Text of the current VDSG. The texts have been converted automatically – we thank you for pointing out errors.
Chapter 1: Processing of personal data by private persons
Section 1: Right to information
Art. 1 Modalities
1 Any person who requests information from the owner of a data file as to whether data about him or her is being processed (Art. 8 FADP) must, as a rule, request this in writing and prove his or her identity.
2 The request for information and the provision of information may be made by electronic means if the controller of the data file expressly so provides and takes reasonable measures to:
a. ensure the identification of the data subject; and
b. protect the personal data of the data subject from access by unauthorized third parties when providing information.
3 With the consent of the data controller or at his suggestion, the data subject may also inspect his data on site. The information may also be provided orally if the data subject has consented and has been identified by the controller.
4 The information or the reasoned decision on the restriction of the right to information (Art. 9 and 10 FADP) shall be provided within 30 days of receipt of the request for information. If the information cannot be provided within 30 days, the controller of the data file must notify the applicant of this and inform him of the period within which the information will be provided.
5 If one or more data files are jointly managed by several holders, the right to information may be asserted against each holder, unless one of them is responsible for handling all requests for information. If the owner of the data file is not authorized to provide information, he shall forward the request to the person responsible.
6 If the request for information relates to data processed by a third party on behalf of the controller of the data file, the controller shall forward the request to the third party for execution, unless the controller is itself in a position to provide information.
7 If information about data of a deceased person is requested, it shall be provided if the applicant proves an interest in the information and no overriding interests of relatives of the deceased person or of third parties are opposed. Close kinship with, or marriage to, the deceased person constitutes an interest.
Art. 2 Exceptions to free provision of information
1 A reasonable share of the costs may exceptionally be required if:
a. the person making the request has already been provided with the requested information in the twelve months prior to the request and no interest worthy of protection in the provision of new information can be demonstrated. An interest worthy of protection is given in particular if the personal data has been changed without notification to the person concerned;
b. the provision of information is associated with a particularly large amount of work.
2 The participation amounts to a maximum of 300 Swiss francs. The applicant must be informed of the amount of the participation before information is provided and may withdraw his request within ten days.
Section 2: Registration of data collections
Art. 3 Registration
1 Data collections (Art. 11a para. 3 FADP) must be notified to the Federal Data Protection and Information Commissioner (Commissioner) before the data collection is opened. The notification shall contain the following information:
a. Name and address of the owner of the data collection;
b. Name and full name of the data collection;
c. Person with whom the right to information can be asserted;
d. Purpose of Data Collection;
e. Categories of personal data processed;
f. Categories of data recipients;
g. Categories of participants in the data collection, i.e. third parties who may enter data into the data collection and make changes to the data.
2 Each owner of a data collection updates this information on an ongoing basis. …
Art. 4 Exemptions from the obligation to register
1 Exempt from the obligation to register the data collections are the data collections under Article 11a (5) letters a and c‑f FADP and the following data collections (Article 11a (5) letter b FADP):
a. Data collections from suppliers or customers, insofar as they do not contain any personal data or personality profiles requiring special protection;
b. Data collections whose data are used exclusively for non-personal purposes, namely in research, planning and statistics;
c. archived data collections kept only for historical or scientific purposes;
d. Data collections that contain only data that has been made public or that the data subject himself/herself has made generally accessible and the processing of which he/she has not expressly prohibited;
e. Data used exclusively to meet the requirements of Article 10;
f. Accounting records;
g. Auxiliary data collections for the personnel administration of the owner of the data collection, provided they do not contain any personal data or personality profiles requiring special protection.
2 The owner of the data files shall take the necessary measures to be able to communicate the information (Art. 3 Para. 1) on the data files not subject to the obligation to register to the commissioner or the data subjects upon request.
Section 3: Disclosure abroad
Art. 5 Publication in electronic form
If personal data is made generally available to the public by means of automated information and communication services for the purpose of providing information, this shall not be deemed to be a transfer abroad.
Art. 6 Transparency and information
1 The controller of the data file shall inform the Commissioner prior to disclosure abroad of the guarantees and data protection rules pursuant to Article 6 paragraph 2 letters a and g FADP. If the prior information is not possible, it must be provided immediately after disclosure.
