DSV in English

The English translation is by Hugh Reeves and Corinne Gilgen (both Walder Wyss). It may be used under a CC BY-ND 4.0 licence. A PDF version can be found here. The German version can be found here.


Chapter 1 General Provisions

Section 1 Data Security

Art. 1 Principles

1 In order to ensure adequate data security, the controller and the processor must determine the need for protection of personal data and specify the technical and organisational measures that are appropriate in view of the risk.

2 The need for protection of personal data is assessed according to the following criteria:

a. the type of data processed;
b. the purpose, nature, extent and circumstances of the processing.

3 The risk to the personality or fundamental rights of the data subject is assessed according to the following criteria:

a. causes of the risk;
b. main dangers;
c. measures taken or envisaged to reduce the risk;
d. the likelihood and severity of a data security breach despite the measures taken or envisaged.

4 The following criteria shall also be taken into account when determining the technical and organisational measures:

a. the state of the art;
b. costs of implementation.

5 The need for protection of personal data, the risk and the technical and organisational measures shall be reviewed over the entire processing period. The measures shall be adapted if necessary.

Art. 2 Objectives

The controller and the processor must take technical and organisational measures to ensure that in accordance with its need for protection the data processed is:

a. only accessible to authorised persons (confidentiality);
b. available when it is needed (availability);
c. not changed by unauthorised persons or not changed unintentionally (integrity);
d. processed in a traceable manner (traceability).

Art. 3 Technical and organisational measures

1 In order to ensure confidentiality, the controller and the processor must take appropriate measures to guarantee that:

a. access by authorised persons is limited to the personal data that they require to fulfil their tasks (access control);
b. unauthorised persons are denied access to the premises and installations in which personal data is being processed (entrance control);
c. unauthorised persons may not use automated data processing systems by means of devices for data transmission (usage control).

2 In order to ensure availability and integrity, the controller and the processor must take appropriate measures to guarantee that:

a. unauthorised persons may not read, copy, alter, move, delete or destroy data carriers (data carrier control);
b. unauthorised persons may not store, read, change, delete or destroy personal data in storage (storage control);
c. when disclosing personal data and during the transport of data carriers, unauthorised persons may not read, copy, alter, delete or destroy personal data (transport control);
d. the availability of and access to personal data can be rapidly restored in the event of a physical or technical incident (recovery);
e. all functions of the automated data processing system are available (availability), that malfunctions are reported (reliability) and that stored personal data cannot be damaged by system malfunctions (data integrity);
f. operating systems and application software are always kept up to date and known critical gaps are closed (system security).

3 In order to ensure traceability, the controller and the processor must take appropriate measures to guarantee that:

a. it can be checked what personal data is entered or altered in the automated data processing system, at what time and by which person (input control);
b. it can be checked to whom personal data has been disclosed by means of devices for data transmission (disclosure control);
c. data security breaches can be quickly detected (detection), and measures can be taken to mitigate or eliminate their impact (elimination).

Art. 4 Records

1 If sensitive personal data is processed automatically on a broad scale or if high-risk profiling is carried out and the preventive measures cannot guarantee data protection, the private controller and its private processor must at least record the storage, alteration, reading, disclosure, deletion and destruction of the data. The records must be kept in particular if it is otherwise not possible to establish retroactively whether the data was processed for the purposes for which it was collected or disclosed.

2 During the automated processing of personal data, the federal body responsible and its processor shall at least record the storage, alteration, reading, disclosure, deletion or destruction of the data.

3 In the case of personal data that is generally accessible to the public, the storage, alteration, deletion and destruction of the data must at least be recorded.

4 The records must provide information on the identity of the person who carried out the processing, the nature, date and time of the processing and, if applicable, the identity of the recipient of the data.

5 The records must be kept for at least one year separately from the system in which the personal data is being processed. They must be accessible only to the bodies and persons responsible for monitoring the application of data protection regulations or for maintaining or restoring the confidentiality, integrity, availability and traceability of the data, and may only be used for this purpose.

Art. 5 Processing policy for private persons

1 The private controller and its private processor must draw up a processing policy for automated processing if they:

a. process sensitive personal data on a broad scale; or
b. carry out high-risk profiling.

