The currently valid
Law on Information and Data Protection of the Canton of Zurich.
fold out | fold
I. General provisions
Art. 1 Subject matter and purpose
1 This Act governs the handling of information by public bodies.
2 Its purpose is,
a. to make the actions of public bodies transparent, thereby promoting the free formation of opinion and the exercise of democratic rights, and to facilitate the control of government action,
b. to protect the fundamental rights of persons about whom the public bodies process data.
Art. 2 Scope
1 This Act applies to public bodies. It applies to the courts only insofar as they perform administrative tasks.
2 It does not apply:
a. to the extent that public bodies participate in economic competition and do not act in a sovereign manner,
b. for the relationship between the Cantonal Council and its standing committees and the authorities and institutions subject to its supervision.
Art. 3 Terms
In this law mean:
Public bodies:
a. The cantonal council, the municipal parliaments and the municipal assemblies,
b. Authorities and administrations of the canton and the municipalities,
c. Organizations and persons under public and private law, insofar as they are entrusted with the performance of public duties.
Information:
All records relating to the performance of a public task, regardless of their form of presentation and information carrier. Excluded are records that have not been completed or that are intended exclusively for personal use.
Personal data:
Information that relates to an identified or identifiable individual.
Special personal data:
a. Information which, because of its importance, the way in which it is processed or the possibility of its being linked to other information, involves a particular risk of infringement of personality rights, such as information about
1. religious, ideological, political or trade union views or activities,
2. health, privacy, race or ethnicity,
3. social assistance measures,
4. administrative or criminal prosecutions or sanctions.
b. Compilations of information that allow an assessment of essential aspects of the personality of natural persons.
Edit:
Any handling of information such as obtaining, storing, using, reworking, disclosing or destroying.
Announce:
Making information accessible, such as granting access, sharing or publishing.
II. principles in handling information
1. in general
Art. 4 Transparency principle
The public body shall organize the handling of information in such a way that it can provide information quickly, comprehensively and factually.
Art. 5 Information management
1 The public body shall manage its information in such a way that administrative action is comprehensible and accountability is guaranteed. If several public bodies process a common body of information, they shall regulate the responsibilities.
2 If the public body no longer requires information and finding aids for its administrative activities, it shall retain them for a maximum of ten years.
3 After expiry of the retention period, the public body shall offer the information and finding aids to the competent archive. Information that is not archived must be destroyed.
4 For the cantonal administration, the Government Council shall regulate the details in an ordinance.
Art. 6 Editing on behalf
1 The public body may delegate the processing of information to third parties, provided that there is no legal provision or contractual agreement to the contrary.
2 It shall remain responsible for handling information under this Act.
Art. 7 Information security
1 The public body shall protect information by appropriate organizational and technical measures.
2 The measures are based on the following protection objectives:
a. Information must not come to the knowledge unlawfully,
b. Information must be correct and complete,
c. Information must be available when needed,
d. Information processing must be attributable to a person,
e. Changes in information must be recognizable and traceable.
3 The measures to be taken depend on the type of information, the type and purpose of use and the respective state of the art.
2. special principles in handling personal data
Art. 8 Legality
1 The public body may process personal data insofar as this is suitable and necessary for the fulfillment of its legally defined tasks.
2 The processing of special personal data requires a sufficiently specific regulation in a formal law.
Art. 9 Earmarking
1 The public body may process personal data only for the purpose for which it was collected, unless a legal provision expressly provides for further use or the data subject consents in an individual case.
2 For a non-personal purpose, the public body may process personal data if it is made anonymous and no conclusions can be drawn about data subjects from the evaluations.
Art. 10 Prior checking
The public body shall submit any intended processing of personal data involving particular risks to the rights and freedoms of the data subjects to the Data Protection Officer in advance for review.
Art. 11 Avoidance of personal reference
1 The public body shall design data processing systems and programs in such a way that as little personal data as possible is generated that is not necessary for the performance of tasks.
2 It shall delete, anonymize or pseudonymize such personal data as soon as and insofar as this is possible.
Art. 12. recognizability of procurement transparency and information
1 The acquisition of personal data and in particular the purpose of its processing must be recognizable to the data subject.
2 When obtaining special personal data, the controller of the data collection is obliged to inform the data subject of the purpose of its processing.
Art. 13 Quality assurance
1 To ensure the quality of information processing, the public body may have its procedures, organization and technical facilities audited and evaluated by an independent and recognized body.
2 The Government Council shall regulate the details in an ordinance.
III. disclosure of information
Art. 14 Information activity ex officio
1 The public body shall provide information on its own initiative about its activities of general interest.
2 It provides information on its structure, responsibilities and contact persons.
3 The public body may only provide information on pending proceedings if this is necessary to correct or avoid false reports or if in a particularly serious or sensational case, immediate information is indicated.
4 It shall make publicly available a list of its information holdings and their purposes. It shall identify information resources that contain personal data.
