revFDPA (DE, with dispatch)

Text of the revised DPA as per the final vote. The texts have been converted automatically; we thank you for pointing out errors.

Each article is followed by the corresponding text of the message, without page numbers, general remarks, or the message text on omitted articles. The message and the draft can be found here, the adopted final voting text here. The current DSG can be found here, and the draft of the revised ordinance here.

An English version of the revDSG (Walder Wyss) can be found here.


Ingress mes­sa­ge

The Federal Council considers it appropriate to insert Article 97(1) BV in the ingress. This assigns the federal government the competence to regulate the protection of consumers. In fact, the e‑DSG contains some provisions that improve in particular the transparency of data processing, the control by the data subjects and the supervisory system of the commissioner. As a result, consumers are better protected.

Chap­ter 1: Pur­po­se and Scope and Federal Super­vi­so­ry Authority

Art. 1 Purpose

The pur­po­se of this law is to pro­tect the per­so­na­li­ty and fun­da­men­tal rights of natu­ral per­sons about whom per­so­nal data are processed.

Message on Art. 1 Purpose (numbering according to the draft)

The purpose of the future DPA corresponds to the purpose of the current law (Art. 1 DSG). The FADP gives concrete form at the statutory level to the right to informational self-determination in connection with personal data set out in Article 13 paragraph 2 BV, i.e. the right of the data subject to determine for himself or herself whether and for what purposes data about him or her may be processed. The provision is amended only editorially, by explicitly limiting the protection to natural persons. This adjustment is made due to the changed scope of application (see the explanations on Art. 2 E‑DSG).

Art. 2 Per­so­nal and mate­ri­al scope of application

1 This Act app­lies to the pro­ces­sing of per­so­nal data of natu­ral per­sons by:

a. pri­va­te individuals;
b. Federal Entities.

2 It is not app­li­ca­ble to:

a. Per­so­nal data pro­ces­sed by a natu­ral per­son exclu­si­ve­ly for per­so­nal use;
b. Per­so­nal data pro­ces­sed by the Federal Assem­bly and par­lia­men­ta­ry com­mit­tees in the cour­se of their deliberations;
c. per­so­nal data pro­ces­sed by insti­tu­tio­nal bene­fi­cia­ries under Arti­cle 2(1) of the Host Sta­te Act of 22 June 2007 who enjoy immu­ni­ty from juris­dic­tion in Switzerland.

3 The app­li­ca­ble pro­ce­du­ral law governs the pro­ces­sing of per­so­nal data and the rights of the per­sons con­cer­ned in court pro­ce­e­dings and in pro­ce­e­dings under federal pro­ce­du­ral codes. The pro­vi­si­ons of this Act app­ly to first-instance admi­ni­stra­ti­ve proceedings.

4 The public regi­sters of pri­va­te legal tran­sac­tions, in par­ti­cu­lar access to the­se regi­sters and the rights of the per­sons con­cer­ned, are gover­ned by the spe­cial pro­vi­si­ons of the app­li­ca­ble federal law. If the spe­cial pro­vi­si­ons do not con­tain any regu­la­ti­on, this Act shall apply.

Message on Art. 2 Scope (numbering according to the draft)

The scope of application of the DPA is partially extended by the e‑DSA, in particular to meet the requirements of the E‑SEV 108. Thus, it is planned to adapt the exceptions relating to pending civil proceedings, criminal proceedings, international mutual legal assistance proceedings and proceedings under state and administrative law (Art. 2(2)(c) DPA) and the one relating to public registers of private legal transactions (Art. 2(2)(d) DPA). In addition, it should be noted that the e‑DSG, just like the previous law, regulates data protection law in general. If the processing of personal data falls within the scope of other federal laws, the area-specific data protection standards apply in principle due to the lex specialis rule (special standards take precedence over the general standard).

Par. 1 App­li­ca­ti­on for natu­ral persons

Accord­ing to the preli­mi­na­ry draft, the FADP app­lies to the pro­ces­sing of data of natu­ral per­sons by pri­va­te per­sons and federal bodies.

Remo­val of pro­tec­tion for data of legal persons

The E‑DSG pro­po­ses to dis­pen­se with the pro­tec­tion of data of legal per­sons. No such pro­tec­tion is pro­vi­ded for in the data pro­tec­tion legis­la­ti­on of the Euro­pean Uni­on and the Coun­cil of Euro­pe, or in the cor­re­spon­ding regu­la­ti­ons of most for­eign legis­la­tors. Such pro­tec­tion is of litt­le prac­ti­cal import­ance, and the Com­mis­sio­ner has never made a recom­men­da­ti­on in this area. Also, for legal per­sons, com­pre­hen­si­ve pro­tec­tion remains unch­an­ged, as it is gua­ran­te­ed by Arti­cles 28 et seq. of the Civil Code (CC) (vio­la­ti­ons of per­so­na­li­ty such as defa­ma­ti­on of repu­ta­ti­on), the Unfair Com­pe­ti­ti­on Act (UCA), the Copy­right Act of Octo­ber 9, 1992, or by the pro­vi­si­ons on the pro­tec­tion of pro­fes­sio­nal, com­mer­cial and indu­stri­al secrets, as well as Arti­cle 13 of the Federal Con­sti­tu­ti­on at the con­sti­tu­tio­nal level. Howe­ver, the amend­ment allo­ws to impro­ve the pro­tec­tion in tho­se are­as whe­re it is cur­r­ent­ly not suf­fi­ci­ent­ly imple­men­ted and thus to incre­a­se the credi­bi­li­ty of the law. This solu­ti­on also has the advan­ta­ge that the dis­clo­sure of data of legal per­sons abroad will no lon­ger depend on whe­ther ade­qua­te pro­tec­tion is gua­ran­te­ed in the reci­pi­ent coun­try (Art. 13 E‑DSG). This is likely to con­tri­bu­te to an incre­a­se in dis­clo­sures abroad. It should also be noted that most of the experts con­sul­ted on the revi­si­on of the DPA as part of the RFA, as well as the majo­ri­ty of the par­ti­ci­pants in the con­sul­ta­ti­on, were in favor of wai­ving the pro­tec­tion of data of legal per­sons. The same app­lies to Par­lia­ment, which did not appro­ve a moti­on that wan­ted to retain the pro­tec­tion of data of legal entities.

In the area of data pro­ces­sing by federal bodies, the aboli­ti­on of the pro­tec­tion of data of legal per­sons has the con­se­quence that the federal legal bases aut­ho­ri­zing federal bodies to pro­cess per­so­nal data are no lon­ger app­li­ca­ble if they pro­cess data of legal per­sons. Howe­ver, accord­ing to Arti­cle 5 of the Federal Con­sti­tu­ti­on, the basis of sta­te action is the law. The draft law the­re­fo­re intro­du­ces a num­ber of pro­vi­si­ons in the RVOG for federal bodies that regu­la­te their hand­ling of data of legal per­sons (cf. Sec­tion 9.2.8). In addi­ti­on, a tran­si­tio­nal pro­vi­si­on is inten­ded to pre­vent pos­si­ble legal loo­p­ho­les for five years (cf. Art. 66 E‑DSG and the explana­ti­ons under No. 9.1.11).

The Public Act of December 17, 2004 (BGÖ) grants all persons the right to inspect official documents of the federal authorities to which the principle of public access applies. The new scope of the E‑DSG means that access to official documents containing data of legal entities can no longer be restricted for data protection reasons, but only if this could disclose professional, business or manufacturing secrets (Art. 7 para. 1 let. g BGÖ) or if there is a risk that the privacy of the legal person will be affected, for example, its good reputation. In order to guarantee the rights of legal persons to access official documents when a request relates to documents where granting access could affect the privacy of the legal person, the draft law adjusts some provisions of the BGÖ (see section 9.2.7).

The aboli­ti­on of data pro­tec­tion for legal enti­ties also means that they can no lon­ger assert a right to infor­ma­ti­on based on the e‑DSA. They can, howe­ver, assert their pro­ce­du­ral rights and, if necessa­ry, requ­est access to public docu­ments on the basis of the Free­dom of Infor­ma­ti­on Act if the­se con­tain infor­ma­ti­on that con­cerns them.

Par. 2 Excep­ti­ons from the scope

As befo­re, the FADP does not app­ly to per­so­nal data pro­ces­sed by a natu­ral per­son exclu­si­ve­ly for per­so­nal use (Art. 2(2)(a) E‑DSG); the edi­to­ri­al amend­ment does not invol­ve any mate­ri­al changes.

Also excluded from the scope of application is the processing of personal data carried out by the Federal Assembly and parliamentary committees in the course of their deliberations (Art. 2 para. 2 let. b E‑DSG); this is for the same reasons as those already stated by the Federal Council in the Message of March 23, 1988.

Accord­ing to let­ter c, insti­tu­tio­nal bene­fi­cia­ries under Arti­cle 2(1) of the Host Sta­te Act of 22 June 2007 (HSA), who enjoy immu­ni­ty from juris­dic­tion in Switz­er­land, are not sub­ject to the E‑DSA. With regard to the ICRC, this main­tains the cur­rent situa­ti­on and expli­ci­tly men­ti­ons the other insti­tu­tio­nal bene­fi­cia­ries con­cer­ned. The­se other insti­tu­tio­nal bene­fi­cia­ries con­cer­ned also enjoy inde­pen­dence and free­dom of action, based on inter­na­tio­nal law and the GSG its­elf, so that they can ful­fill their inter­na­tio­nal func­tions. A sta­te can­not be expec­ted to sub­mit to the rules of Swiss law with respect to data pro­ces­sed by its diplo­ma­tic or con­su­lar mis­si­ons. For its part, Switz­er­land is not obli­ged to com­ply with for­eign rules on data pro­tec­tion in rela­ti­on to its net­work of repre­sen­ta­ti­ons abroad. Nor can an inter­na­tio­nal orga­niz­a­ti­on, which by defi­ni­ti­on car­ri­es out acti­vi­ties in nume­rous sta­tes, be requi­red to com­ply with the requi­re­ments of the natio­nal law of each sta­te in which it ope­ra­tes, sin­ce this would make it impos­si­ble for it to per­form the func­tions assi­gned to it by vir­tue of its statutes.

Par. 3 Pro­ces­sing of per­so­nal data in proceedings

Pursuant to Article 2(3) of the FADP, the applicable procedural law governs the processing of personal data and the rights of data subjects in court proceedings and in proceedings under federal procedural codes. The standard regulates the relationship between the FADP and procedural law and states as a general principle that only the applicable procedural law determines how personal data is processed in the context of the proceedings and how the rights of the data subjects are structured. Within the framework of its regulations, procedural law also ensures the protection of the personality and fundamental rights of all parties involved and thus guarantees protection equivalent to the DPA. If the DPA were to be applied in this area, there would be a risk of conflicting norms and contradictions that could disrupt the balanced system of the applicable procedural rules. For these reasons, Article 9(1)(a) E‑SEV 108 also provides for a corresponding exception. Materially, the provision in the e‑DSG corresponds to the applicable law.

Accord­ing to the wor­d­ing, the excep­ti­on in para­graph 3 initi­al­ly covers “court pro­ce­e­dings”. The­se inclu­de all pro­ce­e­dings befo­re can­to­nal and federal cri­mi­nal, civil and admi­ni­stra­ti­ve courts, but also befo­re arbi­tra­ti­on courts with their seat in Switz­er­land. Fur­ther­mo­re, the excep­ti­on covers all pro­ce­e­dings under federal pro­ce­du­ral codes, regard­less of the aut­ho­ri­ty befo­re which they take place. Federal pro­ce­du­ral codes inclu­de the Federal Supre­me Court Act of June 17, 2005, the Admi­ni­stra­ti­ve Court Act of June 17, 2005, the Patent Court Act of March 20, 2009, the Admi­ni­stra­ti­ve Pro­ce­du­re Act (VwVG), inso­far as it does not con­cern first-instance admi­ni­stra­ti­ve pro­ce­e­dings, the Code of Civil Pro­ce­du­re (ZPO), the Federal Act of April 11, 1889 on Debt Collec­tion and Bankrupt­cy (SchKG), the Code of Cri­mi­nal Pro­ce­du­re (StPO), the Code of Cri­mi­nal Pro­ce­du­re (VStrR), the Mili­ta­ry Cri­mi­nal Pro­ce­du­re Act of March 23, 1979, and the IMAC.

Unli­ke the pre­vious law, the E‑DSG does not use the term “pen­ding pro­ce­e­dings” becau­se only civil pro­ce­du­ral law refers to lis pen­dens and this term the­re­fo­re some­ti­mes led to demar­ca­ti­on pro­blems. The decisi­ve fac­tor is now whe­ther pro­ce­e­dings take place befo­re a court or are gover­ned by a federal pro­ce­du­ral code. Pro­ce­e­dings take place befo­re a court when the court is sei­zed of a case for the first time, in that the pro­ce­e­dings have been insti­tuted in accordance with the rele­vant rules of pro­ce­du­re. Pro­ce­e­dings are gover­ned by federal rules of pro­ce­du­re as soon as a par­ti­cu­lar mat­ter is dealt with by an aut­ho­ri­ty in accordance with the pro­vi­si­ons of one of the­se laws. The rele­vant pro­ce­du­ral code remains app­li­ca­ble even after the con­clu­si­on of the pro­ce­e­dings. In order to ensu­re that the file situa­ti­on can­not be sub­se­quent­ly chan­ged by instru­ments out­side the scope of the pro­ce­e­dings, pro­ce­du­ral law pro­vi­des for inde­pen­dent pro­ce­du­res for the main­ten­an­ce of files, for the inspec­tion of files and for the reten­ti­on of files. In sum­ma­ry, the essen­ti­al cri­ter­ion for deter­mi­ning whe­ther or not the DPA is inap­p­li­ca­ble is whe­ther or not the­re is a direct con­nec­tion to a (court) pro­ce­e­ding from a func­tio­n­al point of view. Such a con­nec­tion exists if the pro­ces­sing of per­so­nal data in que­sti­on may have a con­cre­te impact on the­se pro­ce­e­dings or their out­co­me or on the pro­ce­du­ral rights of the parties.

If the pro­vi­si­on in para­graph 3 app­lies, only the app­li­ca­ble pro­ce­du­ral law governs the pro­ces­sing of per­so­nal data and the rights of the per­sons con­cer­ned. Both data pro­ces­sing by the court in rela­ti­on to the par­ties to the pro­ce­e­dings and data pro­ces­sing car­ri­ed out by the par­ties in rela­ti­on to other par­ties to the pro­ce­e­dings are gover­ned by the app­li­ca­ble pro­ce­du­ral law. This app­lies in par­ti­cu­lar to the rights of the par­ties to take cogniz­an­ce of the data invol­ved in the pro­ce­e­dings and to cor­rect cer­tain data, if necessa­ry, as well as to data pro­ces­sing in the con­text of judi­cial pro­ce­e­dings in gene­ral. This means in par­ti­cu­lar that the various legal reme­di­es under the DPA do not app­ly eit­her to data pro­ces­sing by the court in the cour­se of the pro­ce­e­dings or to data pro­ces­sing by the other par­ties to the pro­ce­e­dings. For examp­le, the par­ties to the pro­ce­e­dings can­not assert a right to infor­ma­ti­on under the FADP in order to inspect files at the court or to obtain evi­dence from other par­ties to the pro­ce­e­dings (cf. Sec­tion 9.1.5). In other words, it is not pos­si­ble to per­form pro­ce­du­ral acts towards the court or among the par­ties to the pro­ce­e­dings by way of the FADP, which would be exclu­ded under the pro­ce­du­ral law in que­sti­on or, con­ver­se­ly, which must be per­for­med under cer­tain con­di­ti­ons accord­ing to cer­tain rules and princi­ples. Even after the con­clu­si­on of the pro­ce­e­dings, the files may be amen­ded (cor­rec­tion, explana­ti­on, revi­si­on) only in accordance with the rules of pro­ce­du­ral law, sin­ce the files must be con­si­stent with the out­co­me of a pro­ce­e­ding. This does not pre­clu­de the app­li­ca­ble pro­ce­du­ral law from decla­ring the DPA app­li­ca­ble after the con­clu­si­on of the pro­ce­e­dings (cf. Art. 99 Cri­mi­nal Pro­ce­du­re Code). 
Inso­far as the app­li­ca­ble pro­ce­du­ral law does not con­tain any pro­vi­si­ons with regard to the right of third par­ties to inspect files after the con­clu­si­on of the pro­ce­e­dings, the app­li­ca­ti­on of the law should be gui­ded by the pro­vi­si­ons of the DPA.

Unli­ke the con­sul­ta­ti­on draft, para­graph 3 no lon­ger merely exclu­des data pro­ces­sing by cer­tain insti­tu­ti­ons from the scope of the FADP, which was the sub­ject of con­si­derable cri­ti­cism in the con­sul­ta­ti­on. Rather, data pro­ces­sing by the par­ties is also cove­r­ed. In addi­ti­on, the con­flict of norms is resol­ved in a dif­fe­rent way, in that the norm deter­mi­nes the app­li­ca­ble law. For the federal courts in par­ti­cu­lar, howe­ver, this still means that they are exclu­ded from the scope of the FADP as far as data pro­ces­sing in the cour­se of their judi­cial acti­vi­ties is con­cer­ned, which takes into account the sepa­ra­ti­on of powers.

Con­ver­se­ly, howe­ver, it also fol­lows from Arti­cle 2(3) that the FADP app­lies to data pro­ces­sing by the admi­ni­stra­ti­ve ser­vices of courts and aut­ho­ri­ties, such as the pro­ces­sing of data on staff. Like­wi­se, the courts must ensu­re data secu­ri­ty when archi­ving evi­dence and deci­si­ons. Howe­ver, the­re are excep­ti­ons to super­vi­si­on by the Com­mis­sio­ner (cf. Art. 3 para. 2 DPA and the explana­to­ry notes).

Accord­ing to the second sen­tence, the pro­vi­si­on of Arti­cle 2(3) of the e‑DSG does not app­ly to first-instance admi­ni­stra­ti­ve pro­ce­e­dings. This pro­vi­si­on from the pre­vious law is retai­ned unchanged.

Par. 4 Public regi­sters of pri­va­te legal transactions

The exception provided for in Article 2(2)(d) FADP concerning public registers of private transactions is not compatible with the requirements of Article 3 E‑SEV 108. Indeed, the future Convention does not provide for any exception for such registers. The same applies to Regulation (EU) 2016/679.

Although it is in the interest of the data subjects that the public registers of private transactions comply with the principles of data protection, there is also a public interest in the maintenance of and access to these registers (see recital 73 of Regulation [EU] 2016/679). In a judgment of March 9, 2017, the Court of Justice of the European Union had the opportunity to rule on the delimitation between data protection and publicity of a commercial register kept by the Italian authorities. In this case, a former administrator and liquidator of a bankrupt company requested the deletion of certain data concerning him from the aforementioned register. In order to settle this dispute, the Italian Court of Cassation asked the Court of Justice to examine whether the principle of data retention enshrined in Article 6(1)(e) of Directive 95/46/EC should take precedence over the regime of publicity of commercial registers provided for in the first Directive 68/151/EEC. According to this principle, personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the realization of the purposes for which the data were collected or for which they are further processed.

According to the Court, the public nature of the Commercial Register is intended to ensure legal certainty between companies and third parties and to enable the latter to become aware of essential activities of the company concerned and of certain data concerning the persons authorized to represent it. The publicity of such information is justified even after the dissolution of a company. This is because it may prove necessary, for example, to verify the legality of actions taken by a company during its business activity in view of possible legal proceedings. According to the Court, however, the different statutes of limitation in the Member States make it impossible to establish a uniform time limit from the dissolution of the company, after the expiry of which the data recorded in the commercial register are no longer required. Against this background, the Court holds that Article 6(1)(e) of Directive 95/46/EC cannot guarantee data subjects, for example, a right to have their personal data deleted after a certain period of time from the dissolution of the company. Nevertheless, if legal certainty and the protection of the interests of third parties prevail, it is not excluded that in specific and exceptional situations a person may claim an overriding interest worthy of protection in having access to his or her personal data restricted. The Court therefore concludes that it is for the Member States to determine whether data subjects may require the register-keeping authority to examine, on a case-by-case basis, whether, on the basis of an overriding interest worthy of protection, it is exceptionally justified to restrict access to their personal data after the expiry of a sufficient period following the dissolution of the undertaking concerned.
Although the judgment of the Court of Justice is based on Directive 95/46/EC, which is no longer applicable from the entry into force of Regulation (EU) 2016/679, the considerations of this judgment retain their validity for the new legislation as well.

According to the principle established in Article 9 CC, public registers provide full proof of the facts attested by them, as long as the incorrectness of their contents is not proven. In view of the purpose of these registers, the Federal Council is of the opinion that data protection reasons must not affect the public nature of registers of private legal transactions. The same applies to the registers in the area of intellectual property law: the legislator has already weighed up the interests and guarantees the public nature of these registers. In the view of the Federal Council, it is not the task of the FADP to regulate the rights of data subjects in this area. Therefore, a restriction is to be provided in paragraph 4 in favor of the special provisions of federal law. The amendment relates exclusively to public registers of private legal transactions kept by federal authorities, i.e. the electronic civil status register, Zefix, the aircraft register of the Federal Office of Civil Aviation and the registers of the Federal Institute of Intellectual Property (in particular the trademark register, the patent register and the design register).

The public regi­sters of pri­va­te legal tran­sac­tions for which the can­tons are respon­si­ble are sub­ject to can­to­nal data pro­tec­tion law. This also app­lies if the­se data are pro­ces­sed as part of the enfor­ce­ment of federal law. Howe­ver, can­to­nal data pro­tec­tion law must not impe­de the cor­rect and uni­form app­li­ca­ti­on of federal pri­va­te law and, in par­ti­cu­lar, the princip­le of the public natu­re of the regi­sters. The repeal of Arti­cle 2(2)(d) DPA the­re­fo­re has no effect on the fol­lo­wing can­to­nal regi­sters: the land regi­ster, the regi­ster of ships, the can­to­nal com­mer­cial regi­sters, the debt enfor­ce­ment and bankrupt­cy regi­sters and the public regi­ster of reser­va­tions of tit­le. Para­graph 4 also has no effect on public-law regi­sters such as the regi­ster of medi­cal pro­fes­si­ons, to which the spe­cial law in que­sti­on app­lies, sub­si­dia­ri­ly the DPA.

Spa­ti­al scope

In con­trast to the Regu­la­ti­on (EU) 2016/679 (Art. 3), the e‑DSG does not con­tain any spe­ci­fic pro­vi­si­on on the ter­ri­to­ri­al scope of the law. In the view of the Federal Coun­cil, the exi­sting law alrea­dy offers the pos­si­bi­li­ty of app­ly­ing the DPA lar­ge­ly to situa­tions with an inter­na­tio­nal cha­rac­ter. Based on the impact theo­ry, this also app­lies to public law. The dif­fi­cul­ties are less to be found in the ter­ri­to­ri­al scope of app­li­ca­ti­on than in the imple­men­ta­ti­on and enfor­ce­ment of deci­si­ons, par­ti­cu­lar­ly in the area of the Inter­net. The Federal Coun­cil has exami­ned whe­ther the per­sons respon­si­ble and the order pro­ces­sors should be obli­ged to indi­ca­te a domic­i­le for ser­vice in Switz­er­land in order to faci­li­ta­te the enfor­ce­ment of deci­si­ons affec­ting them. It final­ly refrai­ned from doing so for the same rea­sons alrea­dy pre­sen­ted in the report of 11 Decem­ber 2015 con­cer­ning the civil lia­bi­li­ty of pro­vi­ders. Rather, a solu­ti­on via bila­te­ral or mul­ti­la­te­ral mutu­al legal assi­stance agree­ments that allow direct postal deli­very of docu­ments abroad would be pre­fera­ble. Such agree­ments alrea­dy exist in the area of civil law with some sta­tes in which well-known Inter­net com­pa­nies have their head­quar­ters, such as Ire­land or the United Sta­tes. The Federal Coun­cil con­fir­med this posi­ti­on in the area of cri­mi­nal law in its state­ment on Moti­on Lev­rat 16.4082 “Faci­li­ta­ting access to data from social net­works for law enfor­ce­ment aut­ho­ri­ties”. Final­ly, it points out that the obli­ga­ti­on to desi­gna­te a domic­i­le of ser­vice is pro­vi­ded for in the VwVG and the VGG.

The commissioner would have preferred the bill to contain a provision comparable to Article 3 of Regulation (EU) 2016/679 and to oblige the data controllers to have a representation in Switzerland.

Art. 3 Ter­ri­to­ri­al scope

1 This law app­lies to mat­ters that have an effect in Switz­er­land, even if they are initia­ted abroad.

2 Pri­va­te law claims are gover­ned by the Federal Act of Decem­ber 18, 1987 on Pri­va­te Inter­na­tio­nal Law. The pro­vi­si­ons on the ter­ri­to­ri­al scope of the Cri­mi­nal Code are also reserved.

Art. 4 Federal Data Pro­tec­tion and Infor­ma­ti­on Commissioner

1 The Federal Data Pro­tec­tion and Infor­ma­ti­on Com­mis­sio­ner (FDPIC) over­sees the app­li­ca­ti­on of federal data pro­tec­tion regulations.

2 The fol­lo­wing are exempt from super­vi­si­on by the FDPIC:

a. the Federal Assembly;
b. the Federal Council;
c. the federal courts;
d. the Office of the Attor­ney Gene­ral of Switz­er­land: con­cer­ning the pro­ces­sing of per­so­nal data in the con­text of cri­mi­nal proceedings;
e. Federal aut­ho­ri­ties: con­cer­ning the pro­ces­sing of per­so­nal data in the con­text of a judi­cial acti­vi­ty or of pro­ce­du­res of inter­na­tio­nal mutu­al legal assi­stance in cri­mi­nal matters.

Message on Art. 3 Federal Data Protection and Information Commissioner (numbering according to the draft)

Par. 1 Super­vi­si­on by the commissioner

Para­graph 1 names the com­pe­tent super­vi­so­ry aut­ho­ri­ty in the area of data pro­tec­tion. It sta­tes the princip­le that the Com­mis­sio­ner is the aut­ho­ri­ty respon­si­ble for moni­to­ring com­pli­an­ce with federal data pro­tec­tion regu­la­ti­ons (cf. Art. 39 ff. E‑DSG).

In the Ger­man legal text, the mas­cu­li­ne term is used exclu­si­ve­ly when the com­mis­sio­ner is addres­sed as an insti­tu­ti­on in the pro­vi­si­on in que­sti­on. This is the case in the majo­ri­ty of the legal pro­vi­si­ons. In con­trast, the first sec­tion of Chap­ter 7 (with the excep­ti­on of Art. 42 E‑DSG) refers to the per­son of the Com­mis­sio­ner. In the­se pro­vi­si­ons, the mas­cu­li­ne and femi­ni­ne forms are used.

Par. 2 Exemp­ti­ons from supervision

Para­graph 2 pro­vi­des for various excep­ti­ons to the Commissioner’s super­vi­si­on. The main rea­son for the­se excep­ti­ons is that pla­cing the afo­re­men­tio­ned aut­ho­ri­ties under the super­vi­si­on of the Com­mis­sio­ner would impair the sepa­ra­ti­on of powers and the inde­pen­dence of the judiciary.

The Federal Assem­bly (sub­pa­ra­graph (a)) and the Federal Coun­cil (sub­pa­ra­graph (b)) are exempt from the super­vi­si­on of the Commissioner.

Inso­far as the pro­ces­sing of per­so­nal data by the federal courts falls under the DPA, they are exempt from super­vi­si­on by the Com­mis­sio­ner (sub­pa­ra­graph c). The excep­ti­on must be con­si­de­red in light of the fact that the Com­mis­sio­ner is new­ly given the aut­ho­ri­ty in the e‑DSG to issue rulings vis-à-vis federal bodies. As a result, the­re would be a risk vis-à-vis the federal courts that the inde­pen­dence of the courts and the sepa­ra­ti­on of powers would be impai­red. In addi­ti­on, the Federal Admi­ni­stra­ti­ve Court and the Federal Supre­me Court, in par­ti­cu­lar, are appeal bodies for rulings by the data pro­tec­tion com­mis­sio­ner. The­re­fo­re, they could be cal­led upon to issue an appeal deci­si­on on their own merits. In order to meet the requi­re­ments of the Direc­ti­ve (EU) 2016/680 and the ESEV 108, each federal court will initia­te its own inde­pen­dent data pro­tec­tion over­sight. This will be ana­lo­gous to that of the Com­mis­sio­ner, as appro­pria­te. The estab­lish­ment will take place via the adap­t­ati­on of the rele­vant ordi­nan­ces of the respec­ti­ve federal courts as soon as the revi­sed DPA has ente­red into force.

Pur­suant to let­ter d, the Office of the Attor­ney Gene­ral of Switz­er­land is also exempt from super­vi­si­on by the Com­mis­sio­ner inso­far as it pro­ces­ses per­so­nal data wit­hin the frame­work of cri­mi­nal pro­ce­e­dings. Howe­ver, the federal poli­ce aut­ho­ri­ties remain sub­ject to the Commissioner’s super­vi­si­on, even if they act on behalf of the Office of the Attor­ney Gene­ral. The Com­mis­sio­ner app­lies the data pro­tec­tion pro­vi­si­ons of the app­li­ca­ble pro­ce­du­ral law (cf. Art. 2 para. 3 E‑DSG).

Final­ly, under let­ter e, federal aut­ho­ri­ties are exempt from the Commissioner’s super­vi­si­on inso­far as they pro­cess per­so­nal data in the cour­se of a judi­cial acti­vi­ty or in the cour­se of pro­ce­du­res for inter­na­tio­nal mutu­al legal assi­stance in cri­mi­nal mat­ters. This exemp­ti­on main­ly con­cerns the Office of the Attor­ney Gene­ral of Switz­er­land and the Federal Office of Jus­ti­ce. Accord­ing to the Federal Council’s decla­ra­ti­on on Arti­cle 1 of the Euro­pean Con­ven­ti­on on Mutu­al Assi­stance in Cri­mi­nal Mat­ters of 20 April 1959, the Federal Office of Jus­ti­ce is to be con­si­de­red a Swiss judi­cial aut­ho­ri­ty wit­hin the mea­ning of the Con­ven­ti­on. Howe­ver, the excep­ti­on is of limi­ted scope. This is becau­se the Com­mis­sio­ner may review the law­ful­ness of a data pro­ces­sing ope­ra­ti­on if a data sub­ject asserts his or her rights under Arti­cle 11c E‑IRSG.

Chap­ter 2: Gene­ral provisions

Sec­tion 1: Terms and principles

Art. 5 Terms

In this law mean:

a. Per­so­nal data: any infor­ma­ti­on rela­ting to an iden­ti­fied or iden­ti­fia­ble natu­ral person;
b. per­son con­cer­ned: natu­ral per­son about whom per­so­nal data are processed;

c. per­so­nal data requi­ring spe­cial protection:

1. data on reli­gious, ideo­lo­gi­cal, poli­ti­cal or tra­de uni­on views or activities,
2. data con­cer­ning health, pri­va­cy or racial or eth­nic affiliation,
3. gene­tic data,
4. bio­me­tric data that uni­que­ly iden­ti­fy a natu­ral person,
5. data on admi­ni­stra­ti­ve and cri­mi­nal pro­se­cu­ti­ons or sanctions,
6. data on social assi­stance measures.
d. Edit: any hand­ling of per­so­nal data, regard­less of the means and pro­ce­du­res used, in par­ti­cu­lar the acqui­si­ti­on, sto­rage, reten­ti­on, use, modi­fi­ca­ti­on, dis­clo­sure, archi­ving, dele­ti­on or dest­ruc­tion of data;
e. Announ­ce: trans­mit­ting or making avail­ab­le per­so­nal data;
f. Pro­filing: any auto­ma­ted pro­ces­sing of per­so­nal data con­si­sting in using such data to eva­lua­te cer­tain per­so­nal aspects rela­ting to a natu­ral per­son, in par­ti­cu­lar to ana­ly­ze or pre­dict aspects rela­ting to that natu­ral person’s per­for­mance at work, eco­no­mic situa­ti­on, health, per­so­nal pre­fe­ren­ces, inte­rests, relia­bi­li­ty, beha­vi­or, loca­ti­on or chan­ge of location;
g. High risk pro­filing: Pro­filing that entails a high risk for the per­so­na­li­ty or fun­da­men­tal rights of the data sub­ject by lea­ding to a lin­kage of data that allo­ws an assess­ment of essen­ti­al aspects of the per­so­na­li­ty of a natu­ral person;
h. Data secu­ri­ty bre­ach: a bre­ach of secu­ri­ty that results in per­so­nal data being inad­ver­tent­ly or unlaw­ful­ly lost, dele­ted, destroy­ed, or alte­red, or dis­c­lo­sed or made avail­ab­le to unaut­ho­ri­zed persons;
i. Federal body: Aut­ho­ri­ty or agen­cy of the Federal Government or per­son ent­ru­sted with public func­tions of the Federal Government;
j. Controller: private person or federal body that, alone or together with others, decides on the purpose and means of processing;
k. Processor: private person or federal body that processes personal data on behalf of the controller.
Message, Art. 4 Terms (numbering according to the draft)
Let. a Per­so­nal data

It should be noted that the e‑DSG gene­ral­ly uses the term per­so­nal data. Wit­hin the same para­graph, the term data is also used syn­ony­mous­ly, espe­cial­ly in the Ger­man text, when it is clear that per­so­nal data is meant.

The concept of personal data is changed compared to the previous law in that the FADP is no longer applicable to legal entities. Personal data is thus all information that relates to an identified or identifiable natural person. A natural person is identifiable if he or she can be identified directly or indirectly, for example by reference to information that can be deduced from the circumstances or context (identification number, location data, specific aspects relating to his or her physical, physiological, genetic, mental, economic, cultural or social identity). Identification may be possible through a single piece of information (telephone number, house number, AHV number, fingerprints) or through the matching of different pieces of information (address, date of birth, marital status). As under current law, the mere theoretical possibility that someone can be identified is not sufficient to assume that a person is identifiable. Thus, the Federal Council stated in its Message on the DPA of 1988:

“If the effort to determine the persons concerned is so great that, according to general life experience, it cannot be expected that an interested party will take it upon himself […], there is no determinability.”

Rather, the tota­li­ty of the means that can rea­son­ab­ly be used to iden­ti­fy a per­son must be con­si­de­red. Whe­ther the use of the­se means is rea­son­ab­le must be asses­sed with regard to the cir­cum­stan­ces, such as the time and finan­cial effort requi­red for iden­ti­fi­ca­ti­on. The tech­no­lo­gies avail­ab­le at the time of pro­ces­sing and their fur­ther deve­lo­p­ment must be taken into account.

The law does not app­ly to anony­mi­zed data if iden­ti­fi­ca­ti­on by third par­ties is impos­si­ble (the data has been com­ple­te­ly and defi­ni­tively anony­mi­zed) or if this would only be pos­si­ble at gre­at expen­se, which no inte­re­sted par­ty would take on. This also app­lies to pseud­ony­mi­zed data.

Let. b Data subject

Data sub­jects are natu­ral per­sons about whom data is pro­ces­sed. The restric­tion to natu­ral per­sons results from the remo­val of pro­tec­tion for data of legal per­sons (see the explana­ti­ons on Art. 2 (1) E‑DSG under No. 9.1.2).

Let­ter c Par­ti­cu­lar­ly sen­si­ti­ve per­so­nal data

Item 1 is not changed.

Point 2 is supplemented: in line with Directive (EU) 2016/680 (Art. 10) and Regulation (EU) 2016/679, the concept of personal data requiring special protection is extended to data on ethnic origin. The E‑DSG retains the reference to racial origin. Like the European Union, the Federal Council notes that the use of this term does not mean that it endorses theories that attempt to prove the existence of different human races. The bill also retains the reference to data on health and privacy. Data on privacy (the intimate sphere) are in particular data on the sexual life and sexual orientation of the data subject (see also Convention ETS 108 [Art. 6 para. 1], Directive [EU] 2016/680 [Art. 10] and Regulation [EU] 2016/679 [Art. 9]). Depending on the circumstances, a person’s gender identity may also fall under this term (or under health data).

The term “personal data requiring special protection” is also expanded to include genetic data (item 3) and biometric data that uniquely identify an individual (item 4). This amendment implements the requirements of the E‑SEV 108 (Art. 6 para. 1) and Directive (EU) 2016/680 (Art. 10). Regulation (EU) 2016/679 (Art. 9) provides for a similar regulation.

Gene­tic data is infor­ma­ti­on about a person’s gene­tic make­up obtai­ned through gene­tic testing; this inclu­des the DNA pro­fi­le (Art. 3 let. l of the Federal Act of Octo­ber 8, 2004 on Gene­tic Testing in Humans [GUMG]).

Bio­me­tric data in this con­text means per­so­nal data obtai­ned by a spe­ci­fic tech­ni­cal pro­cess on the phy­si­cal, phy­sio­lo­gi­cal or beha­vio­ral cha­rac­te­ri­stics of an indi­vi­du­al that enab­les or con­firms the uni­que iden­ti­fi­ca­ti­on of the per­son con­cer­ned. The­se are, for examp­le, a digi­tal fin­ger­print, facial images, images of the iris or record­ings of the voice. The­se data must necessa­ri­ly be based on a spe­ci­fic tech­ni­cal pro­ce­du­re that allo­ws the uni­que iden­ti­fi­ca­ti­on or authen­ti­ca­ti­on of a per­son. This is not the case, for examp­le, with ordi­na­ry photographs.

Let. d Processing

The term “processing” (German: Bearbeiten) remains unchanged in terms of content. The term “Verarbeiten” is also frequently used synonymously. However, “storing” and “deleting” have been added to the list with the aim of approximating the wording of European law (Art. 2 let. b E‑SEV 108, Art. 4 No. 2 of the Regulation [EU] 2016/679 and Art. 3 No. 2 of Directive [EU] 2016/680). As in the current law, the list of possible processing operations is not exhaustive, so that numerous operations may fall under it (organizing, sorting, modifying, evaluating data, etc.). The term “destroy” is stronger than the term “delete” and implies that the data is irretrievably destroyed. If the data exists on paper, the paper is to be burned or shredded. Data destruction is more difficult in the case of electronic data. If the data was transmitted by means of a CD or a USB stick, on the one hand the data carrier must be rendered unusable and on the other hand all copies must be treated in such a way that the data can no longer be made readable. In the case of personal data transmitted as an attachment to an e‑mail, any intermediate storage of this e‑mail must also be destroyed. Common deletion commands or mere reformatting do not constitute destruction, but deletion. Unlike Swiss law, the European Union uses the term “Verarbeiten” instead of “Bearbeiten”. For reasons of practicability, it was decided not to adapt Swiss law in this respect as well, especially since there is no difference in content.

Sub­pa­ra­graph f Profiling

The Federal Coun­cil pro­po­ses to abolish the term “per­so­na­li­ty pro­fi­le”, which is defi­ned in Arti­cle 3 let­ter d FADP. The term “per­so­na­li­ty pro­fi­le” is a spe­cial fea­ture of our legis­la­ti­on. Neit­her Euro­pean law nor other for­eign legis­la­ti­ons know this term. After the ent­ry into for­ce of the DPA in 1992, it did not have much import­ance, and today it seems to be out­da­ted due to the deve­lo­p­ment of new tech­no­lo­gies. In its place, the term “pro­filing” is used in the e‑DSG. The term is found in Arti­cle 3(4) of the Direc­ti­ve (EU) 2016/680 and Arti­cle 4 point 4 of the Regu­la­ti­on (EU) 2016/679. Alt­hough the two terms have simi­la­ri­ties, they are not con­gru­ent. The per­so­na­li­ty pro­fi­le is the result of a pro­ces­sing pro­ce­du­re and thus cap­tures some­thing sta­tic. Pro­filing, on the other hand, descri­bes a spe­ci­fic form of data pro­ces­sing, i.e. a dyna­mic pro­cess. In addi­ti­on, the pro­filing pro­cess is gea­red to a spe­ci­fic purpose.

Based on the com­ments recei­ved during the con­sul­ta­ti­on pro­cess, the con­tent of the term “pro­filing” has been adap­ted to the Euro­pean ter­mi­no­lo­gy and now only covers the auto­ma­ted pro­ces­sing of per­so­nal data. Thus, pro­filing is defi­ned as the assess­ment of cer­tain cha­rac­te­ri­stics of a per­son on the basis of per­so­nal data pro­ces­sed by auto­ma­ted means, in par­ti­cu­lar in order to ana­ly­ze or pre­dict work per­for­mance, eco­no­mic cir­cum­stan­ces, health, beha­vi­or, inte­rests, place of resi­dence or mobi­li­ty. This ana­ly­sis may be done, for examp­le, to find out whe­ther a per­son is sui­ta­ble for a par­ti­cu­lar job. Pro­filing is, in other words, cha­rac­te­ri­zed by the fact that per­so­nal data are eva­lua­ted in an auto­ma­ted man­ner in order to assess the cha­rac­te­ri­stics of a per­son on the basis of this eva­lua­ti­on, also in an auto­ma­ted man­ner. Pro­filing thus only exists if the eva­lua­ti­on pro­cess is ful­ly auto­ma­ted. Any eva­lua­ti­on using com­pu­ter-assi­sted ana­ly­sis tech­ni­ques is to be regar­ded as an auto­ma­ted eva­lua­ti­on. Algo­rith­ms can also be used for this pur­po­se, but their use is not con­sti­tu­ti­ve for the exi­stence of pro­filing. Rather, all that is requi­red is that an auto­ma­ted eva­lua­ti­on pro­cess takes place; if, on the other hand, the­re is merely an accu­mu­la­ti­on of data without it being eva­lua­ted, pro­filing is not yet taking place. The auto­ma­ted eva­lua­ti­on is car­ri­ed out in par­ti­cu­lar in order to ana­ly­ze or pre­dict cer­tain beha­vi­ors of this per­son. By way of examp­le, the law men­ti­ons some cha­rac­te­ri­stics of a per­son such as work per­for­mance, eco­no­mic situa­ti­on or health. Howe­ver, other cha­rac­te­ri­stics such as inte­rests, trust­wort­hi­ness or loca­ti­on are also con­ceiva­ble. It is irrele­vant whe­ther the per­son respon­si­ble for pro­filing is doing so for his or her own pur­po­ses or for a third party.

Sin­ce the term per­so­na­li­ty pro­fi­le is no lon­ger used, the legal bases that allow federal bodies to pro­cess per­so­na­li­ty pro­files must also be adap­ted (cf. Sec­tion 9.2.2).