2 The processing policy must in particular contain information on the internal organisation, the data processing and control procedure and the measures taken to ensure data security.

3 The private controller and its private processor must update the processing policy regularly. If a data protection advisor has been appointed, the processing policy must be made available to such advisor.

Art. 6 Processing policy for federal bodies

1 The federal body responsible and its processor shall draw up a processing policy for automated processing if they:

a. process sensitive personal data;
b. carry out a profiling;
c. process personal data in accordance with Article 34(2)(c) FADP;
d. make personal data accessible to cantons, foreign authorities, international organisations or private persons;
e. interlink data files; or
f. operate an information system in conjunction with other federal bodies or manage data files.

2 The processing policy must in particular contain information on the internal organisation, the data processing and control procedure and the measures taken to ensure data security.

3 The federal body responsible and its processor must update the processing policy regularly and make it available to the data protection advisor.
Section 2 Data Processing by Processors

Art. 7

1 The prior authorisation of the controller allowing the processor to transfer the data processing to a third party may be of a specific or general nature.

2 In the case of a general authorisation, the processor shall inform the controller of any intended changes with regard to the involvement or replacement of other third parties. The controller may object to such changes.

Section 3 Cross-Border Disclosure of Personal Data

Art. 8 Assessment of the adequacy of the level of data protection of a State, a territory, a specific sector in a State or an international body

1 The States, territories, specific sectors in a State and international bodies with an adequate level of data protection are listed in Annex 1.

2 The assessment of whether a State, territory, specific sector within a State or international body ensures an adequate level of data protection must in particular be based on the following criteria:

a. the international obligations of the State or international body in particular with respect to data protection;
b. the rule of law and respect for human rights;
c. the applicable legislation in particular on data protection and its implementation, and the relevant case law;
d. the effective guarantee of the rights of data subjects and of judicial protection;
e. the effective functioning of one or more independent authorities competent for data protection matters in the State concerned or to which an international body is answerable, and which have sufficient powers and competences.

3 The Federal Data Protection and Information Commissioner (FDPIC) shall be consulted on each assessment. The assessments of international bodies or foreign authorities responsible for data protection may be taken into account.

4 The adequacy of the level of data protection shall be reassessed periodically.

5 The assessments shall be published.

6 If an assessment under paragraph 4 or other information indicates that an adequate level of data protection is no longer ensured, Annex 1 shall be amended. This amendment has no effect on data disclosures made prior thereto.

Art. 9 Data protection provisions and specific safeguards

1 The data protection provisions of a contract in accordance with Article 16(2)(b) FADP and the specific safeguards in accordance with Article 16(2)(c) FADP must at least contain the following aspects:

a. the application of the principles of lawfulness, good faith, proportionality, transparency, purpose limitation and accuracy;
b. the categories of personal data disclosed as well as the data subjects;
c. the nature and purpose of the disclosure of personal data;
d. where applicable, the names of the States or international bodies to which personal data is disclosed and the requirements for disclosure;
e. the requirements for the retention, deletion and destruction of personal data;
f. the recipients or the categories of recipients;
g. the measures to ensure data security;
h. the duty to report data security breaches;
i. if recipients are controllers: the duty to inform the data subjects of the processing;
j. the rights of the data subjects, in particular:

1. access right and right of data portability,
2. right to object to the disclosure of data,
3. right to correction, deletion or destruction of personal data,
4. right to seek judicial protection from an independent authority.

2 The controller and, in the case of data protection provisions of a contract, the processor must take appropriate measures to ensure that the recipient complies with these provisions or the specific safeguards.

3 If the FDPIC has been informed of the data protection provisions of a contract or the specific safeguards, the duty of information shall be deemed to be fulfilled for all further disclosures that:

a. are made subject to the same data protection provisions or safeguards, provided the categories of recipients, the purpose of the processing and the data categories remain essentially unchanged; or
b. take place within the same legal person or company or between legal persons or companies belonging to the same group.

Art. 10 Standard data protection clauses

1 If the controller or the processor discloses personal data abroad by means of standard data protection clauses in accordance with Article 16(2)(d) FADP, the controller or the processor shall take appropriate measures to ensure that the recipient complies therewith.

