- The Zurich High Court does not consider Art. 62 FADP to be a permanent offense: The offense is completed with the disclosure (making accessible) of personal data.
- It remains disputed whether disclosure is only completed when third parties take note of it or already when it is made available; admissibility under data protection law remains decisive.
The Zurich High Court has ruled in Judgment UE240022 of July 4, 2024 (Swisslex) with Art. 62 FADP (data secrecy) not a permanent offense (and the same applies to Art. 179novies StGB, unauthorized procurement of personal data).
Rather, the offense consists of the Revelation of personal data and not any subsequent data processing:
In the case of Art. 62 FADP, the offense consists in the disclosure of personal data. This is the making available of personal data to third parties who do not yet know them […]. The offense is completed with the disclosure. In particular, it is not a continuing offense.
This meant that any corresponding infringement was time-barred under Art. 66 FADP (five years). The OGer ZH did not address the question of whether a shorter limitation period should be applied as a lex mitior under transitional law.
However, one may wonder whether it is true that the Revelation within the meaning of Art. 62 FADP consists of making accessible. In the case of secrecy provisions, following the ruling of the Federal Supreme Court 6B_1403/2017 Art. 162 StGB (trade secrets) assumed that the offense of disclosure was only committed with Acknowledgement of the disclosed secret is completed by an unauthorized person (“Rather, in this question the doctrine is to be followed according to which the act is completed as soon as an outsider gains knowledge of the secret in question thanks to the perpetrator’s conduct”). Although this is later judgment of the OGer ZH which, however, did not deal with this question in detail. The same applies to the present judgment. The question has thus not been conclusively answered, but the ruling of the Federal Supreme Court still appears to be more reliable, also due to the subsequently published doctrine.
A further question would be whether “disclosure” within the meaning of Art. 62 FADP is to be understood in the same way as the equivalent term in professional secrecy law, or whether it is more a question of the Disclosure under data protection law where disclosure is deemed sufficient. This question is related to the legal nature of Art. 62 FADP: This provision can be understood as a genuine right to protect secrets, i.e. as an extension of Art. 321 StGB. This is supported by the message, and Rosenthal has also taken this view.
However, the law on the protection of secrets Underlying special relationship which generally arises from a special trust in discretion (e.g. towards employees of banks, lawyers, etc.). This basic relationship is primarily of a civil law nature (banking contract, lawyer’s mandate, protection of privacy), although institutional considerations also play a role. In the area of data protection law, however, the basic relationship to be protected under criminal law is obviously to be found in the substantive provisions of the FADP. Although Art. 62 FADP also establishes a special offense, the offense nevertheless involves the disclosure of personal data and not other data, so that the connection to data protection law obviously remains. In my opinion, this means that disclosure in compliance with data protection law cannot be punishable under Art. 62 FADP. Mathys/Thommen take this view in the BSK.
This in turn suggests that the term “disclosure” in Art. 62 FADP should be understood as a non-technical synonym of “disclosure”. Announcement However, in the event of criminal liability, not only the requirements of Art. 62 FADP itself, but also the admissibility of the disclosure or disclosure under data protection law must be examined. Thus, the statement of the OGer ZH in the present judgment would be correct in this respect, the making available would be the correct criterion in this – but only in this – sense.