Data that ari­se as a result of pro­filing are in princip­le per­so­nal data wit­hin the mea­ning of Arti­cle 4 let­ter a E‑DSG. Depen­ding on the sub­ject mat­ter, this may also be per­so­nal data requi­ring spe­cial protection.

Let­ter g Data secu­ri­ty breach

Unli­ke the preli­mi­na­ry draft, the e‑DSG con­tains a defi­ni­ti­on of data secu­ri­ty bre­ach becau­se it beca­me appa­rent during the con­sul­ta­ti­on pro­cess that the term was not suf­fi­ci­ent­ly clear. Accord­in­gly, it is a data bre­ach if a pro­cess results in per­so­nal data being lost, dele­ted or destroy­ed, modi­fied or dis­c­lo­sed or made acces­si­ble to unaut­ho­ri­zed per­sons. This app­lies regard­less of whe­ther the pro­cess is inten­tio­nal or not, whe­ther it is unlaw­ful or not. The term ties in with Arti­cle 7, accord­ing to which the con­trol­ler and the pro­ces­sor must take tech­ni­cal and orga­niz­a­tio­nal mea­su­res to ensu­re data secu­ri­ty. In terms of con­tent, the term cor­re­sponds to Arti­cle 7(2) E‑SEV 108, Arti­cle 3 point 11 of the Direc­ti­ve (EU) 2016/680 and Arti­cle 4 item 12 of the Regu­la­ti­on (EU) 2016/679.

The only decisi­ve fac­tor is whe­ther the pro­ces­ses in que­sti­on took place. It is also irrele­vant for the exi­stence of a bre­ach of data secu­ri­ty whe­ther the­re was merely the pos­si­bi­li­ty that the per­so­nal data was dis­c­lo­sed or made acces­si­ble to unaut­ho­ri­zed per­sons or whe­ther such access actual­ly took place. If, for examp­le, a data car­ri­er is lost, it is often dif­fi­cult to pro­ve whe­ther the data stored on it was actual­ly view­ed or used by unaut­ho­ri­zed per­sons. The­re­fo­re, the loss as such alrea­dy con­sti­tu­tes a bre­ach of data secu­ri­ty. The extent and signi­fi­can­ce of a data secu­ri­ty bre­ach are rather rele­vant for the mea­su­res to be taken, in par­ti­cu­lar the assess­ment of the risk pur­suant to Arti­cle 22 (1).

Letter i Controller

The e‑DSG provides for the replacement of the term “owner of the data collection” with “controller” in order to use the same terminology as in the E‑SEV 108 (Art. 2 let. d), in Directive (EU) 2016/680 (Art. 3 No. 8) and in Regulation (EU) 2016/679 (Art. 4 No. 7). Apart from the fact that the reference to the data collection is removed, there is no material change here. The controller, like the owner of the data collection, is the person who decides on the purpose and means (material or automated processing, software used) of the processing. In the German legal text, only the masculine form is used, since the controller is predominantly, but not exclusively, a legal entity.

Let. j Processor

This is the private person or federal body that processes data on behalf of the controller. This term corresponds to that in the E‑SEV 108 (Art. 2 let. f), in Directive (EU) 2016/680 (Art. 3 No. 9) and in Regulation (EU) 2016/679 (Art. 4 item 8).

The contract between the controller and the processor can be of different types. Depending on the obligations of the processor, it may be a mandate (Art. 394 ff. CO), a contract for work (Art. 363 ff. CO) or a mixed contract. The processor is no longer a third party from the moment it begins its contractual activity on behalf of the controller.

In the German legal text, only the masculine form is used, as processors are predominantly, but not exclusively, legal entities.

Unch­an­ged terms

The following terms remain unchanged or undergo only editorial changes compared to the current law: disclosure (subparagraph (e)) and federal body (subparagraph (h)).

Repealed terms

In addi­ti­on to the terms per­so­na­li­ty pro­fi­le and data collec­tion owner, the bill repeals the fol­lo­wing terms:

  • Data collection: The e‑DSG envisages dispensing with this term. This corresponds to the solution in the E‑SEV 108, in which the term “data processing” is used instead. Thanks to new technologies, data can now be used like a data collection, even if it is not stored centrally. An illustrative example is profiling, which involves accessing various sources that are not data collections in order to assess certain characteristics of an individual based on the data collected. Under current law, such activities are not covered by the legal provisions that require the existence of a data collection – such as the right of access (Art. 8 DSG) or the duty to inform (Art. 14 FADP) – while more transparency is required precisely in this context. Moreover, the Federal Council points out that part of the doctrine interprets the term data collection very broadly. The decisive criterion here is that the allocation of data to a person must not cause disproportionate effort.
  • Law in the for­mal sen­se: The E‑DSG pro­vi­des for dis­pen­sing with this defi­ni­ti­on of terms, as it is not necessary.

Art. 6 Principles

1 Per­so­nal data must be pro­ces­sed lawfully.

2 The pro­ces­sing must be car­ri­ed out in good faith and be proportionate.

3 Per­so­nal data may only be obtai­ned for a spe­ci­fic pur­po­se that is appa­rent to the data sub­ject; it may only be pro­ces­sed in a man­ner that is com­pa­ti­ble with that purpose.

4 They shall be destroyed or anonymized as soon as they are no longer required for the purpose of processing.

5 Anyo­ne who pro­ces­ses per­so­nal data must ensu­re that it is accu­ra­te. He or she must take all rea­son­ab­le mea­su­res to ensu­re that data which is inac­cu­ra­te or incom­ple­te in rela­ti­on to the pur­po­se for which it was obtai­ned or pro­ces­sed is cor­rec­ted, dele­ted or destroy­ed. The appro­pria­teness of the mea­su­res depends in par­ti­cu­lar on the type and scope of the pro­ces­sing and the risk that the pro­ces­sing entails for the per­so­na­li­ty and fun­da­men­tal rights of the data subjects.

6 If the con­sent of the data sub­ject is requi­red, this con­sent is only valid if it is given volun­ta­ri­ly for one or more spe­ci­fic pro­ces­sing ope­ra­ti­ons after appro­pria­te infor­ma­ti­on has been provided.

7 Con­sent must be express­ly given for:

a. the pro­ces­sing of per­so­nal data requi­ring spe­cial protection;
b. high-risk pro­filing by a pri­va­te per­son; or
c. profiling by a federal body.

Message, Art. 5 Principles (numbering according to the draft)
Par. 2 Lega­li­ty and proportionality

The French ver­si­on of para­graph 2 under­goes an edi­to­ri­al change.

Accord­ing to the princip­le of pro­por­tio­na­li­ty, only data that is sui­ta­ble and necessa­ry for the pur­po­se of the pro­ces­sing may be pro­ces­sed. In addi­ti­on, the­re must be a rea­son­ab­le rela­ti­ons­hip bet­ween the pur­po­se and the means used, and the rights of the data sub­jects must be pre­ser­ved as far as pos­si­ble (princip­le of pro­por­tio­na­li­ty in the nar­rower sen­se). The princi­ples of data avo­id­ance and data eco­no­my are both expres­si­ons of this. The first implies that this opti­on is to be pre­fer­red if the pur­po­se of the pro­ces­sing can be achie­ved without obtai­ning new data. The second requi­res that only data that are abso­lute­ly necessa­ry for the pur­po­se pur­sued be pro­ces­sed. The­se two princi­ples must alrea­dy be taken into account when plan­ning new systems. Thus, they part­ly over­lap with the princi­ples of data pro­tec­tion by design and by data pro­tec­tion-friend­ly default set­tings (see explana­ti­ons on Art. 6 E‑DSG).

Par. 3 Pur­po­se limi­ta­ti­on and recognizability

Paragraph 3 combines the principles of purpose limitation and recognizability currently contained in paragraphs 3 and 4 of the Act. In order to make federal law more consistent with the wording of the E‑SEV 108 (Art. 5(4)(b)), the e‑DSG provides that data may only be obtained for a specific purpose that is identifiable to the data subject. This new wording does not result in any material changes compared to the current law. Both the procurement of the data and the purpose of its processing must be recognizable. This is generally the case if the data subject is informed, the processing is provided for by law or is clearly evident from the circumstances. The definiteness of the purpose means that vague, undefined or imprecise processing purposes are not sufficient. This characteristic is assessed according to the circumstances, whereby a balance must be struck between the interests of the data subjects and those of the controller or the processor and the company.

Para­graph 3 sta­tes that data may only be pro­ces­sed in a man­ner that is com­pa­ti­ble with the initi­al pur­po­se. This new wor­d­ing allo­ws for a ter­mi­no­lo­gi­cal appro­xi­ma­ti­on of the law to the E‑SEV 108 (Art. 5(4)(b)). Howe­ver, it does not entail any signi­fi­cant chan­ges: as is alrea­dy the case today, fur­ther pro­ces­sing is not per­mit­ted if the data sub­ject can justi­fia­b­ly con­si­der this to be unex­pec­ted, inap­pro­pria­te or objec­tion­ab­le (see also para­graph 47 of the explana­to­ry report on the E‑SEV 108 from CAHDATA). The fol­lo­wing cases are conceivable:

  • the re-use for adver­ti­sing pur­po­ses of addres­ses collec­ted when collec­ting signa­tures for a poli­ti­cal campaign;
  • obtai­ning and ana­ly­zing data on con­su­mer habits (for pur­po­ses other than fraud pre­ven­ti­on) based on pay­ments made with a credit or debit card without the con­sent of the data subject;
  • the collection and use of e‑mail addresses provided by the data subject for a specific purpose via the Internet, in order to later send spam messages;
  • the acquisition by a private company of IP addresses of connection holders offering pirated downloads.

If, on the other hand, the data subject transmits his or her address with a view to obtaining a loyalty card or for placing an order (online or not), the continued use of this address by the company concerned for advertising purposes is within the scope of an initially identifiable purpose and can therefore be considered compatible with the initial purpose. If the change of the initial purpose is provided for by law, if it is required by a change in the law or if it is legitimized by another justification (e.g. by the consent of the data subject), the further processing is also deemed to be compatible with the initial purpose.

Par. 4 Dura­ti­on of reten­ti­on of per­so­nal data

Accord­ing to para­graph 4, data must be destroy­ed or made anony­mous as soon as it is no lon­ger requi­red for the pur­po­se of pro­ces­sing. This com­plies with the requi­re­ments of the E‑SEV 108 (Art. 5 para. 4 let. e, cf. also para. 51 of the draft explana­to­ry report to the E‑SEV 108 from CAHDATA), the Direc­ti­ve (EU) 2016/680 (Art. 4 para. 1 let. e) and the Regu­la­ti­on (EU) 2016/679 (Art. 5(1)(e)). The obli­ga­ti­on also ari­ses impli­ci­tly from the gene­ral princip­le of pro­por­tio­na­li­ty, which is set out in para­graph 2 of the pro­vi­si­on. Howe­ver, the Federal Coun­cil con­si­ders it important to expli­ci­tly sta­te this obli­ga­ti­on in view of the tech­no­lo­gi­cal deve­lo­p­ment and the almost unli­mi­ted sto­rage pos­si­bi­li­ties. Com­pli­an­ce with this obli­ga­ti­on requi­res the respon­si­ble par­ty to spe­ci­fy reten­ti­on peri­ods. This is sub­ject to spe­cial regu­la­ti­ons that pro­vi­de for spe­cial reten­ti­on periods.

Par. 5 Correctness

Article 5(5) of the e‑DSG incorporates the principle of accuracy of data currently set out in Article 5 FADP. In this way, the most important data protection principles are combined in a single provision, as is also the case in Article 5 E‑SEV 108, in Article 4 of Directive (EU) 2016/680 and in Article 5 of Regulation (EU) 2016/679. In the French text, the term “correctes” is replaced by “exactes”; in German and Italian, the terminology used is already consistent.

The para­graph sta­tes that any per­son who pro­ces­ses data must ensu­re that it is accu­ra­te. It must take all rea­son­ab­le mea­su­res to ensu­re that data which is inac­cu­ra­te or incom­ple­te in rela­ti­on to the pur­po­se for which it was obtai­ned or pro­ces­sed is cor­rec­ted, dele­ted or destroy­ed. Data that can­not be cor­rec­ted or com­ple­ted shall be dele­ted or destroy­ed. The scope of this duty to veri­fy must be deter­mi­ned on a case-by-case basis. It depends in par­ti­cu­lar on the pur­po­se and scope of the pro­ces­sing and on the type of data pro­ces­sed. Depen­ding on the case, this obli­ga­ti­on may mean that the data is kept up to date.

Certain legal obligations may prevent the correction, deletion or updating of data. In addition, the principle of accuracy and the associated obligations must be viewed in a differentiated manner with regard to the activities of archives, museums, libraries and other memory institutions. The task of such institutions is in particular to collect, index, preserve and communicate documents (including digital ones) of all kinds (cf. Art. 2(1) of the National Library Act of 18 December 1992). The documents in question as such may not be changed in the process, because this would run counter to the purpose of archiving. The purpose of archives is to provide a snapshot of the past by means of documents, the “accuracy” of which relates solely to the fact that the documents in question are reproduced faithfully in their original form. In other words, archives reproduce how something was in the past, regardless of whether this is still considered accurate from a current perspective. There is a considerable public interest in this specific activity (in this regard, see Art. 28 Para. 1 Letter b and 37 Para. 5 E‑DSG as well as the corresponding explanations under Sections 9.1.6 and 9.1.7).

Par. 6 Consent

If the data subject’s con­sent is requi­red, such con­sent is only valid pur­suant to para­graph 6 if it is given volun­ta­ri­ly and unam­bi­guous­ly for one or more spe­ci­fic pro­ces­sing ope­ra­ti­ons after appro­pria­te infor­ma­ti­on has been pro­vi­ded. In this way, the data sub­ject expres­ses his or her con­sent to an infrin­ge­ment of his or her per­so­na­li­ty, which in the pre­sent case occurs as a result of data processing.

The slight­ly modi­fied wor­d­ing allo­ws a ter­mi­no­lo­gi­cal appro­xi­ma­ti­on to the E‑SEV 108 (Art. 5(2)) in order to meet its requi­re­ments. Howe­ver, this does not result in any fun­da­men­tal chan­ge to the cur­rent legal situa­ti­on. As is alrea­dy the case under exi­sting law, the pro­ces­sing, in par­ti­cu­lar its scope and pur­po­se, must be suf­fi­ci­ent­ly defi­ned for con­sent to be valid. Con­sent can also be given for several simi­lar or dif­fe­rent pro­ces­sing ope­ra­ti­ons. It is also pos­si­ble that the pur­po­se of pro­ces­sing requi­res dif­fe­rent pro­ces­sing. For examp­le, tre­at­ment by a doc­tor may requi­re an exchan­ge with pre- or post-tre­at­ment spe­cia­lists and ser­vices, as may pro­ces­sing for bil­ling pur­po­ses or cla­ri­fi­ca­ti­ons with insuran­ce com­pa­nies. The con­sent must cover the pur­po­se of the pro­ces­sing for which it ser­ves as a justi­fi­ca­ti­on. If the data is pro­ces­sed for other pur­po­ses for which con­sent was not given, this pro­ces­sing must be justi­fied by other rea­sons. The con­sent must also be unam­bi­guous. Accord­in­gly, the data subject’s decla­ra­ti­on must unequi­vo­cal­ly sta­te his or her intent. This depends on the spe­ci­fic cir­cum­stan­ces of the indi­vi­du­al case. Accord­ing to the princip­le of pro­por­tio­na­li­ty, the more sen­si­ti­ve the per­so­nal data in que­sti­on, the clea­rer the con­sent must be. Con­sent can still be given without a spe­ci­fic form and is the­re­fo­re not bound to a writ­ten decla­ra­ti­on. Unam­bi­guous con­sent wit­hin the mea­ning of para­graph 6 can also be given by an implied decla­ra­ti­on of intent (cf. Art. 1 CO). This is the case if the expres­si­on of the will does not result from the decla­ra­ti­on its­elf, but from con­duct which can be under­s­tood as an unam­bi­guous expres­si­on of the will on the basis of the cir­cum­stan­ces in which it occurs. 
This is the case with so-called implied (conclusive) conduct, in which the declaring person expresses his will by making it clear through a corresponding action, e.g. by fulfilling his contractual obligation. There must therefore be an expression of will, so that in principle mere silence or inactivity cannot be regarded as valid consent to an infringement of personality. Article 6 CO remains reserved if the parties have agreed on silence as consent.

According to the second sentence of paragraph 6, consent must be given explicitly when it comes to the processing of particularly sensitive personal data and profiling. Increased requirements are also placed on consent for profiling, as is already the case in current law for the processing of personality profiles. “Explicit” is a heightened requirement for “unambiguous” consent under the first sentence of this provision. The scope of this requirement is already partially disputed under current law. The Federal Council, however, sees no reason to deviate from the current legal situation. However, in order to clarify the terminology, the terms “explicite” and “esplicito” are replaced by the terms “exprès” and “espresso” in the French and Italian versions of the text, thus aligning them with the terminology of Article 1 CO. The German text does not undergo any change. A declaration of intent is “express” if it is made by written or spoken words or a sign and the expressed intent is immediately clear from the words used or the sign. The expression of the will as such must already provide clarity about the will by the manner in which it is made. This is possible, in particular, by ticking a box, actively selecting certain technical parameters for the services of an information processing company or otherwise making a declaration. The same applies to the non-verbal expression by means of a sign that is clear in the specific context or a corresponding movement, which can frequently be the case in the context of a medical treatment relationship in particular. Examples include nodding one’s head in agreement or opening one’s mouth to allow a sample of buccal mucosa to be taken following a clear explanation. Where express consent is required, this cannot be given by implication.

Art. 7 Data pro­tec­tion by design and pri­va­cy-friend­ly default settings

1 The con­trol­ler is obli­ged to design the data pro­ces­sing tech­ni­cal­ly and orga­niz­a­tio­nal­ly in such a way that the data pro­tec­tion regu­la­ti­ons are com­plied with, in par­ti­cu­lar the princi­ples accord­ing to Arti­cle 6. He shall take this into account from the plan­ning stage.

2 In par­ti­cu­lar, the tech­ni­cal and orga­niz­a­tio­nal mea­su­res must be appro­pria­te to the sta­te of the art, the type and scope of the data pro­ces­sing, and the risk that the pro­ces­sing poses to the per­so­na­li­ty or fun­da­men­tal rights of the data subjects.

3 The con­trol­ler is obli­ged to ensu­re by means of sui­ta­ble default set­tings that the pro­ces­sing of per­so­nal data is limi­ted to the mini­mum necessa­ry for the pur­po­se of use, unless the data sub­ject spe­ci­fies otherwise.

Message, Art. 6 Data protection through technology and data protection-friendly default settings (numbering according to the draft)

Article 6 E‑DSG introduces the obligation to protect data through technology as well as through data protection-friendly default settings. Because these obligations are closely related to the data protection principles, they have been transferred to the general data protection provisions. The provision implements the requirements of Article 8 numeral 3 E‑SEV 108 and of Article 20, paragraph 1 of Directive (EU) 2016/680. Article 25 of Regulation (EU) 2016/679 contains a similar provision.

Par. 1 Data pro­tec­tion through technology

Paragraph 1 requires the controller to design data processing from the time of planning in such a way that the data protection regulations are implemented by the measures taken. This introduces the new obligation for so-called “data protection by technology” (Privacy by Design). The basic idea of technology-based data protection is that technology and law complement each other. Data protection-friendly technology can reduce the need for legal rules (or codes of conduct) by making it impossible to violate data protection regulations or at least significantly reducing the risk. At the same time, data protection-friendly technologies are indispensable for the practical implementation of data protection regulations. After all, data processing is already ubiquitous in many respects and will tend to increase further (ubiquitous computing). This creates volumes of data that are almost impossible to keep track of and that must be processed in compliance with data protection regulations, for which technical precautions are central. Overall, technology-supported data protection does not target a specific technology. Rather, the aim is to design data processing systems technically and organizationally in such a way that they comply in particular with the principles set out in Article 5 of the e‑DSG. In other words, the legal requirements for data protection-compliant processing are already implemented in the system in such a way that it reduces or eliminates the risk of violations of data protection regulations. For example, it can be ensured that data is deleted at regular intervals or anonymized as standard. Particularly significant for technology-supported data protection is data minimization, which is already derived from the general principles set out in Article 5 of the e‑DSG. In accordance with the concept of data minimization, data processing is designed from the outset in such a way that as little data as possible is generated and processed or that data is at least retained for only as short a period as possible.

Federal bodies must alrea­dy noti­fy their desi­gna­ted data pro­tec­tion offi­cer or, if no such offi­cer exists, the Com­mis­sio­ner without delay of all pro­jects invol­ving the auto­ma­ted pro­ces­sing of per­so­nal data so that data pro­tec­tion requi­re­ments are taken into account at the plan­ning sta­ge (Art. 20 VDSG).

Par. 2 Ade­quacy of the arrangements

Para­graph 2 spe­ci­fies the requi­re­ments for the pre­cau­ti­ons refer­red to in para­graph 1. In par­ti­cu­lar, the­se must be appro­pria­te in view of the sta­te of the art, the natu­re and scope of the data pro­ces­sing, and the likeli­hood and seve­ri­ty of the risks that the pro­ces­sing in que­sti­on entails for the per­so­na­li­ty and fun­da­men­tal rights of the data sub­ject. The pre­sent pro­vi­si­on refers to data pro­ces­sing by pri­va­te pro­ces­sors and federal bodies, so that the risks to the per­so­na­li­ty and fun­da­men­tal rights are refer­red to.

The stan­dard expres­ses the risk-based approach. The risk asso­cia­ted with pro­ces­sing must be rela­ted to the tech­ni­cal pos­si­bi­li­ties for redu­cing it. The hig­her the risk, the grea­ter the pro­ba­bi­li­ty of occur­rence and the more exten­si­ve the data pro­ces­sing, the hig­her the requi­re­ments for the tech­ni­cal pre­cau­ti­ons so that they can be con­si­de­red appro­pria­te in the sen­se of this provision.

Par. 3 Pri­va­cy-friend­ly default settings

According to paragraph 3, the controller is obligated to ensure by means of suitable default settings that, as a matter of principle, only as little personal data is processed as is possible with regard to the purpose of use, unless the data subject specifies otherwise. This introduces the new obligation to use data protection-friendly default settings (privacy by default). Default settings are those settings, in particular of software, which are applied by default, i.e. if no deviating input is made by the user. These default settings may be set at the factory or may be programmed accordingly, as is the case, for example, when a certain printer is defined as the default printer. In the context of data processing, this means that the processing operation in question is set up as data protection-friendly as possible by default, unless the data subject changes these default settings. For example, it would be conceivable for a website to basically allow purchases without having to create a user profile. Customers would only have to provide minimal information such as name and address. However, if customers want to benefit from other services offered by the website, such as access to all their past purchases or the creation of lists of shopping preferences, they will have to create a user profile, which will also involve more extensive processing of their personal data. This highlights the close connection with the use of data protection-friendly technology and the principle of data minimization. Thus, corresponding default settings are regularly part of the data protection-friendly design of an entire system. What is specific to data protection-friendly default settings, however, is the ability of the data subject to influence them. While the data subject can hardly influence the system as such, data protection-friendly default settings at best give him or her the opportunity to make a different choice. They are therefore closely related to the consent of the data subject (cf. Art. 5(6) E‑DSG). Thus, data protection-friendly default settings allow the data subject to consent to a certain data processing.

The princip­le of data pro­tec­tion by default plays a sub­or­di­na­te role in the public sec­tor, sin­ce data pro­ces­sing the­re is based less on the con­sent of the data sub­ject than on legal obligations.

The con­trol­ler may demon­stra­te, in par­ti­cu­lar through cer­ti­fi­ca­ti­on or a data pro­tec­tion impact assess­ment, that it com­plies with the obli­ga­ti­ons of this provision.

Art. 8 Data security

1 The con­trol­ler and the order pro­ces­sor shall ensu­re data secu­ri­ty appro­pria­te to the risk by means of sui­ta­ble tech­ni­cal and orga­niz­a­tio­nal measures.

2 The mea­su­res must make it pos­si­ble to avoid data secu­ri­ty breaches.

3 The Federal Coun­cil shall issue pro­vi­si­ons on the mini­mum requi­re­ments for data security.

Bot Art. 7 Data secu­ri­ty (count. acc. to draft)

Arti­cle 7 E‑DSG adopts Arti­cle 7 DSG with some chan­ges. The obli­ga­ti­on to ensu­re data secu­ri­ty is a requi­re­ment of the E‑SEV 108 (Art. 7) and the Direc­ti­ve (EU) 2016/680 (Art. 29). The Regu­la­ti­on (EU) 2016/679 (Art. 32) con­tains a simi­lar regu­la­ti­on. The con­trol­ler and the pro­ces­sor must take appro­pria­te tech­ni­cal and orga­niz­a­tio­nal mea­su­res to ensu­re data secu­ri­ty com­men­sura­te with the risk. This expres­ses the risk-based approach. The grea­ter the risk of a data secu­ri­ty bre­ach, the hig­her the requi­re­ments for the mea­su­res to be taken.

Para­graph 2 defi­nes the objec­ti­ve of the­se mea­su­res. The­se should make it pos­si­ble to pre­vent brea­ches of data secu­ri­ty, i.e. any bre­ach of secu­ri­ty which, regard­less of intent or unlaw­ful­ness, results in per­so­nal data being lost, dele­ted, destroy­ed or alte­red, or dis­c­lo­sed or made acces­si­ble to unaut­ho­ri­zed per­sons (Art. 4 let. g e‑DSG). Such pre­cau­ti­ons may inclu­de, for examp­le: the pseud­ony­miz­a­ti­on of per­so­nal data, mea­su­res to main­tain the con­fi­dentia­li­ty and avai­la­bi­li­ty of the system or its ser­vices, the deve­lo­p­ment of pro­ce­du­res to regu­lar­ly check, ana­ly­ze and eva­lua­te whe­ther the secu­ri­ty pre­cau­ti­ons taken are effective.

Alt­hough data pri­va­cy and data secu­ri­ty inter­act, they must be distin­guis­hed from one ano­t­her. Data pro­tec­tion is con­cer­ned with the pro­tec­tion of the per­so­na­li­ty of the indi­vi­du­al. Data secu­ri­ty, on the other hand, is gene­ral­ly aimed at the data held by a data con­trol­ler or pro­ces­sor and encom­pas­ses the gene­ral tech­ni­cal and orga­niz­a­tio­nal frame­work for data pro­ces­sing. Accord­in­gly, indi­vi­du­al data pro­tec­tion is only pos­si­ble if gene­ral tech­ni­cal pre­cau­ti­ons for data secu­ri­ty are taken at the same time. This also results in the demar­ca­ti­on of the obli­ga­ti­on for data secu­ri­ty under Arti­cle 7 E‑DSG from data pro­tec­tion by tech­no­lo­gy under Arti­cle 6 (1) E‑DSG. Arti­cle 7 obli­ga­tes both the con­trol­ler and the pro­ces­sor to pro­vi­de an appro­pria­te secu­ri­ty archi­tec­tu­re for their systems and to pro­tect them against mal­wa­re or data loss, for examp­le. Arti­cle 6(1), on the other hand, aims to ensu­re com­pli­an­ce with data pro­tec­tion regu­la­ti­ons by tech­ni­cal means, e.g., that data pro­ces­sing remains pro­por­tio­na­te. In this con­text, indi­vi­du­al mea­su­res such as the anony­miz­a­ti­on of data can be signi­fi­cant for both obligations.

Para­graph 3 requi­res the Federal Coun­cil to defi­ne mini­mum data secu­ri­ty requirements.

Art. 9 Pro­ces­sing by order processors

1 The pro­ces­sing of per­so­nal data may be ent­ru­sted by con­tract or by legis­la­ti­on to a pro­ces­sor if:

a. the data is pro­ces­sed as the data con­trol­ler would be per­mit­ted to do; and
b. no legal or con­trac­tu­al con­fi­dentia­li­ty obli­ga­ti­on pro­hi­bits the transfer.

2 In par­ti­cu­lar, the con­trol­ler must ensu­re that the order pro­ces­sor is capa­ble of gua­ran­te­eing data security.

3 The order processor may only transfer the processing to a third party with the prior approval of the controller.

4 He may invoke the same grounds for justification as the controller.

Bot Art. 8 Pro­ces­sing by order pro­ces­sor (count. acc. to draft)

Article 8 essentially takes over the current Article 10a DSG (data processing by third parties). In paragraphs 1, 2 and 4, terminological changes are made that are necessary as a result of the new terms (processor, controller). As under the previous law, it can be stated in particular that order processing for personal data that falls under Article 321 StGB (e.g. data covered by medical secrecy) is not excluded by the provision in Article 8 (1) letter b E‑DSG if the third parties are to be qualified as auxiliaries within the meaning of Article 321 (1) (1) StGB. If the other requirements for order processing are met, this is thus permissible without the data subject having to give additional consent. Paragraph 1 establishes a duty of care for the controller to safeguard the rights of the data subject in order processing. The controller must actively ensure that the order processor complies with the law to the same extent as he does himself. This applies in particular to compliance with the general principles, the rules regarding data security, which are explicitly mentioned in paragraph 2, and the rules regarding disclosure abroad. The data controller must, analogously to Article 55 CO, prevent violations of the DPA. He is therefore obliged to select his processor carefully, to instruct him appropriately and to monitor him as far as necessary. Paragraph 3 is new and provides that the processor may only transfer the processing to a third party with the prior consent of the controller. In the private sector, the authorization is not tied to any particular form. However, the order processor must prove that the authorization has been obtained. It is therefore in his interest to document this. In the public sector, on the other hand, the authorization must be in writing. This is a requirement of the Directive (EU) 2016/680 (Art. 22 Para. 2). The Federal Council will specify this in an ordinance. In both the private and the public sector, the authorization may be specific or general. In the latter case, the processor shall inform the controller of any change (involvement or replacement of other processors) so that the controller can object to such changes.

Data pro­ces­sing wit­hin the same legal enti­ty (branch, admi­ni­stra­ti­ve unit, employees) does not con­sti­tu­te pro­ces­sing by order pro­ces­sors. If data is stored in a so-cal­led cloud, this is basi­cal­ly an app­li­ca­ti­on of order pro­ces­sing, which must meet the cor­re­spon­ding requi­re­ments. If data is dis­c­lo­sed abroad for this pur­po­se, the requi­re­ments of Arti­cles 13 and 14 must also be met.

Art. 10 Data pro­tec­tion advisor

1 Pri­va­te data con­trol­lers may appoint a data pro­tec­tion advisor.

2 The data pro­tec­tion advi­sor is the point of con­ta­ct for data sub­jects and for the aut­ho­ri­ties respon­si­ble for data pro­tec­tion in Switz­er­land. She or he has the fol­lo­wing tasks in particular:

a. Trai­ning and advi­sing the pri­va­te con­trol­ler on pri­va­cy issues;
b. Par­ti­ci­pa­ti­on in the app­li­ca­ti­on of data pro­tec­tion rules.

3 Pri­va­te respon­si­ble par­ties may make use of the excep­ti­on under Arti­cle 23(4) if the fol­lo­wing con­di­ti­ons are met:

a. The data pro­tec­tion advi­sor shall exer­cise his or her func­tion vis-à-vis the con­trol­ler in a pro­fes­sio­nal­ly inde­pen­dent man­ner and not bound by instructions.
b. She or he shall not enga­ge in any acti­vi­ty that is incom­pa­ti­ble with her or his duties as a pri­va­cy consultant.
c. She or he has the necessa­ry expertise.
d. The data con­trol­ler shall publish the con­ta­ct details of the data pro­tec­tion advi­sor and com­mu­ni­ca­te them to the FDPIC.

4 The Federal Coun­cil shall regu­la­te the appoint­ment of data pro­tec­tion advi­sors by federal bodies.

Bot Art. 9 Data protection advisor (count. acc. to draft)

Arti­cle 9 regu­la­tes the inter­nal data pro­tec­tion advi­sor. The exi­sting law uses the term data pro­tec­tion offi­cer in Ger­man, responsa­bi­le in Ita­li­an, while in French it refers to the con­seil­ler (Art. 11a (5) (e) FADP). In order to avoid con­fu­si­on with the data con­trol­ler under Arti­cle 4(i) DPA or with the responsa­bi­le under Arti­cle 4(j) DPA, the DPA intro­du­ces the term data pro­tec­tion advi­sor or con­su­len­te per la pro­te­zio­ne dei dati in Ger­man and Ita­li­an. This makes the ter­mi­no­lo­gy con­si­stent in all three languages.

The data pro­tec­tion advi­sor moni­tors com­pli­an­ce with data pro­tec­tion regu­la­ti­ons wit­hin a com­pa­ny and advi­ses the per­son respon­si­ble on data pro­tec­tion mat­ters. Howe­ver, the per­son respon­si­ble bears sole respon­si­bi­li­ty for ensu­ring that per­so­nal data is pro­ces­sed in com­pli­an­ce with data pro­tec­tion regulations.

The pro­vi­si­on will be added to the e‑DSG as a result of the con­sul­ta­ti­on. It has shown that an expli­cit men­ti­on of the data pro­tec­tion advi­sor in the law is desi­ra­ble. Howe­ver, the E‑DSG goes less far than Euro­pean law, which pro­vi­des for an obli­ga­ti­on to appoint a data pro­tec­tion advi­sor in cer­tain cases. This solu­ti­on would also have been pre­fer­red by the Com­mis­sio­ner. Under the E‑DSG, on the other hand, it is left up to com­pa­nies to deci­de whe­ther they want to appoint a data pro­tec­tion advi­sor, while federal bodies are in princip­le obli­ged to appoint one.

Par. 1 and 2 Appointment

Pri­va­te data con­trol­lers may in princip­le appoint a data pro­tec­tion advi­sor at any time, as sta­ted in para­graph 1. Howe­ver, the law pro­vi­des for faci­li­ta­ti­ons with regard to the data pro­tec­tion impact assess­ment for con­trol­lers who have appoin­ted such an advisor.

Para­graph 2 defi­nes the requi­re­ments that must be met for the­se faci­li­ta­ti­ons to app­ly (sub­pa­ra­graph a). In this respect, the e‑DSG lar­ge­ly adopts exi­sting law (cf. Art. 12a f. VDSG).

The controller may appoint an employee or a third party as data protection advisor. According to letter a, however, the person must exercise his or her function independently; he or she is not bound by instructions from the data controller. If the person is an employee, the hierarchical classification within the company must ensure that the data protection advisor remains independent. In principle, he or she should report directly to the management of the controller.

Let­ter b fur­ther spe­ci­fies the inde­pen­dence of the data pro­tec­tion advi­sor. Accord­in­gly, the­se per­sons may not take on any acti­vi­ties that are incom­pa­ti­ble with their duties. This could be the case, for examp­le, if the data pro­tec­tion advi­sor is a mem­ber of the manage­ment, exer­cises func­tions in are­as of per­son­nel manage­ment or infor­ma­ti­on system manage­ment, or belongs to a depart­ment that its­elf pro­ces­ses per­so­nal data requi­ring spe­cial pro­tec­tion. On the other hand, it is con­ceiva­ble, for examp­le, to cumu­la­te the task of the data pro­tec­tion advi­sor with that of the infor­ma­ti­on secu­ri­ty officer.

Final­ly, accord­ing to let­ter c, the data pro­tec­tion advi­sor must have the necessa­ry exper­ti­se to take on this task. Thus, this acti­vi­ty requi­res exper­ti­se both in data pro­tec­tion legis­la­ti­on and in tech­ni­cal stan­dards for data security.

The data pro­tec­tion advi­sor is an important con­ta­ct per­son for both the data sub­ject and the data con­trol­ler with regard to the data pro­ces­sing acti­vi­ties car­ri­ed out by the com­pa­ny in que­sti­on. Accord­ing to let­ter d, the con­trol­ler must the­re­fo­re publish the con­ta­ct details of the data pro­tec­tion advi­sor and com­mu­ni­ca­te them to the Com­mis­sio­ner. An ana­lo­gous obli­ga­ti­on is also to be pro­vi­ded for in the Ordi­nan­ce for federal bodies.

Par. 3 Data protection advisor of federal bodies

Paragraph 3 requires the Federal Council to issue rules on the appointment of the data protection advisor by federal bodies. Under the previous law, too, these rules are found predominantly in the ordinance.

In the Schengen area, the federal bodies are required on the basis of Article 32 of the Directive (EU) 2016/680 to appoint a data protection advisor.

Art. 11 Codes of conduct

1 Pro­fes­sio­nal, branch and tra­de asso­cia­ti­ons that are aut­ho­ri­zed by their sta­tu­tes to pro­tect the eco­no­mic inte­rests of their mem­bers, as well as federal bodies, may sub­mit codes of con­duct to the FDPIC.

2 The lat­ter com­ments on the codes of con­duct and publishes its opinions.

Bot Art. 10 Codes of con­duct (count. acc. to draft)

The Federal Coun­cil would like to pro­mo­te the deve­lo­p­ment of codes of con­duct. The­se meet a need reve­a­led by the regu­la­to­ry impact assess­ment (cf. para. 1.8) in view of the gene­ral natu­re of the legis­la­ti­on and its extre­me­ly broad per­so­nal and mate­ri­al scope. In such codes, indi­vi­du­al con­cepts such as high risk (Art. 20 E‑DSG) or the moda­li­ties of obli­ga­ti­ons such as the duty to inform (Art. 17 – 19 E‑DSG) and the duty to con­duct a data pro­tec­tion impact assess­ment (Art. 20 E‑DSG) can be spe­ci­fied. In addi­ti­on, more pre­cise solu­ti­ons are to be found in are­as which today rai­se nume­rous que­sti­ons, for examp­le video sur­veil­lan­ce, cloud com­pu­ting or social networks.

By enab­ling inte­re­sted par­ties to beco­me acti­ve them­sel­ves and con­tri­bu­te to the regu­la­ti­on of indi­vi­du­al are­as, the Federal Coun­cil wis­hes to pro­mo­te con­cer­ted and broad-based indu­stry solu­ti­ons. To pro­mo­te self-regu­la­ti­on, it also pro­po­ses that data con­trol­lers who com­ply with codes of con­duct can wai­ve the requi­re­ment to con­duct a data pro­tec­tion impact assess­ment under cer­tain con­di­ti­ons (Art. 20 (5) E‑DSG).

Encou­ra­ging sta­tes and regu­la­tors to adopt codes of con­duct is also important in the Regu­la­ti­on (EU) 2016/679 (Art. 40 and 57 para. 1 let. m).

In the pri­va­te sec­tor, the codes of con­duct must come from pro­fes­sio­nal or tra­de asso­cia­ti­ons that are aut­ho­ri­zed by their sta­tu­tes to pro­tect the eco­no­mic inte­rests of their mem­bers. Indi­vi­du­al respon­si­ble par­ties or con­tract pro­ces­sors can­not sub­mit codes of con­duct to the Com­mis­sio­ner becau­se the pur­po­se of codes of con­duct is to achie­ve a degree of uni­for­mi­ty wit­hin a par­ti­cu­lar indu­stry. In the public sec­tor, howe­ver, codes of con­duct may ori­gi­na­te from a sin­gle federal body. This is justi­fied in par­ti­cu­lar becau­se of the nume­rous legal bases and the diver­si­ty of the tasks of the various bodies.

Para­graph 1 pro­vi­des that the codes of con­duct may be sub­mit­ted to the Com­mis­sio­ner. The lat­ter shall com­ment on them (para­graph 2). The peri­od wit­hin which he must com­ment depends on the cir­cum­stan­ces of the indi­vi­du­al case.

The opi­ni­on does not con­sti­tu­te an order. Inte­re­sted par­ties can the­re­fo­re not deri­ve any rights from a posi­ti­ve opi­ni­on or a wai­ver of an opi­ni­on. Nevertheless, in the event of a posi­ti­ve opi­ni­on by the Com­mis­sio­ner, it can be assu­med that con­duct in com­pli­an­ce with the Code of Con­duct will not result in admi­ni­stra­ti­ve mea­su­res. The com­mis­sio­ner publishes his opi­ni­on, irre­spec­ti­ve of whe­ther he asses­ses the sub­mit­ted code of con­duct posi­tively or negatively.

The com­mis­sio­ner would have pre­fer­red it if the asso­cia­ti­ons had been obli­ged to sub­mit the codes to him for appro­val. The Federal Coun­cil refrai­ned from doing so becau­se of the results of the con­sul­ta­ti­on, but also becau­se the Com­mis­sio­ner would have had to deci­de on this by way of an order, which would have entail­ed addi­tio­nal costs.

Art. 12 List of pro­ces­sing activities

1 The controllers and the order processors shall each keep a register of their processing activities.

2 The controller’s list shall contain at least:

a. the identity of the controller;
b. the pur­po­se of processing;
c. a descrip­ti­on of the cate­go­ries of data sub­jects and the cate­go­ries of per­so­nal data processed;
d. the cate­go­ries of recipients;
e. if pos­si­ble, the reten­ti­on peri­od of the per­so­nal data or the cri­te­ria for deter­mi­ning this period;
f. if pos­si­ble, a gene­ral descrip­ti­on of the mea­su­res taken to ensu­re data secu­ri­ty in accordance with Arti­cle 8;
g. if the data are dis­c­lo­sed abroad, the indi­ca­ti­on of the Sta­te and the gua­ran­tees refer­red to in Arti­cle 16, para­graph 2.

3 The list of the pro­ces­sor shall con­tain infor­ma­ti­on on the iden­ti­ty of the pro­ces­sor and the con­trol­ler, on the cate­go­ries of pro­ces­sing car­ri­ed out on behalf of the con­trol­ler and the infor­ma­ti­on refer­red to in para­graph 2(f) and (g).

4 The federal bodies report their direc­to­ries to the FDPIC.

5 The Federal Coun­cil pro­vi­des for excep­ti­ons for com­pa­nies that employ fewer than 250 employees and who­se data pro­ces­sing invol­ves a low risk of vio­la­ti­ons of the per­so­na­li­ty of the per­sons concerned.

Bot Art. 11 List of pro­ces­sing acti­vi­ties (count. acc. to draft)

Ins­tead of the docu­men­ta­ti­on obli­ga­ti­on in the preli­mi­na­ry draft, the e‑DSG pro­vi­des for the obli­ga­ti­on to keep a regi­ster of pro­ces­sing acti­vi­ties. The con­sul­ta­ti­on reve­a­led that it was not clear enough what the docu­men­ta­ti­on obli­ga­ti­on covers. In addi­ti­on, the direc­to­ry of pro­ces­sing acti­vi­ties is now clas­si­fied under the gene­ral data pro­tec­tion pro­vi­si­ons. This cla­ri­fies the clo­se con­nec­tion with the data pro­tec­tion princi­ples. The obli­ga­ti­on to main­tain a direc­to­ry replaces the obli­ga­ti­on to report data collec­tions under the pre­vious law. The Direc­ti­ve (EU) 2016/680 pro­vi­des for such a list in Arti­cle 24; the Regu­la­ti­on (EU) 2016/679 con­tains an ana­lo­gous pro­vi­si­on in Arti­cle 30.