2 The FDPIC has published a list of standard data protection clauses that he has approved, established or recognised. He shall communicate the result of his examination of the standard data protection clauses submitted to him within 90 days.

Art. 11 Binding corporate rules on data protection

1 Binding corporate rules on data protection in accordance with Article 16(2)(e) FADP apply to all companies belonging to the same group.

2 They shall at least contain the aspects mentioned in Article 9(1) as well as the following information:

a. the organisation and contact details of the group and its companies;
b. the measures taken within the group to ensure compliance with the binding corporate rules on data protection.

3 The FDPIC shall communicate the result of his examination of the binding corporate rules on data protection submitted to him within 90 days.

Art. 12 Codes of conduct and certifications

1 Personal data may be disclosed abroad if an adequate level of data protection is ensured by a code of conduct or certification.

2 The code of conduct must be submitted to the FDPIC for prior approval.

3 The code of conduct or certification must be linked to a binding and enforceable obligation on the part of the controller or the processor in the third country to apply the measures contained therein.
Chapter 2 Duties of the Controller

Art. 13 Modalities of the duty of information

The controller must communicate to the data subject the information on the collection of personal data in a precise, transparent, comprehensible and easily accessible form.

Art. 14 Retention of data protection impact assessment

The controller must retain the data protection impact assessment for at least two years after termination of the data processing activity.

Art. 15 Notification of data security breaches

1 The notification of a data security breach to the FDPIC must contain the following information:

a. the nature of the data security breach;
b. as far as possible, the time and duration of the data security breach;
c. as far as possible, the categories and the approximate number of personal data concerned;
d. as far as possible, the categories and the approximate number of data subjects;
e. the impact, including any risks, for the data subjects;
f. what measures have been taken or are envisaged to remedy the defect and mitigate the impact, including any risks;
g. the name and contact details of a contact person.

2 If the controller is unable to provide all the information at the same time, it shall provide the missing information as soon as possible.

3 If the controller is obliged to inform the data subjects, the controller shall inform the data subjects in simple and comprehensible language of at least the information referred to in paragraph 1 letters a and e – g.

4 The controller must document data security breaches. The documentation must contain all facts relating to the incidents, their effects and the measures taken. The documentation must be retained for at least two years from the date of notification according to paragraph 1.
Chapter 3 Rights of the Data Subject

Section 1 Access Right

Art. 16 Modalities

1 Anyone who requests information from the controller as to whether personal data about him or her is being processed must do so in writing. If the controller agrees, the request may also be made verbally.

2 The information shall be provided in writing or in the form in which the data is available. With the agreement of the controller, the data subject may also inspect his or her data in situ. The information may be provided verbally if the data subject agrees.

3 The information request and the provision of information may be made electronically.

4 The information must be provided to the data subject in a comprehensible form.

5 The controller must take reasonable measures to identify the data subject. Data subjects are obliged to cooperate.

Art. 17 Responsibilities

1 If several controllers jointly process personal data, the data subject may assert his or her access right against each controller.

2 If the information request relates to data that is being processed by a processor, the processor shall assist the controller in providing the information, unless the processor is responding to the request on behalf of the controller.

Art. 18 Time limits

1 The information must be provided within 30 days of receipt of the information request.

2 If the information cannot be provided within 30 days, the controller must notify the data subject thereof and of the period within which the information will be provided.

3 If the controller refuses, restricts or defers the provision of the information, it must notify the data subject thereof within the same period.

Art. 19 Exceptions to the exemption from costs

1 The controller may request from the data subject the payment of an appropriate share of the costs if the provision of information involves a disproportionate effort.

2 The share of the costs amounts to a maximum of 300 Swiss Francs.

3 The controller must inform the data subject of the amount of the share before the information is provided. If the data subject does not confirm the information request within ten days, it shall be deemed to have been withdrawn without incurring any costs. The time limit in accordance with Article 18(1) shall begin to run after the expiry of the ten-day reflection period.