2 If the Commissioner has been informed of the safeguards and the data protection rules, the obligation to inform shall be deemed to have been fulfilled for all further disclosures that:
a. take place under the same guarantees, provided that the categories of recipients, the purpose of the processing and the categories of data remain substantially unchanged; or
b. take place within the same legal entity or company or between legal entities or companies under unified management, to the extent that data protection rules continue to provide adequate protection.
3 The information obligation shall also be deemed to be fulfilled if data are transmitted on the basis of model contracts or standard contractual clauses drawn up or recognized by the commissioner and the commissioner has been informed in general terms by the controller of the data file about the use of these model contracts or standard contractual clauses. The commissioner shall publish a list of the model contracts and standard contractual clauses drawn up or recognized by it.
4 The Data Controller shall take reasonable measures to ensure that the Recipient complies with the safeguards and data protection rules.
5 The Commissioner shall examine the guarantees and data protection rules communicated to him (Art. 31(1)(e) FADP) and shall notify the controller of the data file of the result of his examination within 30 days of receipt of the information.
Art. 7 List of states with adequate data protection legislation
The commissioner publishes a list of states whose legislation ensures adequate data protection.
Section 4: Technical and organizational measures
Art. 8 General measures
1 Anyone who processes personal data or provides a data communications network as a private individual shall ensure the confidentiality, availability and integrity of the data in order to guarantee adequate data protection. In particular, he protects the systems against the following risks:
a. unauthorized or accidental destruction;
b. accidental loss;
c. technical errors;
d. Forgery, theft or unlawful use;
e. unauthorized modification, copying, access or other unauthorized editing.
2 The technical and organizational measures must be appropriate. In particular, they shall take into account the following criteria:
a. Purpose of data processing;
b. Nature and scope of data processing;
c. Assessment of potential risks to affected individuals;
d. current state of the art.
3 These measures are to be reviewed periodically.
Art. 9 Special measures
1 In particular, the data controller shall take technical and organizational measures for the automated processing of personal data that are suitable to meet the following objectives:
a. Access control: unauthorized persons shall be denied access to the facilities where personal data are processed;
b. Personal data carrier control: unauthorized persons must be prevented from reading, copying, modifying or removing data carriers;
c. Transport control: during the disclosure of personal data as well as during the transport of data carriers, it must be prevented that the data can be read, copied, changed or deleted without authorization;
d. Disclosure control: Data recipients to whom personal data is disclosed by means of data transmission equipment must be identifiable;
e. Memory control: unauthorized entry into the memory and unauthorized viewing, modification or deletion of stored personal data must be prevented;
f. User control: the use of automated data processing systems by means of data transmission equipment by unauthorized persons shall be prevented;
g. Access control: the access of authorized persons shall be limited to those personal data they need to fulfill their task;
h. Input control: in automated systems, it must be possible to check retrospectively which personal data was entered at what time and by which person.
2 The data collections shall be designed in such a way that the data subjects can exercise their right of access and their right of rectification.
Art. 10 Logging
1 The controller of the data file shall log the automated processing of personal data or personality profiles requiring special protection if the preventive measures cannot guarantee data protection. Logging must be carried out in particular if it cannot otherwise be determined retrospectively whether the data was processed for the purposes for which it was collected or disclosed. The commissioner may also recommend logging for other processing operations.
2 The logs shall be kept in an auditable manner for a period of one year. They are accessible exclusively to the bodies or private persons who are responsible for monitoring data protection regulations and may be used only for this purpose.
Art. 11 Processing regulations
1 The controller of an automated data file subject to notification (Art. 11a para. 3 FADP) that is not exempt from the notification requirement on the basis of Article 11a para. 5 letters b‑d FADP shall draw up processing regulations that describe in particular the internal organization as well as the data processing and control procedure and contain the documents relating to the planning, realization and operation of the data file and the IT resources.
2 The controller of the data file shall update the regulations regularly. He shall make them available to the commissioner or the data protection officer pursuant to Article 11a (5) letter e FADP on request in a form that they can understand.
Art. 12 Disclosure of data
The data controller shall notify the data recipient of the timeliness and reliability of the personal data disclosed by the data controller, unless this information is apparent from the data itself or from the circumstances.