The obli­ga­ti­on to main­tain a regi­ster is incum­bent on the con­trol­ler and the pro­ces­sor in accordance with para­graph 1.

Paragraph 2 lists the minimum information that the directory must contain. First of all, this includes the identity (name) of the controller (a) and the purpose of the processing (b). A description of the categories of data subjects and the categories of personal data processed must also be provided (c). Categories of data subjects refer to typified groups that have certain common characteristics, such as “consumers”, “members of the armed forces” or “employees”. Categories of personal data processed refers to the type of data processed, e.g. personal data requiring special protection. The categories of recipients (letter d) to whom the personal data may be disclosed must also be listed. Again, this refers to typified groups with common characteristics, such as “supervisory authorities”. According to letter e, the directory must contain the retention period of the personal data. Since the retention period under Article 5(4) is based on the purpose of use, it is sometimes not possible to specify the retention period exactly, which is expressed by the phrase “if possible”. If precise information is not possible, the list must at least contain the criteria according to which this duration is determined. Finally, according to letter f, the inventory must contain a general description of the measures taken to ensure data security pursuant to Article 7, to the extent possible. By means of the description, the directory should make it possible to identify deficiencies in the security measures. The phrase “if possible” makes it clear that the description should only be given if the precautions can be described in sufficiently concrete terms. If these recipients are located abroad, it must also be clear from the list whether, in principle, the requirements for disclosure abroad are met. Therefore, according to letter g, the state must be indicated as well as the guarantees according to Article 13 paragraph 2.

The list in para­graph 2 makes it clear that the direc­to­ry is a gene­ral descrip­ti­on of the pro­ces­sing acti­vi­ty, from which the type and scope of pro­ces­sing results. On the other hand, the direc­to­ry is not a jour­nal of all data pro­ces­sing acti­vi­ties of the con­trol­ler or the pro­ces­sor, in which indi­vi­du­al actions are listed in the form of a pro­to­col. The direc­to­ry is the­re­fo­re a writ­ten pre­sen­ta­ti­on of the essen­ti­al infor­ma­ti­on on all data pro­ces­sing acti­vi­ties of a data con­trol­ler or pro­ces­sor. It thus allo­ws signi­fi­cant con­clu­si­ons to be drawn as to whe­ther or not a data pro­ces­sing ope­ra­ti­on is desi­gned to com­ply with data pro­tec­tion princi­ples. In addi­ti­on, the mini­mum infor­ma­ti­on in the direc­to­ry in para­graph 2 cor­re­la­tes in many respects with the infor­ma­ti­on that the data sub­ject must recei­ve based on the duty to inform and the right to information.

Para­graph 3 con­tains an abbre­via­ted list of mini­mum infor­ma­ti­on to be pro­vi­ded by the pro­ces­sor. In par­ti­cu­lar, this must list the cate­go­ries of pro­ces­sing car­ri­ed out on behalf of each con­trol­ler. The list of the com­mis­sio­ned pro­ces­sor shall also con­tain the iden­ti­ty of the con­trol­lers for whom it acts. Pur­suant to para­graph 4, federal bodies shall report their direc­to­ries to the Com­mis­sio­ner. The lat­ter shall keep a regi­ster of the pro­ces­sing acti­vi­ties of the federal bodies in accordance with Arti­cle 50. This regi­ster is published. In princip­le, this will not result in any chan­ges for federal bodies in rela­ti­on to the pre­vious law. This is becau­se they alrea­dy have to draw up pro­ces­sing regu­la­ti­ons and regi­ster their data collec­tion with the Commissioner.

Para­graph 5 gives the Federal Coun­cil the opti­on of pro­vi­ding for exemp­ti­ons from the obli­ga­ti­on to keep a regi­ster for com­pa­nies that employ fewer than 50 peop­le. This ser­ves in par­ti­cu­lar to relie­ve the bur­den on small and medi­um-sized enter­pri­ses. Howe­ver, the Federal Coun­cil will not base this sole­ly on the size of a com­pa­ny, but will also take into account the risks asso­cia­ted with data processing.

Art. 13 Certification

1 Manufacturers of data processing systems or programs, as well as data controllers and order processors, may subject their systems, products and services to evaluation by recognized independent certification bodies.

2 The Federal Council shall issue regulations on the recognition of certification procedures and the introduction of a data protection quality mark. In doing so, it shall take into account international law and internationally recognized technical standards.

Bot Art. 12 Cer­ti­fi­ca­ti­on (count. acc. to draft)

Article 12 of the e‑DSG governs the optional certification currently regulated in Article 11 DSG. In addition to data processing systems (procedures, organization) and products (programs, systems), it will also be possible to certify certain services in the future.

Cer­ti­fied data con­trol­lers are exempt from the obli­ga­ti­on to con­duct a data pro­tec­tion impact assess­ment (Art. 20 (5) E‑DSG).

The accredi­ta­ti­on pro­ce­du­re for inde­pen­dent cer­ti­fi­ca­ti­on bodies by the Swiss accredi­ta­ti­on body, with which the com­mis­sio­ner is also asso­cia­ted, remains unch­an­ged. The com­mis­sio­ner would have pre­fer­red it if a cer­ti­fi­ca­ti­on requi­re­ment had been intro­du­ced for high-risk pro­ces­sing ope­ra­ti­ons. The Federal Coun­cil has refrai­ned from doing so becau­se this is not a requi­re­ment of Euro­pean law.

Sec­tion 2: Data Pro­ces­sing by Pri­va­te Con­trol­lers with Seat or Resi­dence Abroad

Art. 14 Representation

1 Pri­va­te con­trol­lers domic­i­led or resi­dent abroad desi­gna­te a repre­sen­ta­ti­ve office in Switz­er­land if they pro­cess per­so­nal data of indi­vi­du­als in Switz­er­land and the data pro­ces­sing meets the fol­lo­wing requirements:

a. The pro­ces­sing is rela­ted to the offer of goods and ser­vices or the obser­va­ti­on of the beha­vi­or of per­sons in Switzerland.
b. The processing is extensive.
c. The processing is regular.
d. Pro­ces­sing invol­ves a high risk to the per­so­na­li­ty of the per­sons concerned.

2 The repre­sen­ta­ti­on ser­ves as a point of con­ta­ct for the data sub­jects and the FDPIC.

3 The respon­si­ble per­son publishes the name and address of the representative.

Art. 15 Duties of the representation

1 The Repre­sen­ta­ti­on shall keep a regi­ster of the controller’s pro­ces­sing acti­vi­ties, which shall con­tain the infor­ma­ti­on refer­red to in Arti­cle 12(2).

2 Upon requ­est, it shall inform the FDPIC of the infor­ma­ti­on con­tai­ned in the list.

3 Upon requ­est, it shall pro­vi­de the data sub­ject with infor­ma­ti­on on how to exer­cise his/her rights.

Sec­tion 3: Dis­clo­sure of per­so­nal data abroad

Art. 16 Principles

1 Per­so­nal data may be dis­c­lo­sed abroad if the Federal Coun­cil has deter­mi­ned that the legis­la­ti­on of the sta­te in que­sti­on or the inter­na­tio­nal body ensu­res ade­qua­te protection.

2 In the absence of a deci­si­on by the Federal Coun­cil under para­graph 1, per­so­nal data may be dis­c­lo­sed abroad if appro­pria­te data pro­tec­tion is gua­ran­te­ed by:

a. a trea­ty under inter­na­tio­nal law;
b. Data pro­tec­tion clau­ses in a con­tract bet­ween the con­trol­ler or pro­ces­sor and its con­trac­tu­al part­ner that have been noti­fied in advan­ce to the FDPIC;
c. spe­ci­fic gua­ran­tees drawn up by the com­pe­tent federal body and com­mu­ni­ca­ted in advan­ce to the FDPIC;
d. Stan­dard data pro­tec­tion clau­ses that the FDPIC has pre­vious­ly appro­ved, issued or ack­now­led­ged; or
e. bin­ding inter­nal com­pa­ny data pro­tec­tion regu­la­ti­ons that have been appro­ved in advan­ce by the FDPIC or by an aut­ho­ri­ty respon­si­ble for data pro­tec­tion in a sta­te that ensu­res ade­qua­te protection.

3 The Federal Council may provide for other suitable guarantees within the meaning of paragraph 2.

Bot Art. 13 Princi­ples (count. acc. to draft)

This pro­vi­si­on meets the requi­re­ments of Arti­cle 12 E‑SEV 108, accord­ing to which data may in princip­le only be trans­fer­red abroad if an ade­qua­te level of data pro­tec­tion exists (para­graph 2). Arti­cle 12 (3) E‑SEV 108 defi­nes the cases in which this requi­re­ment is met. The pro­vi­si­on in Arti­cle 13 E‑DSG also aligns the law with that of the Euro­pean Uni­on (Art. 45 et seq. of the Regu­la­ti­on [EU] 2016/679).

The provisions on the disclosure of personal data abroad have been partially revised in light of the results of the consultation process. The principle according to which personal data may not be disclosed abroad if this would seriously endanger the personality of the persons concerned has been abolished, as it creates legal uncertainty with regard to the systematics of the regulation. The terminology regarding the disclosure of personal data abroad on the basis of appropriate safeguards is aligned with that of the Regulation (EU) 2016/679. The exceptions in connection with the disclosure of personal data to a state whose legislation does not provide adequate data protection are also slightly relaxed. Finally, only the duties required by the E‑SEV 108 to inform the Commissioner and obtain the Commissioner’s approval are maintained.

Par. 1 Deter­mi­na­ti­on by deci­si­on of the Federal Council

Accord­ing to para­graph 1, data may be dis­c­lo­sed abroad if the Federal Coun­cil has deter­mi­ned that the legis­la­ti­on of the sta­te con­cer­ned or the inter­na­tio­nal body ensu­res ade­qua­te pro­tec­tion. This pro­vi­si­on express­ly con­fers on the Federal Coun­cil the respon­si­bi­li­ty to exami­ne the ade­quacy of for­eign legis­la­ti­on in the area of data protection.

The current situation is unsatisfactory because it is up to the owner of a data collection who wishes to disclose data to check whether the legislation of the state in question ensures adequate protection. If necessary, he must consult the Commissioner's list of states that meet this requirement (Art. 7 VDSG). In order to ensure uniform application of Article 13, the adequacy of foreign legislation will in future be examined by the Federal Council. In its examination, the Federal Council must examine not only whether the foreign state has legislation that materially meets the requirements of the E‑SEV 108, but also how this legislation is applied. The Federal Council may also examine whether the data protection guaranteed by an international body is adequate. The term "international body" refers to all international institutions, be they organizations or courts.

The result of this exami­na­ti­on will be published in an ordi­nan­ce of the Federal Coun­cil, which will be inclu­ded in the Offi­cial Com­pi­la­ti­on. The future ordi­nan­ce will spe­ci­fy that the Federal Coun­cil will perio­di­cal­ly eva­lua­te the situa­ti­on and that the Com­mis­sio­ner will publish on his web­site a list of sta­tes or inter­na­tio­nal bodies that, accord­ing to the Federal Council’s deter­mi­na­ti­on, ensu­re ade­qua­te data protection.

The ordi­nan­ce is desi­gned as a posi­ti­ve list and con­tains a list of tho­se sta­tes that have legis­la­ti­on on the basis of which ade­qua­te pro­tec­tion is ensu­red. If a for­eign sta­te is not inclu­ded in the ordi­nan­ce of the Federal Coun­cil, this can have two rea­sons: Eit­her the legis­la­ti­on of the sta­te in que­sti­on has not yet been exami­ned, or the Federal Coun­cil has con­clu­ded that the state’s legis­la­ti­on does not meet the requi­re­ments of ensu­ring ade­qua­te pro­tec­tion. With the revi­si­on, the Federal Council’s deter­mi­na­ti­on beco­mes a legal­ly bin­ding cri­ter­ion for tho­se respon­si­ble for dis­clo­sing data abroad, whe­re­as the pre­vious list of the com­mis­sio­ner was merely inten­ded as a tool to be made avail­ab­le to them. This solu­ti­on ser­ves legal certainty.

For its exami­na­ti­on, the Federal Coun­cil can rely on the avail­ab­le sources, name­ly the eva­lua­tions car­ri­ed out wit­hin the frame­work of Con­ven­ti­on ETS 108 or by the Euro­pean Uni­on. It would also be con­ceiva­ble to coope­ra­te with for­eign aut­ho­ri­ties and join their eva­lua­ti­on process.

If the Federal Coun­cil deter­mi­nes that the legis­la­ti­on of a sta­te or an inter­na­tio­nal body pro­vi­des ade­qua­te pro­tec­tion, the free move­ment of per­so­nal data from Switz­er­land to that sta­te or body is per­mit­ted both by pri­va­te con­trol­lers and by federal bodies.

Par. 2 No deci­si­on of the Federal Council

If the­re is no deci­si­on by the Federal Coun­cil under para­graph 1, para­graph 2 pro­vi­des that per­so­nal data may be dis­c­lo­sed abroad if appro­pria­te data pro­tec­tion is guaranteed.

Accord­ing to let­ter a, appro­pria­te pro­tec­tion may be pro­vi­ded by an inter­na­tio­nal trea­ty. By “inter­na­tio­nal trea­ty” is meant not only an inter­na­tio­nal data pro­tec­tion con­ven­ti­on such as Con­ven­ti­on ETS 108 and its Addi­tio­nal Pro­to­col to which the reci­pi­ent sta­te is a par­ty and who­se requi­re­ments have been imple­men­ted by the con­trac­ting par­ty in its dome­stic law, but also any other inter­na­tio­nal trea­ty that pro­vi­des for an exchan­ge of data bet­ween the con­trac­ting par­ties and mate­ri­al­ly com­plies with the requi­re­ments of Con­ven­ti­on ETS 108. This may also be an inter­na­tio­nal trea­ty con­clu­ded by the Federal Coun­cil wit­hin the scope of Arti­cle 61 let­ter b E‑DSG.

Paragraph 2(b‑d) complies with the requirements of Article 12(3)(b) E‑SEV 108. This provides that an adequate level of data protection may be ensured by approved ad hoc and standardized safeguards based on legally binding and enforceable instruments agreed upon and implemented by the persons involved in the disclosure and further processing of the data. Corresponding rules are provided for in Article 46 of Regulation (EU) 2016/679 and in Article 37 of Directive (EU) 2016/680.

Let. b Data protection clauses in a contract

According to paragraph 2 letter b, personal data may be disclosed abroad if the controller and the contracting party have agreed on data protection clauses in their contract. The term "data protection clauses" corresponds to the terminology of Article 46(3)(a) of Regulation (EU) 2016/679. The clauses must be communicated in advance to the Commissioner. As soon as the controller has complied with this obligation, the personal data may be disclosed abroad. If necessary, the Commissioner must open an investigation to determine whether the clauses meet the requirements. As is already the case today, it is up to the controller to demonstrate that it has taken all necessary measures to ensure that adequate protection exists and that the recipient complies with the contractual data protection clauses. In contrast to the standard data protection clauses (see letter d), the data protection clauses in a contract only apply to the disclosure provided for in the relevant contract.

Let. c Spe­ci­fic guarantees

In the public sector, a federal body that grants a foreign state a commitment to cooperate may link the commitment to specific guarantees in the area of data protection. These may, for example, be corresponding agreements with the foreign state body in question. The federal body must notify them to the Commissioner in advance. As soon as the federal body has complied with this obligation, the personal data may be disclosed abroad.

Let­ter d Stan­dard data pro­tec­tion clauses

Accord­ing to para­graph 2 let­ter d, data may be dis­c­lo­sed abroad based on stan­dard data pro­tec­tion clau­ses. The pro­vi­si­on adopts the ter­mi­no­lo­gy of Arti­cle 46(2)(c) and (d) of the Regu­la­ti­on (EU) 2016/679. Stan­dard clau­ses may be deve­lo­ped by pri­va­te par­ties, inte­re­sted par­ties, or federal bodies, or issued or reco­gni­zed by the Com­mis­sio­ner. Federal bodies may also use the­se types of safe­guards. For examp­le, the term “stan­dard pri­va­cy clau­se” refers to stan­dar­di­zed con­trac­tu­al clau­ses that are inser­ted into the con­tract bet­ween the con­trol­ler and the reci­pi­ent. It may also refer to a code of con­duct drawn up by pri­va­te par­ties, to which pri­va­te par­ties may volun­ta­ri­ly subscribe.

In the first case, the standard data protection clauses must be approved in advance by the Commissioner. This condition is a tightening of the current law, under which the Commissioner only has to be informed (Art. 6 para. 3 DSG). It corresponds to the requirement of Article 12(2)(b) E‑SEV 108. The controller may not disclose any data abroad based on the standard data protection clauses until it has received a corresponding appealable order (Art. 5 VwVG) from the Commissioner. For the duration of the procedure, the controller may rely on Article 13(2)(b) or (c). The time limit within which the Commissioner must issue an order is governed by the Ordinance on Ordinary Time Limits of 25 May 2011 (OrFV). According to Article 4 OrFV, the period within which an authority issues its decision depends on the complexity of the decision, with a maximum period of three months. In the second case, the controller can also make use of standard data protection clauses issued or recognized by the Commissioner, such as model contracts.

If a con­trol­ler deci­des to dis­c­lo­se data abroad on the basis of stan­dard data pro­tec­tion clau­ses wit­hin the mea­ning of para­graph 2 let­ter d, it shall be pre­su­med that it has taken all necessa­ry mea­su­res to ensu­re ade­qua­te pro­tec­tion. Howe­ver, this presump­ti­on does not exempt him from lia­bi­li­ty for any dis­ad­van­ta­ges that may result from a bre­ach of the­se clau­ses, in par­ti­cu­lar by the reci­pi­ent of the data. The future regu­la­ti­on should the­re­fo­re pro­vi­de for the duty of the Com­mis­sio­ner to publish a list of the stan­dard data pro­tec­tion clau­ses issued or reco­gni­zed, as is other­wi­se pro­vi­ded for in the cur­rent law (Art. 6(3) DDPA).

Let. e Binding corporate data protection regulations

According to paragraph 2 letter e, the disclosure of data abroad may also be based on binding internal company data protection regulations that have been approved in advance by the Commissioner or by a foreign authority responsible for data protection. This provision replaces Article 6(2)(g) DPA. Paragraph 2 letter e approximates the law of the European Union, which provides in Article 47 of Regulation (EU) 2016/679 that data may be transferred between members of a corporate group based on binding internal data protection rules approved in advance by the data protection supervisory authority. The approval of binding corporate internal rules is provided for in Article 57(1)(s) of Regulation (EU) 2016/679. Paragraph 2(e) represents a tightening of the current law in that the binding corporate data protection rules must now be approved. The controller may not disclose any data abroad on the basis of the binding corporate data protection rules until it has received an appealable order (Art. 5 VwVG) from the Commissioner. For the duration of the proceedings, the controller may rely on Article 13(2)(b) or (c).

In order to take into account the needs of groups of com­pa­nies that span several coun­tries, para­graph 2(e) pro­vi­des that a com­pa­ny estab­lished in Switz­er­land that is part of such a group may also com­ply with bin­ding data pro­tec­tion rules that have been appro­ved by a for­eign aut­ho­ri­ty that is com­pe­tent for data pro­tec­tion and that belongs to a sta­te that ensu­res ade­qua­te protection.

The instru­ments men­tio­ned in para­graph 2 let­ter e must be “man­da­to­ry” in the sen­se that all com­pa­nies belon­ging to the same group of com­pa­nies must com­ply with and app­ly the rules. The­se stan­dards shall spe­ci­fy at least the data dis­clo­sure in que­sti­on, the cate­go­ries of data dis­c­lo­sed, the pur­po­se of the pro­ces­sing, the cate­go­ries of data sub­jects and the reci­pi­ent coun­tries. Fur­ther­mo­re, the norms must regu­la­te the rights of the data sub­jects and also con­tain infor­ma­ti­on on the mecha­nisms that have been set up wit­hin the group of com­pa­nies to check their com­pli­an­ce. If necessa­ry, the Federal Coun­cil may defi­ne cri­te­ria in the imple­men­ting ordi­nan­ce that the bin­ding cor­po­ra­te group stan­dards must meet.

Par. 3 Legis­la­ti­ve delegation

In this pro­vi­si­on, the Federal Coun­cil is aut­ho­ri­zed to pro­vi­de for other appro­pria­te safe­guards in accordance with para­graph 2. This is becau­se it can­not be ruled out that other systems will be deve­lo­ped, such as self-cer­ti­fi­ca­ti­on sche­mes based on the Swiss-US Pri­va­cy Shield model (see Art. 46 para. 2 let. f of the Regu­la­ti­on [EU] 2016/679).

Art. 17 Exceptions

1 Not­with­stan­ding Arti­cle 16 para­graphs 1 and 2, per­so­nal data may be dis­c­lo­sed abroad in the fol­lo­wing cases:

a. The data sub­ject has express­ly con­sen­ted to the disclosure;

b. The dis­clo­sure is direct­ly rela­ted to the con­clu­si­on or exe­cu­ti­on of a contract:

1. bet­ween the per­son respon­si­ble and the data sub­ject, or
2. bet­ween the data con­trol­ler and its con­trac­tu­al part­ner in the inte­rest of the data subject.

c. Dis­clo­sure is necessa­ry for:

1. the pro­tec­tion of an over­ri­ding public inte­rest, or
2. the estab­lish­ment, exer­cise or enfor­ce­ment of legal claims befo­re a court or other com­pe­tent for­eign authority.
d. The dis­clo­sure is necessa­ry to pro­tect the life or phy­si­cal inte­gri­ty of the data sub­ject or a third par­ty and it is not pos­si­ble to obtain the data subject’s con­sent wit­hin a rea­son­ab­le time.
e. The data sub­ject has made the data gene­ral­ly acces­si­ble and has not express­ly pro­hi­bi­ted processing.
f. The data ori­gi­na­te from a regi­ster pro­vi­ded for by law, which is acces­si­ble to the public or to per­sons with an inte­rest worthy of pro­tec­tion, inso­far as the legal requi­re­ments for inspec­tion are met in the indi­vi­du­al case.

2 The con­trol­ler or the pro­ces­sor shall inform the FDPIC upon requ­est of the dis­clo­sure of per­so­nal data pur­suant to para­graph 1(b)(2), (c) and (d).

Bot Art. 14 Excep­ti­ons (count. acc. to draft)

Para. 1

In accordance with the app­li­ca­ble law (Art. 6 para. 2 DSG), Arti­cle 14 (1) E‑DSG regu­la­tes the cases in which data can be dis­c­lo­sed abroad even though ade­qua­te pro­tec­tion is lacking abroad. It essen­ti­al­ly cor­re­sponds to Arti­cle 12(4) E‑SEV 108 and Arti­cle 49 of the Regu­la­ti­on (EU) 2016/679. The Direc­ti­ve (EU) 2016/680 con­tains a cor­re­spon­ding pro­vi­si­on in Arti­cle 38.

Letter a corresponds to Article 6(2)(b) DPA, except that the consent of the data subject must be express and the expression "in individual cases" is deleted. Explicit consent is a requirement of the E‑SEV 108 (Art. 12 para. 4 let. a). In this regard, reference can be made to the explanations on Article 5(6) E‑DSG. In particular, the data subject must know the name of the third country (Art. 17(4) E‑DSG) and be informed of the risks of disclosure in connection with the level of data protection in the foreign state. As far as the expression "in individual cases" is concerned, the Federal Council is of the opinion that it can be deleted. As can be seen from Article 5(6) of the E‑DSG, the data subject consents to one or more specific processing operations. The specification "in individual cases" is therefore superfluous.

Let­ter b cor­re­sponds to Arti­cle 6(2)(c) FADP, sub­ject to the pro­vi­so that per­so­nal data may be dis­c­lo­sed abroad if the dis­clo­sure is direct­ly rela­ted to the con­clu­si­on or per­for­mance of a con­tract bet­ween the con­trol­ler and the data sub­ject or bet­ween the con­trol­ler and its con­trac­tu­al part­ner in the inte­rest of the data sub­ject. Arti­cle 49(1) of the Regu­la­ti­on (EU) 2016/679 pro­vi­des for an ana­lo­gous provision.

Point (c)(1) cor­re­sponds to the first part of the sen­tence of Arti­cle 6(2)(d) DPA. The term “indis­pensable” is repla­ced by “necessa­ry” in the intro­duc­to­ry sen­tence, fol­lo­wing the Euro­pean legal acts. The exi­stence of an over­ri­ding public inte­rest must be demon­stra­ted in the spe­ci­fic cir­cum­stan­ces. A pure­ly hypo­the­ti­cal inte­rest is not suf­fi­ci­ent. The “safe­guar­ding of an over­ri­ding public inte­rest” is under­s­tood to mean, for examp­le, the inter­nal secu­ri­ty of Switz­er­land or a third coun­try. Based on this pro­vi­si­on, per­so­nal data may also be dis­c­lo­sed abroad for huma­ni­ta­ri­an rea­sons, for examp­le, if the con­trol­ler dis­c­lo­ses it in order to assist in the search for per­sons who are mis­sing in an area of con­flict or in a regi­on whe­re a natu­ral dis­a­ster has occurred.

Point (c)(2) cor­re­sponds to the second sen­tence of Arti­cle 6(2)(d) of the FADP, except that the phra­se “befo­re a court”, which is found to be too nar­row, is repla­ced by “befo­re a court or other com­pe­tent for­eign authority”.

Let­ter d spe­ci­fies that dis­clo­sure is also per­mit­ted if it is necessa­ry to pro­tect the life or phy­si­cal inte­gri­ty of the data sub­ject or a third par­ty, inso­far as it is not pos­si­ble to obtain the data subject’s con­sent wit­hin a rea­son­ab­le peri­od. This may be the case becau­se the per­son is phy­si­cal­ly unab­le to do so or becau­se he or she can­not be rea­ched by the usu­al means of communication.

Let­ter e cor­re­sponds to Arti­cle 6(2)(f) FADP.

Let­ter f is a new pro­vi­si­on. It spe­ci­fies that the requi­re­ment of ade­qua­te pro­tec­tion does not app­ly if the data to be dis­c­lo­sed abroad ori­gi­na­te from a public regi­ster regu­la­ted by law and cer­tain legal requi­re­ments are met. Arti­cle 49(1)(g) of the Regu­la­ti­on (EU) 2016/679 fol­lows the same thrust: it pro­vi­des that the dis­clo­sure of data from a regi­ster is per­mis­si­ble despi­te the lack of ade­qua­te pro­tec­tion if the regi­ster is inten­ded to pro­vi­de infor­ma­ti­on to the public in accordance with the law of the Euro­pean Uni­on or the Mem­ber Sta­tes and if cer­tain legal requi­re­ments are met.

Para. 2

Accord­ing to this pro­vi­si­on, the Com­mis­sio­ner may requ­est the Con­trol­ler or the Pro­ces­sor to noti­fy him of the dis­clo­sures of per­so­nal data made under para­graph 1(b)(2), (c) and (d). The pro­vi­si­on com­plies with the requi­re­ments of Arti­cle 12(5) E‑SEV 108. The pen­ul­ti­ma­te sen­tence of Arti­cle 49(1) of the Regu­la­ti­on (EU) 2016/679 goes fur­ther than this pro­vi­si­on, sin­ce it pro­vi­des that data con­trol­lers shall inform the super­vi­so­ry aut­ho­ri­ty of their own accord of the trans­fers of per­so­nal data made pur­suant to Arti­cle 47.

Art. 18 Publi­ca­ti­on of per­so­nal data in elec­tro­nic form

If per­so­nal data is made gene­ral­ly avail­ab­le for the pur­po­se of infor­ming the public by means of auto­ma­ted infor­ma­ti­on and com­mu­ni­ca­ti­on ser­vices, this shall not be deemed to be dis­clo­sure abroad, even if the data is acces­si­ble from abroad.

Bot Art. 15 Publi­ca­ti­on of per­so­nal data in elec­tro­nic form (count. acc. to draft)

This provision takes over the content of Article 5 VDSG. It regulates the publication of personal data via the Internet or other information and communication services for the purpose of informing the public. Information on the Internet, with or without personal data, can thus be accessed from abroad, even in countries that do not ensure adequate data protection. The publication of personal data on the Internet for the purpose of informing the public, as in the case of the media, for example, is not considered to be the disclosure of personal data abroad.

Chap­ter 3: Obli­ga­ti­ons of the con­trol­ler and the processor

Art. 19 Duty to pro­vi­de infor­ma­ti­on when obtai­ning per­so­nal data

1 The data con­trol­ler shall inform the data sub­ject appro­pria­te­ly about the pro­cu­re­ment of per­so­nal data; this duty to inform shall also app­ly if the data is not pro­cu­red from the data subject.

2 When obtaining the data, it shall provide the data subject with the information necessary to enable the data subject to assert his or her rights under this Act and to ensure transparent data processing; at a minimum, it shall communicate:

a. the iden­ti­ty and con­ta­ct details of the per­son responsible;
b. the pur­po­se of processing;
c. if app­li­ca­ble, the reci­pi­ents or cate­go­ries of reci­pi­ents to whom per­so­nal data are disclosed.

3 If the data are not obtained from the data subject, the controller shall also inform the data subject of the categories of personal data processed.

4 If the per­so­nal data are dis­c­lo­sed abroad, it shall also inform the data sub­ject of the Sta­te or inter­na­tio­nal body and, whe­re app­li­ca­ble, of the gua­ran­tees refer­red to in Arti­cle 16, para­graph 2, or of the app­li­ca­ti­on of an excep­ti­on refer­red to in Arti­cle 17.

5 If the data are not obtained from the data subject, the controller shall provide the data subject with the information pursuant to paragraphs 2–4 no later than one month after obtaining the data. If the controller discloses the personal data before the expiry of this period, it shall inform the data subject at the latest at the time of disclosure.

Bot Art. 17 Duty to pro­vi­de infor­ma­ti­on when obtai­ning per­so­nal data (count. acc. to draft)

Article 17 of the E‑DSG now regulates the duty to provide information when data is procured. Articles 14, 18 and 18a of the FADP are thus merged into one standard. This avoids duplication and provides a uniform regulation for data processing by federal bodies and private data controllers. The provision meets the requirements of Article 7 E‑SEV 108 as well as Article 13 of Directive (EU) 2016/680. Articles 13 f. of Regulation (EU) 2016/679 contain a similar provision.

The obli­ga­ti­on to pro­vi­de infor­ma­ti­on impro­ves trans­pa­ren­cy in data pro­ces­sing, which is a cen­tral goal of the revi­si­on. This is becau­se, as a rule, the data sub­ject can­not reco­gni­ze that data about him or her is being pro­ces­sed without the appro­pria­te infor­ma­ti­on. At the same time, the data sub­ject can only exer­cise his or her rights under the FADP if he or she is awa­re that data is being pro­ces­sed. Impro­ved trans­pa­ren­cy in data pro­ces­sing the­re­fo­re also streng­t­hens the rights of the data sub­ject, which is also a cen­tral con­cern of the revi­si­on. Final­ly, the obli­ga­ti­on to pro­vi­de infor­ma­ti­on ser­ves to rai­se public awa­reness of data pro­tec­tion, which is also the aim of the revision.

Par. 1 Principle

Accord­ing to para­graph 1, the data con­trol­ler must inform the data sub­ject about the pro­cu­re­ment of per­so­nal data. This also app­lies if the data is not obtai­ned from the data subject.

The e‑DSG does not spe­ci­fy how the infor­ma­ti­on must be pro­vi­ded. Howe­ver, the data con­trol­ler must ensu­re that the data sub­ject can actual­ly take note of the infor­ma­ti­on. What must be ensu­red is the pos­si­bi­li­ty of obtai­ning infor­ma­ti­on in an easi­ly acces­si­ble man­ner, but not that the data sub­ject actual­ly obtains infor­ma­ti­on in the spe­ci­fic case. This pos­si­bi­li­ty to take note of infor­ma­ti­on essen­ti­al­ly depends on whe­ther the data is obtai­ned from the data sub­ject or not.

Thus, gene­ral infor­ma­ti­on may be suf­fi­ci­ent if the per­so­nal data is obtai­ned from the data sub­ject (for gene­ral terms and con­di­ti­ons, see Art. 18(1)). In this case, a pri­va­cy state­ment on a web­site is con­ceiva­ble, but also sym­bols or pic­to­grams, if app­li­ca­ble, inso­far as they reflect the necessa­ry infor­ma­ti­on. If a gene­ral form is cho­sen, the infor­ma­ti­on must be easi­ly acces­si­ble, com­ple­te and made suf­fi­ci­ent­ly visi­ble. Mul­ti-level access is also pos­si­ble, con­tai­ning, for examp­le, an over­view on a first level, which gives access to detail­ed infor­ma­ti­on on a second level. On the other hand, it is not suf­fi­ci­ent if sim­ply a con­ta­ct per­son is given. The per­son con­cer­ned should recei­ve the infor­ma­ti­on without having to ask for it first.

If, on the other hand, the data are not obtai­ned from the data sub­ject, the con­trol­ler must check how the infor­ma­ti­on must be pro­vi­ded so that the data sub­ject can actual­ly take note of it. If necessa­ry, it is not suf­fi­ci­ent in this case to merely pro­vi­de infor­ma­ti­on, but the data sub­ject must be actively infor­med, whe­ther in a sui­ta­ble gene­ral form or by indi­vi­du­al infor­ma­ti­on. For examp­le, a per­son who never buys books is unli­kely to visit the web­site of an online book­sel­ler and read its pri­va­cy poli­cy. Accord­in­gly, she will not learn on the basis of this gene­ral state­ment that the online book­sel­ler pro­ces­ses data about her, becau­se she does not expect it at all. The infor­ma­ti­on obli­ga­ti­on is thus also inten­ded to pre­vent data about the data sub­ject from being pro­ces­sed without his or her know­ledge, sub­ject to the excep­ti­ons in Arti­cle 18.

Alt­hough the infor­ma­ti­on is not sub­ject to any for­mal requi­re­ment, a form should be cho­sen over­all that meets the pur­po­se of trans­pa­rent data pro­ces­sing. For rea­sons of pro­of, it is also advi­s­able to docu­ment the infor­ma­ti­on or to pro­vi­de it in wri­ting. The infor­ma­ti­on must also be writ­ten in a com­pre­hen­si­ble man­ner so that it actual­ly ser­ves the pur­po­se of trans­pa­rent data processing.

Par. 2 Infor­ma­ti­on to be communicated

The introductory sentence of paragraph 2 sets out the principle that must guide the controller when communicating information. Accordingly, the data controller must provide the data subject with the information necessary to exercise his or her rights under the law and to ensure transparent data processing. Letters a‑c specify this principle by means of minimum information that must be provided to the data subject in any case. According to letter a, this is the identity, i.e. the name, and the contact details of the data controller, and according to letter b, the purpose of the processing. If applicable, the recipients or categories of recipients to whom the personal data are disclosed must also be indicated in accordance with letter c. The data subject may choose whether or not to disclose the personal data. The controller has a choice as to whether to specify the recipients or only the categories of recipients. As is also the case in the European Union (cf. Art. 4 No. 9 of Regulation [EU] 2016/679), processors are also recipients within the meaning of the provision. However, if the controller does not want to disclose their identity, he can make do with specifying the category. The Commissioner would have preferred it if, in addition, the legal basis of the processing also had to be disclosed.

The com­bi­na­ti­on of a gene­ral pro­vi­si­on, which con­tains the basic requi­re­ments for the infor­ma­ti­on to be pro­vi­ded, and spe­ci­fic mini­mum infor­ma­ti­on allo­ws the infor­ma­ti­on obli­ga­ti­on to be hand­led fle­xi­b­ly. Depen­ding on the type of data pro­ces­sed, the natu­re and scope of the data pro­ces­sing in que­sti­on, the con­trol­ler may or may not need to pro­vi­de more infor­ma­ti­on. For examp­le, it may also be necessa­ry to inform about the dura­ti­on of the pro­ces­sing, or the anony­miz­a­ti­on of data. This fle­xi­bi­li­ty is necessa­ry becau­se the FADP app­lies to a varie­ty of dif­fe­rent data pro­ces­sing ope­ra­ti­ons. At the same time, a fle­xi­ble regu­la­ti­on ensu­res that data con­trol­lers do not have to pro­vi­de unnecessa­ry infor­ma­ti­on and that data sub­jects only recei­ve necessa­ry infor­ma­ti­on. Like­wi­se, this allo­ws data con­trol­lers to spe­ci­fy the infor­ma­ti­on obli­ga­ti­on for their spe­ci­fic indu­stry in codes of conduct.

Par. 3 Cate­go­ries of per­so­nal data

Only if the data are not obtai­ned from the data sub­ject, para­graph 3 also requi­res the con­trol­ler to inform the data sub­ject of the cate­go­ries of per­so­nal data it pro­ces­ses. This restric­tion results from the assump­ti­on that the data sub­ject should at least be awa­re of the cate­go­ries of data or even the data if they are obtai­ned from him. If the data are not obtai­ned from the data sub­ject, the data sub­ject has no way of kno­wing what cate­go­ries of data are being pro­ces­sed about him or her and must the­re­fo­re be infor­med accordingly.

Par. 4 Dis­clo­sure abroad

If the per­so­nal data are dis­c­lo­sed abroad, the con­trol­ler must also inform the data sub­ject about the sta­te to which the data are trans­fer­red. If this sta­te does not ensu­re ade­qua­te pro­tec­tion and the con­trol­ler has recour­se to gua­ran­tees pur­suant to Arti­cle 13(2), he must also inform the data sub­ject of the­se gua­ran­tees. The same app­lies if the dis­clo­sure is made on the basis of an excep­ti­on under Arti­cle 14.

Par. 5 Time of information

If the data is obtai­ned from the data sub­ject, he or she must be infor­med at this time. This fol­lows from para­graph 2.

Para­graph 5 regu­la­tes the timing of the infor­ma­ti­on if the data is not obtai­ned from the data sub­ject. The pro­vi­si­on sets a maxi­mum peri­od of one mon­th wit­hin which the infor­ma­ti­on must be pro­vi­ded. Sen­tence 2 con­tains a shor­ter peri­od in the event that the con­trol­ler dis­c­lo­ses the per­so­nal data to reci­pi­ents befo­re the expi­ra­ti­on of this one-mon­th peri­od. In this case, the data sub­ject must be infor­med at the latest at the time of disclosure.

In sum­ma­ry, a basic dead­line of one mon­th app­lies after the data con­trol­ler has recei­ved the data. This peri­od app­lies regard­less of what the per­so­nal data is used for. A shor­ter peri­od app­lies only if the con­trol­ler dis­c­lo­ses the per­so­nal data to recipients.

Art. 20 Excep­ti­ons to the obli­ga­ti­on to pro­vi­de infor­ma­ti­on and restrictions

1 The obli­ga­ti­on to pro­vi­de infor­ma­ti­on pur­suant to Arti­cle 19 shall not app­ly if one of the fol­lo­wing con­di­ti­ons is met:

a. The data sub­ject alrea­dy has the rele­vant information.
b. The pro­ces­sing is pro­vi­ded by law.
c. The per­son respon­si­ble is a pri­va­te per­son who is legal­ly bound to secrecy.
d. The requi­re­ments under Arti­cle 27 are met.

2 In addi­ti­on, if the per­so­nal data is not obtai­ned from the data sub­ject, the duty to pro­vi­de infor­ma­ti­on does not app­ly if one of the fol­lo­wing con­di­ti­ons is met:

a. Providing the information is not possible.
b. Providing the information requires a disproportionate effort.

3 The respon­si­ble par­ty may limit, defer, or wai­ve dis­clo­sure of the infor­ma­ti­on in the fol­lo­wing circumstances:

a. Over­ri­ding inte­rests of third par­ties requi­re the measure.
b. The infor­ma­ti­on defeats the pur­po­se of the processing.

c. The respon­si­ble per­son is a pri­va­te per­son and the fol­lo­wing requi­re­ments are met:

1. over­ri­ding inte­rests of the per­son respon­si­ble requi­re the measure,
2. the person responsible does not disclose the personal data to third parties.

d. The respon­si­ble par­ty is a federal enti­ty and one of the fol­lo­wing con­di­ti­ons is met:

1. the mea­su­re is necessa­ry becau­se of over­ri­ding public inte­rests, in par­ti­cu­lar the inter­nal or exter­nal secu­ri­ty of Switzerland.
2. com­mu­ni­ca­ti­on of the infor­ma­ti­on may jeo­par­di­ze an inve­sti­ga­ti­on, inqui­ry, or admi­ni­stra­ti­ve or judi­cial proceeding.

4 Com­pa­nies belon­ging to the same group shall not be deemed to be third par­ties wit­hin the mea­ning of para­graph 3(c)(2).

Bot Art. 18 Excep­ti­ons to the obli­ga­ti­on to pro­vi­de infor­ma­ti­on and restric­tions (count. acc. to draft)

Arti­cle 18 E‑DSG regu­la­tes under which cir­cum­stan­ces the duty to pro­vi­de infor­ma­ti­on does not app­ly at all (paras. 1 and 2), and when the infor­ma­ti­on can be restric­ted, alt­hough the duty to pro­vi­de infor­ma­ti­on exists in princip­le (para. 3). The two con­stel­la­ti­ons must be clear­ly distin­guis­hed from each other. The pro­vi­si­on ther­eby par­ti­al­ly adopts exi­sting law (Art. 9, Art. 14 Para. 4 and 5, as well as 18b FADP), which is mer­ged into one pro­vi­si­on for the sake of clarity.

Par. 1 Gene­ral exemp­ti­ons from the obli­ga­ti­on to pro­vi­de information

Para­graph 1 spe­ci­fies some con­stel­la­ti­ons in which the infor­ma­ti­on obli­ga­ti­on does not app­ly at all and the con­trol­ler the­re­fo­re does not have to inform the data sub­ject at all. Accord­ing to let­ter a, the con­trol­ler is exempt from the infor­ma­ti­on obli­ga­ti­on if the data sub­ject alrea­dy has the infor­ma­ti­on pur­suant to Arti­cle 17. This can be assu­med in various cases. First of all, it is pos­si­ble that the data sub­ject has alrea­dy been infor­med at an ear­lier point in time and that the infor­ma­ti­on which must be com­mu­ni­ca­ted has not chan­ged in the mean­ti­me. In princip­le, it must also be assu­med that the data sub­ject has alrea­dy recei­ved the infor­ma­ti­on in order to con­sent to data pro­ces­sing. This is becau­se valid con­sent is only pos­si­ble if the data sub­ject has been ade­qua­te­ly infor­med. The infor­ma­ti­on requi­red for this cor­re­sponds to or even exce­eds that which must be pro­vi­ded under Arti­cle 17. As a rule, con­sent is given by means of gene­ral terms and con­di­ti­ons (GTC). The­se can thus in princip­le also ser­ve to inform the data sub­ject, inso­far as they con­tain the necessa­ry infor­ma­ti­on. If the data sub­ject has made the data acces­si­ble himself/herself without the assi­stance of the data con­trol­ler, he/she shall also be deemed to have been infor­med about the data collec­tion (e.g. deli­very of app­li­ca­ti­on documents).

