The translation into English is by Hugh Reeves and Corinne Gilgen (both Walder Wyss). It can be used under a CC BY-ND 4.0 license be used. A version as PDF can be found here. The German version can be found here.
fold out | fold
Chapter 1: Purpose, Scope and Supervisory Authority of the Confederation
Art. 1 Purpose
This Act aims to protect the personality rights and the fundamental rights of natural persons whose personal data is processed.
Art. 2 Personal and material scope
1 This Act applies to the processing of personal data pertaining to natural persons by:
2 It does not apply to:
3 The processing of personal data and the rights of the data subjects in court proceedings and proceedings governed by the federal rules of procedure are governed by the applicable procedural law. The present Act applies to first instance administrative proceedings.
4 The public registers pertaining to private law relationships, in particular the access to these registers and the rights of the data subjects, are governed by the special provisions of the applicable federal law. If the special provisions do not contain any rules, this Act shall apply.
Art. 3 Territorial scope
1 This Act is applicable to fact patterns that have an effect in Switzerland, even if they occurred abroad.
2 The Federal Act of 18 December 1987 on Private International Law applies to claims under civil law. The provisions on the territorial scope of the Swiss Criminal Code remain reserved.
Art. 4 Federal Data Protection and Information Commissioner
1 The Federal Data Protection and Information Commissioner (FDPIC) supervises the proper application of the federal data protection regulations.
2 The following are excluded from the FDPIC’s supervision:
Chapter 2: General Provisions
Section 1 Definitions and Principles
Art. 5 Definitions
The following definitions apply in this Act:
c. sensitive personal data:
Art. 6 Principles
1 Personal data must be processed lawfully.
2 Processing must be carried out in good faith and must be proportionate.
3 Personal data may only be collected for a specific purpose which is evident to the data subject; personal data may only be processed in a way that is compatible with such purpose.
4 It is destroyed or anonymized as soon as it is no longer needed with regard to the purpose of the processing.
5 Anyone who processes personal data must ascertain that the data is accurate. He must take all appropriate measures so that the data which is inaccurate or incomplete with regard to the purposes for which it was collected or processed is corrected, deleted or destroyed. The appropriateness of the measures depends in particular on the nature and extent of the data processing and on the risks which the processing entails for the personality and fundamental rights of the data subjects.
6 If the consent of the data subject is required, such consent is only valid if it has been given freely and for one or several specific processing activities and after adequate information.
7 Consent must be given explicitly for:
Art. 7 Data protection by design and by default
1 The controller must set up technical and organisational measures in order for the data processing to meet the data protection regulations and in particular the principles set out in Article 6. It considers this obligation from the planning of the processing.
2 The technical and organisational measures must be appropriate in particular with regard to the state of the art, the type and extent of processing, as well as the risks that the processing at hand poses to the personality and the fundamental rights of the data subjects.
3 The controller is additionally bound to ensure through appropriate pre-defined settings that the processing of the personal data is limited to the minimum required by the purpose, unless the data subject directs otherwise.
Art. 8 Data security
1 The controller and the processor must ensure, through adequate technical and organizational measures, security of the personal data that appropriately addresses the risk.
2 The measures must enable the avoidance of data security breaches.
3 The Federal Council shall issue provisions on the minimum requirements for data security.
Art. 9 Data processing by processors
1 The processing of personal data may be assigned by agreement or by legislation to a processor if:
2 The controller must ensure in particular that the processor is able to guarantee data security.
3 The processor may only assign the processing to a third party with the prior authorization of the controller.
4 It may invoke the same justifications as the controller.
Art. 10 Data protection advisor
1 Private controllers may appoint a data protection advisor.
2 The data protection advisor is the contact point for the data subjects and for the competent data protection authorities responsible for data protection matters in Switzerland. In particular, he or she has the following duties:
3 Private controllers may invoke the exception set out in Article 23 paragraph 4 if the following requirements are fulfilled:
4 The Federal Council regulates the appointment of data protection advisors by the federal bodies.
Art. 11 Codes of conduct
1 Professional associations, industry associations and business associations whose statutes entitle them to defend the economic interests of their members, as well as federal bodies, may submit codes of conduct to the FDPIC.