Section 2 Right of Data Portability

Art. 20 Scope of claim

1 Personal data which the data subject has disclosed to the controller is deemed to be:

a. data that the data subject knowingly and willingly makes available to the controller;
b. data collected by the controller about the data subject and his or her behaviour in the context of the use of a service or device.

2 Personal data generated by the controller through its own evaluation of the personal data provided or observed shall not be deemed to be personal data which the data subject has disclosed to the controller.

Art. 21 Technical requirements for implementation

1 Common electronic formats are those that allow the personal data to be transferred with a reasonable effort and to be further used by the data subject or another controller.

2 The right of data portability does not create an obligation for the controller to adopt or maintain technically compatible data processing systems.

3 A disproportionate effort for the transfer of personal data to another controller exists if the transfer is technically not possible.

Art. 22 Time limits, modalities and responsibilities

Articles 16(1) and (5), and 17 – 19 apply mutatis mutandis to the right of data portability.
Chapter 4 Special Provisions for Data Processing by Private Persons

Art. 23 Data protection advisor

The controller must provide the data protection advisor with:

a. the necessary resources;
b. access to all information, documents, inventories of processing activities and personal data that the data protection advisor requires in order to fulfil his or her duties;
c. the right to inform the highest management or administrative body in important cases.

Art. 24 Exemptions from the duty to keep an inventory of processing activities

Companies and other organisations under private law which employ fewer than 250 members of staff on 1 January of a year, as well as natural persons, are exempt from the duty to keep an inventory of processing activities, unless one of the following conditions is met:

a. Sensitive personal data is being processed on a broad scale.
b. High-risk profiling is carried out.
Chapter 5 Special Provisions for Data Processing by Federal Bodies

Section 1 Data Protection Advisor

Art. 25 Appointment

Each federal body appoints a data protection advisor. Several federal bodies may jointly appoint a data protection advisor.

Art. 26 Requirements and duties

1 The data protection advisor must meet the following requirements:

a. The data protection advisor has the necessary professional knowledge.
b. The data protection advisor performs his or her function towards the federal body in a professionally independent manner and without being bound by instructions.

2 The data protection advisor must perform the following duties:

a. The data protection advisor assists in the application of the data protection regulations, in particular by:

1. auditing the processing of personal data and recommending corrective measures if an infringement of the data protection regulations is detected;
2. advising the controller on the preparation of the data protection impact assessment and reviewing its implementation.

b. The data protection advisor serves as a contact point for data subjects.
c. The data protection advisor trains and advises the members of staff of the federal body on data protection matters.

Art. 27 Duties of the federal body

1 The federal body has the following duties towards the data protection advisor:

a. The federal body shall grant the data protection advisor access to all information, documents, inventories of processing activities and personal data that the data protection advisor requires in order to fulfil his or her duties.
b. The federal body shall ensure that the data protection advisor is informed of any data security breaches.

2 The federal body publishes the contact details of the data protection advisor on the internet and communicates them to the FDPIC.

Art. 28 Contact point of the FDPIC

The data protection advisor serves as a contact point for the FDPIC for questions relating to the processing of personal data by the federal body concerned.

Section 2 Duties of Information

Art. 29 Duty of information when disclosing personal data

The federal body responsible shall notify the recipient of the up-to-dateness, reliability and completeness of the personal data that it discloses, provided this information is not evident from the data itself or from the circumstances.

Art. 30 Duty of information in the case of systematic collection of personal data

Where a federal body collects personal data systematically, the federal body responsible must inform accordingly the data subjects who are not obliged to provide information.

Section 3 Notification to the FDPIC of Projects Involving Automated Processing of Personal Data

Art. 31

1 The federal body responsible shall notify the FDPIC of the planned automated processing activities at the time of the decision on the development of the project or the project approval.

2 The notification must include the information specified in Article 12(2)(a-d) FADP and the expected date of commencement of the processing activities.

3 The FDPIC shall include this notification in its register on processing activities.

4 The federal body responsible shall update the notification at the time of the transition into productive operation or when the project is discontinued.