Section 5: Data Protection Officer
Art. 12a Designation of the data protection officer and notification to the commissioner
1 If the controller of the data file wishes to be exempted from the obligation to register the data file pursuant to Article 11a paragraph 5 letter e FADP, he must:
a. designate an operational data protection officer who meets the requirements of paragraph 2 and of Article 12b; and
b. inform the Commissioner of the designation of the data protection officer.
2 The owner of the data collection may designate an employee or a third party as data protection officer. This person may not perform any other activities that are incompatible with his/her duties as data protection officer and must have the required expertise.
Art. 12b Tasks and position of the data protection officer
1 The data protection officer has the following tasks in particular:
a. It reviews the processing of personal data and recommends corrective measures if it finds that data protection regulations have been violated.
b. It shall maintain a list of the data files pursuant to Article 11a paragraph 3 FADP kept by the data file owner; this list shall be made available to the commissioner or to data subjects who submit a request to this effect.
2 The Data Protection Officer:
a. exercises his function in a professionally independent manner, without being subject to instructions from the owner of the data collection in this respect;
b. has the resources necessary to perform its duties;
c. has access to all data collections and data processing, as well as to all information he needs to fulfill his task.
Chapter 2: Processing of Personal Data by Federal Bodies
Section 1: Right to information
Art. 13 Modalities
Articles 1 and 2 shall apply mutatis mutandis to requests for information addressed to federal bodies.
Art. 14 Requests for information to Swiss diplomatic missions abroad
1 Switzerland’s representations abroad and its missions to the European Communities and to international organizations shall forward requests for information submitted to them to the competent office in the Federal Department of Foreign Affairs. The Department regulates the responsibilities.
2 In all other respects, the provisions of the Ordinance of 10 December 2004 on Military Control apply to requests for information on military control abroad.
Section 2: Registration of data collections
Art. 16 Registration
1 The responsible federal bodies (Art. 16 FADP) shall notify the Commissioner of all data collections they maintain before they are opened. The notification shall contain the following information:
a. Name and address of the responsible federal body;
b. Name and full name of the data collection;
c. the body to which the right of access may be asserted;
d. Legal basis and purpose of data collection;
e. Categories of personal data processed;
f. Categories of recipients of the data;
g. Categories of participants in the data collection, i.e. third parties who may enter and modify data in a data collection.
2 The responsible federal body updates this information on an ongoing basis.
Art. 18 Exemptions from the obligation to register
1 The following data collections are not subject to the obligation to register, provided that the federal bodies use them exclusively for internal administrative purposes:
a. Correspondence registries;
b. Data collections from suppliers or customers, insofar as they do not contain any personal data or personality profiles requiring special protection;
c. Address collections that are used solely for addressing purposes, provided they do not contain any personal data or personality profiles that require special protection;
d. Lists for compensation payments;
e. Accounting records;
f. Auxiliary data collections for federal personnel administration, insofar as they do not contain any personal data or personality profiles requiring special protection;
g. Library data collections (author catalogs, borrower and user directories).
2 Also not subject to the registration requirement:
a. Data collections archived at the Federal Archives;
b. Data collections made available to the public in the form of directories;
c. Data collections whose data are used exclusively for non-personal purposes, namely in research, planning and statistics.
3 The federal body responsible shall take the necessary measures to be able to communicate the information (Art. 16 para. 1) on data files not subject to the obligation to declare to the Commissioner or to the data subjects upon request.
Section 3: Disclosure abroad
If a federal body discloses personal data abroad on the basis of Article 6 paragraph 2 letter a FADP, Article 6 shall apply.
Section 4: Technical and organizational measures
Art. 20 Principles
1 The federal bodies responsible shall take the technical and organizational measures required in accordance with Articles 8 – 10 to protect the personality and fundamental rights of the persons about whom data are processed. In the case of automated data processing, the federal bodies shall cooperate with the Federal Strategy Unit for IT (FSUIT).
2 The federal bodies responsible shall notify the data protection officer pursuant to Article 11a paragraph 5 letter e FADP or, if there is no such officer, the Commissioner without delay of all projects involving the automated processing of personal data so that the requirements of data protection are taken into account immediately. The notification to the Commissioner shall be made via the FSUIT if the project must also be notified to the latter.