2 The FDPIC states its opinion on the codes of conduct and publishes its opinion.
Art. 12 Inventory of processing activities
1 The controllers and the processors each keep an inventory of their processing activities.
2 The controller’s inventory contains at least the following information:
3 The processor’s inventory contains information on the identity of the processor and of the controller, the categories of processing activities performed on behalf of the controller as well as the information foreseen in paragraph 2 letters f and g.
4 The federal bodies notify the FDPIC of their inventories.
5 The Federal Council provides for exceptions for companies that have less than 250 members of staff and whose processing entails only a low risk of infringing the personality of the data subjects
Art. 13 Certification
1 The providers of data processing systems or software as well as the controllers and the processors may submit their systems, their products and their services for evaluation by recognised independent certification organisations.
2 The Federal Council issues regulations on the recognition of certification procedures and the introduction of a data protection quality label. In doing so, it shall take into account international law and internationally recognized technical norms.
Section 2 Data processing by private controllers with registered office or residence abroad
Art. 14 Representative
1 Private controllers with their domicile or residence abroad designate a representative in Switzerland if they process personal data of persons in Switzerland and the data processing fulfils the following requirements:
2 The representative serves as a contact point for the data subjects and the FDPIC.
3 The controller publishes the name and address of the representative.
Art. 15 Duties of the Representative
1 The representation office shall keep a register of the processing activities of the controller, which contains the information specified in Article 12 paragraph 2.
2 On request, it shall provide the FDPIC with the information contained in the register.
3 On request, it shall provide the data subject with information on how to exercise his rights.
Section 3 Cross-Border Disclosure of Personal Data
Art. 16 Principles
1 Personal data may be disclosed abroad if the Federal Council has determined that the legislation of the relevant State or international body guarantees an adequate level of protection.
2 In the absence of such a decision by the Federal Council under paragraph 1, personal data may be disclosed abroad only if appropriate protection is guaranteed by:
3 The Federal Council can provide for other adequate safeguards in the sense of paragraph 2.
Art. 17 Exceptions
1 By way of derogation from Article 16 paragraphs 1 and 2, personal data may be disclosed abroad if:
b. The disclosure is directly connected with the conclusion or the performance of a contract:
c. Disclosure is necessary:
2 The controller or the processor informs, upon request, the FDPIC of disclosures of personal data under paragraph 1, letters b, nr 2, c and d.
Art. 18 Publication of personal data in electronic format
If personal data is made generally accessible by means of automated information and communications services for the purpose of providing information to the general public, this is not deemed to be transborder disclosure, even if the data is accessible from abroad.
Chapter 3: Duties of the Controller and the Processor
Art. 19 Duty of information when collecting personal data
1 The controller informs the data subject appropriately about the collection of personal data; such duty of information also applies when data is not collected from the data subject.
2 At the time of collection the controller shall provide to the data subject all information which is required in order for the data subject to assert his rights according to this Act and to ensure transparent processing of data, in particular:
3 If data is not collected from the data subject, it additionally informs the data subject of the categories of personal data which is processed.
4 If personal data is disclosed abroad, the controller also informs the data subject of the name of the State or international body and, as the case may be, the safeguards according to Article 16 paragraph 2 or the applicability of one of the exceptions provided for in Article 17.
5 If data is not collected from the data subject, it provides to the data subject the information mentioned in paragraphs 2 to 4 at the latest one month after it received the personal data. If the controller discloses the personal data prior to this date, it informs the data subject at the time of disclosure at the latest.
Art. 20 Exceptions to the duty of information and restrictions
1 The duty of information according to Article 19 ceases to apply if one of the following requirements is met:
2 If personal data is not collected from the data subject, the duty of information shall also not apply if one of the following requirements is met:
3 The controller may restrict, defer or waive the provision of information in the following cases:
c. when the controller is a private person and the following conditions are fulfilled:
d. when the controller is a federal body and one of the following requirements is met:
4 The condition in paragraph 3 lit. c number 2 is deemed met if the disclosure of personal data takes place between companies controlled by the same legal entity.