Section 4 Pilot Projects

Art. 32 Indispensability of pilot project

A pilot project is indispensable if one of the following conditions is met:

a. The fulfilment of a task requires technical innovations, the effects of which must first be evaluated.
b. The fulfilment of a task requires significant organisational or technical measures, the effectiveness of which must first be evaluated, in particular in the case of cooperation between federal and cantonal bodies.
c. The fulfilment of a task requires that personal data be accessible in a retrieval procedure.

Art. 33 Procedure for authorisation of pilot project

1 Before consulting the interested administrative units, the federal body responsible for the pilot project shall communicate as to how it is intended to meet compliance with the requirements of Article 35 FADP, and invite the FDPIC to comment thereon.

2 The FDPIC shall comment on the issue of whether the authorisation requirements in terms of Article 35 FADP are fulfilled. The federal body shall provide him with all the documents required, and in particular with:

a. a general description of the pilot project;
b. a report that proves that the fulfilment of tasks provided for by law requires a processing in accordance with Article 34(2) FADP and that a test phase before a formal law enters into force is indispensable;
c. a description of the internal organisation as well as the data processing and control procedures;
d. a description of the security and data protection measures;
e. the draft of or the concept for an ordinance that regulates the details of the processing;
f. the planning of the various phases of the pilot project.

4 The federal body shall inform the FDPIC of any important modification relating to compliance with the requirements of Article 35 FADP. If required, the FDPIC shall again state his views thereon.

5 The opinion of the FDPIC must be included in the application to the Federal Council.

6 Automated data processing is regulated in an ordinance.

Art. 34 Evaluation report

1 The competent federal body shall submit the draft of the evaluation report for the Federal Council to the FDPIC for comment.

2 The competent federal body shall submit the evaluation report with the opinion of the FDPIC to the Federal Council.

Section 5 Data Processing for Research, Planning and Statistics

Art. 35

If personal data is processed for purposes not related to specific persons, in particular research, planning and statistics, and at the same time for another purpose, the exceptions under Article 39(2) FADP are only applicable to processing for the purposes not related to specific persons.
Chapter 6 Federal Data Protection and Information Commissioner

Art. 36 Headquarters and permanent secretariat

1 The FDPIC’s headquarters are located in Bern.

2 The employment of the members of the FDPIC’s permanent secretariat is governed by the Federal Personnel Act. The employees are insured with the Federal Pension Fund within the framework of the Federal Pension Plan.

Art. 37 Communication channel

1 The FDPIC communicates with the Federal Council via the Federal Chancellor. The Federal Chancellor shall pass on any proposals, opinions and reports from the FDPIC unchanged to the Federal Council.

2 The FDPIC submits reports to the Federal Assembly via the Parliamentary Services.

Art. 38 Notification of decisions, guidelines and projects

1 The departments and the Federal Chancellery notify the FDPIC of their data protection decisions as well as their data protection guidelines in anonymised form.

2 The federal bodies shall submit to the FDPIC all draft legislation that relates to the processing of personal data, data protection or access to official documents.

Art. 39 Processing of personal data

The FDPIC may process personal data, including sensitive personal data, in particular for the following purposes:

a. to carry out his supervisory activities;
b. to carry out his advisory activities;
c. to cooperate with federal, cantonal and foreign authorities;
d. to perform tasks within the framework of the penal provisions under the FADP;
e. to conduct mediation proceedings and to issue recommendations in accordance with the Freedom of Information Act of 17 December 2004;
f. to carry out evaluations in accordance with the FoIA;
g. to carry out procedures for access to official documents in accordance with the FoIA;
h. to inform parliamentary oversight;
i. to inform the public;
j. to carry out his training activities.

Art. 40 Self-regulation

The FDPIC draws up a processing policy for all automated processing activities. Article 6(1) shall not apply.

Art. 41 Cooperation with the NCSC

1 The FDPIC may pass on the notification of a data security breach to the National Cyber Security Centre (NCSC) for analysis of the incident with the consent of the controller that is subject to the notification duty. The notification may contain personal data.

2 The FDPIC shall invite the NCSC to submit its comments before ordering the federal body to take the measures in accordance with Article 8 FADP.

Art. 42 Register on processing activities of federal bodies

1 The register on the processing activities of federal bodies contains the information provided by the federal bodies according to Article 12(2) FADP and Article 31(2) of this Ordinance.

