Federal Coun­cil: no pro­tec­tion of legal per­sons in the FADP under revision

Cur­rent Swiss data pro­tec­tion law also covers data rela­ting to spe­ci­fied or iden­ti­fia­ble legal per­sons (Art. 3 lit. a and b FADP) – an ano­ma­ly wit­hin Euro­pe that rai­ses que­sti­ons in the case of cross-bor­der data dis­clo­sures (in par­ti­cu­lar, whe­ther a data trans­fer agree­ment must be con­clu­ded when data rela­ting to legal per­sons are trans­fer­red to a sta­te with other­wi­se ade­qua­te pro­tec­tion and whe­ther the EU stan­dard con­trac­tu­al clau­ses must be exten­ded to data rela­ting to legal per­sons; cf. the FDPIC explana­to­ry notes on the trans­fer of per­so­nal data under the revi­sed FADP, April 2011.).

The “Norm­kon­zept”, the report of the accom­pany­ing group Revi­si­on DSG of Novem­ber 29, 2014.The advi­so­ry group was still in favor of pro­tec­ting legal enti­ties in the revi­sed FADP. Even then, howe­ver, a mino­ri­ty of the advi­so­ry group was of the opi­ni­on that legal enti­ties should not be inclu­ded as data subjects.

In its Respon­se of August 2016 to the Bég­lé moti­on (16.3379): Pro­mo­ting Switz­er­land as a uni­ver­sal vir­tu­al data vault Howe­ver, the Federal Coun­cil has now sta­ted that it wis­hes to exclu­de legal enti­ties from the mate­ri­al scope of app­li­ca­ti­on of the revi­sed FADP. It has sta­ted the fol­lo­wing in this regard: 

The Federal Coun­cil con­si­ders it important to take into account the sta­te of data pro­tec­tion law wit­hin the frame­work of the Coun­cil of Euro­pe and the Euro­pean Uni­on. The­re­fo­re, it is plan­ned to wai­ve the pro­tec­tion of per­so­nal data of legal per­sons. This will impro­ve cross-bor­der data traf­fic, becau­se the dis­clo­sure of data of legal per­sons abroad is no lon­ger con­di­tio­nal on ade­qua­te data pro­tec­tion being gua­ran­te­ed in the coun­try of desti­na­ti­on (Art. 6 FADP). The majo­ri­ty of experts con­sul­ted for the regu­la­to­ry impact assess­ment of the revi­si­on of the Data Pro­tec­tion Act were also in favor of wai­ving the pro­tec­tion of legal enti­ties’ per­so­nal data. Moreo­ver, the prac­ti­cal scope of this pro­tec­tion pro­vi­ded for in Arti­cle 2(1) and Arti­cle 3(b) FADP is limited. […]

It can the­re­fo­re be assu­med that the preli­mi­na­ry draft of the revi­sed DPA, which is expec­ted in the next few days, intends to dis­pen­se with such protection.

It is true that such an amend­ment would be con­cep­tual­ly que­stion­ab­le inso­far as, accord­ing to Art. 53 of the Civil Code, legal per­sons are “capa­ble of all rights and duties” which “do not have the natu­ral cha­rac­te­ri­stics of a human being, such as sex, age or kin­ship, as a necessa­ry pre­re­qui­si­te.” In sub­stance, howe­ver – i.e. with a view to the legal con­se­quen­ces – it is cor­rect not to pro­tect legal per­sons via the DPA:

  • Both wit­hin Switz­er­land and – after dis­clo­sure abroad – abroad, the pro­tec­tion in other are­as of law, e.g. cri­mi­nal law, the law of fair dealing and pro­ce­du­ral law, is sufficient.
  • When Art. 6 (1) DPA was crea­ted, serious dan­gers were envi­sa­ged, such as pro­tec­tion against data trans­fers to unjust regimes. Such a “serious” dan­ger is not to be seen in the trans­fer of data of legal persons.
  • In princip­le, an ade­qua­te level of pro­tec­tion can also be assu­med for sta­tes that com­ply with Coun­cil of Euro­pe Con­ven­ti­on 108.
  • And final­ly, in elec­tro­nic data pro­ces­sing, a pro­ces­sor will gene­ral­ly not make a distinc­tion bet­ween per­so­nal and other data, unless it is a mat­ter of requests for infor­ma­ti­on and correction.