Art. 21 Duty of information in the case of an automated individual decision
1 The controller informs the data subject of a decision which is taken exclusively on the basis of an automated processing and which has legal effects on the data subject or affects him significantly (automated individual decision).
2 It shall give the data subject upon request the opportunity to state his position. The data subject can request that the decision be reviewed by a natural person.
3 Paragraphs 1 and 2 shall not apply if:
4 If the automated individual decision comes from a federal body, the latter must designate it as such. Paragraph 2 does not apply if the data subject does not need to be heard before the decision in accordance with Article 30 paragraph 2 of the Administrative Procedure Act of 20 December 1968 (APA) or another federal act.
Art. 22 Data protection impact assessment
1 If the intended data processing may lead to a high risk for the data subject’s personality or fundamental rights, the controller must conduct beforehand a data protection impact assessment. If the controller considers performing several similar processing operations, it may establish a joint impact analysis.
2 The existence of a high risk, particularly when new technologies are used, depends on the nature, the extent, the circumstances and the purpose of the processing. Such a risk exists in particular in the following cases:
3 The data protection impact assessment contains a description of the intended processing, an evaluation of the risks as regards the data subject’s personality or fundamental rights, as well as the intended measures to protect the data subject’s personality or fundamental rights.
4 Private controllers are relieved from their obligation to establish a data protection impact assessment if they are legally bound to perform the processing.
5 The private controller can abstain from establishing a data protection impact assessment if it uses a system, product or service that is certified for the intended use in accordance with Article 13 or if it complies with a code of conduct in accordance with Article 11 which meets the following requirements:
Art. 23 Consultation of the FDPIC
1 The controller consults the FDPIC prior to the processing when the data protection impact assessment shows that the processing presents a high risk for the personality or fundamental rights of the data subject despite the measures envisaged by the controller.
2 The FDPIC informs the controller of its objections against the envisaged processing within two months. This deadline can be extended by one month in cases of complex data processing.
3 If the FDPIC has objections against the envisaged processing, he suggests appropriate measures to the controller.
4 The private controller can abstain from consulting the FDPIC if it consulted the data protection advisor according to Article 10.
Art. 24 Notification of data security breaches
1 The controller shall notify the FDPIC as soon as possible of a data security breach that is probable to result in a high risk to the personality rights or the fundamental rights of the data subject.
2 In the notification, it must at least indicate the nature of the data security breach, its consequences and the measures taken or foreseen.
3 The processor shall notify the controller as soon as possible of any data security breach.
4 The controller shall also inform the data subject if this is necessary for the protection of the data subject or if the FDPIC so requests.
5 It can restrict the information to the data subject, defer it or refrain from providing information if:
6 A notification based on this Article can be used in criminal proceedings against the person subject to notification only with such person’s consent.
Chapter 4: Rights of the Data Subject
Art. 25 Access right
1 Any person may request information from the controller as to whether personal data concerning him is being processed.
2 The data subject shall receive the information required in order to enable him to assert his rights under this Act and to ensure the transparent processing of data. In any case, the following information is provided to the data subject:
3 Personal data on the data subject’s health may be communicated to the data subject, provided his consent is given, by a healthcare professional designated by him.
4 If the controller has personal data processed by a processor, the controller remains under the obligation to provide information.
5 No one may waive the right to information in advance.
6 The controller provides the requested information free of charge. The Federal Council may provide for exceptions where information shall not be provided free of charge, in particular if the effort involved is disproportionate.
7 As a rule, the information shall be provided within 30 days.
Art. 26 Limitations to the access right
1 The controller may refuse, restrict or defer provision of information if:
2 Additionally, it is possible to refuse, restrict or defer the provision of information in the following cases:
a. when the controller is a private person and the following conditions are fulfilled:
b. when the controller is a federal body and one of the following requirements is met:
3 The requirement under paragraph 2 lit. a number 2 is considered to be met if the disclosure of personal data takes place between companies controlled by the same legal entity.
