The requirements for data security are primarily a question of the individual case. Data protection law only provides a fairly general framework for examining the risks, the possible measures and the measures to be taken.
On the question of whether the DPA and the DPO stipulate minimum data protection requirements, the violation of which may be punishable by law, cf. here.
Breach Notification
on reporting obligations for incidents
Data security breaches may have to be reported to the FDPIC (in the case of high risks for data subjects) and/or communicated to the data subjects (where this matters for their self-protection). The FDPIC provides a form here, albeit one with considerable disadvantages. It should be borne in mind that the FDPIC is unfortunately subject to the principle of publicity under the Federal Data Protection Act.
However, there may be additional reporting obligations that are not motivated by data protection law, but by the specific objectives of the respective legal system. These include the following:
The Federal Act on Information Security within the Confederation (Bundesgesetz über die Informationssicherheit beim Bund, ISG) is being supplemented with provisions on the reporting obligation of operators of certain critical infrastructures. The revised provisions enter into force on 1 April 2025.
A summary of the relevant provisions, the corresponding dispatch, the Cybersecurity Ordinance and the explanatory report is available here in German and English: