Stand am 4.10.2020.

Die Übersetzung ins Englische stammt von Hugh Reeves und Corinne Gilgen (beide Walder Wyss). Sie kann unter einer CC BY-ND 4.0‑Lizenz verwendet werden. Eine Fassung als PDF findet sich hier.
Text des revDSG gemäss Schlussabstimmung; einzelne Hervorhebungen hinzugefügt
Die deutsche Fassung findet sich hier mit Botschaft und hier ohne Botschaft.

ausklappen | einklappen

Chapter 1: Purpose, Scope and Supervisory Authority of the Confederation

Art. 1 Purpose

This Act aims to protect the personality rights and the fundamental rights of natural persons whose personal data is processed.

Art. 2 Personal and material scope

1 This Act applies to the processing of personal data pertaining to natural persons by:

a. private persons;

b. federal bodies.

2 It does not apply to:

a. personal data that is processed by a natural person exclusively for personal use;

b. personal data that is processed by the Federal Chambers and parliamentary committees in connection with their deliberations;

c. personal data that is processed by institutional beneficiaries according to Article 2 paragraph 1 of the Host State Act of 22 June 2007, which enjoy immunity in Switzerland.

3 The processing of personal data and the rights of the data subjects in court proceedings and proceedings governed by the federal rules of procedure are governed by the applicable procedure law. The present Act applies to first instance administrative proceedings.

4 The public registers pertaining to private law relationships, in particular the access to these registers and the rights of the data subjects, are governed by the special provisions of the applicable federal law. If the special provisions do not contain any rules, this Act shall apply.

Art. 3 Territorial scope

1 This Act is applicable to fact patterns that have an effect in Switzerland, even if they occurred abroad.

2 The Federal Act of 18 December 1987 on Private International Law applies to claims under civil law. The provisions on the territorial scope of the Swiss Criminal Code remain reserved.

Art. 4 Federal Data Protection and Information Commissioner

1 The Federal Data Protection and Information Commissioner (FDPIC) supervises the proper application of the federal data protection regulations.

2 The following are excluded from the FDPIC’s supervision:

a. the Federal Assembly;

b. the Federal Council;

c. the federal courts;

d. the Office of the Attorney General of the Confederation as regards the processing of personal data in criminal proceedings;

e. federal authorities as regards the processing of personal data in the context of a jurisdictional activity or of international mutual assistance proceedings in criminal matters.

Chapter 2: General Provisions

Section 1 Definitions and Principles

Art. 5 Definitions

The following definitions apply in this Act:

a. personal data: all information relating to an identified or identifiable natural person;

b. data subject: natural person whose personal data is processed;

c. sensitive personal data:

1. data on religious, ideological, political or trade union-related views or activities,

2. data on health, the intimate sphere or the racial or ethnic origin,

3. genetic data,

4. biometric data which unequivocally identifies a natural person,

5. data on administrative or criminal proceedings and sanctions,

6. data on social security measures;

d. processing: any operation with personal data, irrespective of the means and the procedures applied, and in particular the collection, recording, storage, use, modification, disclosure, archiving, deletion or destruction of data;

e. disclosure: transmitting or making personal data accessible;

f. profiling: any form of automated processing of personal data consisting of using such data to assess certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or whereabouts;

g. High-risk profiling: profiling which involves a high risk to the personality or fundamental rights of the data subject, as it creates a pairing between data that enables an assessment of essential aspects of the personality of a natural person;

h. data security breach: a security breach which leads to an unintentional or unlawful loss, deletion, destruction or modification of personal data or to personal data being disclosed or made accessible to unauthorised persons;

i. federal body: federal authority or service or person that is entrusted with federal public tasks;

j. controller: private person or federal body that alone or jointly with others decides on the purpose and the means of the processing;

k. processor: private person or federal body that processes personal data on behalf of the controller.

Art. 6 Principles

1 Personal data must be processed lawfully.

2 Processing must be carried out in good faith and must be proportionate.

3 Personal data may only be collected for a specific purpose which is evident to the data subject; personal data may only be processed in a way that is compatible with such purpose.

4 It is destroyed or anonymized as soon as it is no longer needed with regard to the purpose of the processing.

5 Anyone who processes personal data must ascertain that the data is accurate. He must take all appropriate measures so that the data which is inaccurate or incomplete with regard to the purposes for which it was collected or processed is corrected, deleted or destroyed. The appropriateness of the measures depends in particular on the nature and extent of the data processing and on the risks which the processing entails for the personality and fundamental rights of the data subjects.

6 If the consent of the data subject is required, such consent is only valid if it has been given freely and for one or several specific processing activities and after adequate information.

7 Consent must be given explicitly for:

a. the processing of sensitive personal data;

b. high-risk profiling by a private person; or

c. profiling by a federal body.

Art. 7 Data protection by design and by default

1 The controller must set up technical and organisational measures in order for the data processing to meet the data protection regulations and in particular the principles set out in Article 6. It considers this obligation from the planning of the processing.

2 The technical and organisational measures must be appropriate in particular with regard to the state of the art, the type and extent of processing, as well as the risks that the processing at hand poses to the personality and the fundamental rights of the data subjects.

3 The controller is additionally bound to ensure through appropriate pre-defined settings that the processing of the personal data is limited to the minimum required by the purpose, unless the data subject directs otherwise.

Art. 8 Data security

1 The controller and the processor must ensure, through adequate technical and organisational measures, security of the personal data that appropriately addresses the risk.

2 The measures must enable the avoidance of data security breaches.

3 The Federal Council shall issue provisions on the minimum requirements for data security.

Art. 9 Data processing by processors

1 The processing of personal data may be assigned by agreement or by legislation to a processor if:

a. the data is processed only in a manner permitted for the controller itself; and

b. no statutory or contractual duty of confidentiality prohibits the assignment.