4 The controller must indicate the grounds on which it refuses, restricts or defers the provision of the information.
Art. 27 Limitations to the access right for media
1 If personal data is used exclusively for publication in the edited section of a periodically published medium, the controller may refuse, restrict or defer provision of information for one of the following reasons:
2 Journalists may also refuse, restrict or defer provision of information if they use the personal data exclusively as their personal work instrument.
Art. 28 Right of data portability
1 Any person may request from the controller, free of charge, the disclosure of the personal data that he has disclosed to him in a standard electronic format:
2 In addition, the data subject may request the controller to transfer his personal data to another controller if the requirements in accordance with paragraph 1 are met and this does not involve a disproportionate effort.
3 The Federal Council may provide for exceptions to this freedom of charge, in particular if the effort involved is disproportionate.
Art. 29 Restrictions on the right to data output and transmission
1 The controller may refuse, restrict or postpone the release and transfer of personal data for the reasons listed in Article 26 paragraphs 1 and 2.
2 The controller must give reasons for refusing, restricting or postponing the release or transfer.
Chapter 5: Special Provisions for Data Processing by Private Persons
Art. 30 Violation of the personality
1 Anyone who processes personal data must not unlawfully violate the data subjects’ personality.
2 A personality harm exists in particular if:
3 In general, there is no violation of the personality if the data subject has made the personal data generally accessible and has not expressly prohibited its processing.
Art. 31 Justifications
1 A violation of the personality is unlawful unless it is justified by the consent of the data subject, by an overriding private or public interest or by law.
2 An overriding interest of the controller may in particular be considered in the following cases:
c. The controller processes personal data in order to verify the data subject’s creditworthiness, provided that the following requirements are fulfilled:
e. The controller processes personal data for purposes not relating to a specific person, in particular for the purposes of research, planning and statistics, provided that the following requirements are fulfilled:
Art. 32 Legal claims
1 The data subject may request that incorrect personal data be corrected, unless:
2 Actions relating to the protection of personality rights are governed by Articles 28, 28a and 28g – 28l of the Civil Code. The claimant may in particular request that:
3 If neither the accuracy nor the inaccuracy of the personal data can be determined, the claimant may request for a note that indicates the objection to be added to the personal data.
4 Furthermore, the claimant may request the correction, the deletion or the destruction, the prohibition of processing or of disclosure to third parties, the note indicating the objection or the judgment to be communicated to third parties or published.
Chapter 6: Special Provisions for Data Processing by Federal Bodies
Art. 33 Control and responsibility in case of joint processing of personal data
The Federal Council regulates the control procedures and the responsibility for data protection if the federal body processes personal data together with other federal bodies, with cantonal bodies or with private persons.
Art. 34 Legal basis
1 Federal bodies may process personal data only if there is a statutory basis for doing so.
2 A statutory basis must figure in a formal law in the following cases:
3 For the processing of personal data under paragraph 2 letters a and b, a statutory basis in a substantive law is sufficient if the following requirements are fulfilled:
4 By way of derogation from paragraphs 1 to 3, federal bodies may process personal data if one of the following requirements is fulfilled:
Art. 35 Automated data processing in pilot projects
1 The Federal Council may, before a formal law enters into force, authorize the automated processing of sensitive personal data or other data processing under Article 34 paragraph 2 letters b and c if:
2 It obtains the FDPIC’s opinion in advance.
3 The competent federal body shall provide the Federal Council with an evaluation report at the latest within two years after inception of the pilot project. The report contains a proposal on whether the processing should be continued or terminated.
4 Automated data processing must be terminated in any event if within five years after inception of the pilot project no formal law has entered into force that contains the required legal basis.
Art. 36 Disclosure of personal data
1 Federal bodies may disclose personal data only if a statutory basis in accordance with Article 34 paragraphs 1 to 3 so provides.
2 In derogation from paragraph 1, they may disclose personal data in the specific case if one of the following requirements is fulfilled:
3 They may also disclose personal data in the context of official information disclosed to the general public, either ex officio or pursuant to the Freedom of Information Act of 17 December 2004 , if:
4 They may on request also disclose the name, first name, address and date of birth of a person if the requirements of paragraph 1 or 2 are not fulfilled.
5 They may make personal data generally accessible by means of automated information and communication services if a legal basis provides for the publication of such data or if they disclose data on the basis of paragraph 3. If there is no longer a public interest in making such data generally accessible, the data concerned must be deleted from the automated information and communication service.
6 Federal bodies shall refuse or restrict disclosure, or make it subject to conditions, if:
Art. 37 Objection to the disclosure of personal data
1 The data subject that credibly demonstrates an interest warranting protection may object to the disclosure of certain personal data by the competent federal body.
2 The federal body shall refuse such request if one of the following requirements is fulfilled:
3 Article 36 paragraph 3 is reserved.
Art. 38 Offering of documents to the Federal Archive
1 In accordance with the Archiving Act of 26 June 1998 , the federal bodies shall offer the Federal Archive all personal data that the federal bodies no longer constantly require.
2 The federal body shall destroy personal data designated by the Federal Archive as not being of archival value unless:
Art. 39 Data processing for research, planning and statistics
1 Federal bodies may process personal data for purposes not related to specific persons, in particular for research, planning and statistics, if:
2 Articles 6 paragraph 3, 34 paragraph 2 and Article 36 paragraph 1 do not apply.
Art. 40 Private law activities of federal bodies
Art. 41 Claims and procedure
1 Anyone with an interest warranting protection may request the responsible federal body to:
2 The claimant may in particular request that the federal body:
3 Instead of deleting or destroying the personal data, the federal body restricts the processing if
4 If it is not possible to determine the accuracy or the inaccuracy of personal data, the federal body attaches to the data a note that indicates the objection.
5 The correction, deletion or destruction of personal data may not be requested with respect to the inventory of publicly accessible libraries, educational institutions, museums, archives or other public memorial institutions. If the applicant can credibly demonstrate an overriding interest, he may request that the institution restrict access to the disputed data. Paragraphs 3 and 4 do not apply.
6 The procedure is governed by the APA. The exceptions contained in Articles 2 and 3 APA do not apply.
Art. 42 Procedure in the event of the disclosure of official documents containing personal data
If proceedings relating to access to official documents within the meaning of the Freedom of Information Act of 17 December 2004 that contain personal data are pending, the data subject may in such proceedings claim the rights given to him under Article 41 for those of the documents that are the subject matter of the access proceedings.
Chapter 7: Federal Data Protection and Information Commissioner
Section 1 Organization
Art. 43 Appointment and status
2 Anyone who is entitled to vote on federal matters is eligible.
3 The employment relationship of the commissioner is governed by the Federal Personnel Act of 24 March 2000 (BPG) , unless this Act provides otherwise.
4 The commissioner exercises his function independently without asking for or accepting instructions of any authority or third party. He is assigned to the Federal Chancellery for administrative purposes.
5 He has a permanent secretariat and his own budget. He hires his own staff.
6 He is not subject to the system of assessment under Article 4 paragraph 3 BPG.
Art. 44 Term of office, reappointment and termination of the term of office
1 The term of office of the commissioner is four years and may be renewed twice. It begins on 1 January following the start of the legislative period of the National Council.
3 The commissioner may request the Federal Assembly to be discharged from office at the end of any month subject to six months advance notice.
4 The Federal Assembly may dismiss the commissioner from office before the expiry of his term of office if he:
Art. 45 Budget
The FDPIC submits the draft of its budget annually to the Federal Council via the Federal Chancellery. The Federal Council forwards it unchanged to the Federal Assembly.
Art. 46 Incompatibility
The commissioner may not be a member of the Federal Assembly or the Federal Council and may not have an employment relationship with the Confederation.
Art. 47 Secondary employment
1 The commissioner must not carry out any secondary employment
2 The Federal Assembly (both chambers together) may permit
the commissioner to carry out a secondary employment provided this neither compromises the performance of the function nor independence and standing. The Federal Council’s decision in this respect is published.
Art. 48 Self-regulation of the FDPIC
Section 2 Investigation of breaches of data protection regulations
Art. 49 Investigation
1 The FDPIC initiates, ex officio or upon notification, an investigation against a federal body or a private person if there are sufficient indications that a data processing could violate the data protection regulations.
2 He may refrain from initiating an investigation if the breach of the data protection regulations is of minor significance.
3 The federal body or the private person will provide the FDPIC with all information and will make available all documents which are necessary for the investigation. The right to refuse to provide information is governed by Articles 16 and 17 APA unless Article 50 paragraph 2 provides otherwise.
4 If the data subject notified the FDPIC, he will inform the data subject of the steps undertaken in the matter based on the data subject’s notification and the results of the investigation, if any.
Art. 50 Powers
1 If the federal body or the private person does not comply with the duty to cooperate, the FDPIC may in the context of the investigation order the following:
2 Professional secrecy is reserved.
3 He may call on a federal authority or the cantonal or municipal police to enforce the measures in accordance with paragraph 1.
Art. 51 Administrative measures
1 If data protection regulations are violated, the FDPIC may order that the processing is fully or partially adjusted, suspended or terminated and that the personal data is fully or partially deleted or destroyed.
2 He may defer or prohibit disclosure abroad if it violates the requirements under Articles 13 or 14 or specific provisions on the disclosure of personal data abroad in other Federal Acts.
3 He may in particular order that the federal body or the private person:
4 He may also order that the private controller with its registered office or place of residence abroad designate a representation in accordance with Article 14.
5 If during the investigation the federal body or the private person has taken the necessary measures to restore compliance with the data protection regulations, the FDPIC may limit itself to issuing a warning.
Art. 52 Proceedings
1 Investigation proceedings and decisions under Articles 44 and 45 are governed by the APA .
2 Only the federal body or the private person against whom the investigation was initiated shall be party to the proceedings.
3 The FDPIC may file an appeal against appeal decisions issued by the Federal Administrative Court.
Art. 53 Coordination
1 Federal administrative authorities which supervise private persons or organisations outside of the Federal Administration in accordance with another federal act invite the FDPIC to submit a statement before they issue a decision pertaining to data protection issues.
2 If the FDPIC has initiated its own investigation against the same party, the two authorities will coordinate their proceedings.
Section 3 Administrative assistance
Art. 54 Administrative assistance between Swiss authorities
1 Federal and cantonal authorities provide the FDPIC with the information and personal data required for the performance of its statutory duties.
2 The FDPIC discloses to the following authorities the information and personal data required for the performance of their statutory duties:
Art. 55 Administrative assistance to foreign authorities
1 The FDPIC may exchange information and personal data with foreign authorities responsible for data protection for the performance of their respective statutory duties in the area of data protection if the following requirements are fulfilled:
2 In order to substantiate his request for administrative assistance or to comply with the request of an authority, the FDPIC may in particular provide the following information:
c. the identity of data subjects if:
3 Before the FDPIC discloses information which may contain professional, business or manufacturing secrets to a foreign authority, he informs the natural persons or legal entities concerned who are the holders of these secrets and invites them to comment, unless this is not possible or possible only with disproportionate efforts.
Section 4 Other tasks of the FDPIC
Art. 56 Register
The FDPIC keeps a register on the processing activities of the federal bodies. The register is made public.
Art. 57 Information
1 The FDPIC reports to the Federal Assembly annually on its activities. He simultaneously submits the report to the Federal Council. The report is published.
2 In cases of general interest, the FDPIC informs the public of its findings and its decisions.
Art. 58 Additional tasks
1 The FDPIC has in particular the following additional tasks:
2He may also advise federal bodies which are not subject to his supervision according to Articles 2 and 4. The federal bodies may grant him access to their files.