Pur­suant to let­ter b, the obli­ga­ti­on to pro­vi­de infor­ma­ti­on does not app­ly if the pro­ces­sing is pro­vi­ded for by law. This may inclu­de pro­ces­sing by both federal bodies and pri­va­te indi­vi­du­als. In any case, federal bodies can only pro­cess data if the­re is a legal basis for doing so. The cor­re­spon­ding infor­ma­ti­on can regu­lar­ly be taken from this. The same app­lies to pri­va­te par­ties who are obli­ged by law to pro­cess cer­tain data, as is the case, for examp­le, with regard to money laundering.

Accord­ing to let­ter c, the pri­va­te respon­si­ble par­ty is released from the duty to pro­vi­de infor­ma­ti­on if it is sub­ject to a sta­tu­to­ry duty of con­fi­dentia­li­ty. This regu­la­tes a pos­si­ble con­flict of norms to the effect that, in princip­le, the duty of con­fi­dentia­li­ty takes pre­ce­dence over the duty to pro­vi­de information.

Finally, according to letter d, the duty to provide information does not apply if the requirements of Article 25 are met. This article regulates the restriction of the right to information with regard to periodically published media. For the same reasons, an analogous media privilege is also necessary for the duty to provide information in order to do sufficient justice to the special function of the media.

Par. 2 Specific restriction

Para­graph 2 pro­vi­des for a spe­ci­fic restric­tion of the duty to inform in cases whe­re data are not obtai­ned from the data sub­ject. The duty to inform the data sub­ject does not app­ly if the infor­ma­ti­on is not pos­si­ble (sub­pa­ra­graph a) or requi­res dis­pro­por­tio­na­te effort (sub­pa­ra­graph b).

The infor­ma­ti­on is not pos­si­ble if the per­son con­cer­ned can­not be iden­ti­fied at all, e.g. becau­se the pho­to is of a stran­ger. Howe­ver, it is not suf­fi­ci­ent to merely assu­me that iden­ti­fi­ca­ti­on is impos­si­ble. Rather, inve­sti­ga­ti­ons of a pro­por­tio­na­te scope are requi­red. The effort requi­red to inform the data sub­ject is dis­pro­por­tio­na­te if the effort to be expen­ded does not appe­ar objec­tively justi­fied in rela­ti­on to the infor­ma­ti­on gai­ned by the data sub­ject. In par­ti­cu­lar, it must be taken into account whe­ther a very lar­ge num­ber of per­sons are affec­ted. For examp­le, the infor­ma­ti­on may invol­ve a dis­pro­por­tio­na­te effort if per­so­nal data is pro­ces­sed exclu­si­ve­ly for archi­ving pur­po­ses in the public inte­rest. It would regu­lar­ly invol­ve an extre­me­ly high effort to inform all data sub­jects, and their inte­rest in the infor­ma­ti­on is often likely to be limi­ted, e.g. becau­se the data in que­sti­on is very old.

This excep­ti­on must be inter­pre­ted nar­row­ly. The respon­si­ble par­ty may not be con­tent with the assump­ti­on that the infor­ma­ti­on is impos­si­ble or can only be pro­vi­ded with dis­pro­por­tio­na­te effort. Rather, he must in princip­le take all mea­su­res that can be expec­ted of him under the given cir­cum­stan­ces in order to com­ply with the duty to inform. Only if the­se mea­su­res are unsuc­cess­ful may the respon­si­ble par­ty assu­me that the infor­ma­ti­on is impossible.

Par. 3 Restric­tion of information

Para­graph 3 spe­ci­fies the con­di­ti­ons under which the con­trol­ler may wai­ve, limit or post­po­ne the com­mu­ni­ca­ti­on of infor­ma­ti­on. In con­trast to para­graphs 1 and 2, para­graph 3 thus covers con­stel­la­ti­ons in which a balan­cing of inte­rests takes place. In some cases, a distinc­tion is made as to whe­ther the per­son respon­si­ble is a federal body or a pri­va­te per­son. Based on the balan­cing of inte­rests, the respon­si­ble par­ty must struc­tu­re the infor­ma­ti­on accord­in­gly, i.e. depen­ding on the case, it must restrict, post­po­ne or com­ple­te­ly wai­ve its com­mu­ni­ca­ti­on. The list of the various excep­ti­ons is exhaus­ti­ve and the pro­vi­si­on must be inter­pre­ted restric­tively in princip­le. Infor­ma­ti­on should be restric­ted only to the extent that it is real­ly indis­pensable. The rea­son for the restric­tion of the duty to pro­vi­de infor­ma­ti­on and the inte­rest in trans­pa­rent data pro­ces­sing must be con­si­de­red in rela­ti­on to each other. In princip­le, the most favor­able solu­ti­on for the data sub­ject should be cho­sen, which ensu­res trans­pa­rent data pro­ces­sing as far as pos­si­ble under the given circumstances.

Let. a

Accord­ing to let­ter a, each data con­trol­ler may restrict, post­po­ne or wai­ve the com­mu­ni­ca­ti­on of infor­ma­ti­on if this is necessa­ry due to the over­ri­ding inte­rests of third par­ties. The focus here is on con­stel­la­ti­ons in which the data sub­ject also recei­ves infor­ma­ti­on about third par­ties as a result of the infor­ma­ti­on about the data pro­ces­sing and the inte­rests of the­se third par­ties may be affec­ted as a result.

Let. b

Pursuant to letter b, any data controller may limit, postpone or waive the communication of the information if the information frustrates the purpose of the data processing. This exception must be interpreted narrowly. The controller may only invoke it if informing the data subject completely precludes achieving the purpose of the processing at the same time. If several purposes are pursued with a processing operation, the central purpose is decisive. This must be a purpose that is of considerable importance and justifies such a far-reaching restriction of the duty to provide information. One can think, for example, of investigative journalism, which does not fall under the exception in Article 18(1)(d) E‑DSG. For example, a journalist working on uncovering a political scandal for a documentary film could be prevented by the duty to inform from investigating the facts in question without interference. There is also a considerable public interest in such activity, which justifies a far-reaching restriction of the duty to inform. It is also conceivable that data is processed in direct connection with proceedings with a high amount in dispute, which is only to be used in the course of the proceedings. In this case, too, the early disclosure of the data would completely frustrate the purpose of the processing. In addition, this is a processing operation that represents an individual case for both the data controller and the data subject, because it can be assumed that neither is involved in such legal proceedings on a daily basis. In both examples, there is a weighty interest in the data processing and the danger that the purpose of the processing will be completely thwarted by the information obligation is immediate and concrete. Finally, in both cases, the data subject learns about the data processing at the latest at the time of publication of the data in question or its use in the court proceedings.

In accordance with the syste­ma­tic clas­si­fi­ca­ti­on in para­graph 3, the duty to pro­vi­de infor­ma­ti­on remains in princip­le. The con­trol­ler may only restrict, post­po­ne or wai­ve the infor­ma­ti­on to the extent that it direct­ly fru­stra­tes the pur­po­se of the pro­ces­sing. In doing so, the con­trol­ler must take the mea­su­re that is the mil­dest from the per­spec­ti­ve of the data sub­ject and restricts his or her right to trans­pa­rent data pro­ces­sing as litt­le as pos­si­ble with regard to the rea­sons for restric­ting the information.

Final­ly, the excep­ti­on under let­ter b must be distin­guis­hed from that under let­ter c. Let­ter b must be inter­pre­ted nar­row­ly and can only be app­lied whe­re infor­ming the data sub­ject would com­ple­te­ly fru­stra­te the pur­po­se of the pro­ces­sing. On the other hand, the con­trol­ler can­not invo­ke let­ter b if it would merely be more con­ve­ni­ent or prac­ti­cal for him to dis­pen­se with the infor­ma­ti­on. Like­wi­se, a con­trol­ler could not syste­ma­ti­cal­ly invo­ke the excep­ti­on for its enti­re pro­ces­sing acti­vi­ty. Final­ly, pure­ly eco­no­mic inte­rests (e.g. use of the data for adver­ti­sing pur­po­ses) do not gene­ral­ly fall wit­hin the scope of let­ter b. If necessa­ry, such less weigh­ty inte­rests of the con­trol­ler may, howe­ver, fall under let­ter c.

Let. c

Pur­suant to para­graph 3, let­ter c, the pri­va­te con­trol­ler may limit, post­po­ne or wai­ve the com­mu­ni­ca­ti­on of infor­ma­ti­on if its own over­ri­ding inte­rests so requi­re and it does not dis­c­lo­se the data to third par­ties. Such an over­ri­ding inte­rest is not to be assu­med light­ly. The inte­rest of the data sub­ject to be infor­med about a cer­tain data pro­ces­sing in order to be able to assert his or her rights must be care­ful­ly weig­hed against any inte­rests of the con­trol­ler. The type of data pro­ces­sed and the man­ner in which it is pro­ces­sed may be of import­ance, as well as the extent of the risk of a vio­la­ti­on of pri­va­cy, the pur­po­se of the data pro­ces­sing and the extent to which infor­ming the data sub­ject may con­flict with this pur­po­se, as well as the signi­fi­can­ce of this pur­po­se with regard to the acti­vi­ties of the data controller.

Let. d

In accordance with paragraph 3, letter d, a federal body may restrict, defer or waive notification if this is necessary because of overriding public interests (no. 1). An overriding public interest is deemed to be, in particular, the internal or external security of the Confederation. The concept of external security includes, in addition to the observance of obligations under international law, the maintenance of good relations with other countries. The federal body may also restrict, postpone or waive notification if this could jeopardize investigations, inquiries or official or judicial proceedings (no. 2). This is to ensure that the provisions on the right to be heard etc. under the procedural laws cannot be circumvented via the detour of the FADP.

Art. 21 Duty to pro­vi­de infor­ma­ti­on in the case of auto­ma­ted indi­vi­du­al decision-making

1 The data con­trol­ler shall inform the data sub­ject of a deci­si­on based exclu­si­ve­ly on auto­ma­ted pro­ces­sing that invol­ves a legal con­se­quence for him or her or signi­fi­cant­ly affects him or her (auto­ma­ted indi­vi­du­al decision).

2 It shall give the data sub­ject the oppor­tu­ni­ty to sta­te his or her posi­ti­on upon requ­est. The data sub­ject may requ­est that the auto­ma­ted indi­vi­du­al deci­si­on be review­ed by a natu­ral person.

3 Para­graphs 1 and 2 do not app­ly if:

a. the auto­ma­ted indi­vi­du­al deci­si­on is direct­ly rela­ted to the con­clu­si­on or per­for­mance of a con­tract bet­ween the con­trol­ler and the data sub­ject and the data subject’s requ­est is gran­ted; or
b. the data sub­ject has express­ly con­sen­ted to the deci­si­on being automated.

4 If the auto­ma­ted indi­vi­du­al deci­si­on is made by a federal body, it must mark the deci­si­on accord­in­gly. Para­graph 2 does not app­ly if the per­son con­cer­ned does not have to be heard befo­re the deci­si­on is taken under Arti­cle 30 para­graph 2 of the Admi­ni­stra­ti­ve Pro­ce­du­re Act of 20 Decem­ber 1968 (VwVG) or under ano­t­her federal act.

Bot Art. 19 Duty to pro­vi­de infor­ma­ti­on in the case of an auto­ma­ted indi­vi­du­al deci­si­on (count. as per draft).

According to Article 19 of the e‑DSG, there is an obligation to provide information in the case of an automated individual decision. This corresponds to the requirements of Article 8(a) E‑SEV 108 as well as Article 11 of the Directive (EU) 2016/680. Article 22 of the Regulation (EU) 2016/679 contains a similar provision. This new term is introduced because, due to technological development, such decisions will occur more and more frequently.

Par. 1 Information

Accord­ing to para­graph 1, the con­trol­ler must inform the data sub­ject of a deci­si­on based sole­ly on auto­ma­ted pro­ces­sing, inclu­ding pro­filing, which invol­ves a legal con­se­quence for the data sub­ject or signi­fi­cant­ly affects him or her.

If necessary, the Federal Council will specify in the ordinance when a decision exists that is based exclusively on automated processing. This is the case when no substantive assessment and decision based on it has taken place by a natural person. In other words, the substantive assessment of the facts on which the decision is based was made without the intervention of a natural person. Furthermore, the decision that is made on the basis of this assessment of the facts is also not made by a natural person. An automated individual decision can exist even if it is subsequently communicated by a natural person if the natural person can no longer influence the automatically made decision. The decisive factor is therefore the extent to which a natural person can carry out an examination of the content and, based on this, make the final decision. However, it is necessary that the decision has a certain complexity. Pure if-then decisions are not covered by the term, as is the case, for example, with an ATM withdrawal (the requested amount of money is dispensed if there is sufficient coverage in the account).

The data sub­ject does not have to be infor­med about every auto­ma­ted indi­vi­du­al deci­si­on. Rather, this is only requi­red if the deci­si­on invol­ves a legal con­se­quence for the data sub­ject or signi­fi­cant­ly affects him or her. The deci­si­on is asso­cia­ted with a legal con­se­quence if it entails direct, legal­ly fore­se­en con­se­quen­ces for the data sub­ject. In the area of pri­va­te law, this is the case when a con­tract is con­clu­ded or ter­mi­na­ted. Here, a dif­fe­ren­tia­ted con­si­de­ra­ti­on is necessa­ry. For examp­le, the con­clu­si­on of an insuran­ce con­tract has a legal con­se­quence for the per­son con­cer­ned. If, on the other hand, the per­son con­cer­ned is sub­se­quent­ly sent a pre­mi­um invoice at regu­lar inter­vals, each indi­vi­du­al pre­mi­um invoice is not in its­elf a fur­ther indi­vi­du­al deci­si­on with a legal con­se­quence, becau­se the invoi­cing results from the con­clu­si­on of the con­tract. It is also not asso­cia­ted with a legal con­se­quence if no con­tract is con­clu­ded with the per­son con­cer­ned. In the area of public law, a legal con­se­quence exists in par­ti­cu­lar if deci­si­ons are made on the basis of an auto­ma­ted indi­vi­du­al deci­si­on, e.g. an auto­ma­ted tax assessment.

A signi­fi­cant impairment of the per­son con­cer­ned is assu­med if he or she is restric­ted in a lasting way, e.g. in his or her eco­no­mic or per­so­nal inte­rests. Mere hara­ss­ment is not suf­fi­ci­ent for this. The con­cre­te cir­cum­stan­ces of the indi­vi­du­al case are decisi­ve. In par­ti­cu­lar, it must be taken into account how important the good in que­sti­on is for the per­son con­cer­ned, how lasting the effects of the deci­si­on are and whe­ther alter­na­ti­ves are avail­ab­le. Depen­ding on the spe­ci­fic effects, a fail­u­re to con­clu­de a con­tract may or may not the­re­fo­re con­sti­tu­te a signi­fi­cant impairment. A signi­fi­cant impairment may also exist if medi­cal ser­vices are allo­ca­ted on the basis of auto­ma­ted decisions.

The con­trol­ler must also inform the data sub­ject about pro­filing if it leads to a deci­si­on that has a legal con­se­quence for the data sub­ject or signi­fi­cant­ly affects him or her. For examp­le, it is pos­si­ble that the data sub­ject may not be able to enter into a credit card agree­ment sole­ly on the basis of a nega­ti­ve credit score. This examp­le in par­ti­cu­lar also high­lights the pro­blem of auto­ma­ted indi­vi­du­al deci­si­ons. A nega­ti­ve credit score may well reflect the actu­al finan­cial cir­cum­stan­ces of a per­son. Howe­ver, it is equal­ly pos­si­ble that this credit sco­ring is based on incor­rect or out­da­ted data that com­ple­te­ly con­tra­dicts the actu­al finan­cial cir­cum­stan­ces of the per­son con­cer­ned. In this case, the auto­ma­ted deci­si­on results in unju­sti­fied impairment for them.

Par. 2 Pre­sen­ta­ti­on of the position

The data con­trol­ler must give the data sub­ject in accordance with para­graph 2 the oppor­tu­ni­ty to sta­te his or her point of view if he or she so requests. In par­ti­cu­lar, he or she shall be given the oppor­tu­ni­ty to express his or her view on the out­co­me of the deci­si­on and, if necessa­ry, to ask how the deci­si­on was rea­ched. This is inten­ded, among other things, to pre­vent data pro­ces­sing from being based on incom­ple­te, out­da­ted or inac­cu­ra­te data. This is also in the inte­rest of the data con­trol­ler, becau­se inac­cu­ra­te auto­ma­ted indi­vi­du­al deci­si­ons can also have nega­ti­ve con­se­quen­ces for him, for examp­le by not con­clu­ding a con­tract with a per­son becau­se he was wron­gly clas­si­fied as not credit­wor­thy. This does not affect the free­dom of contract.

The law does not spe­ci­fy when the data sub­ject must be infor­med and when he or she is given the oppor­tu­ni­ty to sta­te his or her posi­ti­on. Accord­in­gly, this can take place befo­re or after the deci­si­on. Thus, infor­ma­ti­on and con­sul­ta­ti­on is also pos­si­ble, for examp­le, by sen­ding the data sub­ject an auto­ma­ted deci­si­on that is mar­ked accord­in­gly and then giving him or her the oppor­tu­ni­ty to express his or her views wit­hin the frame­work of the legal hea­ring or by filing an appeal. Howe­ver, this must not be asso­cia­ted with such high costs for the data sub­ject (e.g. pro­ce­du­ral costs) that he or she refrains from doing so.

Par. 3 Exceptions

Accord­ing to para­graph 3, the obli­ga­ti­on to pro­vi­de infor­ma­ti­on and to be heard does not app­ly if the auto­ma­ted indi­vi­du­al deci­si­on is direct­ly rela­ted to the con­clu­si­on or per­for­mance of a con­tract bet­ween the data sub­ject and the con­trol­ler, inso­far as the data subject’s requ­est is gran­ted (sub­pa­ra­graph a). In such a case, it shall be assu­med that the data sub­ject no lon­ger has an inte­rest in the infor­ma­ti­on. The data subject’s requ­est will be gran­ted if the con­tract is con­clu­ded exact­ly on the terms that were pre­sen­ted in the offer, for examp­le, or that the data sub­ject reque­sted. For examp­le, their requ­est will be gran­ted if a lea­sing con­tract is con­clu­ded at the inte­rest rate sta­ted in the offer; this is not the case if the lea­sing con­tract is con­clu­ded but at a less favor­able inte­rest rate than sta­ted in the offer due to the data subject’s poor credit rating. The decisi­ve fac­tor is whe­ther the requests of the per­son con­cer­ned have been gran­ted in their enti­re­ty. It is not suf­fi­ci­ent if this is the case only with regard to indi­vi­du­al elements.

The obligation to provide information and to be heard also does not apply if the data subject has expressly consented to a decision being made automatically (subparagraph b). This exception is logical because the data subject must already be informed in order to give valid consent.

Par. 4 Individual decisions by federal bodies

Paragraph 4 concerns automated individual decisions issued by a federal body. In principle, these are orders. According to paragraph 4, the federal body must label them as automated individual decisions so that the data subject can recognize that the decision was not processed by a natural person. In principle, the data subject has a right of appeal against rulings, in which the data subject can state his or her position and a natural person reviews the decision. In other words, the rights under Article 19(2) E‑DSG are already guaranteed by the legal process. Therefore, sentence 2 of the provision provides that paragraph 2 of Article 19 does not apply if the data subject can take legal recourse.

Art. 22 Data pro­tec­tion impact assessment

1 The con­trol­ler shall pre­pa­re a data pro­tec­tion impact assess­ment in advan­ce if a pro­ces­sing ope­ra­ti­on may entail a high risk for the per­so­na­li­ty or fun­da­men­tal rights of the data sub­ject. If several simi­lar pro­ces­sing ope­ra­ti­ons are plan­ned, a joint assess­ment may be prepared.

2 The high risk ari­ses, espe­cial­ly when new tech­no­lo­gies are used, from the natu­re, scope, cir­cum­stan­ces and pur­po­se of the pro­ces­sing. It is pre­sent in particular:

a. in the case of exten­si­ve pro­ces­sing of per­so­nal data requi­ring spe­cial protection;
b. when exten­si­ve public are­as are syste­ma­ti­cal­ly monitored.

3 The data pro­tec­tion impact assess­ment con­tains a descrip­ti­on of the plan­ned pro­ces­sing, an assess­ment of the risks to the per­so­na­li­ty or fun­da­men­tal rights of the data sub­ject, and the mea­su­res to pro­tect the per­so­na­li­ty and fun­da­men­tal rights.

4 Pri­va­te con­trol­lers are exempt from pre­pa­ring a data pro­tec­tion impact assess­ment if they are requi­red by law to pro­cess the data.

5 The pri­va­te con­trol­ler may wai­ve the requi­re­ment to pre­pa­re a data pro­tec­tion impact assess­ment if it uses a system, pro­duct or ser­vice that is cer­ti­fied for its inten­ded use under Arti­cle 13 or if it com­plies with a code of con­duct under Arti­cle 11 that meets the fol­lo­wing requirements:

a. The Code of Con­duct is based on a data pro­tec­tion impact assessment.
b. It pro­vi­des for mea­su­res to pro­tect the per­so­na­li­ty and fun­da­men­tal rights of the per­son concerned.
c. It was submitted to the FDPIC.

Bot Art. 20 Data protection impact assessment (count. acc. to draft)

Arti­cle 20 E‑DSG intro­du­ces a new obli­ga­ti­on to pre­pa­re a data pro­tec­tion impact assess­ment. This pro­vi­si­on imple­ments the requi­re­ments of Arti­cle 8(2) E‑SEV 108 and of Arti­cle 27 f. of the Direc­ti­ve (EU) 2016/680. Arti­cles 35 f. of the Regu­la­ti­on (EU) 2016/679 con­tain simi­lar provisions.

The term and func­tion of the data pro­tec­tion impact assess­ment are deri­ved from Arti­cle 20(3). A data pro­tec­tion impact assess­ment is a tool to iden­ti­fy and eva­lua­te risks that may ari­se for the data sub­ject from the use of cer­tain data pro­ces­sing acti­vi­ties. Based on this assess­ment, appro­pria­te mea­su­res should be defi­ned, if necessa­ry, to mana­ge the­se risks for the data sub­ject. Such an assess­ment is the­re­fo­re also bene­fi­cial for the data con­trol­ler, becau­se it allo­ws him to address any data pro­tec­tion pro­blems pre­ven­tively and, not least, to save costs as a result.

The federal bodies are alrea­dy obli­ged to noti­fy the data pro­tec­tion offi­cer or, if the­re is no such offi­cer, the com­mis­sio­ner of pro­jects invol­ving the auto­ma­ted pro­ces­sing of data (Art. 20 Para. 2 VDSG). The pro­ce­du­re accord­ing to the Her­mes pro­ject manage­ment method should lar­ge­ly cor­re­spond to the requi­re­ments of a data pro­tec­tion impact assessment.

Paras. 1 and 2 Rea­sons for the data pro­tec­tion impact assessment

Accord­ing to para­graph 1, the con­trol­ler must con­duct a data pro­tec­tion impact assess­ment if the inten­ded data pro­ces­sing is likely to result in a high risk to the per­so­na­li­ty or fun­da­men­tal rights of the data sub­ject. This pro­vi­si­on app­lies to both pri­va­te data con­trol­lers and federal bodies, which is why it refers not only to a risk to the per­so­na­li­ty of the data sub­ject, but also to his or her fun­da­men­tal rights. Accord­in­gly, the con­trol­ler is obli­ged to make a pro­gno­sis as to what con­se­quen­ces a plan­ned data pro­ces­sing will have for the data sub­ject. The decisi­ve fac­tor here is, in par­ti­cu­lar, in what way and to what extent pro­ces­sing will affect the per­so­na­li­ty or fun­da­men­tal rights of the data subject.

The right to infor­ma­tio­nal self-deter­mi­na­ti­on and the right to pri­va­cy are at the fore­front of the con­cretiz­a­ti­on of this risk. The­se pro­tect both the auto­no­my of the indi­vi­du­al and his or her digni­ty and iden­ti­ty. With regard to data, auto­no­my means in par­ti­cu­lar being able to dis­po­se of per­so­nal data inde­pendent­ly and not having to assu­me that it is in unknown quan­ti­ties in the hands of a lar­ge num­ber of third par­ties who can dis­po­se of it without restric­tion. This is becau­se data is clo­se­ly lin­ked to a person’s iden­ti­ty. Anyo­ne who has data about a per­son and links them tog­e­ther can obtain a very inti­ma­te and com­pre­hen­si­ve pic­tu­re of a per­son, which he or she would perhaps volun­ta­ri­ly dis­c­lo­se only to par­ti­cu­lar­ly clo­se peop­le. This is not only pro­ble­ma­tic in terms of free­dom of dis­po­sal. Rather, infor­ma­ti­on about ano­t­her per­son can influ­ence his or her rela­ti­ons­hips with the envi­ron­ment in many ways, pos­si­b­ly without the per­son con­cer­ned kno­wing the rea­sons (e.g. stig­ma­tiz­a­ti­on becau­se of an ill­ness, restric­tions on con­clu­ding con­tracts becau­se of a credit rating, etc.). The data sub­ject may also feel com­pel­led to chan­ge his or her beha­vi­or, for examp­le, becau­se he or she knows that his or her beha­vi­or is being moni­to­red. Final­ly, such infor­ma­ti­on can also invi­te abu­se, which can have a sen­si­ti­ve impact on the digni­ty of the individual.

To eva­lua­te the risk, infor­ma­tio­nal self-deter­mi­na­ti­on and the right to pri­va­cy must be rela­ted to the data pro­ces­sing in que­sti­on. In other words, the pro­ces­sing must be con­si­de­red with regard to the self-deter­mi­na­ti­on, iden­ti­ty and digni­ty of a data sub­ject. In princip­le, a high risk must be assu­med if the spe­ci­fic cha­rac­te­ri­stics of the plan­ned data pro­ces­sing sug­gest that the data subject’s free­dom of dis­po­sal over his or her data will or may be restric­ted to a high degree. The high risk may ari­se, for examp­le, from the type of data pro­ces­sed or its con­tent (e.g. data requi­ring spe­cial pro­tec­tion), the type and pur­po­se of the data pro­ces­sing (e.g. pro­filing), the amount of data pro­ces­sed, the trans­fer to third coun­tries (e.g. if for­eign legis­la­ti­on does not ensu­re ade­qua­te pro­tec­tion) or if a lar­ge or even unli­mi­ted num­ber of per­sons can access the data.

Para­graph 2 fur­ther spe­ci­fies this and sta­tes that the high risk results from the type, scope, cir­cum­stan­ces and pur­po­se of the pro­ces­sing. The more exten­si­ve the pro­ces­sing, the more sen­si­ti­ve the pro­ces­sed data, the more exten­si­ve the pur­po­se of the pro­ces­sing, the more likely a high risk is to be assu­med. By way of examp­le, the pro­vi­si­on lists two cases in which a high risk exists. Accord­ing to let­ter a, such a risk exists if par­ti­cu­lar­ly sen­si­ti­ve per­so­nal data is pro­ces­sed in an exten­si­ve form, as may be the case in medi­cal rese­arch pro­jects, for examp­le. Accord­ing to let­ter b, the­re is also a high risk in the case of pro­filing. The same may app­ly in the case of deci­si­ons based exclu­si­ve­ly on auto­ma­ted pro­ces­sing, inclu­ding pro­filing, which entail a legal con­se­quence for the data sub­ject or signi­fi­cant­ly affect him or her. Whe­re app­li­ca­ble, such deci­si­ons may be asso­cia­ted with signi­fi­cant con­se­quen­ces for the data sub­ject. In such cases, a data pro­tec­tion impact assess­ment is also requi­red. Final­ly, accord­ing to let­ter c, the­re is a high risk if exten­si­ve public are­as are syste­ma­ti­cal­ly moni­to­red. For examp­le, the moni­to­ring of a train sta­ti­on con­cour­se comes to mind.

Sentence 2 of paragraph 1 allows the person responsible to prepare a joint assessment if he plans several similar processing operations. This refers in particular to processing operations that have an overarching common purpose. Accordingly, individual processing steps of a processing platform do not have to be examined separately, but the data protection impact assessment can cover the entire processing platform.

Par. 3 Con­tent of the data pro­tec­tion impact assessment

Accord­ing to para­graph 3, the data pro­tec­tion impact assess­ment must first set out the plan­ned pro­ces­sing. For examp­le, the various pro­ces­sing ope­ra­ti­ons (e.g. the tech­no­lo­gy used), the pur­po­se of the pro­ces­sing or the reten­ti­on peri­od must be listed. Fur­ther­mo­re, accord­ing to para­graph 3, it must be shown what risks to the per­so­na­li­ty or fun­da­men­tal rights of the data sub­ject the pro­ces­sing ope­ra­ti­ons in que­sti­on may entail. This is a deepe­ning of the risk assess­ment, which must alrea­dy be car­ri­ed out with regard to the neces­si­ty of a data pro­tec­tion impact assess­ment. It must be shown in which respect the data pro­ces­sing in que­sti­on poses a high risk to the per­so­na­li­ty or fun­da­men­tal rights of the data sub­ject and how this risk is to be asses­sed. Final­ly, the data pro­tec­tion impact assess­ment in accordance with para­graph 3 must exp­lain which mea­su­res are to be used to mana­ge the­se risks. The princi­ples set out in Arti­cle 5 of the Data Pro­tec­tion Act are par­ti­cu­lar­ly rele­vant here, but the obli­ga­ti­on to pro­tect data by tech­no­lo­gy and by data pro­tec­tion-friend­ly default set­tings (pri­va­cy by design/by default; Arti­cle 6 of the Data Pro­tec­tion Act) may also be rele­vant. The­se mea­su­res may also invol­ve a balan­cing of the inte­rests of the data sub­ject and tho­se of the con­trol­ler. This balan­cing of inte­rests must also be listed in the data pro­tec­tion impact assess­ment and justi­fied accordingly.

Par. 4 Excep­ti­ons for legal obligations

Accord­ing to para­graph 4, pri­va­te con­trol­lers pro­ces­sing data in ful­fill­ment of a legal obli­ga­ti­on do not have to pre­pa­re a data pro­tec­tion impact assess­ment. This inclu­des, for examp­le, the pro­ces­sing of data to com­bat ter­ro­rism or money laun­de­ring. If data is pro­ces­sed sole­ly for such pur­po­ses on the basis of a legal obli­ga­ti­on, it must be assu­med that the legis­la­tor has weig­hed up any risks for the data sub­ject in com­pa­ri­son to the pur­po­se of the pro­ces­sing and, if necessa­ry, issued appro­pria­te regulations.

Howe­ver, para­graph 4 does not cover pro­ces­sing by pri­va­te indi­vi­du­als that is not car­ri­ed out exclu­si­ve­ly to ful­fill a legal obli­ga­ti­on. In this case, a data pro­tec­tion impact assess­ment must be prepared.

Par. 5 Exceptions

Pri­va­te con­trol­lers may refrain from pre­pa­ring a data pro­tec­tion impact assess­ment if they have under­go­ne cer­ti­fi­ca­ti­on pur­suant to Arti­cle 12. The cer­ti­fi­ca­ti­on must cover the pro­ces­sing in que­sti­on, which would have to be asses­sed by means of the data pro­tec­tion impact assess­ment. The Com­mis­sio­ner would have pre­fer­red that the exemp­ti­on be limi­ted to cer­ti­fi­ca­ti­on only.

In addi­ti­on, they may wai­ve this if they com­ply with a code of con­duct that ful­fills the requi­re­ments of para­graph 5 let­ters a‑c. This is a code of con­duct pur­suant to Arti­cle 10, which must be based on a data pro­tec­tion impact assess­ment in which the pro­ces­sing in que­sti­on has been exami­ned (sub­pa­ra. a). The code of con­duct must pro­vi­de for mea­su­res to pro­tect the per­so­na­li­ty or fun­da­men­tal rights of the data sub­ject (sub­pa­ra­graph b). In addi­ti­on, the code of con­duct must have been sub­mit­ted to the com­mis­sio­ner (sub­pa­ra­graph c). For examp­le, it is con­ceiva­ble that a pro­fes­sio­nal orga­niz­a­ti­on for lawy­ers has a plat­form deve­lo­ped for the manage­ment of cli­ent data, car­ri­es out a data pro­tec­tion impact assess­ment for this and deve­lo­ps a code of con­duct based on the result of this assess­ment. If a pri­va­te con­trol­ler now com­plies with this code when using the plat­form, it is exempt from pre­pa­ring a data pro­tec­tion impact assessment.

The Com­mis­sio­ner would have pre­fer­red that this excep­ti­on be limi­ted to the case of certification.

Art. 23 Con­sul­ta­ti­on of the FDPIC

1 If the data pro­tec­tion impact assess­ment shows that the plan­ned pro­ces­sing will still result in a high risk to the per­so­na­li­ty or fun­da­men­tal rights of the data sub­ject despi­te the mea­su­res envi­sa­ged by the con­trol­ler, the con­trol­ler shall obtain the opi­ni­on of the FDPIC in advance.

2 The FDPIC shall noti­fy the data con­trol­ler of his objec­tions to the plan­ned pro­ces­sing wit­hin two mon­ths. This peri­od may be exten­ded by one mon­th if the data pro­ces­sing is complex.

3 If the FDPIC has objec­tions to the plan­ned pro­ces­sing, he pro­po­ses appro­pria­te mea­su­res to the per­son responsible.

4 The pri­va­te con­trol­ler may refrain from con­sul­ting the FDPIC if it has con­sul­ted the data pro­tec­tion advi­sor pur­suant to Arti­cle 10.

Bot Art. 21 Con­sul­ta­ti­on of the com­mis­sio­ner (count. acc. to draft)

In con­trast to the con­sul­ta­ti­on draft, the noti­fi­ca­ti­on of the result of a data pro­tec­tion impact assess­ment to the Com­mis­sio­ner is regu­la­ted in a sepa­ra­te pro­vi­si­on in the e‑DSG.

Par. 1 Duty to consult

Pursuant to paragraph 1, the controller must obtain the opinion of the Commissioner in advance if the data protection impact assessment shows that the planned processing would result in a high risk to the personality or fundamental rights of the data subject if the controller did not take measures. This consultation is not prescribed by the E‑SEV 108, but it complies with European regulations (Art. 28 of Directive [EU] 2016/680 and Art. 36 of the Regulation [EU] 2016/679). It is included in the e‑DSG by name because it allows the officer to act preventively and in an advisory capacity. Last but not least, this is also more efficient for the controller, as possible data protection difficulties can be resolved at an early stage of data processing.

Par. 2 and 3 Objec­tions of the commissioner

Pur­suant to para­graph 2, the com­mis­sio­ner has two mon­ths to noti­fy the per­son respon­si­ble of his or her objec­tions to the plan­ned pro­ces­sing. In par­ti­cu­lar­ly com­plex cases, this peri­od may be exten­ded by one mon­th. If the respon­si­ble par­ty does not recei­ve any mes­sa­ge from the com­mis­sio­ner wit­hin the two-mon­th peri­od, he can basi­cal­ly assu­me that the com­mis­sio­ner has no objec­tions to the pro­po­sed measures.

After being noti­fied of a data pro­tec­tion impact assess­ment, the offi­cer checks whe­ther the pro­po­sed mea­su­res are suf­fi­ci­ent to pro­tect the fun­da­men­tal rights and per­so­na­li­ty of the data sub­ject. If he con­clu­des that the plan­ned pro­ces­sing in the pro­po­sed form would vio­la­te data pro­tec­tion regu­la­ti­ons, he pro­po­ses appro­pria­te mea­su­res to the con­trol­ler to miti­ga­te the iden­ti­fied risks.

The data pro­tec­tion offi­cer is nevertheless free to open an inve­sti­ga­ti­on at a later point in time if the requi­re­ments under Arti­cle 43 e‑DSG are met. This may be the case, in par­ti­cu­lar, if the risks were not cor­rect­ly asses­sed as part of the data pro­tec­tion impact assess­ment and, accord­in­gly, the mea­su­res in que­sti­on also pro­ve to be inac­cu­ra­te or insufficient.

Par. 4 Con­sul­ta­ti­on of the data pro­tec­tion advisor

The pri­va­te con­trol­ler may refrain from con­sul­ting the Com­mis­sio­ner if it has appoin­ted a data pro­tec­tion advi­sor pur­suant to Arti­cle 9 of the e‑DSG and has con­sul­ted the advi­sor with regard to the data pro­tec­tion impact assess­ment. The data pro­tec­tion advi­sor must have actual­ly dealt with the data pro­tec­tion impact assess­ment. This means that it is not suf­fi­ci­ent for the pri­vi­le­ge that the con­trol­ler merely appoints a data pro­tec­tion advi­sor. Rather, the lat­ter must be actively invol­ved in the deve­lo­p­ment of the data pro­tec­tion impact assess­ment. In par­ti­cu­lar, he or she must review the risk assess­ment and the pro­po­sed mea­su­res to address the­se risks. The pro­vi­si­on is inten­ded to relie­ve com­pa­nies and at the same time give them an incen­ti­ve to appoint a data pro­tec­tion advisor.

Such an exception was discussed at the European level, but was ultimately rejected and is not provided for in Regulation (EU) 2016/679. It seems sensible to the Federal Council to provide for more far-reaching simplifications on this point, in particular to reduce the administrative burden. The Commissioner would have preferred that this provision had not been included in the draft.

Art. 24 Noti­fi­ca­ti­on of data secu­ri­ty breaches

1 The con­trol­ler shall noti­fy the FDPIC as soon as pos­si­ble of a data bre­ach that is likely to result in a high risk to the per­so­na­li­ty or fun­da­men­tal rights of the data subject.

2 The noti­fi­ca­ti­on shall at least spe­ci­fy the natu­re of the data bre­ach, its con­se­quen­ces and the mea­su­res taken or envisaged.

3 The Order Pro­ces­sor shall report a data bre­ach to the Respon­si­ble Par­ty as soon as possible.

4 The data con­trol­ler shall inform the data sub­ject if it is necessa­ry for his or her pro­tec­tion or if the FDPIC so requests.

5 It may limit, post­po­ne or wai­ve the infor­ma­ti­on to the data sub­ject if:

a. the­re is a rea­son under Arti­cle 26(1)(b) or (2)(b) or a sta­tu­to­ry duty of con­fi­dentia­li­ty pro­hi­bits this;
b. the infor­ma­ti­on is impos­si­ble or requi­res a dis­pro­por­tio­na­te effort; or
c. the infor­ma­ti­on of the per­son con­cer­ned is ensu­red by a public announ­ce­ment in a com­pa­ra­ble manner.

6 A report made pur­suant to this arti­cle may be used in cri­mi­nal pro­ce­e­dings against the per­son requi­red to make the report only with that person’s consent.

Bot Art. 22 Noti­fi­ca­ti­on of data secu­ri­ty brea­ches (count. acc. to draft)

Article 22 E‑DSG introduces the obligation to report data security breaches. This provision implements the requirements of Article 7(2) E‑SEV 108 as well as Article 30 f. of the Directive (EU) 2016/680. Articles 33 f. of the Regulation (EU) 2016/679 contain a similar provision.

Par. 1 Term and principle

Accord­ing to para­graph 1, the data con­trol­ler shall noti­fy the data pro­tec­tion com­mis­sio­ner as soon as pos­si­ble of a data bre­ach that is likely to result in a high risk to the per­so­na­li­ty or fun­da­men­tal rights of the data sub­ject. This pro­vi­si­on app­lies to both pri­va­te data con­trol­lers and federal bodies, which is why it refers not only to a risk to the per­so­na­li­ty of the data sub­ject, but also to his or her fun­da­men­tal rights.

The bre­ach of data secu­ri­ty is defi­ned in Arti­cle 4 let­ter g E‑DSG. Accord­ing to this, it is a bre­ach of secu­ri­ty that, regard­less of intent or unlaw­ful­ness, results in per­so­nal data being lost, dele­ted or destroy­ed, alte­red, or dis­c­lo­sed or made acces­si­ble to unaut­ho­ri­zed per­sons. The bre­ach may be cau­sed by third par­ties, but also by employees who abu­se their aut­ho­ri­ty or act negli­gent­ly. A data bre­ach can cau­se the data sub­ject to lose con­trol over his or her data, or that data may be misus­ed. In addi­ti­on, it may also lead to a vio­la­ti­on of the data subject’s per­so­na­li­ty, for examp­le, by dis­clo­sing secret infor­ma­ti­on about him or her. Accord­in­gly, under Arti­cle 26(2)(a) E‑DSG, a bre­ach of data secu­ri­ty is con­si­de­red a vio­la­ti­on of personality.

The data sub­ject can only react to the­se thre­ats if he or she is awa­re of the data secu­ri­ty bre­ach. The­re­fo­re, in princip­le, the con­trol­ler must report unaut­ho­ri­zed pro­ces­sing, with the report first going to the offi­cer and only to the data sub­ject under the con­di­ti­ons of para­graph 4. The noti­fi­ca­ti­on must be made as soon as pos­si­ble from the moment it beco­mes known. In princip­le, the offi­cer must act quick­ly, but the pro­vi­si­on gives some dis­cre­ti­on. The decisi­ve fac­tor is, among other things, the extent of the risk to the per­son con­cer­ned. The more signi­fi­cant the risk, the grea­ter the num­ber of per­sons affec­ted, the faster the respon­si­ble per­son must act.

Howe­ver, noti­fi­ca­ti­on to the Com­mis­sio­ner is only necessa­ry if the data bre­ach is likely to result in a high risk to the per­so­na­li­ty or fun­da­men­tal rights of the data sub­ject. This is to pre­vent even insi­gni­fi­cant brea­ches from having to be repor­ted. For this pur­po­se, the data con­trol­ler must make a pro­gno­sis regar­ding the pos­si­ble effects of the bre­ach on the data subject.