2 The controller must ensure in particular that the processor is able to guarantee data security.

3 The processor may only assign the processing to a third party with the prior authorisation of the controller.

4 It may invoke the same justifications as the controller.

Art. 10 Data protection advisor

1 Private controllers may appoint a data protection advisor.

2 The data protection advisor is the contact point for the data subjects and for the competent data protection authorities responsible for data protection matters in Switzerland. In particular, he or she has the following duties:

a. to train and advise the private controller in matters of data protection;

b. the participation in the enforcement of data protection regulations.

3 Private controllers may invoke the exception set out in Article 23 paragraph 4 if the following requirements are fulfilled:

a. the data protection advisor performs his function towards the controller in a professionally independent manner and without being bound by instructions;

b. he does not perform any activities which are incompatible with his tasks as data protection advisor;

c. he possesses the necessary professional knowledge;

d. the controller publishes the contact details of the data protection advisor and communicates them to the FDPIC.

4 The Federal Council regulates the appointment of data protection advisors by the federal bodies.

Art. 11 Codes of conduct

1 Professional associations, industry associations and business associations whose statutes entitle them to defend the economic interests of their members, as well as federal bodies, may submit codes of conduct to the FDPIC.

2 The FDPIC states his opinion on the codes of conduct and publishes his opinion.

Art. 12 Inventory of processing activities

1 The controllers and the processors each keep an inventory of their processing activities.

2 The controller’s inventory contains at least the following information:

a. the controller’s identity;

b. the purpose of the processing;

c. a description of the categories of data subjects and the categories of the processed personal data;

d. the categories of the recipients;

e. if possible the period of storage of the personal data or the criteria to determine the period of storage;

f. if possible a general description of the measures to guarantee data security pursuant to Article 8;

g. in case of disclosure of data abroad, the name of the state in question and the guarantees according to Article 16 paragraph 2.

3 The processor’s inventory contains information on the identity of the processor and of the controller, the categories of processing activities performed on behalf of the controller as well as the information foreseen in paragraph 2 letters f and g.

4 The federal bodies notify the FDPIC of their inventories.

5 The Federal Council provides for exceptions for companies that have less than 250 members of staff and whose processing entails only a low risk of infringing the personality of the data subjects

Art. 13 Certification

1 The providers of data processing systems or software as well as the controllers and the processors may submit their systems, their products and their services for evaluation by recognised independent certification organisations.

2 The Federal Council issues regulations on the recognition of certification procedures and the introduction of a data protection quality label. In doing so, it shall take into account international law and internationally recognised technical norms.

Section 2 Data processing by private controllers with registered office or residence abroad

Art. 14 Representative

1 Private controllers with their domicile or residence abroad designate a representative in Switzerland if they process personal data of persons in Switzerland and the data processing fulfils the following requirements:

a. The data processing is connected to offering goods or services in Switzerland or to monitoring the behaviour of these persons.

b. The processing is extensive.

c. It is a regular processing.

d. The processing involves a high risk for the personality of the data subjects.

2 The representative serves as a contact point for the data subjects and the FDPIC.

3 The controller publishes the name and address of the representative.

Art. 15 Duties of the Representative

1 The representation office shall keep a register of the processing activities of the controller, which contains the information specified in Article 12 paragraph 2.

2 On request, it shall provide the FDPIC with the information contained in the register.

3 On request, it shall provide the data subject with information on how to exercise his rights.

Section 3 Cross-Border Disclosure of Personal Data

Art. 16 Principles

1 Personal data may be disclosed abroad if the Federal Council has determined that the legislation of the relevant State or international body guarantees an adequate level of protection.

2 In the absence of such a decision by the Federal Council under paragraph 1, personal data may be disclosed abroad only if appropriate protection is guaranteed by:

a. an international treaty;

b. data protection provisions of a contract between the controller or the processor and its contracting partner, which were communicated beforehand to the FDPIC;

c. specific safeguards prepared by the competent federal body and communicated beforehand to the FDPIC;

d. standard data protection clauses previously approved, established or recognised by the FDPIC;

e. binding corporate rules on data protection which were previously approved by the FDPIC, or by a foreign authority which is responsible for data protection and belongs to a state which guarantees adequate protection.

3 The Federal Council can provide for other adequate safeguards in the sense of paragraph 2.

Art. 17 Exceptions

1 By way of derogation from Article 16 paragraphs 1 and 2, personal data may be disclosed abroad if:

a. The data subject has explicitly consented to the disclosure;

b. The disclosure is directly connected with the conclusion or the performance of a contract:

1. between the controller and the data subject, or

2. between the controller and its contracting partner in the interest of the data subject;

c. Disclosure is necessary:

1. in order to safeguard an overriding public interest, or

2. for the establishment, exercise or enforcement of legal claims before a court or another competent foreign authority;

d. Disclosure is necessary in order to protect the life or the physical integrity of the data subject or a third party and it is not possible to obtain the consent of the data subject within a reasonable period of time;

e. The data subject has made the data generally accessible and has not expressly prohibited its processing;

f. The data originates from a register provided for by law which is accessible to the public or to persons with a legitimate interest, provided that the legal conditions for the consultation are met in the specific case.

2 The controller or the processor informs, upon request, the FDPIC of disclosures of personal data under paragraph 1, letters b, nr 2, c and d.

Art. 18 Publication of personal data in electronic format

If personal data is made generally accessible by means of automated information and communications services for the purpose of providing information to the general public, this is not deemed to be transborder disclosure, even if the data is accessible from abroad.

Chapter 3: Duties of the Controller and the Processor

Art. 19 Duty of information when collecting personal data

1 The controller informs the data subject appropriately about the collection of personal data; such duty of information also applies when data is not collected from the data subject.