3 The FDPIC is authorized to declare to the foreign authorities responsible for data protection that direct delivery is permitted in Switzerland in the area of data protection, provided Switzerland is granted reciprocity.
Section 5 Fees
1 The FDPIC charges private persons fees for:
2 The Federal Council determines the amount of fees.
3 It may determine in which cases it is possible to refrain from charging a fee or to reduce it.
Chapter 8: Criminal Provisions
Art. 60 Breach of obligations to provide access and information or to cooperate
1 On complaint, private persons are liable to a fine of up to 250,000 Swiss Francs if they:
b. wilfully fail:
2 Private persons are liable to a fine of up to 250,000 Swiss Francs if, in violation of Article 49 paragraph 3, they wilfully provide false information to the FDPIC in the context of an investigation or wilfully refuse to cooperate.
Art. 61 Violation of duties of diligence
Art. 62 Breach of professional confidentiality
1 If a person wilfully discloses secret personal data of which he has gained knowledge while exercising his profession which requires knowledge of such data, he shall be liable on complaint to a fine of up to 250, 000 Swiss Francs.
2 The same penalty applies to anyone who wilfully discloses secret personal data of which he has gained knowledge in the course of his activities for a person bound by a confidentiality obligation or in the course of training with such a person.
3 The disclosure of secret personal data remains punishable after termination of such professional activities or training.
Art. 63 Disregard of decisions
Private persons shall be liable to a fine of up to 250,000 Swiss Francs if they wilfully fail to comply with a decision issued by the FDPIC with reference to the criminal penalty of this Article or a decision issued by the appellate authorities.
Art. 64 Violations committed within undertakings
1 For violations committed within undertakings, Articles 6 and 7 of the Federal Act of 22 March 1974 on Administrative Criminal Law shall apply.
2 If a fine not exceeding 50,000 Swiss Francs could come into consideration and Administrative Criminal Law required investigative measures that would be disproportionate in comparison with the penalty incurred, the authority may abstain from prosecuting these persons and instead sentence the undertaking to the payment of the fine (Article 7 of the Administrative Criminal Law).
Art. 65 Jurisdiction
1 The cantons are responsible for the prosecution and the judgment of criminal acts.
2 The FDPIC may report a criminal offense to the competent criminal prosecution authorities and exercise the rights of a private plaintiff in the proceedings.
Art. 66 Statute of limitations for criminal prosecution
The right to criminally prosecute is subject to a statute of limitations of five years.
Chapter 9: Conclusion of International Treaties
The Federal Council may conclude international treaties concerning:.
Chapter 10: Final Provisions
Art. 68 Repeal and amendments of other legislation
The repeal and the amendments of other legislation are set forth in annex 1.
Art. 69 Transitional provisions concerning ongoing processing
Articles 7, 22 and 23 do not apply to data processing operations that were started before the entry into force of this law, if the purpose of the processing remains unchanged and no new data is obtained.
Art. 70 Transitional provisions concerning ongoing proceedings
This Act does not apply to investigations of the FDPIC which are pending at the time of its entry into force, nor to pending appeals against first instance decisions rendered before its entry into force. In these matters, the previous law applies.
Art. 71 Transitional provision concerning data pertaining to legal entities
For federal bodies, the provisions of other federal regulations that concern personal data continue to apply to data pertaining to legal entities for three years after the entry into force of this Act. During that time, the federal bodies may in particular continue to disclose the data pertaining to legal entities under Article 57s, paragraph 1 and 2, of the Act of 21 March 1997 on the Organization of the Government and the Administration , if the federal bodies are entitled to disclose personal based on a legal basis.
Art. 72 Transitional provision concerning the election and termination of the term of office of the commissioner
The election of the commissioner and the termination of his term of office shall be governed by the law in force until the end of the legislative period in which this Act enters into force.
Art. 73 Coordination
Coordination with other acts is set out in annex 2.
Art. 74 Referendum and entry into force
1 This Act is subject to an optional referendum.
2 The Federal Council determines the date of entry into force.