Par. 2 Con­tent of the message

Para­graph 2 con­tains the mini­mum requi­re­ments for a noti­fi­ca­ti­on to the offi­cer. The data con­trol­ler must first sta­te the natu­re of the data secu­ri­ty bre­ach, inso­far as he or she is able to do so. Four types of bre­ach can be distin­guis­hed: dest­ruc­tion or dele­ti­on, loss, modi­fi­ca­ti­on and dis­clo­sure of data to unaut­ho­ri­zed per­sons. The con­se­quen­ces of the data secu­ri­ty bre­ach must also be descri­bed as far as pos­si­ble. The focus here is on the con­se­quen­ces for the data sub­ject; this does not mean tho­se for the con­trol­ler its­elf. Final­ly, the respon­si­ble par­ty must sta­te what mea­su­res it has taken as a result of the bre­ach or what mea­su­res it pro­po­ses for the future. This invol­ves mea­su­res that eli­mi­na­te the vio­la­ti­on or miti­ga­te its con­se­quen­ces. Over­all, the noti­fi­ca­ti­on should allow the offi­cer to inter­vene as prompt­ly and effec­tively as possible.

Par. 3 Noti­fi­ca­ti­on by the order processor

A bre­ach of data secu­ri­ty can also occur at the order pro­ces­sor. The­re­fo­re, accord­ing to para­graph 3, the lat­ter is obli­ged to report any unaut­ho­ri­zed data pro­ces­sing to the data con­trol­ler as soon as pos­si­ble. It is up to the data con­trol­ler to sub­se­quent­ly car­ry out a risk assess­ment and deci­de to what extent the­re is an obli­ga­ti­on to noti­fy the data pro­ces­sor and the data subject.

Par. 4 Infor­ma­ti­on to the data subject

In princip­le, the data sub­ject does not have to be noti­fied. Howe­ver, accord­ing to para­graph 4, he or she must be infor­med of the data bre­ach if it is necessa­ry for his or her pro­tec­tion or if the com­mis­sio­ner requests it. The­re is a cer­tain degree of dis­cre­ti­on in this regard. In par­ti­cu­lar, it is signi­fi­cant whe­ther the infor­ma­ti­on can redu­ce the risks to the per­so­na­li­ty or fun­da­men­tal rights of the data sub­ject. This is par­ti­cu­lar­ly the case if the data sub­ject must take appro­pria­te pre­cau­ti­ons to pro­tect him or herself, for examp­le by chan­ging his or her access data or passwords.

Par. 5 Limi­ta­ti­on of the obli­ga­ti­on to inform the data subject

Pur­suant to para­graph 5, the con­trol­ler may restrict, post­po­ne or wai­ve the pro­vi­si­on of infor­ma­ti­on to the data sub­ject if one of the grounds of Arti­cle 24(1)(b) or (2)(b) of the e‑Data Act app­lies or if a sta­tu­to­ry duty of con­fi­dentia­li­ty pro­hi­bits this (sub­pa­ra­graph a.). Accord­ing to para­graph 5 let­ter b, the restric­tion is also per­mis­si­ble if the infor­ma­ti­on is impos­si­ble or requi­res a dis­pro­por­tio­na­te effort. Infor­ma­ti­on is impos­si­ble if the con­trol­ler does not even know which indi­vi­du­als are affec­ted by the data bre­ach, for examp­le becau­se the log files from which this would be evi­dent are no lon­ger avail­ab­le. A dis­pro­por­tio­na­te effort would exist, for examp­le, if, in the case of a lar­ge num­ber of data sub­jects, the­se would have to be infor­med indi­vi­du­al­ly and the costs ther­eby incur­red appeared dis­pro­por­tio­na­te in rela­ti­on to the gain in infor­ma­ti­on for the data sub­ject. Par­ti­cu­lar­ly in such con­stel­la­ti­ons, para­graph 5(c) may app­ly, which allo­ws the con­trol­ler to inform the data sub­jects by means of a public noti­ce if this informs them in a com­pa­ra­ble man­ner. This is the case if the infor­ma­ti­on of the data sub­ject is not sub­stan­ti­al­ly impro­ved by indi­vi­du­al information.

Par. 6 Con­sent of the per­son obli­ged to notify

The reporting obligation under Article 22 E‑DSG may come into conflict with the principle that no one need incriminate themselves. For this situation, paragraph 6 provides that a report made in fulfillment of the reporting obligation under Article 22 E‑DSG may only be used in criminal proceedings against the person required to report if that person agrees. The provision covers both data controllers and order processors who report a data breach.

Chap­ter 4 regu­la­tes the rights of the data sub­ject. Spe­ci­fic claims against pri­va­te data con­trol­lers are set out in Chap­ter 5, and tho­se against federal bodies in Chap­ter 6.

Chap­ter 4: Rights of the data subject

Art. 25 Right to information

1 Any per­son may requ­est infor­ma­ti­on from the data con­trol­ler as to whe­ther per­so­nal data con­cer­ning him or her is being processed.

2 The data sub­ject shall recei­ve such infor­ma­ti­on as is necessa­ry to enab­le him/her to exer­cise his/her rights under this Act and to ensu­re trans­pa­rent data pro­ces­sing. In any case, the fol­lo­wing infor­ma­ti­on will be com­mu­ni­ca­ted to him/her:

a. the iden­ti­ty and con­ta­ct details of the per­son responsible;
b. the pro­ces­sed per­so­nal data as such;
c. the pur­po­se of processing;
d. the reten­ti­on peri­od of the per­so­nal data or, if this is not pos­si­ble, the cri­te­ria for deter­mi­ning this period;
e. the avail­ab­le infor­ma­ti­on on the ori­gin of the per­so­nal data, inso­far as it has not been obtai­ned from the data subject;
f. where applicable, the existence of an automated individual decision and the logic on which the decision is based;
g. whe­re app­li­ca­ble, the reci­pi­ents or cate­go­ries of reci­pi­ents to whom per­so­nal data are dis­c­lo­sed and the infor­ma­ti­on pur­suant to Arti­cle 19 para­graph 4.

3 Per­so­nal data con­cer­ning health may be dis­c­lo­sed to the data sub­ject, with the data subject’s con­sent, by a health pro­fes­sio­nal desi­gna­ted by the data subject.

4 If the con­trol­ler has per­so­nal data pro­ces­sed by an order pro­ces­sor, he remains obli­ged to pro­vi­de information.

5 No one can wai­ve the right to infor­ma­ti­on in advance.

6 The per­son respon­si­ble must pro­vi­de infor­ma­ti­on free of char­ge. The Federal Coun­cil may pro­vi­de for excep­ti­ons, name­ly if the expen­se is disproportionate.

7 The infor­ma­ti­on is usual­ly pro­vi­ded wit­hin 30 days.

Bot Art. 23 Right to infor­ma­ti­on (count. acc. to draft)

The right to infor­ma­ti­on sup­ple­ments the data controller’s duty to pro­vi­de infor­ma­ti­on and forms the cen­tral basis for the data sub­ject to be able to exer­cise his or her rights under this law at all. The right to infor­ma­ti­on is a sub­jec­ti­ve, high­ly per­so­nal right that can also be exer­cis­ed inde­pendent­ly by per­sons inca­pa­ble of acting without the con­sent of their legal repre­sen­ta­ti­ve. It also fol­lows from the natu­re of the high­ly per­so­nal right that no one can wai­ve the right to infor­ma­ti­on in advan­ce (Art. 23 (5) E‑Data Act).

Par. 1 Principle

Accord­ing to para­graph 1, any per­son may requ­est infor­ma­ti­on free of char­ge from the con­trol­ler as to whe­ther data rela­ting to him or her is being pro­ces­sed. Apart from edi­to­ri­al adjust­ments, the pro­vi­si­on remains unch­an­ged in rela­ti­on to the pre­vious law.

Par. 2 Infor­ma­ti­on to be communicated

Para­graph 2 sta­tes that, based on a requ­est for infor­ma­ti­on, the data sub­ject recei­ves the infor­ma­ti­on that must also be dis­c­lo­sed to him or her based on the duty to inform (cf. Art. 17 (2) E‑DSG). This is basi­cal­ly the infor­ma­ti­on that is requi­red to enab­le the data sub­ject to assert his or her rights under the law and thus to ensu­re trans­pa­rent data pro­ces­sing. This illu­stra­tes the clo­se con­nec­tion bet­ween the right to infor­ma­ti­on and the duty to pro­vi­de infor­ma­ti­on. At the same time, the cen­tral pur­po­se of the right to infor­ma­ti­on is empha­si­zed in this way, as also sta­ted by the Federal Supre­me Court, name­ly to enab­le the data sub­ject to assert his or her rights in the area of data pro­tec­tion. The cla­ri­fi­ca­ti­on is made against the back­ground of the nume­rous com­ments in the con­sul­ta­ti­on as well as in the doc­tri­ne, which cri­ti­ci­ze that the right to infor­ma­ti­on is often used for other, non-data pro­tec­tion pur­po­ses. This refers in par­ti­cu­lar to cases in which the right to infor­ma­ti­on is used exclu­si­ve­ly to obtain evi­dence for civil pro­ce­e­dings that have no con­nec­tion with data pro­tec­tion. This makes it pos­si­ble to obtain evi­dence that is also to be desi­gna­ted as per­so­nal data under the FADP in a form that is not pro­vi­ded for in the app­li­ca­ble pro­ce­du­ral law. Other evi­dence that does not con­sti­tu­te per­so­nal data, on the other hand, must be obtai­ned through the usu­al pro­ce­du­ral chan­nels. This results in dif­fe­ren­ces in the pro­cu­re­ment of evi­dence that are not objec­tively justified.

Letters a to g contain a list of the information that must be communicated to the data subject in any case. The non-exhaustive list basically covers all information that the data controller must provide to the data subject. Subsidiarily, the general clause in the introductory sentence allows further information to be requested, if necessary, where this is required for the data subject to assert his or her rights under this Act and to ensure transparent data processing. If it processes large amounts of data about the data subject, the party responsible for providing information may, if necessary, request that the data subject specify to which information or which processing operations his or her request for information relates. In any case, the data subject will first receive information about the identity and contact details of the controller (subparagraph a). Depending on the case, the data subject will already have this information (e.g. due to the duty to inform) and it will be confirmed to him or her. However, it is also conceivable that the data subject will only learn of a data controller at this point, e.g. if there are several data controllers. In addition, the data subject must be informed of the personal data processed (subparagraph b) and the purpose of the processing (subparagraph c). The data subject must also be informed about how long the data will be retained or, if this is not possible, about the criteria used to determine the retention period (subparagraph d). In particular, this information allows him or her to understand whether the data controller is processing the data in accordance with the principles in Article 5 of the e‑Data Protection Act. Since the retention period does not usually have to be disclosed due to the obligation to provide information, the data subject should receive it in any case as part of the right to information. The data subject shall also receive the available information on the origin of the data, insofar as it was not collected from him or her (subparagraph e). If applicable, the data subject will be informed whether an automated individual decision has been made (subparagraph f). In this case, he or she will also receive information about the logic on which the decision is based. In this context, the algorithms that form the basis of the decision do not necessarily have to be communicated, because these are regularly business secrets. Rather, the basic assumptions of the algorithm logic on which the automated individual decision is based must be stated. This means, for example, that the data subject must be informed that, due to a negative scoring result, he or she may conclude a contract on worse terms than those offered. In addition, the data subject must also be informed about the amount and type of information used for scoring and how it is weighted. Finally, the data subject receives information about the recipients or categories of recipients to whom the personal data are disclosed (subparagraph g). If the recipients are located abroad, the party required to provide information shall also state the country to which the data are disclosed and, if applicable, the guarantees pursuant to Article 13 (2) E‑DSG or the application of an exception pursuant to Article 14 E‑DSG.

Para. 3 and 4

Para­graph 3 has been taken over unch­an­ged from the cur­rent law, accord­ing to which the respon­si­ble per­son may com­mu­ni­ca­te infor­ma­ti­on about the health of the data sub­ject through a health pro­fes­sio­nal desi­gna­ted by the data sub­ject. The health pro­fes­sio­nal must have the qua­li­fi­ca­ti­ons requi­red in the case in que­sti­on. Howe­ver, pro­vi­si­on is now made for the con­sent of the data sub­ject to have the data com­mu­ni­ca­ted to him or her through ano­t­her per­son. This impro­ves the choice of the per­son con­cer­ned. The cir­cle of pos­si­ble per­sons is also expan­ded by refer­ring to a health pro­fes­sio­nal. Both amend­ments are based on the consultation.

Sen­tence 1 of para­graph 4 remains unch­an­ged. Accord­in­gly, the con­trol­ler is always obli­ga­ted to pro­vi­de infor­ma­ti­on, even if he dele­ga­tes the pro­ces­sing to a pro­ces­sor. If the data sub­ject inad­ver­tent­ly sends a requ­est for infor­ma­ti­on to the pro­ces­sor, the pro­ces­sor must name the data con­trol­ler or for­ward the requ­est accord­in­gly. In such a case, the pro­ces­sor does not have to pro­vi­de infor­ma­ti­on hims­elf, but he may also not hin­der the data sub­ject in exer­ci­s­ing his right to infor­ma­ti­on. Sen­tence 2 of the pro­vi­si­on, on the other hand, is deleted.

Par. 5

This pro­vi­si­on cor­re­sponds to the pre­vious Arti­cle 8 para­graph 6 DPA.

Par. 6

Para­graph 6 gives the Federal Coun­cil the opti­on of pro­vi­ding for excep­ti­ons to the free-of-char­ge requi­re­ment in the ordi­nan­ce. This pos­si­bi­li­ty alrea­dy exists in the pre­vious law (cf. Art. 2 VDSG). In the con­sul­ta­ti­on draft, it was dele­ted, which was cri­ti­ci­zed con­si­der­ab­ly, among other things on the grounds that excep­ti­ons to the free-of-char­ge rule were a way of pre­ven­ting abu­se of the right to infor­ma­ti­on. Due to the cri­ti­cism in the con­sul­ta­ti­on, this pro­vi­si­on will now be retai­ned. In doing so, the Federal Coun­cil will take into account the fact that cer­tain requests for infor­ma­ti­on invol­ve a gre­at deal of effort on the part of the per­son responsible.

Art. 26 Restric­tions on the right to information

1 The respon­si­ble par­ty may refu­se, limit or post­po­ne the infor­ma­ti­on if:

a. a law in the for­mal sen­se pro­vi­des for this, name­ly in order to pro­tect a pro­fes­sio­nal secret;
b. this is necessa­ry due to the over­ri­ding inte­rests of third par­ties; or
c. the requ­est for infor­ma­ti­on is mani­fest­ly unfoun­ded, name­ly if it pur­su­es a pur­po­se con­tra­ry to data pro­tec­tion or is mani­fest­ly querulous.

2 In addi­ti­on, it is pos­si­ble to refu­se, limit or post­po­ne the infor­ma­ti­on in the fol­lo­wing cases:

a. The respon­si­ble per­son is a pri­va­te per­son and the fol­lo­wing requi­re­ments are met:

1. overriding interests of the person responsible require the measure;
2. the person responsible does not disclose the personal data to third parties.

b. The respon­si­ble par­ty is a federal enti­ty and one of the fol­lo­wing con­di­ti­ons is met:

1. the mea­su­re is necessa­ry becau­se of over­ri­ding public inte­rests, in par­ti­cu­lar the inter­nal or exter­nal secu­ri­ty of Switzerland.
2. com­mu­ni­ca­ti­on of the infor­ma­ti­on may jeo­par­di­ze an inve­sti­ga­ti­on, inqui­ry, or admi­ni­stra­ti­ve or judi­cial proceeding.

3 Com­pa­nies belon­ging to the same group shall not be deemed to be third par­ties wit­hin the mea­ning of para­graph 2(a)(2).

4 The respon­si­ble par­ty must sta­te why it is refu­sing, limi­t­ing or defer­ring the information.

Bot Art. 24 Restric­tions on the right to infor­ma­ti­on (count. acc. to draft)

Arti­cle 24 governs the restric­tions on the right to infor­ma­ti­on. They have been taken over unch­an­ged from the pre­vious law with a few edi­to­ri­al adjustments.

Para. 1 let. c

The only new provision is Article 24(1)(c). According to this provision, the controller may refuse, limit or postpone the provision of information if the request for information is manifestly unfounded or querulous. The provision was included as a result of the consultation. In terms of content, it is based on Article 12(5) of the Regulation (EU) 2016/679 but uses Swiss terminology, such as that found in Article 108 BGG and Articles 132 and 253 ZPO. This is a serious restriction of fundamental rights, which is why it must be provided for in the law itself and not in the ordinance.

The excep­ti­on under para­graph 1(c) must be inter­pre­ted nar­row­ly. This app­lies in two respects. On the one hand, the con­trol­ler may not light­ly assu­me that a requ­est for infor­ma­ti­on is mani­fest­ly unfoun­ded or that it is que­ru­lous. On the other hand, even in the event that such a requ­est is made, he must choo­se the most favor­able solu­ti­on for the per­son con­cer­ned. The­re­fo­re, as far as pos­si­ble, he must only limit the infor­ma­ti­on, may post­po­ne it if necessa­ry and may only refu­se it in abso­lute­ly clear, obvious cases. In any case, the data sub­ject must be infor­med of the refu­sal, restric­tion or post­po­ne­ment of the infor­ma­ti­on (see para­graph 3).

The right to infor­ma­ti­on may be asser­ted without pro­of of an inte­rest and without a state­ment of rea­sons. Mere curio­si­ty is also suf­fi­ci­ent. This is made clear by the refe­rence to trans­pa­rent data pro­ces­sing in Arti­cle 23 (2) E‑DSG. In princip­le, the con­trol­ler may the­re­fo­re not demand a state­ment of rea­sons for an infor­ma­ti­on requ­est. Howe­ver, the Federal Supre­me Court held that the par­ty respon­si­ble for pro­vi­ding infor­ma­ti­on may demand a state­ment of rea­sons for the requ­est for infor­ma­ti­on if, in the spe­ci­fic case, a legal abu­se of the right to infor­ma­ti­on is in que­sti­on. The Federal Supre­me Court con­si­de­red the use of the right to infor­ma­ti­on for pur­po­ses con­tra­ry to data pro­tec­tion, for examp­le to save the costs of obtai­ning evi­dence or to find out about a pos­si­ble coun­ter­par­ty, to be a pos­si­ble abu­se of rights. If the data sub­ject who requests infor­ma­ti­on sub­se­quent­ly puts for­ward a rea­son that alrea­dy pro­ves to be ground­less without in-depth exami­na­ti­on and without doubt, the con­trol­ler may restrict the right to infor­ma­ti­on. Only under the­se cir­cum­stan­ces can the­re be an obvious­ly unfoun­ded requ­est for infor­ma­ti­on. In other words, it must be obvious that the requ­est for infor­ma­ti­on was made for rea­sons that have not­hing to do with its pur­po­se under the FADP, or that this was done with other (e.g. frau­du­lent) intent. If the­re are doubts as to whe­ther this is the case, the requ­est is not obvious­ly unfounded.

Requests for information are querulous if, for example, they are frequently repeated without plausible justification, or if they are addressed to a data controller of whom the applicant already knows that he or she does not process any data about him or her. The data controller may also not lightly assume that a request is querulous.

Overall, the controller may not make use of the restriction under paragraph 1(c) merely because he wishes to protect his own interests. For this, the requirements of Article 24(2)(a) must be met. Rather, the provision in paragraph 1(c) is intended to allow the controller to deal reasonably with requests for information that are obviously made in complete isolation from the purpose served by the right of information.

The Com­mis­sio­ner is of the opi­ni­on that the excep­ti­on to the right of access pro­vi­ded for in Arti­cle 24(1)(c) E‑DSA is not com­pa­ti­ble with Con­ven­ti­on ETS 108.

Para. 3

If the data controller refuses, restricts or postpones the information, he must inform the data subject accordingly and give reasons in accordance with paragraph 3. In principle, only the requirements under paragraphs 1 and 2 may be considered as grounds. In this case, federal bodies must issue a contestable ruling. Private responsible parties, on the other hand, are not subject to any formal requirements. For reasons of proof, however, the reasons should be sent to the person concerned in writing.

On the basis of the state­ment of rea­sons, the data sub­ject must be able to veri­fy whe­ther the infor­ma­ti­on was right­ly refu­sed, restric­ted or post­po­ned. Howe­ver, the requi­re­ments for the state­ment of rea­sons can­not be too high if they con­flict with the rea­son for the refu­sal of information.

Art. 27 Restric­tions on the right to infor­ma­ti­on for the media

1 If per­so­nal data are pro­ces­sed exclu­si­ve­ly for publi­ca­ti­on in the edi­to­ri­al sec­tion of a perio­di­cal­ly published medi­um, the per­son respon­si­ble may refu­se, limit or post­po­ne dis­clo­sure for one of the fol­lo­wing reasons:

a. The data pro­vi­de infor­ma­ti­on on the sources of information.
b. The infor­ma­ti­on would pro­vi­de access to drafts of publications.
c. Publi­ca­ti­on would jeo­par­di­ze the public’s free­dom of expression.

2 Media repre­sen­ta­ti­ves may also refu­se, restrict or post­po­ne the pro­vi­si­on of infor­ma­ti­on if the per­so­nal data ser­ves them exclu­si­ve­ly as a per­so­nal working tool.

Bot Art. 25 Restric­tions on the right to infor­ma­ti­on for media pro­fes­sio­nals (count. acc. to draft)

Arti­cle 25 E‑DSG adopts the cur­rent Arti­cle 10 DSG con­cer­ning the restric­tion of the right to infor­ma­ti­on for media pro­fes­sio­nals. No mate­ri­al chan­ges are made. The cri­ter­ion of publi­ca­ti­on in the edi­to­ri­al sec­tion of a medi­um remains. This means that only data collec­ted with regard to the publi­ca­ti­on of a jour­na­li­stic work in the part of a medi­um reser­ved for edi­to­ri­al con­tri­bu­ti­ons is cove­r­ed. In addi­ti­on, it must be a perio­di­cal­ly published medi­um. This inclu­des, in par­ti­cu­lar, news­pa­pers, maga­zi­nes, radio and tele­vi­si­on broad­casts, press agen­ci­es and online news ser­vices that are updated con­ti­nuous­ly and with a regu­la­ri­ty known to the public.

Chap­ter 5 regu­la­tes spe­ci­fic claims against pri­va­te data con­trol­lers. The regu­la­ti­ons on the pro­ces­sing of per­so­nal data by pri­va­te per­sons con­creti­ze the pro­tec­tion of per­so­na­li­ty in accordance with Arti­cle 28 CC with regard to data pro­tec­tion and thus ser­ve to rea­li­ze infor­ma­tio­nal self-deter­mi­na­ti­on among pri­va­te indi­vi­du­als (see Art. 35(1) and (3) BV). The three pro­vi­si­ons of this sec­tion should be read tog­e­ther: Arti­cle 26 E‑DSG spe­ci­fies per­so­na­li­ty vio­la­ti­ons in the area of data pro­tec­tion, Arti­cle 27 E‑DSG defi­nes spe­ci­fic grounds for justi­fi­ca­ti­on, and Arti­cle 28 E‑DSG regu­la­tes the legal claims that can be asser­ted on the basis of a per­so­na­li­ty vio­la­ti­on cau­sed by data pro­ces­sing. The pre­sent draft lar­ge­ly retains the exi­sting regu­la­ti­on. Howe­ver, some edi­to­ri­al chan­ges have been made with the aim of making the pro­vi­si­ons clea­rer and more acces­si­ble overall.

The eva­lua­ti­on has also shown that the per­sons con­cer­ned hard­ly exer­cise their rights, espe­cial­ly in the pri­va­te sec­tor. This is main­ly attri­buted to the cost risks of liti­ga­ti­on, which are to be off­set by adjust­ments to the cost regu­la­ti­on in civil pro­ce­e­dings (cf. Sec­tion 9.2.15).

Art. 28 Right to issue and trans­fer data 

1 Any per­son may requ­est from the data con­trol­ler the release of his per­so­nal data, which he has dis­c­lo­sed to him, in a com­mon­ly used elec­tro­nic for­mat, if:

a. the data con­trol­ler pro­ces­ses the data auto­ma­ti­cal­ly; and
b. the data is pro­ces­sed with the con­sent of the data sub­ject or in direct con­nec­tion with the con­clu­si­on or per­for­mance of a con­tract bet­ween the con­trol­ler and the data subject.

2 The data sub­ject may also requ­est the con­trol­ler to trans­fer his or her per­so­nal data to ano­t­her con­trol­ler if the requi­re­ments under para­graph 1 are met and this does not requi­re dis­pro­por­tio­na­te effort.

3 The data con­trol­ler must pro­vi­de or trans­fer the per­so­nal data free of char­ge. The Federal Coun­cil may pro­vi­de for excep­ti­ons, name­ly if the expen­se is disproportionate.

Art. 29 Restric­tions on the right to issue and trans­fer data

1 The data con­trol­ler may refu­se, limit or post­po­ne the release or trans­fer of the per­so­nal data for the rea­sons listed in Arti­cle 26, para­graphs 1 and 2.

2 The respon­si­ble par­ty must sta­te why it is refu­sing, restric­ting, or defer­ring the release or transfer.

Chap­ter 5: Spe­cial pro­vi­si­ons on data pro­ces­sing by pri­va­te persons

Art. 30 Vio­la­ti­on of per­so­na­li­ty rights

1 Anyo­ne who pro­ces­ses per­so­nal data must not unlaw­ful­ly infrin­ge the per­so­na­li­ty of the per­sons concerned.

2 A vio­la­ti­on of per­so­na­li­ty rights exists in par­ti­cu­lar if:

a. per­so­nal data is pro­ces­sed con­tra­ry to the princi­ples set out in Arti­cles 6 and 8;
b. per­so­nal data is pro­ces­sed con­tra­ry to the express decla­ra­ti­on of intent of the data subject;
c. third par­ties are pro­vi­ded with per­so­nal data that is par­ti­cu­lar­ly worthy of protection.

3 As a rule, the­re is no vio­la­ti­on of pri­va­cy if the per­son con­cer­ned has made the per­so­nal data gene­ral­ly acces­si­ble and has not express­ly pro­hi­bi­ted processing.

Bot Art. 26 Per­so­na­li­ty vio­la­ti­ons (count. acc. to draft)

The concept of violation of personality is not defined in Article 28 CC. Article 26 of the draft concretizes this term for violations of personality through the processing of personal data.

Par. 1 Principle

Paragraph 1 states that data processing must not unlawfully infringe the personality of the data subject. The wording remains unchanged. The individual right to dispose of personal data, which is protected by informational self-determination, can quickly be severely restricted by data processing. Compliance with the principles of data processing by private data controllers is therefore central to the protection of the personality of the data subject, especially since private processing accounts for a large proportion of data processing operations in general.

Par. 2 Cases of vio­la­ti­on of per­so­na­li­ty rights

Para­graph 2 refers, among other things, to com­pli­an­ce with the princi­ples of data pro­ces­sing and pro­vi­des that a vio­la­ti­on of pri­va­cy exists in three constellations.

Accord­ing to let­ter a, a vio­la­ti­on of pri­va­cy occurs if data is pro­ces­sed con­tra­ry to the princi­ples of Arti­cles 5 and 7 of the e‑DSG.

According to letter b, it is also a violation of privacy if data is processed contrary to the data subject’s express declaration of intent. This provision thus gives the data subject the right to explicitly prohibit a particular data controller from processing data without having to meet specific requirements (opting out). This possibility already existed under the previous law and is also required by Article 8 letter d E‑SEV 108. A declaration of intent is “explicit” if it is made by written or spoken words or a sign and the expressed intent is directly apparent from the words or sign used. Accordingly, the data subject must directly express in words or signs that he or she does not consent to a certain data processing. The expression of the will as such must already create clarity about the will through the manner in which it is made. In the present case, for example, the data subject would have to terminate a service that involves data processing or make an oral or written declaration to a data controller that he or she does not want the controller to process data about him or her. In contrast, an “implied” declaration of intent is not sufficient in the present case (cf. the explanations on Article 5(6) E‑DSG in Section 9.1.3.1). For example, it would not be sufficient for the data subject to stop using a service that involves data processing.

Pur­suant to let­ter c, a vio­la­ti­on of pri­va­cy also occurs if par­ti­cu­lar­ly sen­si­ti­ve data is dis­c­lo­sed to third parties.

The list is not exhaustive. This means that a violation of privacy through the processing of data can also occur in a way other than through the realization of these three elements. In letters b and c, the reference to the justification ground has been removed, as was already done for letter a in the 2003 revision. This, too, is merely for the sake of clarity and corresponds to Article 28 CC, in which the violation of personality and the grounds for justification are also dealt with in two sub-provisions. In the e‑DPA, the grounds for justification are now exclusively regulated in Article 27.

Par. 3 No vio­la­ti­on of personality

Accord­ing to para­graph 3, on the other hand, the­re is gene­ral­ly no vio­la­ti­on of pri­va­cy if the data sub­ject has made the data gene­ral­ly acces­si­ble and has not express­ly pro­hi­bi­ted its pro­ces­sing (for the expres­si­ve­ness, see the com­men­ta­ry abo­ve on para­graph 2 let­ter b). This pro­vi­si­on, which was adop­ted iden­ti­cal­ly from the pre­vious law, is con­si­stent. This is becau­se the individual’s free­dom of dis­po­sal over per­so­nal data is not vio­la­ted in princip­le under the­se cir­cum­stan­ces. The wor­d­ing “as a rule” expres­ses that this is a legal presump­ti­on and not an incon­tro­ver­ti­ble fic­tion. The per­son con­cer­ned thus has the opti­on of pro­ving that a vio­la­ti­on of per­so­na­li­ty rights may nevertheless exist in indi­vi­du­al cases. This pos­si­bi­li­ty is appro­pria­te and important becau­se the demar­ca­ti­on bet­ween public and pri­va­te sphe­re is incre­a­singly difficult.

Art. 31 Grounds for justification

1 A vio­la­ti­on of pri­va­cy is unlaw­ful if it is not justi­fied by the con­sent of the per­son con­cer­ned, by an over­ri­ding pri­va­te or public inte­rest or by law.

2 An over­ri­ding inte­rest of the respon­si­ble par­ty shall be con­si­de­red in par­ti­cu­lar in the fol­lo­wing cases:

a. The data con­trol­ler pro­ces­ses per­so­nal data about the con­trac­ting par­ty in direct con­nec­tion with the con­clu­si­on or per­for­mance of a contract.
b. The data con­trol­ler is or will be in eco­no­mic com­pe­ti­ti­on with ano­t­her per­son and pro­ces­ses per­so­nal data for this pur­po­se that is not dis­c­lo­sed to third par­ties; com­pa­nies that belong to the same group as the data con­trol­ler are not con­si­de­red third par­ties for the pur­po­ses of this provision.

c. The data con­trol­ler pro­ces­ses per­so­nal data to check the credit­wort­hi­ness of the data sub­ject, sub­ject to the fol­lo­wing conditions:

1. it is neit­her per­so­nal data requi­ring spe­cial pro­tec­tion nor high-risk profiling.
2. the data will only be dis­c­lo­sed to third par­ties if they requi­re the data for the con­clu­si­on or per­for­mance of a con­tract with the data subject.
3. the data are not older than ten years.
4. the per­son con­cer­ned is of age.
d. The per­son respon­si­ble pro­ces­ses the per­so­nal data pro­fes­sio­nal­ly and exclu­si­ve­ly for publi­ca­ti­on in the edi­to­ri­al sec­tion of a perio­di­cal­ly published medi­um or, if no publi­ca­ti­on takes place, the data ser­ve him/her exclu­si­ve­ly as a per­so­nal work tool.

e. The data con­trol­ler pro­ces­ses the per­so­nal data for non-per­so­nal pur­po­ses, in par­ti­cu­lar for rese­arch, plan­ning or sta­tis­tics, sub­ject to the fol­lo­wing conditions:

1. it shall anony­mi­ze the data as soon as the pur­po­se of the pro­ces­sing per­mits; if anony­miz­a­ti­on is impos­si­ble or requi­res dis­pro­por­tio­na­te effort, it shall take appro­pria­te mea­su­res to pre­vent the data sub­jects from being identified.
2. in the case of personal data requiring special protection, it shall disclose such data to third parties in such a way that the data subject cannot be identified; if this is not possible, it must be ensured that the third parties process the data only for non-personal purposes.
3. the results are published in such a way that the per­sons con­cer­ned can­not be identified.
f. The respon­si­ble per­son collects per­so­nal data about a public figu­re that rela­tes to that person’s acti­vi­ties in public.
Bot Art. 27 Justi­fi­ca­ti­ons (count. acc. to draft)

Arti­cle 27 spe­ci­fies the grounds for justi­fi­ca­ti­on for data pro­ces­sing that vio­la­tes per­so­nal pri­va­cy. Apart from minor chan­ges, the stan­dard remains unchanged.

Par. 1 Principle

Para­graph 1 estab­lishes the princip­le that any vio­la­ti­on of pri­va­cy – i.e. any data pro­ces­sing that vio­la­tes pri­va­cy – is in princip­le unlaw­ful unless it is justi­fied by the con­sent of the data sub­ject, by law or by an over­ri­ding pri­va­te or public inte­rest. This pro­vi­si­on cor­re­sponds to Arti­cle 28(2) of the Civil Code. If the con­sent of the per­son con­cer­ned or a legal justi­fi­ca­ti­on exists, the­re is in princip­le no balan­cing of inte­rests and the grounds for balan­cing under para­graph 2 do not come into play. Legal justi­fi­ca­ti­on grounds inclu­de, for examp­le, pro­ces­sing or cla­ri­fi­ca­ti­on obli­ga­ti­ons (e.g. Art. 28 et seq. of the Federal Act of 23 March 2001 on Con­su­mer Credit, Art. 3 et seq. of the Anti-Money Laun­de­ring Act of 10 Octo­ber 1997) or sto­rage obli­ga­ti­ons. On the other hand, an over­ri­ding pri­va­te or public inte­rest requi­res a weig­hing of the con­flic­ting inte­rests. On the part of the data sub­ject, the­re is, among other things, an inte­rest in pre­ser­ving his or her free­dom to dis­po­se of his or her data. On the part of the data con­trol­ler, the­re is an inte­rest in data pro­ces­sing. Para­graph 2 con­tains an exem­pla­ry list of pro­ces­sing ope­ra­ti­ons for which an over­ri­ding inte­rest of the data con­trol­ler can be con­si­de­red. Only if the inte­rest in data pro­ces­sing out­weighs the inte­rest of the data sub­ject is the vio­la­ti­on of pri­va­cy justified.

Par. 2 Over­ri­ding inte­rests of the respon­si­ble person

Para­graph 2 spe­ci­fies when an over­ri­ding inte­rest of the con­trol­ler comes into con­si­de­ra­ti­on. The wor­d­ing, which has been retai­ned unch­an­ged, makes it clear that the­se are not abso­lu­te grounds for justi­fi­ca­ti­on. Rather, as in the pre­vious law, it is ulti­mate­ly the weig­hing of inte­rests in the indi­vi­du­al case that is decisi­ve. In con­trast to the pre­vious law, the refe­rence is no lon­ger to the per­son pro­ces­sing the data, but to the per­son respon­si­ble. The adjust­ment is made due to the intro­duc­tion of the con­cept of the per­son respon­si­ble. The justi­fi­ca­ti­on grounds under Arti­cle 27(2) are tailo­red to per­sons who, as data con­trol­lers, can deci­de on the pur­po­se and means of data pro­ces­sing. Other defen­dants may invo­ke justi­fi­ca­ti­on grounds under para­graph 1. Based on Arti­cle 8(4) E‑DSG, the com­mis­sio­ned pro­ces­sor can assert the same grounds for justi­fi­ca­ti­on as the con­trol­ler. Pas­si­ve legi­ti­ma­cy is also unaf­fec­ted by the amendment.

The rea­sons listed lar­ge­ly cor­re­spond to the pre­vious law. The list is not exhaus­ti­ve, so that other rea­sons than tho­se listed here can also be used as an over­ri­ding inte­rest of the con­trol­ler. The enu­me­ra­ti­on lists various pur­po­ses that justi­fy the pro­ces­sing of data and may out­weigh the inte­rest of the data sub­ject. Essen­ti­al­ly, the cata­log covers three groups of data pro­ces­sing: tho­se for cer­tain eco­no­mic acti­vi­ties, tho­se for the media and data pro­ces­sing for non-per­so­nal pur­po­ses such as rese­arch. For indi­vi­du­al pro­ces­sing pur­po­ses, the sta­ted pur­po­se alo­ne is not suf­fi­ci­ent to justi­fy the vio­la­ti­on of pri­va­cy. Rather, the pro­ces­sing must addi­tio­nal­ly ful­fill cer­tain requi­re­ments so that the justi­fi­ca­ti­on of the over­ri­ding inte­rest can be asser­ted at all. This app­lies in par­ti­cu­lar with regard to let­ters b, c, e and f. In the­se cases, it must first be exami­ned whe­ther the pro­ces­sing in que­sti­on meets the spe­ci­fic requi­re­ments befo­re the inte­rests of the spe­ci­fic indi­vi­du­al case are weig­hed against each other. If the­se spe­ci­fic con­di­ti­ons are not met, the data pro­ces­sing is only justi­fied if the­re is a justi­fi­ca­ti­on accord­ing to para­graph 1. Only let­ters c and e, whe­re the legal text has been amen­ded, are com­men­ted on below.

Para. 2 let. c Credit­wort­hi­ness check

With regard to the activity of economic information services, reference should first be made to the recent ruling of the Federal Administrative Court A‑4232/2015 of April 18, 2017 (Moneyhouse). Moneyhouse AG is a business information service and obtains data in electronic form from various public and private sources. This multitude of personal data is published on www.moneyhouse.ch and used to offer various services, in particular a company and person search. While this service is free of charge for the public after registration, so-called “premium users” are additionally offered creditworthiness and payment subscriptions, details on payment problems, debt enforcement, land register, business and tax information as well as services concerning company portraits. For additional services and in order to access data of natural persons who are not entered in the commercial register or in an electronic telephone directory, proof of interest must be provided. With regard to the premium subscriptions, which are subject to a fee, the Federal Administrative Court came to the conclusion that Moneyhouse AG in part creates a biographical image of individuals in the process. The Federal Administrative Court held that in this initial situation, the processing of a personality profile was to be affirmed, which is why the justification ground of the credit check pursuant to Article 13 paragraph 2 letter c FADP did not apply. For the Federal Administrative Court, no legal basis was apparent as a justification, nor was it possible to prove that the data subjects had explicitly consented to the creation of a personality profile. Finally, an overall weighing of interests also showed that the interest of the persons concerned in the protection of their personal rights predominated.
As a result, the Federal Admi­ni­stra­ti­ve Court found that the pro­ces­sing of per­so­na­li­ty pro­files was unlaw­ful and orde­red Money­hou­se AG to obtain the express con­sent of the data sub­jects for such data pro­ces­sing, other­wi­se the cor­re­spon­ding data had to be dele­ted inso­far as con­clu­si­ons could be drawn about signi­fi­cant aspects of the per­so­na­li­ty. In addi­ti­on, the court obli­ged Money­hou­se AG to con­duct an annu­al review of its data inven­to­ry to ensu­re its accu­ra­cy in the ratio of 5 % to the que­ries made on the plat­form. In addi­ti­on, the Federal Coun­cil will exami­ne spe­ci­fic mea­su­res rela­ting to credit reporting ser­vices as part of the report for Postu­la­te Schwa­ab 16.3682 “Restric­ting the acti­vi­ties of credit reporting agencies”.

Howe­ver, the e‑DSG alrea­dy addres­ses cer­tain con­cerns regar­ding the acti­vi­ties of credit reporting ser­vices. For examp­le, four con­di­ti­ons must be met in order for the credit­wort­hi­ness check to be con­si­de­red an over­ri­ding inte­rest. The pro­vi­si­on is slight­ly tigh­te­ned in rela­ti­on to the pre­vious law, in par­ti­cu­lar to take into account the high risk asso­cia­ted with this type of data processing.

Items 1 and 2 correspond to the applicable law, with the term “personality profile” being replaced by the term “profiling”. The processing of personal data requiring special protection also remains inadmissible. This also includes the processing of data on criminal prosecutions and sanctions. This is logical, as third parties are also not allowed to inspect the criminal register. Contrary to the suggestions of various participants in the consultation process, the FADP should not contain any additional rights for business information services.

Items 3 and 4 have been new­ly added.

Item 3 requires that the data must not be older than five years. Such a reinforcement was suggested by various participants in the consultation process and appears justified in view of the scope of a credit report for the person concerned. The Federal Administrative Court also stated that the greater the risk of a violation of personality rights, the higher the requirements to be met with regard to the quality of the content and thus also the accuracy of the data processed. The very low verification rate of 5 percent imposed by the Federal Administrative Court on Moneyhouse AG also shows the difficulties of keeping such databases up to date. Therefore, the Federal Council considers a general regulation on the duration during which data may be used to be useful. Such a restriction can also be implemented in particular with appropriate technical precautions (privacy by design, cf. Art. 6 E‑DSG and the explanations thereto), for example by automatically deleting data after a certain period. The retention period of five years is based on the fact that, pursuant to Article 8a (4) SchKG, private third parties can only inspect the debt collection register up to five years after the conclusion of the proceedings. Here, the rights of business information services are not to go any further.

Item 4 requires the person concerned to be of age. This requirement is inserted in order to improve the protection of minors, which is one of the objectives of the revision. The scope of this amendment is likely to be limited due to the limited capacity of minors to act.

Par. 2 (e) Pro­ces­sing for rese­arch, plan­ning or statistics

The justi­fi­ca­ti­on for pro­ces­sing for non-per­so­nal pur­po­ses, in par­ti­cu­lar in rese­arch, plan­ning or sta­tis­tics, is slight­ly tigh­te­ned in let­ter e. The use of data for the­se pur­po­ses is now only per­mis­si­ble if the requi­re­ments of num­bers 1 – 3 are met. This pro­vi­si­on is inten­ded to streng­t­hen the pro­tec­tion of per­so­nal data requi­ring spe­cial pro­tec­tion. This is done in par­ti­cu­lar with a view to the pos­si­bi­li­ties of big data and the incre­a­sing digi­ta­liz­a­ti­on of ever­y­day life, which also leads to an ever grea­ter num­ber of per­so­nal data requi­ring spe­cial pro­tec­tion being processed.

Accord­ing to item 1, data must be anony­mi­zed as soon as the pur­po­se of pro­ces­sing per­mits. If it is no lon­ger necessa­ry to have per­so­nal data for the pur­po­se of data pro­ces­sing for rese­arch, plan­ning or sta­tis­tics, the data must be anony­mi­zed. This requi­re­ment is also met if the dis­clo­sure is made in pseud­ony­mi­zed form and the key remains with the per­son dis­clo­sing the data (de fac­to anonymization).

