter 4: Final Provisions
Art. 36 Amendment of the previous law
[…]
Art. 37 Transitional provisions
1 Data collections in process at the time the Data Protection Act and this Ordinance come into force must be registered with the Commissioner by 30 June 1994.
2 The technical and organizational measures (Articles 8 – 11, 20 and 21) must be implemented within five years of the entry into force of this Ordinance for all automated processing and data collection.
Art. 38 Entry into force
This Ordinance shall enter into force on July 1, 1993.