3 The Commissioner and the FSUIT shall cooperate within the framework of their activities concerning technical measures. The Commissioner shall obtain the opinion of the FSUIT before recommending such measures.
4 In all other respects, the directives issued by the responsible federal bodies on the basis of the Federal IT Ordinance of September 26, 2003 are applicable.
Art. 21 Processing regulations
1 The responsible federal bodies shall establish processing regulations for automated data collections that:
a. contain particularly sensitive data or personality profiles;
b. are used by several federal bodies;
c. are made available to cantons, foreign authorities, international organizations or private persons; or
d. are linked to other data collections.
2 The responsible federal body defines its internal organization in the processing regulations. These regulations describe in particular the data processing and control procedures and contain all the documents relating to the planning, implementation and operation of the data collection. The regulations contain the information required for the reporting obligation (Art. 16) as well as information on:
a. the body responsible for data protection and data security of the data;
b. the origin of the data;
c. the purposes for which the data are regularly disclosed;
d. the control procedures and in particular the technical and organizational measures pursuant to Article 20;
e. the description of the data fields and the organizational units that have access to them;
f. The nature and extent of access by users of the data collection;
g. the data processing procedures, in particular those relating to the rectification, blocking, anonymization, storage, retention, archiving or destruction of the data;
h. the configuration of the informatics means;
i. the procedure for exercising the right to information.
3 The regulations are updated regularly. They are made available to the responsible control bodies in a form that they can understand.
2 The federal body that has personal data processed by third parties remains responsible for data protection. It shall ensure that the data are processed in accordance with the mandate, in particular with regard to their use and disclosure.
3 If the third party is not subject to the FADP, the responsible body shall ensure that other legal provisions guarantee equivalent data protection, otherwise it shall ensure this by contractual means.
Art. 23 Advisor for data protection
1 The Federal Chancellery and the departments shall each designate at least one advisor for data protection. This advisor has the following tasks:
a. Support of the responsible bodies and users;
b. Promote information and training of employees;
c. Participate in the enforcement of data protection regulations.
2 If federal bodies wish to be exempted from the obligation to register their data files pursuant to Article 11a paragraph 5 letter e FADP, Articles 12a and 12b shall apply.
3 Federal bodies communicate with the Commissioner through the advisor.
Section 5: Special provisions
Art. 24 Obtaining personal data
If the person questioned is not obliged to provide information, the federal body systematically obtaining the personal data by means of a questionnaire must inform him or her that the provision of information is voluntary.
Art. 25 Personal identification number
1 The federal body that introduces a personal identification number for the management of its data collection creates a non-speaking number that is used in its own field of activity. A non-speaking number is any unique or reversibly unique sum of characters assigned to each person registered in a data collection, from which no conclusions can be drawn about the person.
2 The use of the personal identification number by other federal or cantonal bodies and by private persons must be authorized by the federal body concerned.
3 Authorization may be granted if there is a close connection between the intended data processing and the data processing for which the personal identification number was created.
4 In all other respects, the use of the AHV number is governed by AHV legislation.
Art. 26 Disclosure of data
The responsible federal body shall notify the data recipient of the timeliness and reliability of the personal data disclosed by it, unless this information is evident from the data itself or from the circumstances.
Art. 27 Procedure for the approval of pilot trials
1 Prior to consulting the interested administrative units, the federal body responsible for the pilot test shall set out for the attention of the Commissioner how compliance with the requirements under Article 17a FADP is to be ensured and shall invite the Commissioner to submit comments.
2 The Commissioner shall comment on whether the licensing requirements under Article 17a paragraphs 1 and 2 FADP are met. The competent federal body shall provide him with all documents necessary for this purpose, in particular:
a. A general description of the pilot test;
b. a report proving that the fulfillment of the tasks provided for by law requires the processing of personal data or personality profiles requiring special protection and that a test phase is mandatory in the formal sense before the law enters into force (Art. 17a para. 1 let. c FADP);
c. a description of the internal organization and the data processing and control procedures (Art. 21);
d. a description of the security and data protection measures;
e. the draft or concept of an ordinance regulating the details of processing;
f. the information concerning the planning of the different phases of the pilot test.
3 The commissioner may request further documents and make additional clarifications.
4 The competent federal body shall inform the Commissioner of any important change affecting compliance with the requirements of Article 17a FADP. The Commissioner shall comment again if necessary.