This alrea­dy fol­lows in princip­le from the pro­vi­si­on in Arti­cle 5 (4) E‑DSG. Accord­ing to Arti­cle 26 (2) (a) E‑DSG, a bre­ach of the same leads to a vio­la­ti­on of pri­va­cy that can be justi­fied by one of the grounds in Arti­cle 27 E‑DSG. As a result of the pro­vi­si­on in Arti­cle 27(2)(e)(1) E‑DSG, it is now no lon­ger pos­si­ble to justi­fy a bre­ach of Arti­cle 5(4) E‑DSG on the grounds of pro­ces­sing for the pur­po­ses of rese­arch, plan­ning or sta­tis­tics, unless one of the grounds for justi­fi­ca­ti­on in Arti­cle 27(1) E‑DSG applies.

If personal data requiring special protection is disclosed to third parties, this must be done in such a way that the persons concerned cannot be identified (item 2). According to Article 26(2)(c) of the Federal Data Protection Act, the disclosure of personal data requiring special protection to third parties leads to a violation of privacy that can be justified on one of the grounds in Article 27. The provision in item 2 now rules out justifying the disclosure of non-anonymized personal data requiring special protection on the grounds that it is being processed for the purposes of research, planning or statistics.

Final­ly, as befo­re, the results may only be published in such a way that the per­sons con­cer­ned can­not be iden­ti­fied (item 3).

Art. 32 Legal claims

1 The data sub­ject may requ­est that inac­cu­ra­te per­so­nal data be cor­rec­ted unless:

a. a sta­tu­to­ry pro­vi­si­on pro­hi­bits the change;
b. the per­so­nal data are pro­ces­sed for archi­val pur­po­ses in the public interest.

2 Actions for the pro­tec­tion of per­so­na­li­ty are gover­ned by Arti­cles 28, 28a and 28g-28l of the Civil Code. The plain­tiff may in par­ti­cu­lar demand that:

a. a spe­ci­fic data pro­ces­sing is prohibited;
b. a spe­ci­fic dis­clo­sure of per­so­nal data to third par­ties is prohibited;
c. Per­so­nal data is dele­ted or destroyed.

3 If neit­her the accu­ra­cy nor the inac­cu­ra­cy of the per­so­nal data in que­sti­on can be estab­lished, the com­p­lai­ning par­ty may requ­est that a note of con­te­sta­ti­on be made.

4 The com­p­lai­ning par­ty may also requ­est that the cor­rec­tion, the dele­ti­on or the dest­ruc­tion, the pro­hi­bi­ti­on of pro­ces­sing or dis­clo­sure to third par­ties, the noti­ce of dis­pu­te or the judgment be com­mu­ni­ca­ted to third par­ties or published.

Bot Art. 28 Legal claims (count. acc. to draft)

Arti­cle 28 regu­la­tes the legal claims that the data sub­ject may assert against pri­va­te persons.

Par. 1 Correction

Paragraph 1 states that any person may request the correction of inaccurate personal data. This entitlement has so far been contained in Article 5 paragraph 2 DPA. It is combined with all other legal claims in one provision in the e‑DSG. Correction can mean that the missing data is supplemented or the incorrect data is deleted and, if necessary, replaced by new, correct data.

As is clear from the sepa­ra­te para­graph, the right to rec­ti­fi­ca­ti­on exists inde­pendent­ly of a vio­la­ti­on of per­so­na­li­ty rights under Arti­cle 26 E‑Data Act. Like­wi­se, the justi­fi­ca­ti­on grounds of Arti­cle 27 E‑Data Act can­not be invo­ked. Rather, para­graph 1 pro­vi­des for two inde­pen­dent excep­ti­ons that exclu­de rectification.

Accord­ing to let­ter a, the cor­rec­tion of inac­cu­ra­te data is exclu­ded if a legal pro­vi­si­on pre­clu­des the modi­fi­ca­ti­on of per­so­nal data. This refers to legal pro­ces­sing and sto­rage obli­ga­ti­ons accord­ing to which pri­va­te data con­trol­lers must lea­ve data unchanged.

Let­ter b allo­ws a balan­cing of inte­rests with regard to data archi­ve hol­dings that are pro­ces­sed exclu­si­ve­ly for this pur­po­se and whe­re the­re is an over­ri­ding public inte­rest in the data remai­ning unch­an­ged. This excep­ti­on covers pri­va­te libra­ries, for example.

Par. 2 Actions

Para­graph 2 con­tains the refe­rence to actions under Arti­cles 28 et seq. ZGB, which alrea­dy exists in the pre­vious law. By ana­lo­gy with Arti­cle 28a (1) CC, this para­graph also sets out indi­vi­du­al spe­ci­fic claims that the per­son con­cer­ned can assert. For the sake of cla­ri­ty, the­se are now bet­ter high­ligh­ted in the draft with an enu­me­ra­ti­on. In par­ti­cu­lar, this enu­me­ra­ti­on spe­ci­fies the action for injunc­tion and remo­val pur­suant to Arti­cle 28a para­graph 1 items 1 and 2 CC with regard to data pro­tec­tion. Accord­ing to let­ter a, the data sub­ject may requ­est that the data pro­ces­sing be pro­hi­bi­ted. Accord­ing to let­ter b, he or she may requ­est that the dis­clo­sure of data to third par­ties be pro­hi­bi­ted. Final­ly, accord­ing to let­ter c, he or she may requ­est that data be dele­ted or destroyed.

Although it already arises implicitly from the previous law, a right to deletion is explicitly formulated in the e‑DSG. It meets the requirements of Article 8 letter e E‑SEV 108. Article 17 of Regulation (EU) 2016/679 contains a similar provision. In the area of data protection, this right to deletion corresponds to the “right to be forgotten” as it is generally derived from the protection of personality under civil law. Accordingly, a decision similar to that made by the European Court of Justice against Google would also be possible in Switzerland, for example. However, such a right to be forgotten does not apply absolutely. Rather, in the case law on the protection of personality, the interest of the person concerned is weighed against the freedom of opinion and information, which regularly result in an overriding interest in the continued existence or use of the information. Such an interest may exist, for example, in the case of archives or libraries whose task it is to collect, index, preserve and communicate documents unchanged. If there is an overriding interest, the violation of privacy is justified and any claim for deletion is not applicable. The necessary weighing of interests in individual cases is possible and necessary on the basis of Article 28 (2) E‑DSG and its reference to actions under Article 28 f. ZGB, so that no specific reservations need to be inserted in the legal text. The Commissioner would have preferred it if a right to delist (“right to be forgotten”) had been explicitly inserted.

Par. 3 Note of denial

Para­graph 3 con­tains the so-cal­led deni­al note, which is taken over unch­an­ged from the pre­vious law. Accord­in­gly, a cor­re­spon­ding note can be added to data if neit­her the cor­rect­ness nor the incor­rect­ness of the data can be deter­mi­ned. This pro­vi­si­on should be view­ed against the back­ground that it is some­ti­mes not pos­si­ble to ade­qua­te­ly pro­ve the incor­rect­ness of fac­tu­al claims, espe­cial­ly if they are lin­ked to value judgments. In this way, the per­son con­cer­ned recei­ves at least par­ti­al legal protection.

Par. 4 Com­mu­ni­ca­ti­on to third par­ties or publication

Para­graph 4, like the pre­vious law, pro­vi­des that the judgment, the cor­rec­tion, the dele­ti­on or dest­ruc­tion, the pro­hi­bi­ti­on of pro­ces­sing or dis­clo­sure to third par­ties or the noti­ce of con­te­sta­ti­on shall be com­mu­ni­ca­ted to third par­ties or published. This pro­vi­si­on con­creti­zes Arti­cle 28a (2) CC in the area of data protection.

Howe­ver, the pro­vi­si­on con­cer­ning the sim­pli­fied pro­ce­du­re for requests for infor­ma­ti­on is repealed. This pro­vi­si­on has beco­me obso­le­te with the intro­duc­tion of the CCP becau­se all pro­vi­si­ons on civil pro­ce­e­dings are now con­tai­ned in the CCP. The lat­ter regu­la­tes the app­li­ca­ble pro­ce­du­re (Art. 243 para. 2 let. d E‑ZPO) as well as the place of juris­dic­tion (Art. 20 let. d E‑ZPO).

Chap­ter 6: Spe­cial Pro­vi­si­ons on Data Pro­ces­sing by Federal Bodies

Art. 33 Con­trol and respon­si­bi­li­ty in the case of joint pro­ces­sing of per­so­nal data

The Federal Coun­cil shall regu­la­te the con­trol pro­ce­du­res and respon­si­bi­li­ty for data pro­tec­tion if a federal body pro­ces­ses per­so­nal data tog­e­ther with other federal bodies, with can­to­nal bodies or with pri­va­te persons.

Bot Art. 29 Con­trol and respon­si­bi­li­ty in case of joint pro­ces­sing of per­so­nal data (count. acc. to draft)

Compared to Article 16 FADP, Article 29 E‑DSG undergoes few changes.

Arti­cle 16 para­graph 1 FADP is repealed. The respon­si­bi­li­ty of the federal body that pro­ces­ses per­so­nal data or has per­so­nal data pro­ces­sed results from the defi­ni­ti­on of the term “per­son respon­si­ble” (Art. 4 let. i E‑DSG).

For editorial reasons, Article 29 of the e‑DSG also omits the term “specifically regulate” from Article 16 paragraph 2 FADP. In addition, the Federal Council should not only have the possibility to issue special rules on control and responsibility for data protection when federal bodies process data together with other authorities or private persons, but should be obliged to do so. This amendment implements Article 21 of Directive (EU) 2016/680. Article 26 of Regulation (EU) 2016/679 provides for an analogous regulation.

Art. 34 Legal bases

1 Federal bodies may only pro­cess per­so­nal data if the­re is a legal basis for doing so.

2 A basis in a law in the for­mal sen­se is requi­red in the fol­lo­wing cases:

a. It is the pro­ces­sing of per­so­nal data requi­ring spe­cial protection.
b. It is profiling.
c. The pur­po­se of pro­ces­sing or the man­ner in which the data is pro­ces­sed may lead to a serious inter­fe­rence with the fun­da­men­tal rights of the data subject.

3 For the pro­ces­sing of per­so­nal data under para­graph 2 let­ters a and b, a basis in a law in the sub­stan­ti­ve sen­se is suf­fi­ci­ent if the fol­lo­wing requi­re­ments are met:

a. The pro­ces­sing is indis­pensable for a task spe­ci­fied in a law in the for­mal sense.
b. The pur­po­se of the pro­ces­sing does not pose any par­ti­cu­lar risks to the fun­da­men­tal rights of the data subject.

4 In dero­ga­ti­on of para­graphs 1 – 3, federal bodies may pro­cess per­so­nal data if one of the fol­lo­wing con­di­ti­ons is met:

a. The Federal Coun­cil has appro­ved the pro­ces­sing becau­se it does not con­si­der the rights of the per­son con­cer­ned to be at risk.
b. The data sub­ject has con­sen­ted to the pro­ces­sing in the indi­vi­du­al case or has made his/her per­so­nal data gene­ral­ly acces­si­ble and has not express­ly pro­hi­bi­ted processing.
c. The processing is necessary to protect the life or physical integrity of the data subject or a third party and it is not possible to obtain the data subject’s consent within a reasonable time.

Bot Art. 30 Legal bases (count. acc. to draft)

In order to take account of the criticism in the doctrine concerning the delimitation of the exceptions in Article 17 paragraph 2 FADP and Article 19 paragraph 2 FADP, the e‑DSG regulates the legal basis for certain data processing in Article 30(2). Paragraph 4 provides for the exceptions to the requirements for the legal basis.

Par. 1 Legal basis

Paragraph 1 adopts the principle of Article 17 paragraph 1 FADP, which stipulates that, subject to certain exceptions, federal bodies may only process personal data if there is a legal basis for doing so.

Par. 2 Basis in law in the for­mal sense

As under cur­rent law, para­graph 2(a) requi­res that a basis in a law in the for­mal sen­se is requi­red for the pro­ces­sing of data requi­ring spe­cial protection.

Pursuant to paragraph 2 letter b, federal bodies are authorized to carry out profiling within the meaning of Article 4 letter f E‑DSG only if this is provided for in a basis in a law in the formal sense. The provision replaces in this respect Article 17 paragraph 2 FADP, according to which personality profiles may only be processed if a law in the formal sense expressly provides for it. Due to the risk of interference with the fundamental rights of the data subjects, the Federal Council is of the opinion that the legal basis for profiling must exist at the same level as in the case of the processing of data requiring special protection. As explained in the comments on paragraph 3, the requirement of a basis in a law in the formal sense does not apply absolutely to such data processing. Consequently, it will be up to the legislator to determine in each area whether a formal legal basis must be created in an area-specific law or whether a basis in a law in the substantive sense is sufficient. It is conceivable that profiling in certain cases does not pose any particular risks to the fundamental rights of the data subject.

According to paragraph 2 letter c, a basis in a law in the formal sense is required if the purpose of the processing or the manner in which the data are processed may lead to a serious interference with the fundamental rights of the data subject. This case is not explicitly stated in Article 17 paragraph 2 FADP. However, this is not a new requirement, because according to Article 36(1) BV, serious restrictions of fundamental rights require a legal basis in a law in the formal sense. Letter c is necessary, however, because the term “personality profile” and the corresponding legal bases are repealed in several federal laws. This is because, in the view of the Federal Council, the abolition of the term “personality profile” must not lead to a lowering of the requirements for the level of the legal basis.

A serious inter­fe­rence with the fun­da­men­tal rights of the data sub­ject may result from the pur­po­se of the pro­ces­sing of per­so­nal data (first app­li­ca­ti­on of sub­pa­ra­graph (c)). This is becau­se in cer­tain are­as, federal bodies may need to pro­cess cer­tain per­so­nal data in order to assess, for examp­le, the dan­ge­rous­ness, the poten­ti­al for a func­tion, the sui­ta­bi­li­ty for ful­fil­ling a legal duty or the life­style of a per­son. Depen­ding on the pur­po­se of the pro­ces­sing by the federal body, it may – regard­less of the type of data pro­ces­sed – serious­ly restrict the fun­da­men­tal rights of the data sub­ject. If this is the case, it is justi­fied that a legal basis must exist for the pro­ces­sing of per­so­nal data at the same level as for the pro­ces­sing of per­so­nal data requi­ring spe­cial protection.

A serious encroachment on the fundamental rights of the data subject may also result from the manner in which the data is processed (second application of subparagraph c). This applies in particular to automated individual decisions pursuant to Article 19 (1) of the e‑Data Protection Act. It is true that not every automated individual decision involves a serious risk to the fundamental rights of the data subject, so that a basis in a law in the substantive sense may also suffice for certain such decisions. An authorization by a law in the formal sense is generally required if the automated individual decision is made on the basis of personal data that is particularly worthy of protection. This also takes into account the requirements of Article 11 of Directive (EU) 2016/680.

Par. 3 Excep­ti­ons to the requi­re­ment of a basis in a law in the for­mal sense.

This pro­vi­si­on aut­ho­ri­zes the Federal Coun­cil to issue a basis in a law in the sub­stan­ti­ve sen­se for the pro­ces­sing of per­so­nal data requi­ring spe­cial pro­tec­tion and pro­filing if two con­di­ti­ons are cumu­la­tively met. Accord­ing to let­ter a, the pro­ces­sing must be indis­pensable for a task spe­ci­fied in a law in the for­mal sen­se. For this requi­re­ment to be met, the natu­re of the tasks requi­ring the pro­ces­sing of per­so­nal data must be suf­fi­ci­ent­ly spe­ci­fied at the level of the law. The second requi­re­ment (para­graph 3 let­ter b) is new. It has the advan­ta­ge of limi­t­ing the scope of para­graph 3 in a more pre­cise man­ner than the cur­rent pro­vi­si­on in Arti­cle 17(2)(a) DPA. The lat­ter is only app­li­ca­ble by way of excep­ti­on, which can also lead to the dis­cre­ti­on being used to assu­me excep­tio­nal cases whe­re none exist.

The lowering of the requirements for the level of the legal basis is particularly appropriate for personal data requiring special protection that is exceptionally processed in Federal Council, departmental and official business (e.g. appeal decisions; state liability cases; federal personnel business). Strictly speaking, this too requires a formal legal basis according to the applicable Article 17 paragraph 1 FADP. However, according to Article 30 (3) of the e‑Data Protection Act, a basis in a law in the substantive sense should suffice if the processing is indispensable for the fulfillment of a task provided for by formal law and the purpose of the processing does not pose any particular risks to the fundamental rights of the data subject. Insofar as these criteria are met and access to this data is severely restricted, a basis in a law in the substantive sense will in principle suffice in the future.

Par. 4 Exceptions

Accord­ing to para­graph 4, the requi­re­ment of the legal basis (paras. 1 – 3) may be devia­ted from if one of the con­di­ti­ons accord­ing to let­ters a to c is fulfilled.

Let­ter a regu­la­tes the deci­si­on of the Federal Coun­cil that excep­tio­nal­ly allo­ws the federal body to pro­cess per­so­nal data without a legal basis. Let­ter a cor­re­sponds to the excep­ti­on under Arti­cle 17 para­graph 2 let­ter b FADP.

Accord­ing to let­ter b, federal bodies may pro­cess per­so­nal data without a legal basis if the data sub­ject gives con­sent in indi­vi­du­al cases in accordance with Arti­cle 5 para­graph 6 FADP or if he or she has made his or her per­so­nal data gene­ral­ly acces­si­ble and has not express­ly pro­hi­bi­ted pro­ces­sing. This pro­vi­si­on essen­ti­al­ly cor­re­sponds to the excep­ti­on under Arti­cle 17(2)(c) FADP.

Subparagraph (c) is a new exception that is not included in Article 17 paragraph 2 FADP. It corresponds to Article 10(b) of Directive (EU) 2016/680 and Article 6(1)(d) of Regulation (EU) 2016/679. Accordingly, processing is also permitted if it is necessary to protect the life or physical integrity of the data subject or a third party if it is not possible to obtain the data subject’s consent within a reasonable period of time.

Art. 35 Auto­ma­ted data pro­ces­sing in the con­text of pilot trials

1 Pri­or to the ent­ry into for­ce of a law in the for­mal sen­se, the Federal Coun­cil may aut­ho­ri­ze the auto­ma­ted pro­ces­sing of per­so­nal data requi­ring spe­cial pro­tec­tion or other data pro­ces­sing pur­suant to Arti­cle 34 para­graph 2 let­ters b and c if:

a. the tasks on the basis of which the pro­ces­sing is requi­red are regu­la­ted in a law alrea­dy in for­ce in the for­mal sense;
b. suf­fi­ci­ent mea­su­res are taken to mini­mi­ze inter­fe­rence with the fun­da­men­tal rights of the per­sons con­cer­ned; and
c. a test pha­se pri­or to ent­ry into for­ce is indis­pensable for the prac­ti­cal imple­men­ta­ti­on of data pro­ces­sing, in par­ti­cu­lar for tech­ni­cal reasons.

2 It shall first obtain the opi­ni­on of the FDPIC.

3 The com­pe­tent federal body shall sub­mit an eva­lua­ti­on report to the Federal Coun­cil no later than two years after the start of the pilot sche­me. In this report, it shall pro­po­se the con­ti­nua­tion or dis­con­ti­nua­tion of the trial.

4 Auto­ma­ted data pro­ces­sing must be dis­con­ti­nued in any case if no law in the for­mal sen­se con­tai­ning the requi­red legal basis has ente­red into for­ce wit­hin five years of the start of the pilot test.

Bot Art. 31 Auto­ma­ted data pro­ces­sing wit­hin the scope of pilot tests (count. acc. to draft)

The pre­sent amend­ments to the cur­rent Arti­cle 17a FADP are not inten­ded to wea­ken the con­di­ti­ons under which a federal body can pro­cess data auto­ma­ti­cal­ly in a pilot test befo­re a law in the for­mal sen­se enters into for­ce. It is merely inten­ded to redu­ce the regu­la­to­ry den­si­ty. This is becau­se, sin­ce this norm came into for­ce, federal bodies have rare­ly resor­ted to it. Cer­tain pro­vi­si­ons of Arti­cle 17a FADP may also be inclu­ded in the future imple­men­ting regulation.

Apart from repla­cing the term “per­so­na­li­ty pro­files” with “other data pro­ces­sing pur­suant to Arti­cle 30(2)(b) and (c)”, the requi­re­ments under para­graphs 1 and 2 are lar­ge­ly con­si­stent with tho­se of Arti­cle 17a(1) FADP. Fur­ther­mo­re, let­ter c spe­ci­fies that a test pha­se is requi­red “in par­ti­cu­lar for tech­ni­cal rea­sons”. This chan­ge is justi­fied by the repeal of Arti­cle 17a(2) FADP, which lists the cases in which the prac­ti­cal imple­men­ta­ti­on of a data pro­ces­sing ope­ra­ti­on may necessa­ri­ly requi­re a test pha­se. For the rea­sons set out abo­ve, the­se cases can be regu­la­ted in an imple­men­ting ordinance.

Para­graphs 3 and 4 remain unch­an­ged from the cur­rent law, except for the remo­val of the term “per­so­na­li­ty pro­files” and some edi­to­ri­al changes.

Art. 36 Dis­clo­sure of per­so­nal data

1 Federal bodies may dis­c­lo­se per­so­nal data only if the­re is a legal basis for doing so in accordance with Arti­cle 34 para­graphs 1 – 3.

2 They may dis­c­lo­se per­so­nal data in dero­ga­ti­on of para­graph 1 in indi­vi­du­al cases if one of the fol­lo­wing con­di­ti­ons is met:

a. The dis­clo­sure of the data is indis­pensable for the per­son respon­si­ble or for the reci­pi­ent to ful­fill a legal task.
b. The data sub­ject has con­sen­ted to the disclosure.
c. The dis­clo­sure of the data is necessa­ry to pro­tect the life or phy­si­cal inte­gri­ty of the data sub­ject or a third par­ty and it is not pos­si­ble to obtain the data subject’s con­sent wit­hin a rea­son­ab­le time.
d. The data sub­ject has made his/her data gene­ral­ly avail­ab­le and has not express­ly pro­hi­bi­ted disclosure.
e. The reci­pi­ent shall make a credi­ble case that the data sub­ject refu­ses con­sent or objects to dis­clo­sure in order to pre­vent him or her from asser­ting legal claims or pro­tec­ting other inte­rests worthy of pro­tec­tion; the data sub­ject shall be given the oppor­tu­ni­ty to sta­te his or her posi­ti­on in advan­ce, unless this is impos­si­ble or would invol­ve dis­pro­por­tio­na­te effort.

3 In addi­ti­on, the federal bodies may dis­c­lo­se per­so­nal data wit­hin the frame­work of offi­cial infor­ma­ti­on to the public ex offi­cio or on the basis of the Public Infor­ma­ti­on Act of 17 Decem­ber 2004 if:

a. the data are rela­ted to the per­for­mance of public tasks; and
b. the­re is an over­ri­ding public inte­rest in disclosure.

4 On request, they may disclose the surname, first name, address and date of birth of a person even if the requirements under paragraph 1 or 2 are not met.

5 They may make per­so­nal data gene­ral­ly acces­si­ble by means of auto­ma­ted infor­ma­ti­on and com­mu­ni­ca­ti­on ser­vices if a legal basis pro­vi­des for the publi­ca­ti­on of such data or if they dis­c­lo­se data on the basis of para­graph 3. If the­re is no lon­ger any public inte­rest in making the data gene­ral­ly acces­si­ble, the data con­cer­ned shall be dele­ted from the auto­ma­ted infor­ma­ti­on and com­mu­ni­ca­ti­on service.

6 Federal bodies shall refu­se, restrict or impo­se con­di­ti­ons on dis­clo­sure if:

a. essen­ti­al public inte­rests or inte­rests of the data sub­ject that are obvious­ly worthy of pro­tec­tion requi­re it; or
b. statutory confidentiality obligations or special data protection regulations require it.

Bot Art. 32 Disclosure of personal data (count. acc. to draft)

Article 32 E‑DSG retains the principle of Article 19 DSG, according to which federal bodies may in principle only disclose personal data if there is a legal basis for doing so. However, it specifies that the term legal basis corresponds to the term under Article 30(1 – 3) E‑DSA. It follows from this specification that Article 32 does not refer to the exceptions provided for in Article 30(4). Accordingly, the cases in which federal bodies are authorized to disclose personal data without a legal basis are enumerated exhaustively in Article 32(2)(a‑e) E‑DSG. This amendment takes into account criticism in the doctrine regarding the delimitation of the exceptions in Article 17 paragraph 2 FADP and Article 19 paragraph 2 FADP.

The term “per­so­nal data” in para­graph 1 also inclu­des par­ti­cu­lar­ly sen­si­ti­ve per­so­nal data. If Arti­cle 30 requi­res a basis in a law in the for­mal sen­se for the pro­ces­sing of a cer­tain cate­go­ry of per­so­nal data (par­ti­cu­lar­ly sen­si­ti­ve per­so­nal data) or cer­tain pro­ces­sing ope­ra­ti­ons (pro­filing, pro­ces­sing ope­ra­ti­ons pur­suant to Arti­cle 30(2)(c)), this also app­lies to the pro­vi­si­ons gover­ning the dis­clo­sure of the per­so­nal data in que­sti­on. The dis­clo­sure of per­so­nal data is in its­elf a par­ti­cu­lar­ly sen­si­ti­ve pro­cess, so that in this area it may not be irrele­vant how the dis­c­lo­sed data is obtai­ned. The­re­fo­re, if dis­clo­sure takes place sub­se­quent to one of the par­ti­cu­lar­ly sen­si­ti­ve types of pro­ces­sing, this must be pro­vi­ded for in a law in the for­mal sen­se. The excep­ti­ons to para­graph 2 also app­ly if a federal body intends to dis­c­lo­se this type of data.

The excep­ti­on under para­graph 2 let­ter a is expan­ded. Pre­vious­ly, federal bodies were allo­wed to dis­c­lo­se data in indi­vi­du­al cases without a legal basis if the dis­clo­sure of the data was indis­pensable for the reci­pi­ent to ful­fill a legal task. Now they may also do so if this is indis­pensable for them to ful­fill a sta­tu­to­ry task.

Subparagraph (c) is a new exception that is not provided for in Article 19 paragraph 1 FADP. It is also inserted in Article 30(4)(c) E‑DSA.

Article 32(3) of the e‑Data Protection Act corresponds to Article 19(1) of the Data Protection Act, with the exception of a selective amendment. The purpose of adapting the wording of Article 32(3) is to improve coordination between the BGÖ and the FADP. With regard to the requirement of overriding public interest in the disclosure of data (Art. 32(3)(b) DPA), it should be clarified that this requirement applies not only in addition to (as an alternative to) Article 32(1) and (2), but also independently. It is proposed to replace the term “also” (for which there is no equivalent in the French version) with “furthermore/en outre” in the introductory sentence of Article 32(3) E‑DSG in order to make it clear that the legal basis under paragraph 3 is in addition to those in paragraphs 1 and 2.

Article 32(4) remains unchanged compared to Article 19 paragraph 2 FADP. The explanations in the Federal Council Message of March 23, 1988 retain their validity.

In con­trast, the legal basis for “call-off pro­ce­du­res” (Art. 19 para. 3 FADP) in the case of federal bodies has been repealed becau­se it appears to be out­da­ted in the digi­tal age. This amend­ment does not lead to a wea­ke­n­ing of the pro­tec­tion of per­so­nal data, becau­se dis­clo­sure must always take place wit­hin the frame­work of the sta­tu­to­ry data pro­tec­tion pro­vi­si­ons. The adjust­ments to the area-spe­ci­fic data pro­tec­tion pro­vi­si­ons resul­ting from the repeal of Arti­cle 19 (3) will be made on an ongo­ing basis as part of revi­si­ons to the respec­ti­ve enactments.

Para­graphs 5 and 6 cor­re­spond to para­graphs 3 and 4 of Arti­cle 19 DSG.

Art. 37 Objec­tion to the dis­clo­sure of per­so­nal data

1 The data sub­ject who credi­b­ly demon­stra­tes an inte­rest worthy of pro­tec­tion may object to the dis­clo­sure of cer­tain per­so­nal data by the federal body responsible.

2 The federal body shall reject the requ­est if any of the fol­lo­wing con­di­ti­ons are met:

a. The­re is a legal obli­ga­ti­on to disclose.
b. The ful­fill­ment of its task would other­wi­se be jeopardized.

3 Arti­cle 36 para­graph 3 remains reserved.

Bot Art. 33 Objection to disclosure of personal data (count. acc. to draft)

This provision, apart from some editorial changes, remains unchanged compared to the current law (Article 20 FADP). In the German version, the term “blocking of disclosure” is replaced by “objection to disclosure” in line with European terminology.

In the opi­ni­on of the Com­mis­sio­ner, the right to object should app­ly not only to data dis­clo­sure, but also to data processing.

Art. 38 Offer of docu­ments to the Federal Archives

1 In accordance with the Archi­ving Act of 26 June 1998, federal bodies offer to the Federal Archi­ves all per­so­nal data that they no lon­ger requi­re on a per­ma­nent basis.

2 They shall destroy per­so­nal data desi­gna­ted by the Federal Archi­ves as not being of archi­val value unless:

a. the­se are anonymized;
b. these must be retained for evidentiary or security purposes or to protect the legitimate interests of the data subject.

Bot Art. 34 Offer of records to the Federal Archives (count. acc. to draft)

This provision corresponds to Article 21 FADP. It remains materially unchanged.

Art. 39 Data pro­ces­sing for non-per­so­nal purposes

1 Federal bodies may pro­cess per­so­nal data for non-per­so­nal pur­po­ses, in par­ti­cu­lar for rese­arch, plan­ning or sta­tis­tics, if:

a. the data will be anony­mi­zed as soon as the pur­po­se of pro­ces­sing permits;
b. the federal body dis­c­lo­ses per­so­nal data requi­ring spe­cial pro­tec­tion to pri­va­te per­sons only in such a way that the per­sons con­cer­ned can­not be identified;
c. the reci­pi­ent dis­c­lo­ses the data to third par­ties only with the con­sent of the federal body that dis­c­lo­sed the data; and
d. the results are published only in such a way that the per­sons con­cer­ned can­not be identified.

2 Arti­cles 6(3), 34(2) and para­graph 1 shall not apply.

Bot Art. 35 Processing for research, planning and statistics (count. acc. to draft)

This provision largely corresponds to Article 22 DSG.

In addi­ti­on, a new let­ter b is added to para­graph 1, accord­ing to which federal bodies must dis­c­lo­se per­so­nal data requi­ring spe­cial pro­tec­tion to pri­va­te third par­ties in such a way that the per­son con­cer­ned can­not be iden­ti­fied. This is inten­ded to streng­t­hen the pro­tec­tion of par­ti­cu­lar­ly sen­si­ti­ve per­so­nal data. This requi­re­ment is also met if the dis­clo­sure is made in pseud­ony­mi­zed form and the key remains with the per­son dis­clo­sing the data (de fac­to anonymization).

Para­graph 2 is also amen­ded regar­ding the refe­ren­ces to Arti­cles 5(3), 30(2) and 32(1) E‑DSG.

Art. 40 Acti­vi­ties of federal bodies under pri­va­te law

If a federal body acts under pri­va­te law, the pro­vi­si­ons for data pro­ces­sing by pri­va­te per­sons apply.

Bot Art. 36 Pri­va­te law acti­vi­ties of federal bodies (count. acc. to draft)

This provision corresponds to Article 23 paragraph 1 FADP. Article 23 paragraph 2 FADP can be repealed, since the same supervisory system is provided for in the E‑DSG for private persons and federal bodies.

Art. 41 Claims and procedure

1 Any per­son having an inte­rest worthy of pro­tec­tion may requi­re the respon­si­ble federal body to:

a. refrain from unlawful processing of the personal data concerned;
b. eliminate the consequences of unlawful processing;
c. establish the unlawfulness of the processing.

2 In par­ti­cu­lar, the app­li­cant may requ­est that the federal body:

a. cor­rects, dele­tes or destroys the per­so­nal data concerned;
b. com­mu­ni­ca­tes or publishes its deci­si­on to third par­ties, in par­ti­cu­lar on the cor­rec­tion, dele­ti­on or dest­ruc­tion, the objec­tion to dis­clo­sure in accordance with Arti­cle 37 or the note of objec­tion in accordance with para­graph 4.

3 Ins­tead of deleting or destroy­ing the per­so­nal infor­ma­ti­on, the federal agen­cy restricts pro­ces­sing if:

a. the per­son con­cer­ned dis­pu­tes the accu­ra­cy of the per­so­nal data and neit­her the accu­ra­cy nor the inac­cu­ra­cy can be established;
b. over­ri­ding inte­rests of third par­ties requi­re this;
c. an over­ri­ding public inte­rest, in par­ti­cu­lar the inter­nal or exter­nal secu­ri­ty of Switz­er­land, so requires;
d. the dele­ti­on or dest­ruc­tion of the data may jeo­par­di­ze an inve­sti­ga­ti­on, inqui­ry or admi­ni­stra­ti­ve or judi­cial proceedings.

4 If neit­her the accu­ra­cy nor the inac­cu­ra­cy of the per­so­nal data in que­sti­on can be estab­lished, the federal body shall affix a noti­ce of dis­pu­te to the data.

5 The cor­rec­tion, dele­ti­on or dest­ruc­tion of per­so­nal data can­not be reque­sted with regard to the hol­dings of publicly acces­si­ble libra­ries, edu­ca­tio­nal insti­tu­ti­ons, muse­ums, archi­ves or other public memo­ry insti­tu­ti­ons. If the app­li­cant credi­b­ly demon­stra­tes an over­ri­ding inte­rest, he or she may requ­est that the insti­tu­ti­on restrict access to the dis­puted data. Para­graphs 3 and 4 are not applicable.

6 The pro­ce­du­re is gover­ned by the VwVG. The excep­ti­ons under Arti­cles 2 and 3 VwVG are not applicable.

Bot Art. 37 Claims and pro­ce­du­res (count. acc. to draft)

In comparison with Article 25 DSG, Article 37 E‑DSG undergoes some changes, which are explained below.

Para. 1 Request

This provision regulates the requests that the persons concerned may address to federal bodies. In comparison with Article 25 paragraph 1 FADP, it is not changed.

Par. 2 Fur­ther requests

Today, the right of the data subject to request the deletion of his or her data arises implicitly from Article 25 DSG. In order to take into account the requirements of Article 8(e) E‑SEV 108 and of Article 16 of Directive (EU) 2016/680, this entitlement is now explicitly mentioned in Article 37(2)(a) and (b). Article 17 of Regulation (EU) 2016/679 in turn provides for the right of the data subject to request the deletion of data concerning him or her under certain conditions (“right to be forgotten”). The same right is introduced in Article 28 of the e‑Data Protection Act, so that the regulation is the same for private and public data controllers (see Section 9.1.6). However, the actual legal situation does not change.

In para­graph 2(a), in com­pa­ri­son with Arti­cle 25(3)(3) FADP, the last sub-sen­tence con­cer­ning the blocking of dis­clo­sure to third par­ties is dele­ted becau­se the objec­tion to the dis­clo­sure of data is exhaus­tively regu­la­ted by Arti­cle 33 FADP. The objec­tion under Arti­cle 33 FADP is not lin­ked to unlaw­ful pro­ces­sing, which is the case with the claims under Arti­cle 37.

Howe­ver, let­ter b of this pro­vi­si­on retains the pos­si­bi­li­ty that the data sub­ject may requ­est the federal body to publish the deci­si­on on the objec­tion to dis­clo­sure under Arti­cle 33. Arti­cle 33 does not pro­vi­de for this, but it seems rea­son­ab­le that the per­son con­cer­ned can demand this at least in the case of unlaw­ful disclosure.

Par. 3 Restric­tion of processing

Para­graph 3 pro­vi­des for a mea­su­re that is less radi­cal than the dele­ti­on or dest­ruc­tion of the dis­puted per­so­nal data: the restric­tion of processing.

This regu­la­ti­on cor­re­sponds to Arti­cle 16(3) of the Direc­ti­ve (EU) 2016/680, accord­ing to which the con­trol­ler may restrict the pro­ces­sing ins­tead of deleting the dis­puted data if the data sub­ject dis­pu­tes the accu­ra­cy of the data and the accu­ra­cy or inac­cu­ra­cy can­not be estab­lished or if data must be fur­ther retai­ned for evi­den­tia­ry purposes.

Arti­cle 18 of the Regu­la­ti­on (EU) 2016/679 goes fur­ther, sin­ce accord­ing to this pro­vi­si­on the data sub­ject has a right to requ­est the restric­tion of processing.

E‑SEV 108, on the other hand, does not include the restriction of processing.

Para­graph 3 is to be inter­pre­ted in the sen­se that the data may con­ti­nue to be pro­ces­sed, but only for spe­ci­fic pur­po­ses. It is not a que­sti­on of exclu­ding any kind of data pro­ces­sing. Accord­ing to reci­tal 47 of the Direc­ti­ve (EU) 2016/680 the restric­tion of pro­ces­sing is to be under­s­tood as mea­ning that the federal body may pro­cess the data con­cer­ned only for the pur­po­se that pre­ven­ted their dele­ti­on. Para­graph 3 pro­vi­des four con­stel­la­ti­ons for this.

Accord­ing to para­graph 3 let­ter a, the federal body must restrict the pro­ces­sing of per­so­nal data if the per­son con­cer­ned dis­pu­tes the accu­ra­cy of the per­so­nal data and neit­her its accu­ra­cy nor inac­cu­ra­cy can be estab­lished. In this case, the restric­tion of pro­ces­sing means that the federal body may pro­cess the dis­puted data sole­ly for the pur­po­se of estab­li­shing its accu­ra­cy or inac­cu­ra­cy. As soon as the accu­ra­cy of the data is estab­lished, the federal body may con­ti­nue pro­ces­sing without restric­tions. Howe­ver, if the per­so­nal data pro­ve to be inac­cu­ra­te, the federal body must dele­te or destroy them, unless let­ter b or c app­lies in the case in question.

Para­graph 3(b) sti­pu­la­tes that the federal body must restrict pro­ces­sing if the over­ri­ding inte­rests of a third par­ty so requi­re, for examp­le if the dele­ti­on or dest­ruc­tion of cer­tain data could pre­vent a third par­ty from exer­ci­s­ing his or her rights in court. This means that the data may con­ti­nue to be pro­ces­sed, but only so that the third par­ty con­cer­ned can exer­cise his or her rights. Any pro­ces­sing for any other pur­po­se is excluded.

Under para­graph 3(c), the federal body does not have to dele­te or destroy the dis­puted data if this could jeo­par­di­ze an over­ri­ding public inte­rest, name­ly Switzerland’s inter­nal or exter­nal security.

Final­ly, para­graph 3 let­ter d sta­tes that the federal body need not dele­te or destroy the data if this may jeo­par­di­ze an inve­sti­ga­ti­on, inqui­ry or admi­ni­stra­ti­ve or judi­cial pro­ce­e­dings. In this case, the federal body may con­ti­nue to pro­cess the per­so­nal data, but only for the pur­po­se that pre­ven­ted its dele­ti­on, i.e. to con­ti­nue an inve­sti­ga­ti­on, inqui­ry or proceedings.

Restriction of processing means that the disputed data are marked so that their future processing is carried out exclusively for the purpose that prevented their deletion or destruction. The marking must be clear. In practice, it may mean that the disputed data is temporarily moved to another processing system or that users are prevented from accessing the data. In systems for automated data processing, the restriction of processing should in principle be guaranteed by technical means so that the data cannot be further processed or modified for purposes other than those specified in paragraph 3.

Par. 4 Note of denial

This provision contains the so-called denial note, which has been taken over unchanged from the previous law (Art. 25 Para. 2 FADP). Accordingly, data may be annotated if neither the accuracy nor the inaccuracy of the data can be definitively determined.

Par. 5 Hol­dings of public memo­ry institutions

Accord­ing to para­graph 5, the cor­rec­tion, dele­ti­on or dest­ruc­tion of data can­not be reque­sted in rela­ti­on to the hol­dings of publicly acces­si­ble libra­ries, edu­ca­tio­nal insti­tu­ti­ons, muse­ums, archi­ves or other public memo­ry insti­tu­ti­ons. The excep­ti­on has limi­ted scope in that many of the­se insti­tu­ti­ons are cove­r­ed by can­to­nal data pro­tec­tion law. The pro­vi­si­on refers to public insti­tu­ti­ons who­se acti­vi­ty con­sists in par­ti­cu­lar in collec­ting, index­ing, pre­ser­ving and com­mu­ni­ca­ting docu­ments of all kinds (inclu­ding digi­tal ones). This spe­ci­fic pro­ces­sing pur­po­se would be oppo­sed to rec­ti­fi­ca­ti­on, dele­ti­on or dest­ruc­tion inso­far as it rela­tes to the archi­ve hol­dings of such insti­tu­ti­ons. The deni­al noti­ce under para­graph 4 of this arti­cle does not app­ly eit­her. This is becau­se the­se hol­dings are inten­ded to depict a moment in the past by means of docu­ments, which is only pos­si­ble if the­se docu­ments are con­tai­ned in the archi­ve true to the ori­gi­nal and thus unch­an­ged. The­re is a con­si­derable public inte­rest in this, which ari­ses from the free­dom of infor­ma­ti­on (Art. 16 Para. 3 BV).