Art. 15 Media
1 The public body shall, as far as possible, take into account the needs of the media in its information activities.
2 It may provide for the accreditation of media representatives.
Art. 16 Disclosure of personal data a. In general
1 The public body shall disclose personal data if
a. a legal provision authorizes it to do so,
b. the data subject has consented in the individual case or
c. it is indispensable in individual cases to avert imminent danger to life and limb or the necessary protection of other essential legal interests is to be given greater weight.
2 In individual cases, it shall also disclose personal data to another public body and to the bodies of other cantons or of the Confederation if the body requesting the personal data requires it to fulfil its statutory duties.
Art. 17 b. Special personal data
1 The public body shall disclose special personal data if
a. a sufficiently specific provision in a formal law authorizes it,
b. the data subject has expressly consented to the disclosure of special personal data in an individual case, or
c. it is indispensable in individual cases to avert imminent danger to life and limb or the necessary protection of other essential legal interests is to be given greater weight.
2 It shall also disclose special personal data to another public body and to the bodies of other cantons or of the Confederation in individual cases if the body requesting special personal data requires it in order to perform its statutory duties.
Art. 18 c. For non-personal purposes
1 The public body may disclose personal data for processing for non-personal purposes, unless this is excluded by a legal provision.
2 The recipient must provide evidence that the personal data will be made anonymous, that no conclusions can be drawn about data subjects from the evaluations and that the original personal data will be destroyed after the evaluation.
Art. 19 d. Cross-border
To recipients not subject to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the public body shall disclose personal data if
a. adequate protection for the data transfer is ensured in the recipient state,
b. a legal basis permits this in order to protect certain interests of the data subject or overriding public interests, or
c. adequate contractual safeguards are provided by the public body.
IV. Right of access to information and other legal claims
Art. 20 Access to information
1 Everyone has the right of access to information held by a public body.
2 Every person has the right to access his or her own personal data.
3 In administrative and administrative justice proceedings that have not been finally concluded, the right of access to information shall be governed by the relevant procedural law.
Art. 21 Protection of own personal data
The data subject may request the public body to
a. corrects or destroys inaccurate personal data,
b. refrains from unlawful processing of personal data,
c. eliminates the consequences of unlawful processing,
d. establishes the unlawfulness of the processing.
Art. 22 Blocking of personal data
1 The data subject may have the disclosure of his or her personal data to private parties blocked if the public body may disclose personal data unconditionally on the basis of a special legal provision.
2 The public body shall disclose personal data despite blocking if the person making the request proves that the blocking prevents him or her from pursuing his or her own rights against the data subject.
V. Restrictions in individual cases
Art. 23 Balancing of interests
1 The public body shall refuse to disclose information in whole or in part or shall defer disclosure if a legal provision or an overriding public or private interest prevents this.
2 A public interest exists in particular if
a. the information concerns positions in contract negotiations,
b. the disclosure of the information interferes with the opinion-forming process of the public body,
c. the disclosure of the information jeopardizes the effect of investigative, safety or supervisory measures,
d. the disclosure of the information affects relations among the communes, with another canton, with the Confederation or with foreign countries,
e. the disclosure impairs the implementation of specific official measures in accordance with the objectives.
3 A private interest exists in particular if the privacy of third parties is impaired by the disclosure of the information.
VI. procedure for access to information
Art. 24 Request
1 Anyone wishing to have access to information in accordance with Art. 20 Para. 1 shall submit a written request.
2 In response to oral requests, the public body may provide information orally.
Art. 25 Examination of the application
1 The public body may refuse a request if it relates to information that is already public and available in a reasonable manner. This source must be indicated.
2 If the processing of the request involves a disproportionate effort on the part of the public body, it may make access to the information dependent on proof of an interest worthy of protection on the part of the person making the request.
Art. 26 Consultation of third parties concerned
1 If the public body wishes to grant access to the information and the request concerns personal data or information classified as confidential, the public body shall give the third parties concerned the opportunity to comment within a reasonable period.
2 If the request relates to special personal data, the public body shall refuse the request if the third parties concerned do not expressly consent to access.
Art. 27 Disposition
1 The public body shall issue an order if it wishes to refuse, restrict or postpone access to the information requested.
2 If it wishes to grant access to information contrary to the wishes of third parties, it shall notify the third parties concerned by means of an order.
Art. 28 Time limits
1 Within 30 days of receipt of the request, the public body shall grant access to the information or issue an order restricting the right of access.
2 If the public body is unable to meet this deadline, it shall notify the person making the application before it expires, stating the reasons, as to when the decision on the application will be available.
Art. 29 Fees and charges
1 The public body shall charge a fee for the processing of applications from private persons.
2 No fee is charged
a. when access to information requires a small amount of effort,
b. for the processing of requests concerning their own personal data,
c. if the application serves scientific purposes and the results of the processing are expected to be useful to the public.
3 If the processing of the application involves considerable costs, the public body shall inform the person submitting the application accordingly. In this case, it may demand a reasonable advance payment.
4 If information is suitable for commercial use, a fee may be charged that is based on the market.
VII. Data Protection Officer or Representative
Art. 30. position and salary
1 At the request of the cantonal government, the cantonal council shall elect a data protection officer for a four-year term of office.
2 The salary of the Data Protection Officer shall be equal to 83% of the maximum amount of the highest salary grade of the cantonal employees.
3 The data protection officer shall be independent. She or he is administratively assigned to the management of the Cantonal Council.
Art. 31. personnel
1 The personnel law of the canton shall apply to the Commissioner and his or her staff. The provisions of this Act remain reserved.
2 The commissioner shall be responsible for the hiring and promotion of his or her staff within the limits of the budget approved by the cantonal council.17
Art. 32. budgetary management, controlling and accounting
1 The commissioner is subject to the Controlling and Accounting Act (CRG)12 and the implementing decrees of the Government Council on this Act.
2 He or she shall be on an equal footing with the Government Council with regard to spending powers. §§ Sections 19 – 25 CRG12 apply mutatis mutandis.
3 The commissioner shall keep his or her own accounts. He or she shall submit an annual overview of the development of services and finances, a draft budget and the accounts to the cantonal council.
Art. 33 Commissioner in municipalities and organizations
1 The municipalities and the organizations pursuant to § 3 may appoint their own commissioners. The cantonal government may require municipalities with at least 50,000 inhabitants to do so.
2 The communes and the organizations pursuant to § 3 shall regulate the election and organization independently. They shall ensure that the commissioners have the necessary professional qualifications and are independent in the exercise of their duties and powers. The cantonal commissioner shall exercise overall supervision.
Art. 34. tasks
The commissioner or the commissioner
a. supports and advises public bodies on data protection issues,
b. advises private individuals about their rights,
c. monitors the application of the regulations on data protection,
d. mediates between data subjects and public bodies in disputes concerning data protection,
e. informs the public about data protection concerns,
f. assesses decrees and projects that affect data protection,
g. provides education and training on data protection issues.
Art. 35 Control powers
1 Notwithstanding any obligation to maintain secrecy, the commissioner may obtain information from public bodies and commissioned third parties in accordance with § 6 about the processing of data, inspect the data and have the processing demonstrated to him or her, insofar as this is necessary for his or her activities.
2 The public bodies and the commissioned third parties shall cooperate in establishing the facts of the case.
Art. 36 Recommendations and powers of intervention
1 If the Commissioner identifies a breach of provisions on data protection, he or she shall make a recommendation to the public body as to what measures are to be taken.
2 If the public body does not wish to follow a recommendation, it shall issue an order.
3 The commissioner is entitled to appeal against the order in accordance with the Administrative Law Act of 24 May 19599.
Art. 37. cooperation
The commissioner shall cooperate with the bodies of the other cantons, the Confederation and foreign countries that perform the same tasks in order to fulfill the control task pursuant to § 35.
Art. 38. Confidentiality
The commissioner and the employees are obliged to maintain the same confidentiality with regard to information of which they become aware in the course of their work as the public body handling the matter.
Art. 39. reporting
The commissioner shall periodically report to the electoral body on the scope and focus of activities, on important findings and assessments, and on the effect of the law. The report shall be published.
Art. 39 a. Legal protection
1 Appeals against orders issued by the Commissioner in matters of personnel law or administration may be lodged with the Administrative Commission of the Executive Board of the Cantonal Council.
2 The duty of confidentiality in accordance with § 38 also applies to the appellate bodies.
3 In all other respects, legal protection shall be governed by the Administrative Jurisdiction Act of 24 May 1959.
VIII Penal provisions
Art. 40 Processing of personal data in breach of contract
1 Anyone who, as a commissioned person in accordance with Art. 6, uses personal data for himself or for others or discloses such data to others without the express authorization of the commissioning public body shall be liable to a fine.
2 The investigation and assessment of infringements is the responsibility of the governor’s offices.
IX. Final and transitional provisions
Art. 41. transitional law
Information files containing special personal data existing at the time of the entry into force of this Act may be processed or disclosed by the public body for a period of five years after the entry into force of this Act without the requirements of Section 8(2) or Section 17(1)(a) being met.
Art. 42 Adaptation of designations
1 In the following acts, the term “Data Protection Act” or “Personal Data Protection Act” is replaced by the term “Information and Data Protection Act”:
a. Law on Outsourcing of Information Technology Services8: § 3 para. 1 and 2,
b. Tax Act: Section 122, subsection 2.
2 In the following acts, the expression “personal data requiring special protection” or “data requiring special protection” is replaced by the expression “special personal data”:
a. Law on outsourcing of IT services: § 3 para. 1,
b. Financial Control Act: Section 25(2).
Art. 43. Upon the entry into force of this Act, the Data Protection Act of 6 June 1993 shall be repealed.
Art. 44. The following laws are amended as follows:
[…]