2 At the time of collection the controller shall provide to the data subject all information which is required in order for the data subject to assert his rights according to this Act and to ensure transparent processing of data, in particular:

a. the controller’s identity and contact information;

b. the purpose of processing;

c. if applicable, the recipients or the categories of recipients to which personal data is disclosed.

3 If data is not collected from the data subject, it additionally informs the data subject of the categories of personal data which is processed.

4 If personal data is disclosed abroad, the controller also informs the data subject of the name of the State or international body and, as the case may be, the safeguards according to Article 16 paragraph 2 or the applicability of one of the exceptions provided for in Article 17.

5 If data is not collected from the data subject, it provides to the data subject the information mentioned in paragraphs 2 to 4 at the latest one month after it received the personal data. If the controller discloses the personal data prior to this date, it informs the data subject at the time of disclosure at the latest.

Art. 20 Exceptions to the duty of information and restrictions

1 The duty of information according to Article 19 ceases to apply if one of the following requirements is met:

a. The data subject already has the corresponding information.

b. The processing is provided for by law.

c. The controller is a private person and is bound by a legal obligation to secrecy.

d. The requirements of Article 27 are fulfilled.

2 If personal data is not collected from the data subject, the duty of information shall also not apply if one of the following requirements is met:

a. it is not possible to give the information; or

b. it requires disproportionate efforts.

3 The controller may restrict, defer or waive the provision of information in the following cases:

a. this is required to protect the overriding interests of third parties;

b. the information prevents the processing from fulfilling its purpose;

c. when the controller is a private person and the following conditions are fulfilled:

1. the measure is required by the controller’s overriding interests.

2. the controller does not disclose the personal data to third parties.

d. when the controller is a federal body and one of the following requirements is met:

1. a prevailing public interest, in particular the internal or external security of Switzerland, so requires, or

2. the provision of the information is susceptible to compromise an inquiry, investigation or an administrative or judicial proceeding.

4 The condition in paragraph 3 lit. c number 2 is deemed met if the disclosure of personal data takes place between companies controlled by the same legal entity.

Art. 21 Duty of information in the case of an automated individual decision

1 The controller informs the data subject of a decision which is taken exclusively on the basis of an automated processing and which has legal effects on the data subject or affects him significantly (automated individual decision).

2 It shall give the data subject upon request the opportunity to state his position. The data subject can request that the decision be reviewed by a natural person.

3 Paragraphs 1 and 2 shall not apply if:

a. the decision is directly connected with the conclusion or the performance of a contract between the controller and the data subject and the request of the latter is satisfied, or

b. the data subject explicitly consented to the decision being taken in an automated manner.

4 If the automated individual decision comes from a federal body, the latter must designate it as such. Paragraph 2 does not apply if the data subject does not need to be heard before the decision in accordance with Article 30 paragraph 2 of the Administrative Procedure Act of 20 December 1968 (APA) or another federal act.

Art. 22 Data protection impact assessment

1 If the intended data processing may lead to a high risk for the data subject’s personality or fundamental rights, the controller must conduct beforehand a data protection impact assessment. If the controller considers performing several similar processing operations, it may establish a joint impact analysis.

2 The existence of a high risk, particularly when new technologies are used, depends on the nature, the extent, the circumstances and the purpose of the processing. Such a risk exists in particular in the following cases:

a. processing of sensitive personal data on a broad scale;

b. systematic surveillance of extensive public areas.

3 The data protection impact assessment contains a description of the intended processing, an evaluation of the risks as regards the data subject’s personality or fundamental rights, as well as the intended measures to protect the data subject’s personality or fundamental rights.

4 Private controllers are relieved from their obligation to establish a data protection impact assessment if they are legally bound to perform the processing.

5 The private controller can abstain from establishing a data protection impact assessment if it uses a system, product or service that is certified for the intended use in accordance with Article 13 or if it complies with a code of conduct in accordance with Article 11 which meets the following requirements:

a. the code of conduct is based on a data protection impact assessment;

b. it provides for measures to protect the personality rights or fundamental rights of the data subject;

c. it was submitted to the FDPIC.

Art. 23 Consultation of the FDPIC

1 The controller consults the FDPIC prior to the processing when the data protection impact assessment shows that the processing presents a high risk for the personality or fundamental rights of the data subject despite the measures envisaged by the controller.

2 The FDPIC informs the controller of his objections against the envisaged processing within two months. This deadline can be extended by one month in cases of complex data processing.

3 If the FDPIC has objections against the envisaged processing, he suggests appropriate measures to the controller.

4 The private controller can abstain from consulting the FDPIC if it consulted the data protection advisor according to Article 10.

Art. 24 Notification of data security breaches

1 The controller shall notify the FDPIC as soon as possible of a data security breach that is probable to result in a high risk to the personality rights or the fundamental rights of the data subject.

2 In the notification, it must at least indicate the nature of the data security breach, its consequences and the measures taken or foreseen.

3 The processor shall notify the controller as soon as possible of any data security breach.

4 The controller shall also inform the data subject if this is necessary for the protection of the data subject or if the FDPIC so requests.

5 It can restrict the information to the data subject, defer it or refrain from providing information if:

a. there are grounds pursuant to Article 26 paragraph 1, letter b or 2 letter b or a statutory duty of secrecy prohibits it;

b. information is impossible or requires disproportionate efforts; or

c. the information of the data subject is ensured in an equivalent manner by a public announcement.

6 A notification based on this Article can be used in criminal proceedings against the person subject to notification only with such person’s consent.

Chapter 4: Rights of the Data Subject

Art. 25 Access right

1 Any person may request information from the controller as to whether personal data concerning him is being processed.

2 The data subject shall receive the information required in order to enable him to assert his rights under this Act and to ensure the transparent processing of data. In any case, the following information is provided to the data subject:

a. identity and contact details of the controller;

b. the personal data being processed as such;

c. the purpose of processing;

d. the period of storage of the personal data or, if this is not possible, the criteria used to determine such period;

e. the available information on the origin of the personal data, to the extent that it was not collected from the data subject;

f. if applicable, the existence of an automated individual decision as well as the logic on which this decision is based;

g. if applicable, the recipients or categories of recipients to which the personal data was disclosed as well as the information foreseen in Article 19 paragraph 4.

3 Personal data on the data subject’s health may be communicated to the data subject, provided his consent is given, by a healthcare professional designated by him.

4 If the controller has personal data processed by a processor, the controller remains under the obligation to provide information.

5 No one may waive the right to information in advance.

6 The controller provides the requested information free of charge. The Federal Council may provide for exceptions where information shall not be provided free of charge, in particular if the effort involved is disproportionate.

7 As a rule, the information shall be provided within 30 days.

Art. 26 Limitations to the access right

1 The controller may refuse, restrict or defer provision of information if:

a. a formal law provides for it, in particular to protect a professional secret;

b. it is required by prevailing interests of third parties; or

c. the request for information is manifestly unfounded in particular if it pursues a purpose that is contrary to data protection or is obviously of a frivolous nature.

2 Additionally, it is possible to refuse, restrict or defer the provision of information in the following cases:

a. when the controller is a private person and the following conditions are fulfilled:

1. if prevailing interests of the controller require the measure.

2. the controller does not disclose the personal data to a third parties.

b. when the controller is a federal body and one of the following requirements is met:

1. the measure is required for a prevailing public interest, in particular the internal or external security of Switzerland, or

2. the provision of information is susceptible to compromise an inquiry, investigation or an administrative or judicial proceeding.

3 The requirement under paragraph 2 lit. a number 2 is considered to be met if the disclosure of personal data takes place between companies controlled by the same legal entity.

4 The controller must indicate the grounds on which it refuses, restricts or defers the provision of the information.

Art. 27 Limitations to the access right for media

1 If personal data is used exclusively for publication in the edited section of a periodically published medium, the controller may refuse, restrict or defer provision of information for one of the following reasons:

a. the data reveals information about the sources of the information;

b. access to draft publications would ensue;

c. the publication would jeopardize the free formation of the public opinion.

2 Journalists may also refuse, restrict or defer provision of information if they use the personal data exclusively as their personal work instrument.

Art. 28 Right of data portability

1 Any person may request from the controller, free of charge, the disclosure of the personal data that he has disclosed to him in a standard electronic format if:

a. the controller processes the data in an automated manner; and

b. the data is processed with the consent of the data subject or in direct connection with the conclusion or performance of a contract between the controller and the data subject.

2 In addition, the data subject may request the controller to transfer his personal data to another controller if the requirements in accordance with paragraph 1 are met and this does not involve a disproportionate effort.

3 The Federal Council may provide for exceptions to this freedom of charge, in particular if the effort involved is disproportionate.

Art. 29 Restrictions on the right to data output and transmission

1 The controller may refuse, restrict or postpone the release and transfer of personal data for the reasons listed in Article 26 paragraphs 1 and 2.

2 The controller must give reasons for refusing, restricting or postponing the release or transfer.

Chapter 5: Special Provisions for Data Processing by Private Persons

Art. 30 Violation of the personality

1 Anyone who processes personal data must not unlawfully violate the data subjects’ personality.

2 A personality harm exists in particular if:

a. personal data is processed in contravention with the principles set forth in Articles 6 and 8;

b. personal data is processed against the data subject’s express declaration of intent;

c. sensitive personal data is disclosed to third parties.

3 In general, there is no violation of the personality if the data subject has made the personal data generally accessible and has not expressly prohibited its processing.

Art. 31 Justifications

1 A violation of the personality is unlawful unless it is justified by the consent of the data subject, by an overriding private or public interest or by law.

2 An overriding interest of the controller may in particular be considered in the following cases:

a. The controller processes personal data of the contractual party in direct connection with the conclusion or the performance of a contract.

b. The controller is or will be in commercial competition with another person or will be in commercial competition with another person and for this purpose processes personal data that is not disclosed to third parties, except in the case of disclosure that takes place between companies controlled by the same legal entity

c. The controller processes personal data in order to verify the data subject’s creditworthiness, provided that the following requirements are fulfilled:

1. The processing does neither involve sensitive personal nor high-risk profiling.

2. The data is disclosed to third parties only if the data is required by such third parties for the conclusion or the performance of a contract with the data subject.

3.The data is not older than ten years.

4. The data subject is of age.

d. The controller processes the personal data on a professional basis and exclusively for publication in the edited section of a periodically published medium or the data serves the controller exclusively as a personal working instrument, given that no publication takes place.

e. The controller processes personal data for purposes not relating to a specific person, in particular for the purposes of research, planning and statistics, provided that the following requirements are fulfilled:

1. The controller shall anonymize the data as soon as the purpose of the processing allows for it or shall take reasonable measures to prevent the identification of the data subjects if anonymization is impossible or requires a disproportionate effort.

2. Sensitive personal data is disclosed to third parties in such a manner that the data subjects may not be identified. If this is not possible, measures must be taken to ensure that third parties only process the data for non-personal related purposes.

3. Results are published in such a manner that the data subjects may not be identified.

f. The controller collects personal data on a person of public interest which relates to the public activities of that person.

Art. 32 Legal claims

1 The data subject may request that incorrect personal data be corrected, unless:

a. there is a statutory regulation prohibiting the correction;

b. the personal data is being processed for archiving purposes in the public interest.

2 Actions relating to the protection of personality rights are governed by Articles 28, 28a and 28g – 28l of the Civil Code. The claimant may in particular request that:

a. a specific data processing be prohibited;

b. a specific disclosure of personal data to third parties be prohibited;

c. personal data be deleted or destroyed.

3 If neither the accuracy nor the inaccuracy of the personal data can be determined, the claimant may request for a note that indicates the objection to be added to the personal data.

4 Furthermore, the claimant may request the correction, the deletion or the destruction, the prohibition of processing or of disclosure to third parties, the note indicating the objection or the judgement be communicated to third parties or published.

Chapter 6: Special Provisions for Data Processing by Federal Bodies

Art. 33 Control and responsibility in case of joint processing of personal data

The Federal Council regulates the control procedures and the responsibility for data protection if the federal body processes personal data together with other federal bodies, with cantonal bodies or with private persons.

Art. 34 Legal basis

1 Federal bodies may process personal data only if there is a statutory basis for doing so.

2 A statutory basis must figure in a formal law in the following cases:

a. The processed data is sensitive personal data.

b. It is a matter of profiling.

c. The processing purpose or the type and manner of the data processing may result in a serious interference with the fundamental rights of the data subject.

3 For the processing of personal data under paragraph 2 letters a and b, a statutory basis in a substantive law is sufficient if the following requirements are fulfilled:

a. The processing is essential for a task defined in a formal law.

b. The processing does not involve any special risks affecting the fundamental rights of the data subject.

4 By way of derogation from paragraphs 1 to 3, federal bodies may process personal data if one of the following requirements is fulfilled:

a. The Federal Council has authorised processing because it considers the rights of the data subject not to be endangered.

b. The data subject has given his consent to the processing in the specific case or made his personal data generally accessible and has not expressly prohibited the processing.

c. The processing is required in order to protect the life or the physical integrity of the data subject or a third party and it is not possible to obtain the consent of the data subject within a reasonable period of time.

Art. 35 Automated data processing in pilot projects

1 The Federal Council may, before a formal law enters into force, authorise the automated processing of sensitive personal data or other data processing under Article 34 paragraph 2 letters b and c if:

a. the tasks based on which the processing is required are regulated in a formal law that has already entered into force;

b. adequate measures are taken to limit interferences with the fundamental rights of the data subject to the minimum; and

c. for the practical implementation of a data processing a test phase before entry into force is indispensable, in particular for technical reasons.

2 It obtains the FDPIC’s opinion in advance.

3 The competent federal body shall provide the Federal Council with an evaluation report at the latest within two years after inception of the pilot project. The report contains a proposal on whether the processing should be continued or terminated.

4 Automated data processing must be terminated in any event if within five years after inception of the pilot project no formal law has entered into force that contains the required legal basis.

Art. 36 Disclosure of personal data

1 Federal bodies may disclose personal data only if a statutory basis in accordance with Article 34 paragraphs 1 to 3 so provides.

2 In derogation from paragraph 1, they may disclose personal data in the specific case if one of the following requirements is fulfilled:

a. Disclosure of the data is indispensable to the controller or the recipient for the fulfilment of a statutory task.

b. The data subject has consented to the disclosure.

c. Disclosure of the data is required in order to protect the life or the physical integrity of the data subject or a third party and it is not possible to obtain the consent of the data subject within a reasonable period of time.

d. The data subject has made its data generally accessible and has not expressly prohibited disclosure.

e. The recipient credibly demonstrates that the data subject is withholding consent or objects to disclosure in order to prevent the enforcement of legal claims or the safeguarding of other legitimate interests; the data subject must be given the opportunity to comment beforehand, unless this is impossible or involves a disproportionate effort.

3 They may also disclose personal data in the context of official information disclosed to the general public, either ex officio or pursuant to the Freedom of Information Act of 17 December 2004 , if:

a. the data pertains to the fulfilment of a public duty; and

b. there is an overriding public interest in its disclosure.

4 They may on request also disclose the name, first name, address and date of birth of a person if the requirements of paragraph 1 or 2 are not fulfilled.

5 They may make personal data generally accessible by means of automated information and communication services if a legal basis provides for the publication of such data or if they disclose data on the basis of paragraph 3. If there is no longer a public interest in making such data generally accessible, the data concerned must be deleted from the automated information and communication service.

6 Federal bodies shall refuse or restrict disclosure, or make it subject to conditions, if:

a. essential public interests or interests manifestly warranting protection of a data subject so require or

b. statutory duties of secrecy or special data protection regulations so require.

Art. 37 Objection to the disclosure of personal data

1 The data subject that credibly demonstrates an interest warranting protection may object to the disclosure of certain personal data by the competent federal body.

2 The federal body shall refuse such request if one of the following requirements is fulfilled:

a. there is a legal duty of disclosure;

b. the fulfilment of its task would otherwise be endangered.

3 Article 36 paragraph 3 is reserved.

Art. 38 Offering of documents to the Federal Archive

1 In accordance with the Archiving Act of 26 June 1998 , the federal bodies shall offer the Federal Archive all personal data that the federal bodies no longer constantly require.

2 The federal body shall destroy personal data designated by the Federal Archive as not being of archival value unless:

a. it is rendered anonymous;

b. it must be preserved on evidentiary or security grounds or in order to safeguard the legitimate interests of the data subject.

Art. 39 Data processing for research, planning and statistics

1 Federal bodies may process personal data for purposes not related to specific persons, in particular for research, planning and statistics, if:

a. the data is rendered anonymous, as soon as the processing purpose so permits;

b. the federal body discloses sensitive personal data to private persons only in such a manner that the data subjects cannot be identified;

c. the recipient only passes on the data to third parties with the consent of the federal body which has disclosed the data; and

d. the results are only published in such a manner that the data subjects may not be identified.

2 Articles 6 paragraph 3, 34 paragraph 2 and Article 36 paragraph 1 do not apply.

Art. 40 Private law activities of federal bodies

If a federal body acts under private law, the provisions for data processing by private persons apply.

Art. 41 Claims and procedure

1 Anyone with an interest warranting protection may request the responsible federal body to:

a. refrain from unlawfully processing the personal data;

b. eliminate the consequences of unlawful processing;

c. ascertain the unlawfulness of the processing.

2 The claimant may in particular request that the federal body:

a. correct, delete or destroy the personal data concerned;

b. publish or communicate its decision to third parties, in particular on the correction, deletion or destruction, the objection to disclosure under Article 37 or the note that indicates the objection under paragraph 4.

3 Instead of deleting or destroying the personal data, the federal body restricts the processing if

a. the data subject disputes the accuracy of the personal data and if it is not possible to determine the accuracy or the inaccuracy thereof;

b. overriding interests of third parties so require;

c. an overriding public interest, in particular the internal or external security of Switzerland, so requires;

d. the deletion or destruction of the data may jeopardise an inquest, an investigation or administrative or judicial proceeding.

4 If it is not possible to determine the accuracy or the inaccuracy of personal data, the federal body attaches to the data a note that indicates the objection.

5 The correction, deletion or destruction of personal data may not be requested with respect to the inventory of publicly accessible libraries, educational institutions, museums, archives or other public memorial institutions. If the applicant can credibly demonstrate an overriding interest, he may request that the institution restrict access to the disputed data. Paragraphs 3 and 4 do not apply.

6 The procedure is governed by the APA . The exceptions contained in Articles 2 and 3 APA do not apply.

Art. 42 Procedure in the event of the disclosure of official documents containing personal data

If proceedings relating to access to official documents within the meaning of the Freedom of Information Act of 17 December 2004 that contain personal data are pending, the data subject may in such proceedings claim the rights given to him under Article 41 for those of the documents that are the subject matter of the access proceedings.

Chapter 7: Federal Data Protection and Information Commissioner

Section 1 Organisation

Art. 43 Appointment and status

1The head of the FDPIC (the commissioner) is elected by the Federal Assembly.

2 Anyone who is entitled to vote on federal matters is eligible.

3 The employment relationship of the commissioner is governed by the Federal Personnel Act of 24 March 2000 (BPG) , unless this Act provides otherwise.

4 The commissioner exercises his function independently without asking for or accepting instructions of any authority or third party. He is assigned to the Federal Chancellery for administrative purposes.

5 He has a permanent secretariat and his own budget. He hires his own staff.

6 He is not subject to the system of assessment under Article 4 paragraph 3 BPG.

Art. 44 Term of office, reappointment and termination of the term of office

1 The term of office of the commissioner is four years and may be renewed twice. It begins on 1 January following the start of the legislative period of the National Council.

3 The commissioner may request the Federal Assembly to be discharged from office at the end of any month subject to six months advance notice.

4 The Federal Assembly may dismiss the commissioner from office before the expiry of his term of office if he:

a. wilfully or through gross negligence seriously violates official duties; or

b. is permanently unable to fulfil his office.

Art. 45 Budget

The FDPIC submits the draft of his budget annually to the Federal Council via the Federal Chancellery. The Federal Council forwards it unchanged to the Federal Assembly.

Art. 46 Incompatibility

The commissioner may not be a member of the Federal Assembly or the Federal Council and may not have an employment relationship with the Confederation.

Art. 47 Secondary employment

1 The commissioner must not carry out any secondary employment

2 The Federal Assembly (both chambers together) may permit

the commissioner to carry out a secondary employment provided this neither compromises the performance of the function nor independence and standing. The Federal Council’s decision in this respect is published.

Art. 48 Self-regulation of the FDPIC

By means of appropriate control measures, in particular with respect to data security, the FDPIC shall ensure that the legally compliant enforcement of the federal data protection regulations is guaranteed in his office.

Section 2 Investigation of breaches of data protection regulations

Art. 49 Investigation

1 The FDPIC initiates, ex officio or upon notification, an investigation against a federal body or a private person if there are sufficient indications that a data processing could violate the data protection regulations.

2 He may refrain from initiating an investigation if the breach of the data protection regulations is of minor significance.

3 The federal body or the private person will provide the FDPIC with all information and will make available all documents which are necessary for the investigation. The right to refuse to provide information is governed by Articles 16 and 17 APA unless Article 50 paragraph 2 provides otherwise.

4 If the data subject notified the FDPIC, he will inform the data subject of the steps undertaken in the matter based on the data subject’s notification and the results of the investigation, if any.

Art. 50 Powers

1 If the federal body or the private person does not comply with the duty to cooperate, the FDPIC may in the context of the investigation order the following:

a. access to all information, documents, registers of the processing activities and personal data which are required for the investigation;

b. access to premises and facilities,

c. questioning of witnesses;

d. evaluations by experts.

2 Professional secrecy is reserved.

3 He may call on other a federal authority or the cantonal or municipal police to enforce the measures in accordance with paragraph 1.

Art. 51 Administrative measures

1 If data protection regulations are violated, the FDPIC may order that the processing is fully or partially adjusted, suspended or terminated and that the personal data is fully or partially deleted or destroyed.

2 He may defer or prohibit disclosure abroad if it violates the requirements under Articles 13 or 14 or specific provisions on the disclosure of personal data abroad in other Federal Acts.

3 He may in particular order that the federal body or the private person:

a. inform the FDPIC under Articles 16 paragraph 2 letters b and c and 17 paragraph 2;

b. take the measures under Articles 7 and 8;

c. inform the data subjects under Articles 19 and 21

d. perform a data protection impact assessment under Article 22;

e. consult the FDPIC under Article 23;

f. inform the FDPIC or, if applicable, the data subjects under Article 24; and

g. provide the data subject with the information under Article 25.

4 He may also order that the private controller with its registered office or place of residence abroad designate a representation in accordance with Article 14.

5 If during the investigation the federal body or the private person has taken the necessary measures to restore compliance with the data protection regulations, the FDPIC may limit himself to issuing a warning.

Art. 52 Proceedings

1 Investigation proceedings and decisions under Articles 44 and 45 are governed by the APA .

2 Only the federal body or the private person against whom the investigation was initiated shall be party to the proceedings.

3 The FDPIC may file an appeal against appeal decisions issued by the Federal Administrative Court.

Art. 53 Coordination

1 Federal administrative authorities which supervise private persons or organisations outside of the Federal Administration in accordance with another federal act invite the FDPIC to submit a statement before they issue a decision pertaining to data protection issues.

2 If the FDPIC has initiated his own investigation against the same party, the two authorities will coordinate their proceedings.

Section 3 Administrative assistance

Art. 54 Administrative assistance between Swiss authorities

1 Federal and cantonal authorities provide the FDPIC with the information and personal data required for the performance of his statutory duties.

2 The FDPIC discloses to the following authorities the information and personal data required for the performance of their statutory duties:

a. the authorities responsible for data protection in Switzerland;

b. the competent criminal prosecution authorities if a criminal offence under Article 65 paragraph 2 is reported;

c. the federal authorities as well as the cantonal and municipal police for the enforcement of the measures under Articles 50 paragraph 2 and 51.

Art. 55 Administrative assistance to foreign authorities

1 The FDPIC may exchange information and personal data with foreign authorities responsible for data protection for the performance of their respective statutory duties in the area of data protection if the following requirements are fulfilled:

a. The reciprocity of administrative assistance is ensured.

b. Information and personal data are only used for the proceedings relating to data protection on which the request for administrative assistance is based.

c. The receiving authority undertakes to observe professional, business and manufacturing secrets.

d. Information and personal data are only disclosed if the authority which has transmitted them has previously consented to the disclosure.

e. The receiving authority undertakes to adhere to the conditions and restrictions of the authority which has transmitted the information and personal data.

2 In order to substantiate his request for administrative assistance or to comply with the request of an authority, the FDPIC may in particular provide the following information:

a. the identity of the controller, the processor or other third parties involved;

b. the categories of data subjects;

c. the identity of data subjects if:

1. the data subjects have consented thereto, or

2. the notification of the identity of the data subjects is indispensable so that the FDPIC or the foreign authority may fulfil their statutory duties;

d. processed personal data or categories of processed personal data;

e. the purpose of processing;

f. recipients or categories of recipients;

g. technical and organisational measures.

3 Before the FDPIC discloses information which may contain professional, business or manufacturing secrets to a foreign authority, he informs the natural persons or legal entities concerned who are the holders of these secrets and invites them to comment, unless this is not possible or possible only with disproportionate efforts.

Section 4 Other tasks of the FDPIC

Art. 56 Register

The FDPIC keeps a register on the processing activities of the federal bodies. The register is made public.

Art. 57 Information

1 The FDPIC reports to the Federal Assembly annually on his activities. He simultaneously submits the report to the Federal Council. The report is published.

2 In cases of general interest, the FDPIC informs the public of his findings and his decisions.

Art. 58 Additional tasks

1 The FDPIC has in particular the following additional tasks:

a. He informs, trains and advises the federal bodies as well as private persons on matters of data protection.

b. He supports the cantonal bodies and cooperates with domestic and foreign data protection authorities.

c. He raises public awareness, and in particular that of vulnerable private persons, regarding data protection.

d. He provides persons at their request with information on how they can exercise their rights.

e. He provides an opinion on draft federal legislation and on federal measures which entail a processing of data.

f. He carries out the tasks assigned to him under the Freedom of Information Act of 17 December 2004 or other Federal Acts.

g. He draws up working tools as a recommendation of good practice for controllers, processors and data subjects; in this respect he considers the particularities of the respective area and the protection of vulnerable private persons.

2He may also advise federal bodies which are not subject to his supervision according to Articles 2 and 4. The federal bodies may grant him access to their files.

3 The FDPIC is authorised to declare to the foreign authorities responsible for data protection that direct delivery is permitted in Switzerland in the area of data protection, provided Switzerland is granted reciprocity.

Section 5 Fees

Art. 59

1 The FDPIC charges private persons fees for:

a. his opinion on a code of conduct under Article 11 paragraph 2;

b. his approval of standard data protection clauses and binding corporate rules on data protection under Article 16 paragraph 2 letters d and e;

c. his consultation based on a data protection impact assessment under Article 23 paragraph 2;

d. preliminary injunctions and measures taken under Article 51; and

e. providing his advice on matters of data protection under Article 58 paragraph 1 letter a.

2 The Federal Council determines the amount of fees.

3 It may determine in which cases it is possible to refrain from charging a fee or to reduce it.

Chapter 8: Criminal Provisions

Art. 60 Breach of obligations to provide access and information or to cooperate

1 On complaint, private persons are liable to a fine of up to 250,000 Swiss Francs if they:

a. breach their obligations under Articles 19, 21 and 25 – 27 by wilfully providing false or incomplete information;

b. wilfully fail:

1. to inform the data subject pursuant to Articles 19 paragraph 1 and 21 paragraph 1; or

2. to provide the data subject with the information required under Article 19 paragraph 2.

2 Private persons are liable to a fine of up to 250,000 Swiss Francs if, in violation of Article 49 paragraph 3, they wilfully provide false information to the FDPIC in the context of an investigation or wilfully refuse to cooperate.

Art. 61 Violation of duties of diligence

On complaint, private persons are liable to a fine of up to 250,000 Swiss Francs if they wilfully:

a. disclose personal data abroad in violation of Article 16 paragraphs 1 and 2 and without the conditions set forth in Article 17 being met;

b. assign the data processing to a processor without the conditions set forth in Article 9 paragraphs 1 and 2 being met;

c. fail to comply with the minimum data security requirements which the Federal Council has issued under Article 8 paragraph 3.

Art. 62 Breach of professional confidentiality

1 If a person wilfully discloses secret personal data of which he has gained knowledge while exercising his profession which requires knowledge of such data, he shall be liable on complaint to a fine of up to 250, 000 Swiss Francs.

2 The same penalty applies to anyone who wilfully discloses secret personal data of which he has gained knowledge in the course of his activities for a person bound by a confidentiality obligation or in the course of training with such a person.

3 The disclosure of secret personal data remains punishable after termination of such professional activities or training.

Art. 63 Disregard of decisions

Private persons shall be liable to a fine of up to 250,000 Swiss Francs if they wilfully fail to comply with a decision issued by the FDPIC with reference to the criminal penalty of this Article or a decision issued by the appellate authorities.

Art. 64 Violations committed within undertakings

1 For violations committed within undertakings, Articles 6 and 7 of the Federal Act of 22 March 1974 on Administrative Criminal Law shall apply.

2 If a fine not exceeding 50,000 Swiss Francs could come into consideration and Administrative Criminal Law required investigative measures that would be disproportionate in comparison with the penalty incurred, the authority may abstain from prosecuting these persons and instead sentence the undertaking to the payment of the fine (Article 7 of the Administrative Criminal Law).

Art. 65 Jurisdiction

1 The cantons are responsible for the prosecution and the judgment of criminal acts.

2 The FDPIC may report a criminal offence to the competent criminal prosecution authorities and exercise the rights of a private plaintiff in the proceedings.

Art. 66 Statute of limitations for criminal prosecution

The right to criminally prosecute is subject to a statute of limitations of five years.

Chapter 9: Conclusion of International Treaties

Art. 67

The Federal Council may conclude international treaties concerning:.

a. the international cooperation between data protection authorities;

b. the mutual recognition of an adequate level of protection for the disclosure of personal data abroad.

Chapter 10: Final Provisions

Art. 68 Repeal and amendments of other legislation

The repeal and the amendments of other legislation are set forth in annex 1.

Art. 69 Transitional provisions concerning ongoing processing

Articles 7, 22 and 23 do not apply to data processing operations that were started before the entry into force of this law, if the purpose of the processing remains unchanged and no new data is obtained.

Art. 70 Transitional provisions concerning ongoing proceedings

This Act does not apply to investigations of the FDPIC which are pending at the time of its entry into force, nor to pending appeals against first instance decisions rendered before its entry into force. In these matters, the previous law applies.

Art. 71 Transitional provision concerning data pertaining to legal entities

For federal bodies, the provisions of other federal regulations that concern personal data continue to apply to data pertaining to legal entities for three years after the entry into force of this Act. During that time, the federal bodies may in particular continue to disclose the data pertaining to legal entities under Article 57s, paragraph 1 and 2, of the Act of 21 March 1997 on the Organisation of the Government and the Administration , if the federal bodies are entitled to disclose personal based on a legal basis.

Art. 72 Transitional provision concerning the election and termination of the term of office of the commissioner

The election of the commissioner and the termination of his term of office shall be governed by the law in force until the end of the legislative period in which this Act enters into force.

Art. 73 Coordination

Coordination with other acts is set out in annex 2.

Art. 74 Referendum and entry into force

1 This Act is subject to an optional referendum.

2 The Federal Council determines the date of entry into force.

Chap­ter 1: Pur­po­se, Scope and Super­vi­so­ry Aut­ho­ri­ty of the Confederation

Art. 1 Purpose

Art. 2 Per­so­nal and mate­ri­al scope

Art. 3 Ter­ri­to­ri­al scope

Art. 4 Federal Data Pro­tec­tion and Infor­ma­ti­on Commissioner

Chap­ter 2: Gene­ral Provisions

Sec­tion 1 Defi­ni­ti­ons and Principles

Art. 5 Definitions

Art. 6 Principles

Art. 7 Data pro­tec­tion by design and by default

Art. 8 Data security

Art. 9 Data pro­ces­sing by processors

Art. 10 Data pro­tec­tion advisor

Art. 11 Codes of conduct

Art. 12 Inven­to­ry of pro­ces­sing activities

Art. 13 Certification

Sec­tion 2 Data pro­ces­sing by pri­va­te con­trol­lers with regi­stered office or resi­dence abroad

Art. 14 Representative

Art. 15 Duties of the Representative

Sec­tion 3 Cross-Bor­der Dis­clo­sure of Per­so­nal Data

Art. 16 Principles

Art. 17 Exceptions

Art. 18 Publi­ca­ti­on of per­so­nal data in elec­tro­nic format

Chap­ter 3: Duties of the Con­trol­ler and the Processor

Art. 19 Duty of infor­ma­ti­on when collec­ting per­so­nal data

Art. 20 Excep­ti­ons to the duty of infor­ma­ti­on and restrictions

Art. 21 Duty of infor­ma­ti­on in the case of an auto­ma­ted indi­vi­du­al decision

Art. 22 Data pro­tec­tion impact assessment

Art. 23 Con­sul­ta­ti­on of the FDPIC

Art. 24 Noti­fi­ca­ti­on of data secu­ri­ty breaches

Chap­ter 4: Rights of the Data Subject

Art. 25 Access right

Art. 26 Limi­ta­ti­ons to the access right

Art. 27 Limi­ta­ti­ons to the access right for media