Howe­ver, the second sen­tence in para­graph 5 allo­ws the data sub­ject to requ­est that the insti­tu­ti­on in que­sti­on restrict access to the dis­puted data. For this, howe­ver, the data sub­ject must credi­b­ly demon­stra­te an over­ri­ding inte­rest. This excep­ti­on should be con­si­de­red in par­ti­cu­lar in light of the incre­a­sing ten­den­cy to make exten­si­ve hol­dings of publicly acces­si­ble memo­ry insti­tu­ti­ons avail­ab­le to anyo­ne on the Inter­net. This redu­ces the effort requi­red for tar­ge­ted sear­ches, while at the same time con­si­der­ab­ly expan­ding the group of peop­le who can access the hol­dings in que­sti­on. The law must the­re­fo­re per­mit a dif­fe­ren­tia­ted weig­hing of inte­rests for such cases. Here, the public inte­rest in unal­te­red and unre­stric­ted access to docu­ments and the inte­rest of the per­son con­cer­ned that infor­ma­ti­on about him that is untrue or vio­la­tes his per­so­na­li­ty is not gene­ral­ly acces­si­ble are oppo­sed. As is clear from sen­tence 1 of para­graph 5, the public inte­rest in free and unal­te­red access gene­ral­ly takes pre­ce­dence with regard to archi­ves and simi­lar insti­tu­ti­ons. An over­ri­ding inte­rest of the per­son con­cer­ned, on the other hand, can only be assu­med if he or she suf­fers signi­fi­cant per­so­nal dis­ad­van­ta­ges as a result of free access, which may also signi­fi­cant­ly restrict him or her in the future (e.g. in his or her pro­fes­sio­nal advan­ce­ment). The­se dis­ad­van­ta­ges must also be put in rela­ti­on to the archi­val value of the dis­puted data, which may result, for examp­le, from the histo­ri­cal signi­fi­can­ce, natu­re or con­tent of the docu­ment. An over­ri­ding inte­rest on the part of the per­son con­cer­ned is to be assu­med, in par­ti­cu­lar, if the archi­val value of the data and thus also the import­ance of unre­stric­ted public access appears to be low in rela­ti­on to the con­si­derable restric­tions on the per­son con­cer­ned. 
In this case, the data sub­ject may requ­est that the insti­tu­ti­on restrict access to the dis­puted data. The restric­tion must be desi­gned in the indi­vi­du­al case in such a way that it appears pro­por­tio­na­te with regard to the inte­rests at sta­ke. For examp­le, it may often be suf­fi­ci­ent that a docu­ment is not acces­si­ble on the Inter­net, but only in phy­si­cal archi­ves. In indi­vi­du­al cases, it would also be con­ceiva­ble to grant access to a docu­ment only to per­sons who need it for their sci­en­ti­fic or jour­na­li­stic activities.

Howe­ver, para­graph 5 does not cover data pro­ces­sing by such insti­tu­ti­ons that is not rela­ted to the collec­tions and is car­ri­ed out for other pur­po­ses, such as libra­ry user accounts or per­son­nel files. For the­se pro­ces­sing ope­ra­ti­ons, the rights in Arti­cle 37 are ful­ly avail­ab­le to the data subject.

Art. 42 Pro­ce­du­re in case of dis­clo­sure of offi­cial docu­ments con­tai­ning per­so­nal data

If pro­ce­e­dings con­cer­ning access to offi­cial docu­ments con­tai­ning per­so­nal data are pen­ding wit­hin the mea­ning of the Public Access Act of 17 Decem­ber 2004, the per­son con­cer­ned may assert in the­se pro­ce­e­dings the rights to which he or she is enti­t­led under Arti­cle 41 of this Act in respect of tho­se docu­ments that are the sub­ject of the access proceedings.

Bot Art. 38 Pro­ce­du­re in case of dis­clo­sure of offi­cial docu­ments con­tai­ning per­so­nal data (count. acc. to draft)

This provision corresponds to Article 25 DSG. It remains materially unchanged.

Chap­ter 7: Federal Data Pro­tec­tion and Infor­ma­ti­on Commissioner

Sec­tion 1: Organization

Art. 43 Elec­tion and position

1 The United Federal Assem­bly elects the head of the FDPIC (the Commissioner).

2 Anyone who is entitled to vote on federal matters is eligible for election.

3 The employ­ment rela­ti­ons­hip of the appoin­tee shall be gover­ned by the Federal Per­son­nel Act of March 24, 2000 (BPG), unless other­wi­se pro­vi­ded for in this Act.

4 The Com­mis­sio­ner shall exer­cise his or her func­tion inde­pendent­ly, without see­king or accep­t­ing inst­ruc­tions from any aut­ho­ri­ty or third par­ty. He or she is admi­ni­stra­tively assi­gned to the Federal Chancellery.

5 She or he has a per­ma­nent secre­ta­ri­at and his or her own bud­get. She or he hires his or her staff.

6 He or she is not sub­ject to the app­rai­sal system pur­suant to Arti­cle 4(3) BPG.

Bot Art. 39 Appoint­ment and posi­ti­on (count. acc. to draft)
Par. 1 Appoint­ment procedure

The appointment process of the appointee remains unchanged under paragraph (1) because it is consistent with the requirements of the Directive (EU) 2016/680 and of the E‑SEV 108. The E‑SEV 108 does not contain any provision on the mode of election or appointment of the supervisory authority. Article 43 of the Directive (EU) 2016/680 obliges the Schengen States to regulate the appointment procedure, but leaves them the choice between appointment by the Parliament, the Government, the Head of State or by an independent body. Article 53 of the Regulation (EU) 2016/679 provides the same solution for the member states of the European Union.

The Federal Coun­cil has exami­ned the pro­po­sal of various con­sul­ta­ti­on par­ti­ci­pants to intro­du­ce an elec­tion by Par­lia­ment. For the fol­lo­wing rea­sons, it has come to the con­clu­si­on that this chan­ge is not appro­pria­te. The cur­rent pro­ce­du­re pro­vi­des suf­fi­ci­ent gua­ran­tees for the inde­pen­dence of the appoin­tee vis-à-vis the exe­cu­ti­ve branch. This is becau­se the Federal Assem­bly can refu­se to appro­ve the appoint­ment of the Federal Coun­cil. The Federal Coun­cil is also not con­vin­ced that an elec­tion by par­lia­ment would streng­t­hen the inde­pen­dence of the appoin­tee. This is becau­se it could be influ­en­ced by inte­rest groups. Moreo­ver, appoint­ment by the Federal Coun­cil, sub­ject to appro­val by par­lia­ment, offers the pos­si­bi­li­ty that the appoin­tee can remain admi­ni­stra­tively atta­ched to the Federal Chan­cel­le­ry. This would no lon­ger be pos­si­ble in the case of an elec­tion by par­lia­ment. If the com­mis­sio­ner were no lon­ger part of the federal admi­ni­stra­ti­on, it can­not be ruled out that it would be more dif­fi­cult for him or her to super­vi­se federal bodies and to per­sua­de them to coope­ra­te in an inve­sti­ga­ti­on. Final­ly, if the com­mis­sio­ner were elec­ted by par­lia­ment, he or she would also have to be finan­cial­ly inde­pen­dent, such as the Swiss Federal Audit Office.

Par. 3 Position

Paragraph 3, first sentence, specifies the independence of the commissioner by specifying that he or she may not seek or receive instructions from an authority or a third party. This amendment takes into account the requirements of Article 12(4) E‑SEV 108 and of Article 42 paragraphs 1 and 2 of the Directive (EU) 2016/680, which has the same wording as Article 52(1) and (2) of the Regulation (EU) 2016/679.

Para. 2, 4 and 5

The­se pro­vi­si­ons remain mate­ri­al­ly unch­an­ged in rela­ti­on to the cur­rent law (Art. 26(2), (4) and (5) FADP).

The Com­mis­sio­ner belie­ves that the regu­la­ti­on of his bud­get should be ali­gned with the regu­la­ti­on for the Federal Audit Office becau­se of his super­vi­so­ry role.

Art. 44 Term of office, re-elec­tion and ter­mi­na­ti­on of the term of office

1 The term of office of the com­mis­sio­ner shall be four years and may be rene­wed twice. It begins on Janu­a­ry 1 fol­lo­wing the start of the legis­la­ti­ve peri­od of the Natio­nal Council.

2 The Com­mis­sio­ner may requ­est the Federal Assem­bly to dis­miss him or her at the end of a mon­th, giving six mon­ths’ notice.

3 The United Federal Assem­bly may remo­ve the appoin­tee from office befo­re the expi­ra­ti­on of the term of office if the appointee:

a. has serious­ly vio­la­ted offi­cial duties inten­tio­nal­ly or through gross negli­gence; or
b. has per­ma­nent­ly lost the abi­li­ty to hold office.

Bot Art. 40 Reappointment and termination of term of office (count. acc. to draft)

Currently, the Commissioner may be re-elected for an unlimited number of terms. This principle is amended in paragraph 1 to implement the requirements of Article 44(1)(e) of the Directive (EU) 2016/680. This provides that the Schengen States must regulate whether and, if so, how often the member or members of the supervisory authority may be reappointed. According to this provision, the Schengen States therefore have a choice as to whether and how often the supervisory authority may be reappointed. Article 54(1)(e) of the Regulation (EU) 2016/679 contains a similar provision.

In accordance with the room for maneuver granted by Article 44 of the Directive (EU) 2016/680, the Federal Council proposes that the appointee may be reappointed twice. He or she may therefore remain in office for a maximum of twelve years. This measure is intended to strengthen the independence of the appointee as an authority. She or he shall not be restrained in fulfilling the statutory mandate for fear of not being reelected. If the appointee reaches retirement age during the term of office, the employment relationship shall automatically terminate upon reaching the age specified in Article 21 of the Federal Law of 20 December 1946 on Old Age and Survivors’ Insurance (AHVG) (Art. 10 para. 1 of the Federal Personnel Act of 24 March 2000 (BPG) in conjunction with Art. 14 para. 1 BPG). Paragraphs 2, 3 and 4 remain materially unchanged in relation to Article 26a FADP.

Art. 45 Budget

The FDPIC sub­mits its draft bud­get annu­al­ly to the Federal Coun­cil via the Federal Chan­cel­le­ry. The lat­ter for­wards it unch­an­ged to the Federal Assembly.

Art. 46 Incompatibility

The com­mis­sio­ner may not be a mem­ber of the Federal Assem­bly or the Federal Coun­cil and may not be employ­ed by the Confederation.

Art. 47 Secon­da­ry employment

1 The appoin­tee may not hold a second job.

2 The United Federal Assem­bly may per­mit the Com­mis­sio­ner to enga­ge in secon­da­ry employ­ment if this does not impair the exer­cise of the func­tion or the inde­pen­dence and repu­ta­ti­on of the FDPIC. The deci­si­on shall be published.

Bot Art. 41 Secon­da­ry employ­ment (count. acc. to draft)

Article 41 tightens the requirements for the commissioner to engage in secondary employment. This provision implements the requirements of Article 42(3) of the Directive (EU) 2016/680, which has the same wording as Article 52(3) of the Regulation (EU) 2016/679. The provision applies only to the appointee. The deputy and the secretariat are subject to the BPG.

Article 26b FADP merely provides that the Federal Council may permit the Commissioner to engage in other employment if this does not impair his or her independence and reputation. The first sentence of Article 41(1), on the other hand, lays down the principle that the Commissioner may not engage in any additional gainful activity. The second sentence specifies that he or she may also not hold an office of the Confederation or of a canton. The term canton is to be understood in a broad sense and also includes the municipalities, districts, counties and corporations under public law. Paragraph 1, second sentence further stipulates that the appointee may also not serve as a member of the management, the board of directors, or the supervisory or auditing body of a commercial enterprise. This applies regardless of whether such activity would be remunerated or not.

Para­graph 2 limits the scope of para­graph 1, pro­vi­ding that the Federal Coun­cil may per­mit the appoin­tee to enga­ge in secon­da­ry employ­ment under cer­tain con­di­ti­ons. The deci­si­on of the Federal Coun­cil shall be published.

Art. 48 Self-regu­la­ti­on of the FDPIC

The FDPIC ensu­res that the legal­ly com­pli­ant enfor­ce­ment of federal data pro­tec­tion regu­la­ti­ons is gua­ran­te­ed wit­hin its aut­ho­ri­ty by means of appro­pria­te con­trol mea­su­res, in par­ti­cu­lar with regard to data security.

Bot Art. 42 Self-regu­la­ti­on of the com­mis­sio­ner (count. acc. to draft)

This pro­vi­si­on obli­ges the Com­mis­sio­ner to take appro­pria­te con­trol mea­su­res, in par­ti­cu­lar with regard to the secu­ri­ty of per­so­nal data and the legal­ly com­pli­ant enfor­ce­ment of federal data pro­tec­tion regu­la­ti­ons. The Federal Coun­cil will spe­ci­fy the mea­su­res to be taken in the future ordinance.

Sec­tion 2: Inve­sti­ga­ti­on of Data Pro­tec­tion Breaches

Art. 49 Investigation

1 The FDPIC opens an inve­sti­ga­ti­on ex offi­cio or upon noti­fi­ca­ti­on against a federal body or a pri­va­te per­son if the­re are suf­fi­ci­ent indi­ca­ti­ons that a data pro­ces­sing ope­ra­ti­on could vio­la­te data pro­tec­tion regulations.

2 It may refrain from ope­ning an inve­sti­ga­ti­on if the bre­ach of data pro­tec­tion rules is of minor importance.

3 The federal body or the pri­va­te per­son shall pro­vi­de the FDPIC with all infor­ma­ti­on and make avail­ab­le to him all docu­ments that are necessa­ry for the inve­sti­ga­ti­on. The right to refu­se to pro­vi­de infor­ma­ti­on is gover­ned by Arti­cles 16 and 17 of the Admi­ni­stra­ti­ve Pro­ce­du­re Act, unless Arti­cle 50 para­graph 2 of this Act pro­vi­des otherwise.

4 If the data sub­ject has filed a com­p­laint, the FDPIC will inform him or her of the steps taken on the basis of this com­p­laint and the result of any investigation.

Bot Art. 43 Inve­sti­ga­ti­on (count. acc. to draft)

Under cur­rent law, the pro­cess dif­fers depen­ding on whe­ther it invol­ves the commissioner’s over­sight acti­vi­ties in the pri­va­te sec­tor or the public sec­tor. While Arti­cle 27 DSG ent­rusts the Com­mis­sio­ner with the task of moni­to­ring data pro­ces­sing by federal bodies, Arti­cle 29(1)(a‑c) FADP sti­pu­la­tes that the Com­mis­sio­ner shall open an inve­sti­ga­ti­on against a pri­va­te indi­vi­du­al if pro­ces­sing methods are likely to infrin­ge the per­so­na­li­ty of a lar­ge num­ber of indi­vi­du­als, data collec­tions pur­suant to Arti­cle 11a DSG must be regi­stered or the­re is an obli­ga­ti­on to pro­vi­de infor­ma­ti­on under Arti­cle 6(3). The moni­to­ring powers of the Com­mis­sio­ner vis-à-vis the pri­va­te sec­tor do not cur­r­ent­ly meet the requi­re­ments of the E‑SEV 108. Thus, its Arti­cle 12 does not pro­vi­de for any limi­ta­ti­on of the super­vi­so­ry authority’s powers of inve­sti­ga­ti­on and inter­ven­ti­on vis-à-vis the data controllers.

Par. 1 Ope­ning of the investigation

Accord­ing to Arti­cle 43 (1) E‑DSG, the Com­mis­sio­ner shall open an inve­sti­ga­ti­on ex offi­cio or upon noti­fi­ca­ti­on if the­re are indi­ca­ti­ons that a data pro­ces­sing ope­ra­ti­on may vio­la­te data pro­tec­tion regu­la­ti­ons. The report may be made by a third par­ty or by the data sub­ject. Howe­ver, the per­son making the report does not have par­ty sta­tus in the pro­ce­e­dings (Art. 46 para. 2 e con­tra­rio). If, on the other hand, the per­son con­cer­ned has filed a com­p­laint, the com­mis­sio­ner must inform him or her of his or her fur­ther cour­se of action and the out­co­me of any inve­sti­ga­ti­on (para. 4). The data sub­ject must assert his or her rights through the app­li­ca­ble legal reme­di­es, i.e., he or she may file a com­p­laint with a civil court if the respon­si­ble par­ty is a pri­va­te per­son, or he or she may file a com­p­laint against the deci­si­on of the respon­si­ble federal body. This is in accordance with the app­li­ca­ble law.

Par. 2 Wai­ver of the ope­ning of an investigation

The Com­mis­sio­ner may refrain from ope­ning an inve­sti­ga­ti­on if the vio­la­ti­on of data pro­tec­tion regu­la­ti­ons is of minor import­ance. This would be the case, for examp­le, if a sports or cul­tu­ral club sends an e‑mail mes­sa­ge to all its mem­bers without con­ce­aling the iden­ti­ty of the reci­pi­ents. Para­graph 2 may also app­ly if the Com­mis­sio­ner con­si­ders that the advice given to the con­trol­ler is suf­fi­ci­ent to reme­dy a situa­ti­on that is hard­ly pro­ble­ma­tic in itself.

Par. 3 Duties to cooperate

Paragraph 3 regulates the duties of cooperation of the private person and the federal body by adopting the regulation under Articles 27 paragraph 3 and 29 paragraph 2 FADP. The party to the proceedings must provide the commissioner with all the information and documents that the commissioner requires for the investigation. The second sentence of paragraph 3 states that the right to refuse information is governed by Articles 16 and 17 of the Administrative Procedure Act. Article 16 paragraph 1 VwVG refers to Article 42 paragraphs 1 and 3 of the Federal Act of 4 December 1947 on Federal Civil Procedure. According to this provision, the persons questioned may refuse to testify if answering the question may expose them to the risk of criminal prosecution. This concerns the persons who must keep the secrets according to Articles 321, 321 and 321 StGB. For example, doctors may refuse to provide the Commissioner with personal data about their patients if the patients do not consent to this. The same applies to lawyers and their clients. Article 90 of the Regulation (EU) 2016/679 also provides that Member States shall regulate the powers of supervisory authorities with respect to controllers or processors who are subject to professional secrecy or an equivalent obligation of confidentiality under national law.

Art. 50 Powers

1 If the federal body or the pri­va­te per­son fails to com­ply with the obli­ga­ti­ons to coope­ra­te, the FDPIC may order the fol­lo­wing in par­ti­cu­lar as part of the investigation:

a. Access to all infor­ma­ti­on, docu­ments, records of pro­ces­sing acti­vi­ties and per­so­nal data necessa­ry for the investigation;
b. Access to pre­mi­ses and facilities;
c. Wit­ness interviews;
d. App­raisals by experts.

2 Pro­fes­sio­nal secrecy is reserved.

3 The FDPIC may invol­ve other federal aut­ho­ri­ties and the can­to­nal or com­mu­nal poli­ce aut­ho­ri­ties in the imple­men­ta­ti­on of the mea­su­res under para­graph 1.

Bot Art. 44 Powers (count. acc. to draft)

This provision fulfills the requirements of Article 12(2)(a) E‑SEV 108, according to which the supervisory authority must have powers of investigation and intervention. Article 47(1) of the Directive (EU) 2016/680 stipulates that Schengen States must provide effective investigative powers for the supervisory authority, namely the power to obtain from the controller access to all data being processed and to all information necessary for the performance of its tasks. The Regulation (EU) 2016/679, in turn, provides for an analogous rule in Article 58(1)(e) and (f).

Par. 1 Inve­sti­ga­ti­on measures

The mea­su­res under para­graph 1 may only be orde­red if an inve­sti­ga­ti­on has been ope­ned and inso­far as the pri­va­te per­son or the federal body fails to com­ply with its obli­ga­ti­ons to coope­ra­te. In other words, the com­mis­sio­ner may only order the mea­su­res under let­ters a‑d if he has tried in vain to obtain the coope­ra­ti­on of the per­son responsible.

The cata­log of mea­su­res accord­ing to para­graph 1 is simi­lar to that accord­ing to Arti­cle 12 VwVG. This is a non-exhaus­ti­ve list. The com­mis­sio­ner is aut­ho­ri­zed, among other things, to demand access to all infor­ma­ti­on, docu­ments, pro­ces­sing lists and per­so­nal data requi­red for the inve­sti­ga­ti­on (sub­pa­ra­graph a) or to demand access to pre­mi­ses and faci­li­ties (sub­pa­ra­graph b). Like all federal aut­ho­ri­ties, it must com­ply with the app­li­ca­ble legal pro­vi­si­ons, in par­ti­cu­lar tho­se rela­ting to data pro­tec­tion and the pro­tec­tion of indu­stri­al and com­mer­cial secrets. It is also sub­ject to offi­cial secrecy pur­suant to Arti­cle 22 BPG. Con­se­quent­ly, the con­fi­denti­al tre­at­ment of per­so­nal data to which he has access in the exer­cise of his super­vi­so­ry duties is gua­ran­te­ed, name­ly when he informs the per­son who filed the report of the out­co­me of any inve­sti­ga­ti­on (Art. 43 para. 4) or when he publishes his acti­vi­ty report in accordance with Art. 51 FADP.

Par. 2 Pre­cau­tio­na­ry measures

This provision gives the Commissioner the authority to order precautionary measures for the duration of the investigation and to have them enforced by a federal authority or the cantonal or municipal police bodies. The currently applicable Article 33 paragraph 2 FADP provides that the Commissioner may request the President of the Division of the Federal Administrative Court responsible for data protection to take precautionary measures if, in the course of an investigation against a private person or against a federal body, he determines that the persons concerned are threatened with a disadvantage that cannot be easily remedied. Since Article 45 of the Draft Data Protection Act grants the Commissioner the authority to issue orders, the Federal Administrative Court is no longer required to order precautionary measures and the corresponding provision can therefore be deleted. The procedure for appeals against precautionary measures is governed by Article 44 et seq. VwVG. The suspensive effect of the appeal is governed by Article 55 VwVG.

In view of Article 45 of the Regulation (EU) 2016/679, the new investigative powers of the commissioner are a crucial element in ensuring that the European Commission renews or upholds the adequacy decision vis-à-vis Switzerland.

Art. 51 Admi­ni­stra­ti­ve measures

1 If the­re is a bre­ach of data pro­tec­tion regu­la­ti­ons, the FDPIC may order that the pro­ces­sing be adap­ted, inter­rup­ted or ter­mi­na­ted in who­le or in part and that the per­so­nal data be dele­ted or destroy­ed in who­le or in part.

2 It may post­po­ne or pro­hi­bit dis­clo­sure abroad if it vio­la­tes the requi­re­ments of Arti­cles 16 or 17 or pro­vi­si­ons rela­ting to the dis­clo­sure of per­so­nal data abroad in other federal acts.

3 It may order, in par­ti­cu­lar, that the federal body or pri­va­te person:

a. informs him in accordance with Arti­cles 16 para­graph 2 let­ters b and c and 17 para­graph 2;
b. takes the pre­cau­ti­ons in accordance with Arti­cles 7 and 8;
c. in accordance with Arti­cles 19 and 21, informs the per­sons concerned;
d. car­ri­es out a data pro­tec­tion impact assess­ment in accordance with Arti­cle 22;
e. con­sults him in accordance with Arti­cle 23;
f. informs him or, as the case may be, the per­sons con­cer­ned in accordance with Arti­cle 24;
g. pro­vi­des the data sub­ject with the infor­ma­ti­on pur­suant to Arti­cle 25.

4 It may also order the pri­va­te respon­si­ble par­ty domic­i­led or resi­dent abroad to desi­gna­te a repre­sen­ta­ti­ve office in accordance with Arti­cle 14.

5 If the federal body or the pri­va­te per­son has taken the necessa­ry mea­su­res during the inve­sti­ga­ti­on to res­to­re com­pli­an­ce with the data pro­tec­tion regu­la­ti­ons, the FDPIC may limit hims­elf to issuing a warning.

Bot Art. 45 Admi­ni­stra­ti­ve mea­su­res (count. acc. to draft)

Article 45 of the E‑DSG implements Article 47(2) of the Directive (EU) 2016/680 and complies with the recommendations of the Schengen evaluators to grant the Commissioner powers of disposal. Article 58 paragraph 2 of the Regulation (EU) 2016/679 lists all the powers to take measures that the supervisory authority should have. In addition to the measures pursuant to Article 47 paragraph 2 of the Directive (EU) 2016/680, these are, according to the ordinance, namely the imposition of administrative fines (Art. 58(2)(i)) and the order to suspend the transfer of data to a recipient in a third country or to an international organization (Art. 58(2)(j)).

Article 45 E‑DSG largely corresponds to the requirements of Article 12(2)(c) and (6) E‑SEV 108.

Howe­ver, the Federal Coun­cil pro­po­ses not to give the Com­mis­sio­ner the aut­ho­ri­ty to issue admi­ni­stra­ti­ve sanc­tions, but rather to give him the aut­ho­ri­ty to order cer­tain admi­ni­stra­ti­ve mea­su­res, non-com­pli­an­ce with which can be punis­hed under cri­mi­nal law (Art. 57 E‑DSG).

Arti­cle 45 E‑DSG lea­ves the Com­mis­sio­ner a gre­at deal of room for maneu­ver. This is becau­se it is an optio­nal pro­vi­si­on and he is not obli­ged to take admi­ni­stra­ti­ve mea­su­res. The pro­vi­si­on inclu­des two cate­go­ries of measures.

The first cate­go­ry con­sists of a seri­es of mea­su­res against data pro­ces­sing that vio­la­tes data pro­tec­tion regu­la­ti­ons (paras. 1, 2 and 4). The mea­su­res ran­ge from a simp­le warning (para. 4) to an order to destroy per­so­nal data (para. 1) to a ban on dis­clo­sing per­so­nal data abroad (para. 2). The princip­le of this regu­la­ti­on is the pre­ser­va­ti­on of pro­por­tio­na­li­ty. Thus, ins­tead of orde­ring the ter­mi­na­ti­on of the pro­ces­sing, the com­mis­sio­ner may order its modi­fi­ca­ti­on and limit the mea­su­re only to the pro­ble­ma­tic part of the pro­ces­sing. If the par­ty to the inve­sti­ga­ti­on pro­ce­e­dings has taken the necessa­ry mea­su­res during the inve­sti­ga­ti­on to res­to­re com­pli­an­ce with data pro­tec­tion regu­la­ti­ons, the com­mis­sio­ner may also limit hims­elf to issuing a warning (para. 4).

The second cate­go­ry of mea­su­res rela­tes to cases in which regu­la­to­ry pro­vi­si­ons or obli­ga­ti­ons towards the data sub­ject are not obser­ved (para. 3). Among other things, the Com­mis­sio­ner may order the federal body or the pri­va­te per­son to car­ry out a data pro­tec­tion impact assess­ment in accordance with Arti­cle 20 (let. d) or to pro­vi­de the data sub­ject with the infor­ma­ti­on in accordance with Arti­cle 23 (let. g). The list under para­graph 3 is not exhaustive.

The Com­mis­sio­ner shall inform only the par­ties to the inve­sti­ga­ti­on pro­ce­e­dings of his deci­si­on. If necessa­ry, he shall inform the public in accordance with Arti­cle 51 (2) E‑DSG. The mea­su­re taken must be suf­fi­ci­ent­ly justi­fied. In par­ti­cu­lar, the con­trol­ler must be able to deter­mi­ne which data pro­ces­sing ope­ra­ti­ons fall under the deci­si­on of the appoin­tee. The par­ties invol­ved are enti­t­led to appeal in accordance with the gene­ral pro­vi­si­ons on the admi­ni­stra­ti­on of federal jus­ti­ce (cf. Art. 46). If necessa­ry, the com­mis­sio­ner may attach a penal­ty to the mea­su­re orde­red against the data con­trol­ler (Art. 57).

Art. 52 Procedure

1 The inve­sti­ga­ti­on pro­ce­du­re and rulings pur­suant to Arti­cles 50 and 51 are gover­ned by the VwVG.

2 Only the federal body or pri­va­te per­son against whom an inve­sti­ga­ti­on has been ope­ned shall be a party.

3 The FDPIC may appeal against deci­si­ons of the Federal Admi­ni­stra­ti­ve Court.

Bot Art. 46 Pro­ce­du­re (count. acc. to draft)

Pur­suant to para­graph 1, the inve­sti­ga­ti­on pro­ce­du­re and the pro­ce­du­re for adop­ting mea­su­res under Arti­cles 44 and 45 are gover­ned by the Admi­ni­stra­ti­ve Pro­ce­du­re Act. The pri­va­te per­son or federal body that is a par­ty to the inve­sti­ga­ti­on is enti­t­led to be heard (Art. 29 et seq. VwVG).

Para­graph 2 spe­ci­fies that only the federal body or pri­va­te per­son against whom an inve­sti­ga­ti­on has been ope­ned may be a par­ty to the pro­ce­e­dings. Accord­in­gly, only the lat­ter may appeal against rulings and mea­su­res taken against them by the Com­mis­sio­ner. The per­son con­cer­ned is not a par­ty, even if the com­mis­sio­ner has ope­ned the inve­sti­ga­ti­on on his or her report. If he or she wis­hes to assert legal claims against a pri­va­te con­trol­ler, he or she must do so in accordance with Arti­cle 28 E‑DSG, i.e. befo­re the com­pe­tent civil court. In the public sec­tor, the data sub­ject must take action against the respon­si­ble federal body (Art. 37) by chal­len­ging its deci­si­on befo­re the com­pe­tent appeal aut­ho­ri­ty. This remains unch­an­ged from the cur­rent law.

Pur­suant to para­graph 3, the Com­mis­sio­ner may chal­len­ge appeal deci­si­ons of the Federal Admi­ni­stra­ti­ve Court, as he can alrea­dy do cur­r­ent­ly under Arti­cles 27(6) and 29(4) FADP.

Art. 53 Coordination

1 Federal admi­ni­stra­ti­ve aut­ho­ri­ties that super­vi­se pri­va­te per­sons or orga­niz­a­ti­ons out­side the federal admi­ni­stra­ti­on in accordance with ano­t­her federal law invi­te the FDPIC to give its opi­ni­on befo­re issuing a ruling that con­cerns data pro­tec­tion issues.

2 If the FDPIC con­ducts its own inve­sti­ga­ti­on against the same par­ty, the two aut­ho­ri­ties shall coor­di­na­te their proceedings.

Bot Art. 47 Coor­di­na­ti­on (count. acc. to draft)

Cer­tain federal aut­ho­ri­ties super­vi­se pri­va­te indi­vi­du­als or orga­niz­a­ti­ons out­side the federal admi­ni­stra­ti­on. This is the case, for examp­le, of the Federal Office of Public Health with regard to health insuran­ce com­pa­nies or the Swiss Finan­cial Mar­ket Super­vi­so­ry Aut­ho­ri­ty (FINMA) with regard to banks or other finan­cial ser­vice pro­vi­ders. The term “orga­niz­a­ti­ons out­side the Federal Admi­ni­stra­ti­on” cor­re­sponds to the term used in Arti­cle 1 para­graph 2 let­ter e VwVG.

Data pro­tec­tion issu­es may ari­se in the cour­se of a super­vi­so­ry pro­ce­du­re, which may lead to a deci­si­on by the com­pe­tent aut­ho­ri­ty. To take this issue into account, para­graph 1 pro­vi­des that the super­vi­so­ry aut­ho­ri­ty shall invi­te the appoin­tee to com­ment. If the Com­mis­sio­ner has also ope­ned pro­ce­e­dings under Arti­cle 43 E‑DSG against the same par­ty, the super­vi­so­ry aut­ho­ri­ty and the Com­mis­sio­ner must coor­di­na­te at two levels (para­graph 2): on the one hand, to cla­ri­fy whe­ther the two pro­ce­e­dings can be con­duc­ted in par­al­lel or whe­ther one of the pro­ce­e­dings should be sus­pen­ded or dis­con­ti­nued, and on the other hand, for the con­tent of their respec­ti­ve deci­si­on if the pro­ce­e­dings are con­duc­ted in par­al­lel. In the case of con­flicts of com­pe­tence, the Federal Coun­cil deci­des (Art. 9 para. 3 VwVG). Coor­di­na­ti­on must be ensu­red in a simp­le and quick man­ner. The units con­cer­ned must be infor­med of the out­co­me of this coor­di­na­ti­on and the app­li­ca­ble legis­la­ti­on so that they are awa­re of their rights and obli­ga­ti­ons as quick­ly as possible.

Sec­tion 3: Admi­ni­stra­ti­ve assistance

Art. 54 Admi­ni­stra­ti­ve assi­stance bet­ween Swiss authorities

1 Federal and can­to­nal aut­ho­ri­ties shall dis­c­lo­se to the FDPIC the infor­ma­ti­on and per­so­nal data requi­red for the per­for­mance of its sta­tu­to­ry duties.

2 The FDPIC dis­c­lo­ses to the fol­lo­wing aut­ho­ri­ties the infor­ma­ti­on and per­so­nal data necessa­ry for the per­for­mance of their sta­tu­to­ry duties:

a. the aut­ho­ri­ties respon­si­ble for data pro­tec­tion in Switzerland;
b. the com­pe­tent cri­mi­nal pro­se­cu­ti­on aut­ho­ri­ties, if it is a mat­ter of reporting an offence in accordance with Arti­cle 65 para­graph 2;
c. the federal aut­ho­ri­ties and the can­to­nal and com­mu­nal poli­ce aut­ho­ri­ties for the enfor­ce­ment of the mea­su­res in accordance with Arti­cles 50 para­graph 4 and 51.

Bot Art. 48 Administrative assistance between Swiss authorities (count. acc. to draft)

This new pro­vi­si­on regu­la­tes admi­ni­stra­ti­ve assi­stance bet­ween the Com­mis­sio­ner and the federal and can­to­nal aut­ho­ri­ties. The cur­rent Arti­cle 31(1)(c) DPA is limi­ted to obli­ging the Com­mis­sio­ner to coope­ra­te with the Swiss data pro­tec­tion authorities.

Para­graph 1 of the new arti­cle estab­lishes the princip­le that the Swiss and can­to­nal aut­ho­ri­ties must pro­vi­de the Com­mis­sio­ner with the infor­ma­ti­on and per­so­nal data necessa­ry for the per­for­mance of his sta­tu­to­ry duties. This is a stan­dard pro­vi­si­on on admi­ni­stra­ti­ve assi­stance, which is also found in many other federal laws.

Para­graph 2 sti­pu­la­tes that the Com­mis­sio­ner must dis­c­lo­se infor­ma­ti­on and data to the can­to­nal aut­ho­ri­ties respon­si­ble for data pro­tec­tion (sub­pa­ra­graph (a)), to the com­pe­tent cri­mi­nal aut­ho­ri­ties if it is a mat­ter of reporting a cri­mi­nal offen­se pur­suant to Arti­cle 59 para­graph 2 E‑DSG (sub­pa­ra­graph (b)), and to the federal aut­ho­ri­ties and the can­to­nal and muni­ci­pal poli­ce aut­ho­ri­ties for the enfor­ce­ment of mea­su­res pur­suant to Arti­cles 44 para­graph 2 and 45 E‑DSG (sub­pa­ra­graph (c)).

The dis­clo­sure of infor­ma­ti­on refer­red to in para­graphs 1 and 2 may be spon­ta­ne­ous or upon request.

Art. 55 Admi­ni­stra­ti­ve assi­stance to for­eign authorities

1 The FDPIC may exchan­ge infor­ma­ti­on or per­so­nal data with for­eign aut­ho­ri­ties respon­si­ble for data pro­tec­tion for the per­for­mance of their respec­ti­ve tasks pro­vi­ded for by law in the area of data pro­tec­tion if the fol­lo­wing con­di­ti­ons are met:

a. Reci­pro­ci­ty of admi­ni­stra­ti­ve assi­stance is ensured.
b. The infor­ma­ti­on and per­so­nal data shall be used only for the pro­ce­du­re rela­ting to data pro­tec­tion on which the requ­est for assi­stance is based.
c. The recei­ving aut­ho­ri­ty under­ta­kes to main­tain pro­fes­sio­nal secrecy as well as busi­ness and manu­fac­tu­ring secrets.
d. The infor­ma­ti­on and per­so­nal data shall be dis­c­lo­sed only if the aut­ho­ri­ty that pro­vi­ded them so aut­ho­ri­zes in advance.
e. The recei­ving aut­ho­ri­ty under­ta­kes to com­ply with the con­di­ti­ons and restric­tions impo­sed by the aut­ho­ri­ty that pro­vi­ded it with the infor­ma­ti­on and per­so­nal data.

2 In order to justi­fy its requ­est for admi­ni­stra­ti­ve assi­stance or to com­ply with the requ­est of an aut­ho­ri­ty, the FDPIC may in par­ti­cu­lar pro­vi­de the fol­lo­wing information:

a. Iden­ti­ty of the con­trol­ler, pro­ces­sor or other third par­ty involved;
b. Cate­go­ries of data subjects;

c. Iden­ti­ty of the per­sons con­cer­ned, if:

1. the data sub­jects have con­sen­ted, or
2. the com­mu­ni­ca­ti­on of the iden­ti­ty of the data sub­jects is indis­pensable for the ful­fill­ment of the legal tasks by the FDPIC or the for­eign authority;
d. pro­ces­sed per­so­nal data or cate­go­ries of pro­ces­sed per­so­nal data;
e. Pro­ces­sing purpose;
f. Reci­pi­ents or the cate­go­ries of recipients;
g. tech­ni­cal and orga­niz­a­tio­nal measures.

3 Befo­re the FDPIC dis­c­lo­ses to a for­eign aut­ho­ri­ty infor­ma­ti­on that may con­tain a pro­fes­sio­nal secret, busi­ness secret or tra­de secret, it informs the natu­ral or legal per­sons con­cer­ned who are the bea­rers of the­se secrets and invi­tes them to com­ment, unless this is not pos­si­ble or requi­res a dis­pro­por­tio­na­te effort.

Bot Art. 49 Admi­ni­stra­ti­ve assi­stance to for­eign aut­ho­ri­ties (count. acc. to draft)

This new pro­vi­si­on regu­la­tes admi­ni­stra­ti­ve assi­stance bet­ween the Com­mis­sio­ner and for­eign data pro­tec­tion aut­ho­ri­ties. The cur­rent Arti­cle 31(1)(c) DPA is limi­ted to obli­ging the Com­mis­sio­ner to coope­ra­te with the for­eign data pro­tec­tion authorities.

The new pro­vi­si­on trans­fers Arti­cle 50 of the Direc­ti­ve (EU) 2016/680 into Swiss law. It also meets the requi­re­ments of Arti­cles 15 and 16 E‑SEV 108. The Regu­la­ti­on (EU) 2016/679 pro­vi­des for an ana­lo­gous regu­la­ti­on in Arti­cle 61.

The Com­mis­sio­ner would have favo­r­ed an addi­ti­on to the pro­vi­si­on aut­ho­ri­zing him to regu­la­te the moda­li­ties of coope­ra­ti­on with for­eign data pro­tec­tion aut­ho­ri­ties wit­hin the frame­work of an agree­ment. The Federal Coun­cil, on the other hand, pre­fers to stick to the dele­ga­ti­on of aut­ho­ri­ty pur­suant to Arti­cle 61 E‑DPA.

Par. 1 Prerequisites

Pur­suant to this pro­vi­si­on, the Com­mis­sio­ner may, under cer­tain con­di­ti­ons (sub­pa­ra­graphs a‑e), exchan­ge infor­ma­ti­on or per­so­nal data with for­eign aut­ho­ri­ties respon­si­ble for data pro­tec­tion for the per­for­mance of their respec­ti­ve data pro­tec­tion tasks pro­vi­ded for by law.

Accord­ing to the first requi­re­ment (sub­pa­ra. a), reci­pro­ci­ty of admi­ni­stra­ti­ve assi­stance in the area of data pro­tec­tion must be ensu­red bet­ween Switz­er­land and the for­eign sta­te. Second­ly, in accordance with the princip­le of spe­cia­li­ty, the infor­ma­ti­on and per­so­nal data exch­an­ged may only be used for the data pro­tec­tion pro­ce­e­dings in que­sti­on on which the requ­est for admi­ni­stra­ti­ve assi­stance is based (sub­pa­ra. b). If the data are sub­se­quent­ly to be used in cri­mi­nal pro­ce­e­dings, the princi­ples of inter­na­tio­nal mutu­al legal assi­stance in cri­mi­nal mat­ters app­ly. The third and fourth requi­re­ments ensu­re that pro­fes­sio­nal secrecy and com­mer­cial and indu­stri­al con­fi­dentia­li­ty are main­tai­ned (sub­pa­ra­graph (c)) and pro­hi­bit the dis­clo­sure of infor­ma­ti­on and per­so­nal data without the pri­or con­sent of the aut­ho­ri­ty that trans­mit­ted it (sub­pa­ra­graph (d)). Final­ly, the recei­ving aut­ho­ri­ty must com­ply with the con­di­ti­ons and restric­tions impo­sed by the aut­ho­ri­ty that trans­mit­ted the infor­ma­ti­on and per­so­nal data to it (sub­pa­ra­graph e).

The Com­mis­sio­ner may refu­se a for­eign authority’s requ­est for admi­ni­stra­ti­ve assi­stance, for examp­le, if the requi­re­ments of Arti­cle 13 E‑DSG have not been met or if one of the rea­sons pro­vi­ded for in Arti­cle 32(6) E‑DSG pre­clu­des dis­clo­sure of per­so­nal data.

Par. 2 Dis­clo­sure of per­so­nal data

Para­graph 2(a‑g) deter­mi­nes what infor­ma­ti­on the Com­mis­sio­ner may dis­c­lo­se to the for­eign aut­ho­ri­ty in order to sub­stan­tia­te his requ­est for admi­ni­stra­ti­ve assi­stance or to com­ply with the requ­est of a for­eign aut­ho­ri­ty. In order to be allo­wed to for­ward the iden­ti­ty of the per­sons con­cer­ned, the com­mis­sio­ner requi­res the con­sent of each indi­vi­du­al per­son (sub­pa­ra­graph c). The requi­re­ments of Arti­cle 5(6) E‑DSG app­ly to the con­sent (para. 2(c)(1)). Without con­sent, the iden­ti­ty may only be dis­c­lo­sed if this is indis­pensable for the ful­fill­ment of the sta­tu­to­ry tasks of the com­mis­sio­ner or the for­eign aut­ho­ri­ty (para. 2 let. c no. 2). The­se requi­re­ments cor­re­spond to tho­se under Arti­cle 32 (2) let­ters a and b E‑DSG.

Par. 3 Opinion

Before the Commissioner discloses information in an administrative assistance procedure to a foreign authority responsible for data protection that may contain professional, business or trade secrets, he shall inform the persons concerned and invite them to comment. However, he shall be released from this obligation if informing them is not possible or involves a disproportionate burden.

Sec­tion 4: Other tasks of the FDPIC

Art. 56 Register

The FDPIC main­tains a regi­ster of the pro­ces­sing acti­vi­ties of federal bodies. The regi­ster is published.

Bot Art. 50 Regi­ster (count. acc. to draft)

The pro­vi­si­on sti­pu­la­tes that the Com­mis­sio­ner shall keep a regi­ster of the data pro­ces­sing acti­vi­ties repor­ted to him by the federal bodies (Art. 11(4)). This regi­ster is to be published as it is today.

Art. 57 Information

1 The FDPIC shall report annually to the Federal Assembly on his activities. At the same time, he sends the report to the Federal Council. The report is published.

2 In cases of gene­ral inte­rest, the FDPIC informs the public about his fin­dings and rulings.

Bot Art. 51 Infor­ma­ti­on (count. acc. to draft)

Apart from the fact that the Com­mis­sio­ner must now sub­mit an annu­al acti­vi­ty report to the Federal Assem­bly and the Federal Coun­cil, para­graph 1 cor­re­sponds to the cur­rent Arti­cle 30 para­graph 1 FADP.