5 The opinion of the commissioner shall be attached to the application to the Federal Council.
Art. 27a Evaluation report for pilot tests
The competent federal body shall submit the draft evaluation report to the Federal Council (Art. 17a Para. 4 FADP) for the Commissioner’s opinion. The commissioner’s opinion shall be brought to the attention of the Federal Council.
Chapter 3: Register of Data Collections, Federal Data Protection and Information Commissioner and Proceedings before the Federal Administrative Court
Section 1: Register and registration of data collections
Art. 28 Register of data collections
1 The register kept by the Commissioner shall contain the information referred to in Articles 3 and 16.
2 The register is accessible to the public online. The commissioner shall provide excerpts free of charge upon request.
3 The Commissioner shall maintain a list of data file owners who are exempt from their obligation to register data files in accordance with Article 11a paragraph 5 letters e and f FADP. This directory is accessible to the public online.
4 If the owner of the data file does not register his data file or does not register it completely, the commissioner shall set him a deadline to comply with his obligations. After expiry of the deadline, he may, on the basis of the information available to him, register the data file ex officio or recommend that it be discontinued.
Section 2: Federal Data Protection and Information Commissioner
Art. 30 Seat and legal status
1 The seat and secretariat of the commissioner are located in Bern.
2 The employment relationship of the secretariat of the Commissioner is governed by the Federal Personnel Act of March 24, 2000 and its implementing provisions.
3 The Commissioner’s budget is listed in a special section of the Chancellor’s Office budget.
Art. 31 Relations with other authorities and private persons
1 The Commissioner shall communicate with the Federal Council through the Federal Chancellor. The latter shall forward all recommendations and reports of the Commissioner to the Federal Council, even if he cannot agree with them.
1bis The Commissioner shall transmit the reports intended for the Federal Assembly directly to the Parliamentary Services.
2 The Commissioner shall communicate directly with the other administrative units, the federal courts, foreign data protection authorities and with all other authorities and private persons subject to federal data protection legislation or legislation on the principle of administrative openness.
Art. 32 Documentation
1 The federal bodies shall submit to the Commissioner all draft legislation relating to the processing of personal data, data protection and access to official documents. In the area of data protection, the departments and the Federal Chancellery notify him of their decisions in anonymized form as well as their guidelines.
2 The commissioner must have documentation sufficient for his activity. He shall operate an independent information and documentation system for the management, indexing and control of correspondence and dossiers, as well as for the publication of information of general interest and the register of data collections on the Internet.
3 The Federal Administrative Court has access to the scientific documentation of the Commissioner.
Art. 33 Fees
1 A fee is charged for the expert opinions (Art. 28 FADP) of the commissioner. The provisions of the General Fees Ordinance of 8 September 2004 are applicable.
2 No fee is charged to administrative units of the Confederation, authorities and cantons.
Art. 34 Checking the processing of personal data
1 For the clarification of the facts pursuant to Articles 27 and 29 FADP, in particular when checking the lawfulness of the data processing, the Commissioner may request the following information in particular from the controller of the data file:
a. technical and organizational measures (Art. 8 – 10, 20) that have been taken or are planned;
b. the regulations concerning the correction, blocking, anonymization, storage, retention and destruction of personal data;
c. the configuration of the informatics means;
d. the links with other data collections;
e. the method of disclosure of the data;
f. the description of the data fields and the organizational units that have access to them;
g. The type and extent of user access to data in the data collection.
2 In the case of disclosures abroad, the commissioner may request additional information, in particular about the processing possibilities of the data recipient or about the measures taken for data protection.
Section 3: Proceedings before the Federal Administrative Court
1 The Federal Administrative Court may request that data processing operations be submitted to it.
2 It shall notify the commissioner of its decisions.
Chapter 4: Final Provisions
Art. 36 Amendment of the previous law
Art. 37 Transitional provisions
1 Data collections in process at the time of enactment of the Privacy Act and this regulation shall be registered with the Commissioner by June 30, 1994.
2 The technical and organizational measures (Articles 8 – 11, 20 and 21) must be implemented within five years of the entry into force of this Ordinance for all automated processing and data collection.
Art. 38 Entry into force
This Regulation shall enter into force on July 1, 1993.