Current Swiss data protection law also covers data relating to specified or identifiable legal persons (Art. 3 lit. a and b FADP) – an anomaly within Europe that raises questions in the case of cross-border data disclosures (in particular, whether a data transfer agreement must be concluded when data relating to legal persons are transferred to a state with otherwise adequate protection and whether the EU standard contractual clauses must be extended to data relating to legal persons; cf. the FDPIC explanatory notes on the transfer of personal data under the revised FADP, April 2011.).
The “Normkonzept”, the report of the accompanying group Revision DSG of November 29, 2014.The advisory group was still in favor of protecting legal entities in the revised FADP. Even then, however, a minority of the advisory group was of the opinion that legal entities should not be included as data subjects.
In its Response of August 2016 to the Béglé motion (16.3379): Promoting Switzerland as a universal virtual data vault However, the Federal Council has now stated that it wishes to exclude legal entities from the material scope of application of the revised FADP. It has stated the following in this regard:
The Federal Council considers it important to take into account the state of data protection law within the framework of the Council of Europe and the European Union. Therefore, it is planned to waive the protection of personal data of legal persons. This will improve cross-border data traffic, because the disclosure of data of legal persons abroad is no longer conditional on adequate data protection being guaranteed in the country of destination (Art. 6 FADP). The majority of experts consulted for the regulatory impact assessment of the revision of the Data Protection Act were also in favor of waiving the protection of legal entities’ personal data. Moreover, the practical scope of this protection provided for in Article 2(1) and Article 3(b) FADP is limited. […]
It can therefore be assumed that the preliminary draft of the revised DPA, which is expected in the next few days, intends to dispense with such protection.
It is true that such an amendment would be conceptually questionable insofar as, according to Art. 53 of the Civil Code, legal persons are “capable of all rights and duties” which “do not have the natural characteristics of a human being, such as sex, age or kinship, as a necessary prerequisite.” In substance, however – i.e. with a view to the legal consequences – it is correct not to protect legal persons via the DPA:
- Both within Switzerland and – after disclosure abroad – abroad, the protection in other areas of law, e.g. criminal law, the law of fair dealing and procedural law, is sufficient.
- When Art. 6 (1) DPA was created, serious dangers were envisaged, such as protection against data transfers to unjust regimes. Such a “serious” danger is not to be seen in the transfer of data of legal persons.
- In principle, an adequate level of protection can also be assumed for states that comply with Council of Europe Convention 108.
- And finally, in electronic data processing, a processor will generally not make a distinction between personal and other data, unless it is a matter of requests for information and correction.