Paragraph 2 reinforces active information by the commissioner. The commissioner shall inform the public about his findings and rulings if there is a general public interest in doing so. The second sentence of Article 30(2) FADP is repealed. As an independent body, the commissioner must be able to determine for himself what he informs the public about. Data must be made anonymous unless there is an overriding public interest in its disclosure (Article 32 paragraphs 3 and 5 FADP). In addition, the requirements of Art. 32 para. 6 E‑DSG apply.

The supervisory authority’s obligation to prepare an activity report is provided for in Article 49 of Directive (EU) 2016/680 and in Article 12(5) E‑SEV 108. Regulation (EU) 2016/679 contains an analogous provision in Article 59.

Art. 58 Other tasks

1 The FDPIC also per­forms the fol­lo­wing tasks in particular:

a. Pro­vi­des infor­ma­ti­on, trai­ning, and advice to federal agen­ci­es and pri­va­te per­sons on pri­va­cy issues.
b. It shall sup­port the can­to­nal bodies and coope­ra­te with Swiss and for­eign aut­ho­ri­ties respon­si­ble for data protection.
c. It shall rai­se awa­reness among the popu­la­ti­on, espe­cial­ly vul­nerable per­sons, regar­ding data protection.
d. It shall pro­vi­de data sub­jects, upon requ­est, with infor­ma­ti­on on how to exer­cise their rights.
e. It shall com­ment on draft decrees and mea­su­res of the Con­fe­de­ra­ti­on that result in data processing.
f. It shall exercise the powers conferred on it by the Public Access Act of 17 December 2004 or other federal laws.

g. It shall deve­lop working tools as recom­men­da­ti­ons of good prac­ti­ce for the atten­ti­on of con­trol­lers, order pro­ces­sors and data sub­jects; for this pur­po­se, it shall take into account the spe­ci­fics of the respec­ti­ve area as well as the pro­tec­tion of vul­nerable persons.

2 It may also advi­se federal bodies that are not sub­ject to its super­vi­si­on in accordance with Arti­cles 2 and 4. The federal bodies may grant him access to files.

3 The FDPIC is aut­ho­ri­zed to decla­re to for­eign aut­ho­ri­ties respon­si­ble for data pro­tec­tion that direct ser­vice is per­mis­si­ble in the area of data pro­tec­tion in Switz­er­land, pro­vi­ded that Switz­er­land is gran­ted reci­pro­cal rights.

Bot Art. 52 Other tasks (count. acc. to draft)

In order to implement Article 46(1)(d) and (e) of Directive (EU) 2016/680, the list of the Commissioner’s competences is extended compared to the current law (Art. 31 FADP). The new tasks also meet the requirements of Article 12(2)(e) E‑SEV 108. Pursuant to paragraph 1, the Commissioner has in particular the task of informing, training and advising federal bodies and private persons on data protection issues. This also includes appropriate information events or further training, namely for responsible persons in the public sector (subparagraph a). Another task is to raise awareness of data protection among the general public, especially vulnerable persons such as minors or the elderly (subpara. c). In addition, upon request, the Commissioner provides information to data subjects on how to exercise their rights (subpara. d).

Accord­ing to let­ter e, the Com­mis­sio­ner must be con­sul­ted on all pro­po­sals for federal decrees and mea­su­res that affect data pro­ces­sing, and not only on tho­se that signi­fi­cant­ly affect data pro­tec­tion. This amend­ment cor­re­sponds to cur­rent practice.

Let­ter g pro­vi­des that the Com­mis­sio­ner shall also deve­lop gui­de­li­nes and working tools for the atten­ti­on of data con­trol­lers, pro­ces­sors and data sub­jects. He alrea­dy per­forms this task today as part of his advi­so­ry acti­vi­ties (Art. 28, 30 and 31 FADP). It is also spe­ci­fied that he takes into account the spe­cial fea­tures of the indi­vi­du­al data pro­ces­sing are­as as well as the incre­a­sed need for pro­tec­tion of par­ti­cu­lar­ly vul­nerable per­sons such as minors, dis­ab­led per­sons or the elderly.

Paragraph 2 corresponds to Article 31 paragraph 2 FADP.

Repeal of Art. 33 FADP

This pro­vi­si­on may be repealed. Para­graph 1, accord­ing to which legal pro­tec­tion is gover­ned by the gene­ral pro­vi­si­ons on the admi­ni­stra­ti­on of federal jus­ti­ce, is merely decla­ra­to­ry. Para­graph 2, in turn, is super­fluous due to Arti­cle 44(2) E‑DSG.

Sec­tion 5: Fees

Art. 59

1 The FDPIC collects fees from pri­va­te per­sons for:

a. the opi­ni­on on a code of con­duct in accordance with Arti­cle 11 para­graph 2;
b. the appro­val of stan­dard data pro­tec­tion clau­ses and bin­ding cor­po­ra­te data pro­tec­tion rules pur­suant to Arti­cle 16(2) let­ters d and e;
c. the con­sul­ta­ti­on based on a data pro­tec­tion impact assess­ment pur­suant to Arti­cle 23(2);
d. pre­cau­tio­na­ry mea­su­res and mea­su­res under Arti­cle 51;
e. Con­sul­ta­ti­ons on data pro­tec­tion mat­ters pur­suant to Arti­cle 58(1)(a).

2 The Federal Coun­cil deter­mi­nes the amount of the fees.

3 It may deter­mi­ne in which cases it is pos­si­ble to wai­ve or redu­ce the collec­tion of a fee.

Bot Art. 53 (count. acc. to draft)

Pursuant to Article 33 (1) of the Data Protection Act, a fee is charged for the Commissioner’s appraisals for private persons. The provisions of the General Fees Ordinance of 8 September 2004 (AllgGebV) are applicable.

Pur­suant to para­graph 1, the princip­le is estab­lished at the legis­la­ti­ve level that the Com­mis­sio­ner must char­ge a fee for cer­tain ser­vices pro­vi­ded to pri­va­te per­sons. The­se inclu­de the opi­ni­on on a code of con­duct (sub­pa­ra­graph a), the appro­val of stan­dard data pro­tec­tion clau­ses and bin­ding cor­po­ra­te data pro­tec­tion regu­la­ti­ons (sub­pa­ra­graph b), con­sul­ta­ti­on based on a data pro­tec­tion impact assess­ment (sub­pa­ra­graph c), mea­su­res pur­suant to Arti­cles 44(2) and 45 E‑DSG (sub­pa­ra­graph d), and con­sul­ta­ti­ons on data pro­tec­tion issu­es (sub­pa­ra­graph e). Con­ver­se­ly, it fol­lows from para­graph 1 that no fee is char­ged for an inve­sti­ga­ti­on that is con­clu­ded without orde­ring pre­cau­tio­na­ry mea­su­res or admi­ni­stra­ti­ve measures.

Paragraph 2 instructs the Federal Council to determine the amount of the fees. In accordance with the requirements of Article 46a paragraph 1 RVOG, it may only charge fees for the services pursuant to Article 53 paragraph 1 E‑DSG. In addition, it must set the amount of the fees so that they cover the costs of the activities (cost recovery principle). It is therefore not intended to finance the entire activity of the commissioner through fees. Only the costs of the activities referred to in paragraph 1 are to be covered. When regulating the tariff, the Federal Council may set a flat rate or an hourly rate depending on the service.

Under para­graph 3, the Federal Coun­cil may also spe­ci­fy the cases in which it is pos­si­ble to wai­ve or redu­ce the char­ging of a fee. For examp­le, char­ging may be wai­ved if the­re is an over­ri­ding public inte­rest in the ser­vice and it con­tri­bu­tes to the obser­van­ce of data pro­tec­tion. Arti­cle 3(2)(a) Allg­GebV con­tains a simi­lar solu­ti­on. The Com­mis­sio­ner may also defer, redu­ce or wai­ve the fee if the con­trol­ler or pro­ces­sor is a natu­ral per­son or a small or medi­um-sized enterprise.

Fees are only char­ged in rela­ti­on to pri­va­te per­sons. With regard to advice to can­to­nal aut­ho­ri­ties, Arti­cle 3 para­graph 1 Allg­GebV is app­li­ca­ble: The Federal Admi­ni­stra­ti­on does not char­ge fees to intercan­to­nal bodies, can­tons and com­mu­nes inso­far as they grant reci­pro­cal rights. Ser­vices for federal and can­to­nal bodies are pro­vi­ded free of charge.

Due to nume­rous cri­ti­cal com­ments on the preli­mi­na­ry draft, the Federal Coun­cil has fun­da­ment­al­ly revi­sed the penal provisions.

In the consultation, the introduction of financial administrative sanctions was called for (with reference to Regulation [EU] 2016/679). However, financial administrative sanctions of a punitive nature are an exception in Switzerland. They classically belong to areas where companies are subject to administrative supervision because they engage in an economic activity for which they require a license or permit or for which they receive government subsidies (e.g., in the postal system or for gambling). They were also introduced in antitrust law at a time when there was no corporate criminal liability in the StGB. Such administrative financial sanctions have a punitive character, which is why certain guarantees of criminal procedure must be observed. However, the administrative procedure that applies in principle does not regulate these issues. Moreover, such sanctions involve the direct imputation of third-party fault to a company. The legislator rejected precisely this in the case of corporate criminal liability under Article 102 StGB: the responsibility according to Article 102 StGB is not causal or strict liability, but requires specific organizational culpability. The introduction of administrative penalties in the DPA would greatly relativize this fundamental decision under criminal law through the back door of administrative law.

Moreo­ver, in the area of data pro­tec­tion, such admi­ni­stra­ti­ve sanc­tions would be par­ti­cu­lar­ly sen­si­ti­ve. The per­so­nal scope of the DPA is signi­fi­cant­ly broa­der than that of laws in are­as whe­re finan­cial admi­ni­stra­ti­ve sanc­tions are clas­si­cal­ly found and whe­re eco­no­mic acti­vi­ty is car­ri­ed out by com­pa­nies. Alt­hough the FADP is also direc­ted at lar­ge com­pa­nies, it equal­ly covers SMEs and natu­ral per­sons. Becau­se the­re is no codi­fied pro­ce­du­ral law for admi­ni­stra­ti­ve sanc­tions of a penal natu­re, the­re would be a risk, among other things, that the pro­ce­du­ral posi­ti­on of natu­ral per­sons would be under­mi­ned. This is par­ti­cu­lar­ly true becau­se the­re are pro­ce­du­ral dif­fe­ren­ces bet­ween legal enti­ties and natu­ral per­sons in ancil­la­ry cri­mi­nal law. In sum­ma­ry, the intro­duc­tion of finan­cial admi­ni­stra­ti­ve sanc­tions in the DPA would thus crea­te gre­at legal uncer­tain­ty, which is hard­ly justi­fia­ble (not only in the area of data protection).

The Federal Council therefore wants to build on established structures with consolidated practice. In Switzerland, compliance with basic obligations under administrative law is ensured by means of administrative criminal law or ancillary criminal law. The norm addressees are natural persons. Although the obligation under administrative law is incumbent on the company, its violation is attributed to the management persons (cf. Art. 29 StGB and Art. 6 VStrR). The concern expressed in the consultation that any employee of a company could be punished therefore proves to be unfounded. Sanctioning by criminal means also means that profits derived from DPA offenses and offense tools can be confiscated according to the provisions of the SCC (Art. 69 et seq. SCC). Moreover, the Commissioner should not issue criminal sanctions, because otherwise the organization of the Commissioner would have to be fundamentally changed and significantly expanded. The Federal Council therefore prefers the existing criminal prosecution system.

The criminal law provisions of the DPA must be strengthened compared to the current law. The sanctions must be dissuasive, as required by E‑SEV 108 (Art. 10) and Directive (EU) 2016/680 (Art. 57). A penalty system that is too lenient may result in the EU deeming the Swiss regulation no longer appropriate. The main features of the proposed penalty system are as follows:

  • The pena­liz­a­ti­on of negli­gent brea­ches of duty is wai­ved in accordance with the most recent deci­si­ons of Par­lia­ment (cf. e.g. the draft on the Money Gaming Act). The Com­mis­sio­ner, on the other hand, would have pre­fer­red that negli­gence also be punishable.
  • The admi­ni­stra­ti­ve duties were spe­ci­fied and the pena­liz­a­ti­on was limi­ted to essen­ti­al duties.
  • To com­pen­sa­te, the Com­mis­sio­ner is given the aut­ho­ri­ty to order com­pli­an­ce with the DPA obli­ga­ti­ons and to attach a thre­at of dis­obe­dience penal­ty. This model is wide­ly used in ancil­la­ry cri­mi­nal law (e.g., in the Federal Act of June 22, 2007 on the Swiss Finan­cial Mar­ket Super­vi­so­ry Aut­ho­ri­ty [FINMASA]) and cor­re­sponds to the mecha­nism of Arti­cle 292 Cri­mi­nal Code. If necessa­ry, the com­mis­sio­ner may par­ti­ci­pa­te in can­to­nal cri­mi­nal pro­ce­e­dings as a pri­va­te plaintiff.
  • The upper limit of the fine is set by the Federal Council at a maximum of 250,000 Swiss francs. The increase is made in particular to bring Swiss law closer to Regulation (EU) 2016/679. However, it would be questionable to set the upper fine limit against natural persons even higher on the grounds that companies would not be deterred by low fines. The penal provisions of the E‑DSG are primarily directed at natural persons, in this case in particular at managers (cf. Article 29 StGB and Article 6 VStrR). It should be noted that under FINMASA, for example, negligent breaches of duty are punishable by a fine of up to 250,000 Swiss francs (Art. 44 et seq. FINMASA), while failure to comply with an order is punishable by a fine of up to 100,000 Swiss francs (Art. 48 FINMASA). The Commissioner, on the other hand, is of the opinion that the fines are not sufficiently dissuasive, especially as far as their amount is concerned.
  • Vio­la­ti­on of pro­fes­sio­nal con­fi­dentia­li­ty is a mis­de­me­a­nor as before.
  • Insofar as data is processed by a company, the obligations derived from the DPA are generally incumbent on its managers. These are legally obligated to ensure compliance with these duties within the company. Violation of duties or disobedience of an order of the commissioner directed at the company will therefore, in application of Art. 29 StGB and Art. 6 VStrR, be attributed to the managers of the company and not to the employees who merely carry out the work.
  • Inso­far as the fine does not exce­ed 50,000 Swiss francs, com­pa­nies may, in app­li­ca­ti­on of Art. 7 VStrR be fined direct­ly. This also takes into account the cri­ti­cism voi­ced in the consultation.

Chap­ter 8: Penal provisions

Art. 60 Vio­la­ti­on of infor­ma­ti­on, dis­clo­sure and coope­ra­ti­on obligations

1 Fines of up to 250,000 Swiss francs are impo­sed on pri­va­te per­sons upon request:

a. who vio­la­te their obli­ga­ti­ons under Arti­cles 19, 21 and 25 – 27 by inten­tio­nal­ly pro­vi­ding fal­se or incom­ple­te information;

b. who intentionally fail to:

1. inform the data sub­ject in accordance with Arti­cles 19(1) and 21(1); or
2. pro­vi­de it with the infor­ma­ti­on refer­red to in Arti­cle 19(2).

2 A fine of up to 250,000 Swiss francs shall be impo­sed on pri­va­te per­sons who, in bre­ach of Arti­cle 49 para­graph 3, inten­tio­nal­ly pro­vi­de fal­se infor­ma­ti­on to the FDPIC in the cour­se of an inve­sti­ga­ti­on or inten­tio­nal­ly refu­se to cooperate.

Bot Art. 54 Vio­la­ti­on of infor­ma­ti­on, dis­clo­sure and coope­ra­ti­on obli­ga­ti­ons (count. as per draft).

Article 54 E‑DSG adopts Article 34 FADP, with the exception of Article 34(2)(a) FADP, because the obligations regulated there are no longer included in the e‑DSG. In turn, however, the standard also refers to the new duty to provide information in the case of an automated individual decision (Art. 19 E‑DSG).

Para­graph 1(a) covers the inten­tio­nal pro­vi­si­on of fal­se infor­ma­ti­on, but also the inten­tio­nal pro­vi­si­on of incom­ple­te infor­ma­ti­on while crea­ting the impres­si­on that the infor­ma­ti­on is com­ple­te. The com­ple­te refu­sal to pro­vi­de infor­ma­ti­on, on the other hand, is not punis­ha­ble under let­ter a, but under let­ter b, if app­li­ca­ble. Howe­ver, a pri­va­te per­son who untruth­ful­ly claims not to have any infor­ma­ti­on on the data sub­ject is liable to pro­se­cu­ti­on under para­graph 1(a).

Para­graph 1 let­ter b app­lies in cases whe­re a pri­va­te per­son com­ple­te­ly fails to inform the data sub­ject in accordance with Arti­cles 17 para­graph 1 and 19 para­graph 1 or to pro­vi­de him with the infor­ma­ti­on in accordance with Arti­cle 17 para­graph 2. On the other hand, a pri­va­te per­son who claims that he or she is not obli­ged to pro­vi­de infor­ma­ti­on by invo­king Arti­cle 18 or 25 is not liable to pro­se­cu­ti­on. In such a case, the data sub­ject knows that data pro­ces­sing is taking place. He or she is the­re­fo­re in a posi­ti­on to assert his or her rights and to initia­te civil pro­ce­e­dings in which it can be deci­ded whe­ther the refu­sal or restric­tion of the right to infor­ma­ti­on or the obli­ga­ti­on to pro­vi­de infor­ma­ti­on is justi­fied. Para­graph 2 adopts Art. 34(2)(b) FADP, which makes it a cri­mi­nal offen­se to pro­vi­de fal­se infor­ma­ti­on or refu­se to coope­ra­te in an inve­sti­ga­ti­on by the Commissioner.

The violation of these duties shall continue to be an infraction, but the upper limit of the fine provided for this purpose shall be raised significantly and increased to 250,000 Swiss francs. The actual penalty shall be determined taking into account the economic situation of the offender (Art. 106 para. 3 SCC in conjunction with Art. 47 StGB). In minor cases, the company may be ordered to pay the fine instead of the responsible person. Furthermore, according to Article 52 StGB, prosecution or punishment can be dispensed with in minor cases.

Art. 61 Vio­la­ti­on of duties of care

Fines of up to 250,000 francs shall be impo­sed on pri­va­te per­sons, upon app­li­ca­ti­on, who intentionally:

a. dis­c­lo­se per­so­nal data abroad in bre­ach of Arti­cle 16 para­graphs 1 and 2 and without the requi­re­ments of Arti­cle 17 being met;
b. hand over the data pro­ces­sing to a com­mis­sio­ned pro­ces­sor without the requi­re­ments of Arti­cle 9 para­graphs 1 and 2 being met;
c. fail to com­ply with the mini­mum data secu­ri­ty requi­re­ments issued by the Federal Coun­cil in accordance with Arti­cle 8 para­graph 3.

Bot Art. 55 Violation of due diligence (count. acc. to draft)

This pro­vi­si­on is new. It is necessa­ry becau­se the e‑DSG pro­vi­des for new ele­men­ta­ry obli­ga­ti­ons that are not cove­r­ed by the cur­rent penal pro­vi­si­ons. Effec­ti­ve pro­tec­tion of the per­so­na­li­ty of the data sub­jects is pos­si­ble if the data con­trol­lers and the order pro­ces­sors meet their obli­ga­ti­ons. To encou­ra­ge them to com­ply with the DPA, the Federal Coun­cil pro­po­ses this addi­ti­on to the penal­ty provisions.

By its natu­re, the pro­vi­si­on is likely to be direc­ted pri­ma­ri­ly at per­sons with aut­ho­ri­ty to issue direc­ti­ves, becau­se the deci­si­on-making aut­ho­ri­ty for the ful­fill­ment of the­se duties is a manage­ment task (cf. also Art. 29 StGB).

Art. 62 Vio­la­ti­on of pro­fes­sio­nal secrecy

1 Any per­son who inten­tio­nal­ly dis­c­lo­ses secret per­so­nal data of which he or she has beco­me awa­re in the exer­cise of his or her pro­fes­si­on requi­ring know­ledge of such data shall be liable on com­p­laint to a fine of up to 250,000 francs.

2 Any per­son who inten­tio­nal­ly dis­c­lo­ses secret per­so­nal data of which he or she has beco­me awa­re while working for a per­son sub­ject to the obli­ga­ti­on of secrecy or during trai­ning with such per­son shall be punis­hed in the same manner.

3 Dis­clo­sure of secret per­so­nal data is punis­ha­ble even after ter­mi­na­ti­on of pro­fes­sio­nal prac­ti­ce or training.

Bot Art. 56 Vio­la­ti­on of pro­fes­sio­nal secrecy (count. as per draft).

Since the DPA came into force, information and communication technology has developed immensely and its importance has increased markedly. Not least due to the mass distribution of smartphones, more and more data is being stored and processed by more and more people on more and more systems. Against this background, it is appropriate to extend the protection of secrets to all types of personal data. The decisive factor is that the data is secret. This corresponds to Articles 320 and 321 StGB, which are also based solely on whether the information in question is secret or not. The material concept of secrecy under criminal law thus applies. A secret protected by criminal law exists if the fact is not generally known or accessible, if the owner of the secret has an interest worthy of protection in its limited publicity and if he also has the will to keep it secret. Thus, not every disclosure of personal data meets this definition. The term “disclose” corresponds to that used in Articles 320 and 321 StGB and creates coherence with regard to the offense. Article 56 closes gaps that arise from the restricted scope of offenses in Articles 320 and 321 StGB (special offenses). Article 56 E‑DSG therefore provides for a duty of confidentiality also for persons who are not covered by Article 320 or 321 StGB. Violation of the professional duty of confidentiality is a misdemeanor (application offense) and is punishable by a fine of up to 250,000 Swiss francs.

Paragraph 2 extends criminal liability to auxiliary persons (commissioned data processors) and trainees. The extension corresponds to the current DPA and, in substance, also to the regulation in Article 321 StGB (“auxiliary persons”). With the adoption of the Dispatch on the Information Security Act, the Federal Council has proposed to Parliament a corresponding amendment of Article 320 StGB.

Dis­clo­sure may be justi­fied by the con­sent of the per­son enti­t­led. The gene­ral rules and the princi­ples deve­lo­ped by case law and dog­ma­tics wit­hin the frame­work of Arti­cle 321 item 2 SCC app­ly muta­tis mutandis.

In prac­ti­ce, com­pe­ti­ti­on issu­es may ari­se, in par­ti­cu­lar with regard to Arti­cle 320 StGB (federal civil ser­vants) and Art. 321 StGB (lawy­ers, doc­tors, etc.). Howe­ver, this is alrea­dy the case under cur­rent law, so this cir­cum­stance should not pre­sent any par­ti­cu­lar problems.

Art. 63 Dis­re­gar­ding orders

A fine of up to 250,000 Swiss francs shall be impo­sed on pri­va­te indi­vi­du­als who wil­ful­ly fail to com­ply with an order of the FDPIC or a deci­si­on of the appel­la­te aut­ho­ri­ties issued with refe­rence to the thre­at of punish­ment under this article.

Bot Art. 57 Disregard of orders (count. acc. to draft)

Arti­cle 57 has been new­ly inser­ted by the Federal Coun­cil after the con­sul­ta­ti­on. Ana­lo­gous pro­vi­si­ons are widespread in the ancil­la­ry cri­mi­nal law of the Con­fe­de­ra­ti­on. On the one hand, the arti­cle ser­ves as com­pen­sa­ti­on for the omis­si­on of nume­rous cri­mi­nal pro­vi­si­ons com­pa­red to the VE-DSG. On the other hand, this pro­vi­si­on takes into account the que­sti­ons rela­ting to the princip­le nul­la poe­na sine lege, which were fre­quent­ly rai­sed in the con­sul­ta­ti­on. The same que­sti­ons would have ari­sen in con­nec­tion with admi­ni­stra­ti­ve sanc­tions, becau­se the­se are cri­mi­nal in natu­re. The pre­sent solu­ti­on allo­ws the rele­vant pro­vi­si­ons of the e‑DSG to con­ti­nue to be draf­ted in a suf­fi­ci­ent­ly gene­ral form without at the same time com­ing into con­flict with the cri­mi­nal law requi­re­ments for the pre­ci­si­on of a legal regu­la­ti­on. In addi­ti­on, this model faci­li­ta­tes the work of the com­pe­tent law enfor­ce­ment aut­ho­ri­ties and thus takes into account the con­cerns that were par­ti­al­ly expres­sed in the consultation.

With Arti­cle 57 E‑DSG, the Com­mis­sio­ner has the opti­on of orde­ring com­pli­an­ce with obli­ga­ti­ons under the E‑DSG (see Art. 45 (3) E‑DSG) and lin­king this to a thre­at of punish­ment. One advan­ta­ge of this model is that the obli­ga­ti­on can be spe­ci­fied in the order to the extent that the­re is no doubt for the addres­see as to what he must or must not do. This also faci­li­ta­tes the work of the can­to­nal pro­se­cu­ti­on aut­ho­ri­ty, which, in the event of non-com­pli­an­ce, must inve­sti­ga­te the facts of the case upon noti­fi­ca­ti­on by the com­mis­sio­ner and pass a judgment or issue a penal­ty order.

If the commissioner’s order is direc­ted to an enter­pri­se, cri­mi­nal lia­bi­li­ty ari­ses by vir­tue of Arti­cle 29 StGB with a manage­ment per­son: The duty that gives rise to the penal­ty, which is incum­bent on the com­pa­ny, is attri­buted to the natu­ral per­son. This also takes into account the cri­ti­cism voi­ced in some cases during the con­sul­ta­ti­on process.

Art. 64 Offen­ses in busi­ness establishments

1 Arti­cles 6 and 7 of the Federal Act of March 22, 1974 on Admi­ni­stra­ti­ve Cri­mi­nal Law (VStrR) are app­li­ca­ble to vio­la­ti­ons in busi­ness establishments.

2 If a fine of no more than 50,000 francs is under consideration and if identifying the persons liable to prosecution under Article 6 VStrR would require investigative measures that would be disproportionate to the penalty incurred, the authority may refrain from prosecuting these persons and instead order the business establishment (Art. 7 VStrR) to pay the fine.

Bot Art. 58 Offen­ses in busi­ness estab­lish­ments (count. acc. to draft)

Arti­cle 58 incor­po­ra­tes Arti­cles 6 and 7 of the Federal Act of 22 March 1974 on Admi­ni­stra­ti­ve Cri­mi­nal Law (VStrR). An expli­cit refe­rence is necessa­ry becau­se the VStrR is in princip­le not app­li­ca­ble in the matter.

Arti­cle 6 para­graph 2 of the Cri­mi­nal Code allo­ws for the lia­bi­li­ty of the princi­pal also in the area of the DPA. The obli­ga­ti­ons of the DPA are likely to be regu­lar­ly addres­sed to the princi­pal. Arti­cle 6 para­graph 2 of the DFR thus ful­fills a simi­lar func­tion as Arti­cle 29 StGB and addres­ses cri­mi­nal respon­si­bi­li­ty to the manage­ment level of the com­pa­ny, i.e. to exe­cu­ti­ves who have deci­si­on-making and direc­ti­ve powers. This allo­ws for an appro­pria­te allo­ca­ti­on of cri­mi­nal respon­si­bi­li­ty in companies.

The upper limit of the fine up to which, under Article 7 VStrR, a company may be ordered to pay the fine instead of a natural person is increased to 50,000 francs. This adjustment is necessary because the upper fine limit in the DPA is not 10,000 francs (Art. 106 para. 1 SCC), but 250,000 francs.

Art. 65 Competence

1 The pro­se­cu­ti­on and adju­di­ca­ti­on of cri­mi­nal acts are the respon­si­bi­li­ty of the cantons.

2 The FDPIC may file a com­p­laint with the com­pe­tent pro­se­cu­ting aut­ho­ri­ty and exer­cise the rights of a pri­va­te plain­tiff in the proceedings.

Bot Art. 59 Com­pe­tence (count. acc. to draft)

As is the case today, the pro­se­cu­ti­on and adju­di­ca­ti­on of cri­mi­nal acts is fun­da­ment­al­ly the respon­si­bi­li­ty of the cantons.

The Commissioner has the right to file a complaint and may participate in cantonal criminal proceedings as a private plaintiff (Art. 118 ff. StPO). He can therefore challenge discontinuation orders and appeal against cantonal judgments if this appears necessary in the interests of uniform application of the DPA. However, he cannot appeal against penalty orders or the sentence; this does not appear to be necessary in view of his duties.

Art. 66 Limi­ta­ti­on peri­od for prosecution

The sta­tu­te of limi­ta­ti­ons for cri­mi­nal pro­se­cu­ti­on is five years.

Bot Art. 60 Limi­ta­ti­on of pro­se­cu­ti­on (count. acc. to draft)

Under Article 109 StGB, the statute of limitations for violations is three years. Data protection investigations require technological knowledge and can be costly. To ensure that criminal proceedings in the data protection area do not fail because the statute of limitations is too short, the Federal Council is proposing an increase to five years.

Chap­ter 9: Con­clu­si­on of Sta­te Treaties

Art. 67

The Federal Coun­cil may con­clu­de sta­te trea­ties concerning:

a. inter­na­tio­nal coope­ra­ti­on bet­ween data pro­tec­tion authorities;
b. the mutual recognition of adequate protection for the disclosure of personal data abroad.

Bot Art. 61 (count. acc. to draft)

This provision replaces Article 36(5) FADP, which is too vague, taking into account the applicable principles regarding the delegation of authority. According to Article 61 of the Federal Data Protection Act, the Federal Council may conclude international treaties with one or more subjects of international law (state, international organization) in two cases. According to letter a, the Federal Council may conclude state treaties that concern international cooperation between data protection authorities. This provision refers, for example, to cooperation agreements on the model of the Agreement of 17 May 2013 between the Swiss Confederation and the European Union on cooperation in the application of their competition laws. Pursuant to letter b, the Federal Council may also conclude state treaties on the mutual recognition of an adequate level of protection for the cross-border disclosure of data.

The remai­ning para­graphs of Arti­cle 36 FADP are repealed. Para­graphs 1 and 4 are super­fluous inso­far as the prac­ti­ce of express­ly sta­ting that the Federal Coun­cil must issue imple­men­ting pro­vi­si­ons has been aban­do­ned. Para­graph 3, accord­ing to which the Federal Coun­cil may pro­vi­de for dero­ga­ti­ons from Arti­cles 8 and 9 for the pro­vi­si­on of infor­ma­ti­on by Swiss diplo­ma­tic and con­su­lar repre­sen­ta­ti­ons abroad, can also be repealed. Para­graph 6, in turn, is obso­le­te, sin­ce the Federal Coun­cil has never exer­cis­ed its aut­ho­ri­ty to regu­la­te how to secu­re data collec­tions who­se data could end­an­ger the life and limb of the per­sons con­cer­ned in the event of war or crisis.

Repeal of Art. 37 FADP

The con­sul­ta­ti­on pro­cess has shown that Arti­cle 37 FADP is super­fluous and must be repealed. Today, all can­tons have data pro­tec­tion regu­la­ti­ons that ensu­re ade­qua­te pro­tec­tion with regard to the requi­re­ments of Con­ven­ti­on ETS 108 and the cor­re­spon­ding addi­tio­nal protocol.

Chap­ter 10: Final Provisions

Art. 68 Repeal and amend­ment of other enactments

The repeal and amend­ment of other enact­ments are regu­la­ted in Annex 1.

Bot Art. 62 Repeal and amend­ment of other enact­ments (count. acc. to draft)

The repeal and amend­ment of other enact­ments is com­men­ted on in sec­tion 9.2.

Art. 69 Tran­si­tio­nal pro­vi­si­ons con­cer­ning cur­rent pro­ces­sing operations

Articles 7, 22 and 23 are not applicable to data processing that was started before the entry into force of this Act, if the purpose of processing remains unchanged and no new data is obtained.

Bot Art. 64 Transitional provisions concerning processing (count. acc. to draft)

Arti­cle 64 con­tains various tran­si­tio­nal rules con­cer­ning processing.

Para. 1

Para­graph 1 con­cerns data pro­ces­sing that has been com­ple­ted at the time this Act enters into for­ce. This con­cerns data pro­ces­sing that was car­ri­ed out enti­re­ly in accordance with the old law and which also does not con­ti­nue after the ent­ry into for­ce. Such pro­ces­sing will con­ti­nue to be car­ri­ed out enti­re­ly in accordance with the pre­vious law. For examp­le, com­ple­ted pro­ces­sing that is law­ful under the pre­vious law can­not beco­me unlaw­ful when the new law comes into for­ce. Howe­ver, this does not app­ly to the right to infor­ma­ti­on (Art. 23 – 25); after the new law comes into for­ce, this is gover­ned exclu­si­ve­ly by the new law, even with regard to data and data pro­ces­sing that took place enti­re­ly under the old law.

Para. 2

Para­graph 2 con­cerns data pro­ces­sing that was star­ted under the pre­vious law and con­ti­nues after the law comes into for­ce, but for which the new law has tigh­te­ned the requi­re­ments. One examp­le of this is the case whe­re a vio­la­ti­on of pri­va­cy exists under the new law becau­se the requi­re­ments for the justi­fi­ca­ti­on rea­son have been chan­ged. In princip­le, such pro­ces­sing may be con­ti­nued for 2 years without fur­ther adjust­ments. During this time, the per­son respon­si­ble must ensu­re that the­se pro­ces­sing ope­ra­ti­ons are con­ver­ted to a law­ful sta­te in accordance with the new law.

Para­graph 2 does not con­cern the obli­ga­ti­ons under Arti­cles 6, 20 and 21, which are cove­r­ed by para­graph 3.

Para. 3

Para­graph 3 rela­tes to data pro­ces­sing that was com­men­ced under the pre­vious law and con­ti­nues after the Act comes into for­ce. Arti­cles 6, 20 and 21 do not app­ly to such pro­ces­sing if the pur­po­se of the pro­ces­sing remains unch­an­ged and no new data are obtai­ned. In this case, the pro­ces­sing may be con­ti­nued without mee­ting the requi­re­ments of Arti­cle 6. Like­wi­se, a data pro­tec­tion impact assess­ment does not have to be sub­se­quent­ly pre­pa­red for the­se pro­ces­sing ope­ra­ti­ons. This regu­la­ti­on is based in par­ti­cu­lar on the fact that the obli­ga­ti­ons in Arti­cles 6 and 20 f. are pri­ma­ri­ly to be ful­fil­led in advan­ce of data pro­ces­sing. The data con­trol­lers should not be obli­ged to ful­fill the­se obli­ga­ti­ons retrospectively.

If the requi­re­ments of para­graph 3 are not met, the obli­ga­ti­ons under Arti­cles 6, 20 and 21 shall also app­ly to pro­ces­sing that was com­men­ced under the pre­vious law and con­ti­nues after the Act comes into for­ce. With the excep­ti­on of the scope of Direc­ti­ve (EU) 2016/680 howe­ver, the­se pro­vi­si­ons do not come into for­ce until two years after the law comes into for­ce, so the­re is a two-year tran­si­ti­on peri­od to com­ply with the­se obligations.

Para. 4

Para­graph 4 con­cerns all data pro­ces­sing that is not cove­r­ed by para­graphs 1 to 3. In par­ti­cu­lar, this inclu­des data pro­ces­sing that was not star­ted until after the law came into for­ce, but also data pro­ces­sing that is law­ful under both the pre­vious law and the new law. For the­se data pro­ces­sing ope­ra­ti­ons, the new law app­lies from the time the pro­vi­si­ons in que­sti­on come into force.

Art. 70 Tran­si­tio­nal pro­vi­si­on con­cer­ning ongo­ing proceedings

This Act does not app­ly to inve­sti­ga­ti­ons by the FDPIC that are pen­ding at the time of its ent­ry into for­ce; it also does not app­ly to pen­ding appeals against first-instance deci­si­ons issued befo­re its ent­ry into for­ce. The­se cases are sub­ject to the pre­vious law.

Bot Art. 65 Tran­si­tio­nal pro­vi­si­on con­cer­ning ongo­ing pro­ce­du­res (count. acc. to draft)

To ensu­re legal cer­tain­ty and com­pli­an­ce with the princip­le of good faith, this pro­vi­si­on sti­pu­la­tes that inve­sti­ga­ti­ons by the Com­mis­sio­ner that are pen­ding at the time the future FADP enters into for­ce, as well as appeals against pen­ding first-instance deci­si­ons, are sub­ject to the pre­vious law. This con­cerns both the sub­stan­ti­ve data pro­tec­tion pro­vi­si­ons and the powers of the Com­mis­sio­ner and the other app­li­ca­ble pro­ce­du­ral provisions.

Art. 71 Tran­si­tio­nal pro­vi­si­on con­cer­ning data of legal entities

For federal bodies, pro­vi­si­ons in other federal decrees rela­ting to per­so­nal data shall con­ti­nue to app­ly to data rela­ting to legal per­sons for five years after this Act comes into for­ce. In par­ti­cu­lar, for five years after this Act comes into for­ce, federal bodies may con­ti­nue to dis­c­lo­se data rela­ting to legal per­sons in accordance with Arti­cle 57s para­graphs 1 and 2 of the Government and Admi­ni­stra­ti­on Orga­ni­sa­ti­on Act of 21 March 1997 if they are aut­ho­ri­sed to dis­c­lo­se per­so­nal data on the basis of a legal foundation.

Bot Art. 66 Tran­si­tio­nal pro­vi­si­on con­cer­ning data of legal enti­ties (count. acc. to draft)

The abolition of the protection of data of legal persons in the E‑DSG and the restriction of the concept of personal data in Article 4 letter a E‑DSG to information that relates to an identified or identifiable natural person has various implications for data processing by federal bodies. In particular, this innovation means that the federal legal bases authorizing federal bodies to process and disclose personal data will in future no longer be applicable if data relating to legal persons is processed or disclosed. However, under the principle of legality set out in Article 5 paragraph 1 BV, every government action – and thus also every government data processing or data disclosure – requires a legal basis (cf. also Article 13 para. 2, Article 27 and Article 36 of the Federal Constitution). The draft law therefore introduces a number of provisions in the RVOG for federal bodies that regulate their handling of data of legal persons (cf. Section 9.2.8). Particular mention should be made of Article 57r E‑RVOG, which creates a general legal basis for the processing of data of legal persons by federal bodies, and Article 57s E‑RVOG, which – analogous to Article 32 E‑DSG concerning the disclosure of personal data – contains the requirements for the legal basis for the disclosure of data of legal persons. Unlike Article 57r E‑RVOG, Article 57s E‑RVOG thus does not constitute a legal basis for specific data disclosures by federal bodies, which is why a disclosure of data of legal persons must always be able to be based on a special legal basis in the future as well.

An amend­ment of all pre­vious legal bases (which, due to the amend­ments in the E‑DSA, will lar­ge­ly only be app­li­ca­ble to natu­ral per­sons) would not be appro­pria­te in the con­text of this bill, as this would con­si­der­ab­ly leng­t­hen the draft bill and the dis­patch. It the­re­fo­re seems more expe­dient to the Federal Coun­cil to tho­rough­ly review the spe­cial data pro­tec­tion pro­vi­si­ons after the par­lia­men­ta­ry deli­be­ra­ti­ons on this bill and to exami­ne which pro­vi­si­ons that cur­r­ent­ly rela­te to the hand­ling of data of legal per­sons by federal bodies should con­ti­nue to be retai­ned or must be adap­ted or repealed. In order to avoid any legal gaps in the mean­ti­me, a tran­si­tio­nal pro­vi­si­on is intro­du­ced for federal bodies in Arti­cle 66 of the e‑DSG, which pro­vi­des for the con­ti­nued app­li­ca­ti­on of such spe­cial-law federal pro­vi­si­ons (in laws in both the for­mal and sub­stan­ti­ve sen­se) rela­ting to the data of legal per­sons for five years after the e‑DSG comes into for­ce for federal bodies. In par­ti­cu­lar, during this peri­od federal bodies should be able to rely on the pre­vious legal basis for the dis­clo­sure of per­so­nal data for the dis­clo­sure of data of legal persons.

Only in very iso­la­ted cases, whe­re this is alrea­dy appro­pria­te today for rea­sons of prac­ti­ca­bi­li­ty and legal cer­tain­ty, will spe­cial legal pro­vi­si­ons rela­ting to the data of legal per­sons be review­ed and adap­ted wit­hin the frame­work of this bill. This con­cerns the fol­lo­wing enactments:

  • the BGÖ (cf. item 9.2.7: Art. 3 par. 2, 9, 11, 12 par. 2 and 3, 15 par. 2 let­ter b);
  • the RVOG (cf. item 9.2.8: Art. 57h, 57h, 57i, 57j, 57k introductory sentence, 57l subject heading and introductory sentence, 57r, 57s and 57t);
  • the Audit Super­vi­si­on Act of Decem­ber 16, 2005 (cf. Sec­tion 9.2.12: Art. 15b);
  • the Federal Sta­tis­tics Act of 9 Octo­ber 1992 (cf. para. 9.2.24: arts. 5 para. 2 let. a and para. 4 let. a, 14 para. 1, 14a para. 1, 15 para. 1, arts. 16 para. 1 and 19 para. 2);
  • the Federal Act of 17 June 2005 against Unde­cla­red Work (cf. para. 9.2.56: Art. 17 sub­ject hea­ding, paras. 1, 2 and 4 as well as Art. 17a);
  • the Natio­nal Bank Law of Octo­ber 3, 2003 (cf. para. 9.2.66: art. 16 par. 5 and art. 49a);
  • the Federal Law of 19 March 1976 on Inter­na­tio­nal Deve­lo­p­ment Coope­ra­ti­on and Huma­ni­ta­ri­an Aid (cf. para. 9.2.69: Art. 13a para. 1);
  • the Energy Act of September 30, 2016 (cf. item 13.7: articles 56 par. 1, 58 subject heading, par. 1 and 3, and article 59 subject heading, par. 1 and 2) and the Electricity Supply Act to be amended by the Energy Act of September 30, 2016 (cf. item 13.7: articles 17c par. 1 and 27 par. 1)

Art. 72 Tran­si­tio­nal pro­vi­si­on con­cer­ning the elec­tion and ter­mi­na­ti­on of the term of office of the commissioner 

The elec­tion of the Com­mis­sio­ner and the ter­mi­na­ti­on of his or her term of office shall be gover­ned by the pre­vious law until the end of the legis­la­ti­ve term in which this Act enters into force.

Art. 73 Coordination

Coor­di­na­ti­on with other decrees is regu­la­ted in Annex 2.

Art. 74 Refe­ren­dum and ent­ry into force

1 This law is sub­ject to an optio­nal referendum.

2 The Federal Coun­cil shall deter­mi­ne the effec­ti­ve date.