2 The register is published on the internet. The register entries on planned automated processing activities in accordance with Article 31 shall not be published.

Art. 43 Codes of conduct

If a code of conduct is submitted to the FDPIC, he shall state in his opinion whether the code of conduct meets the requirements of Article 22(5)(a) and (b) FADP.

Art. 44 Fees

1 The fees charged by the FDPIC are based on the time spent.

2 An hourly rate of 150 to 250 Swiss Francs applies, depending on the function of the staff performing the task.

3 In the case of services of exceptional scope, particular difficulty or urgency, surcharges of up to 50 percent of the fees pursuant to paragraph 2 may be levied.

4 If the service provided by the FDPIC can be further used for commercial purposes by the person who is obliged to pay the fees, surcharges of up to 100 percent of the fees pursuant to paragraph 2 may be levied.

5 In all other respects, the General Fees Ordinance of 8 September 2004 applies.
Chapter 7 Final Provisions

Art. 45 Repeal and amendments of other legislation

The repeal and the amendments of other legislation are set forth in Annex 2.

Art. 46 Transitional provisions

1 For data processing activities that do not fall within the scope of Directive (EU) 2016/680, Article 4(2) shall apply at the latest three years after the entry into force of this Ordinance or at the latest at the end of the life cycle of the system. In the meantime, such processing activities shall be subject to Article 4(1).

2 Article 8(5) shall not apply to assessments carried out before the entry into force of this Ordinance.

3 Article 31 shall not apply to planned automated processing activities for which, at the time of entry into force of this Ordinance, the project has already been approved or the decision on the development of the project has already been made.

Art. 47 Entry into force

This Ordinance comes into force on 1 September 2023.
Annex 1

(Article 8(1))

States, territories, specific sectors in a State and international bodies with an adequate level of data protection

1. Germany*
2. Andorra *
3. Argentina *
4. Austria*
5. Belgium*
6. Bulgaria *
7. Canada *

An adequate level of data protection is ensured when the Canadian federal law “Loi sur la protection des renseignements personnels et les documents électroniques” of 13 April 2000 (Personal Information Protection and Electronic Documents Act) in the private sphere or a Canadian provincial law applies that is broadly equivalent to the federal law. The federal law applies to personal data that is collected, processed or disclosed in the context of commercial activities, irrespective of whether this is done by organisations such as associations, partnerships, individuals and trade unions or federally regulated entities such as facilities, plants, undertakings or business activities that fall within the legislative jurisdiction of the Canadian Parliament. The provinces of Québec, British Columbia and Alberta have enacted legislation that is broadly equivalent to the federal law. The provinces of Ontario, New Brunswick, Newfoundland and Labrador and Nova Scotia have enacted legislation that is broadly equivalent to the federal law with respect to health data. In all Canadian provinces the federal law applies to all personal data collected, processed or disclosed by federally regulated entities, including employee data of those entities. The federal law also applies to personal data transferred to another province or country in the course of commercial activities.

8. Cyprus *
9. Croatia *
10. Denmark*
11. Spain*
12. Estonia*
13. Finland*
14. France*
15. Gibraltar *
16. Greece*
17. Guernsey *
18. Hungary*
19. Isle of Man *
20. Faroe Islands *
21. Ireland *
22. Iceland*
23. Israel *
24. Italy*
25. Jersey *
26. Latvia*
27. Liechtenstein*
28. Lithuania*
29. Luxembourg*
30. Malta*
31. Monaco *
32. Norway*
33. New Zealand *
34. Netherlands*
35. Poland*
36. Portugal*
37. Czech Republic*
38. Romania *
39. United Kingdom
40. Slovakia*
41. Slovenia*
42. Sweden*
43. Uruguay *

The data protection adequacy assessment includes the disclosure of personal data in accordance with Directive (EU) 2016/680.

The data protection adequacy assessment includes the disclosure of personal data in accordance with an implementing decision of the European Commission determining data protection adequacy under Directive (EU) 2016/680.

The data protection adequacy assessment does not include the disclosure of personal data in the context of the cooperation provided for by Directive (EU) 2016/680.