revDSG auf Eng­lisch

Stand am 4.10.2020.


aus­klap­pen | ein­klap­pen

Chap­ter 1: Pur­po­se, Scope and Super­vi­so­ry Aut­ho­ri­ty of the Con­fe­de­ra­ti­on

Art. 1 Pur­po­se

This Act aims to pro­tect the per­so­na­li­ty rights and the fun­da­men­tal rights of natu­ral per­sons who­se per­so­nal data is pro­ces­sed.

Art. 2 Per­so­nal and mate­ri­al scope

1 This Act app­lies to the pro­ces­sing of per­so­nal data per­tai­ning to natu­ral per­sons by:

a. pri­va­te per­sons;
b. federal bodies.

2 It does not app­ly to:

a. per­so­nal data that is pro­ces­sed by a natu­ral per­son exclu­si­ve­ly for per­so­nal use;
b. per­so­nal data that is pro­ces­sed by the Federal Cham­bers and par­lia­men­ta­ry com­mit­tees in con­nec­tion with their deli­be­ra­ti­ons;
c. per­so­nal data that is pro­ces­sed by insti­tu­tio­nal bene­fi­cia­ries accord­ing to Arti­cle 2 para­graph 1 of the Host Sta­te Act of 22 June 2007, which enjoy immu­ni­ty in Switz­er­land.

3 The pro­ces­sing of per­so­nal data and the rights of the data sub­jects in court pro­ce­e­dings and pro­ce­e­dings gover­ned by the federal rules of pro­ce­du­re are gover­ned by the app­li­ca­ble pro­ce­du­re law. The pre­sent Act app­lies to first instance admi­ni­stra­ti­ve pro­ce­e­dings.

4 The public regi­sters per­tai­ning to pri­va­te law rela­ti­ons­hips, in par­ti­cu­lar the access to the­se regi­sters and the rights of the data sub­jects, are gover­ned by the spe­cial pro­vi­si­ons of the app­li­ca­ble federal law. If the spe­cial pro­vi­si­ons do not con­tain any rules, this Act shall app­ly.

Art. 3 Ter­ri­to­ri­al scope

1 This Act is app­li­ca­ble to fact pat­terns that have an effect in Switz­er­land, even if they occur­red abroad.

2 The Federal Act of 18 Decem­ber 1987 on Pri­va­te Inter­na­tio­nal Law app­lies to claims under civil law. The pro­vi­si­ons on the ter­ri­to­ri­al scope of the Swiss Cri­mi­nal Code remain reser­ved.

Art. 4 Federal Data Pro­tec­tion and Infor­ma­ti­on Com­mis­sio­ner

1 The Federal Data Pro­tec­tion and Infor­ma­ti­on Com­mis­sio­ner (FDPIC) super­vi­ses the pro­per app­li­ca­ti­on of the federal data pro­tec­tion regu­la­ti­ons.

2 The fol­lo­wing are exclu­ded from the FDPIC’s super­vi­si­on:

a. the Federal Assem­bly;
b. the Federal Coun­cil;
c. the federal courts;
d. the Office of the Attor­ney Gene­ral of the Con­fe­de­ra­ti­on as regards the pro­ces­sing of per­so­nal data in cri­mi­nal pro­ce­e­dings;
e. federal aut­ho­ri­ties as regards the pro­ces­sing of per­so­nal data in the con­text of a juris­dic­tio­n­al acti­vi­ty or of inter­na­tio­nal mutu­al assi­stance pro­ce­e­dings in cri­mi­nal mat­ters.

Chap­ter 2: Gene­ral Pro­vi­si­ons

Sec­tion 1 Defi­ni­ti­ons and Princi­ples

Art. 5 Defi­ni­ti­ons

The fol­lo­wing defi­ni­ti­ons app­ly in this Act:

a. per­so­nal data: all infor­ma­ti­on rela­ting to an iden­ti­fied or iden­ti­fia­ble natu­ral per­son;
b. data sub­ject: natu­ral per­son who­se per­so­nal data is pro­ces­sed;

c. sen­si­ti­ve per­so­nal data:

1. data on reli­gious, ideo­lo­gi­cal, poli­ti­cal or tra­de uni­on-rela­ted views or acti­vi­ties,
2. data on health, the inti­ma­te sphe­re or the racial or eth­nic ori­gin,
3. gene­tic data,
4. bio­me­tric data which unequi­vo­cal­ly iden­ti­fies a natu­ral per­son,
5. data on admi­ni­stra­ti­ve or cri­mi­nal pro­ce­e­dings and sanc­tions,
6. data on social secu­ri­ty mea­su­res;
d. pro­ces­sing: any ope­ra­ti­on with per­so­nal data, irre­spec­ti­ve of the means and the pro­ce­du­res app­lied, and in par­ti­cu­lar the collec­tion, record­ing, sto­rage, use, modi­fi­ca­ti­on, dis­clo­sure, archi­ving, dele­ti­on or dest­ruc­tion of data;
e. dis­clo­sure: trans­mit­ting or making per­so­nal data acces­si­ble;
f. pro­filing: any form of auto­ma­ted pro­ces­sing of per­so­nal data con­si­sting of using such data to assess cer­tain per­so­nal aspects rela­ting to a natu­ral per­son, in par­ti­cu­lar to ana­ly­se or pre­dict aspects rela­ting to that natu­ral person’s per­for­mance at work, eco­no­mic situa­ti­on, health, per­so­nal pre­fe­ren­ces, inte­rests, relia­bi­li­ty, beha­viour, loca­ti­on or whe­rea­bouts;
g. High-risk pro­filing: pro­filing which invol­ves a high risk to the per­so­na­li­ty or fun­da­men­tal rights of the data sub­ject, as it crea­tes a pai­ring bet­ween data that enab­les an assess­ment of essen­ti­al aspects of the per­so­na­li­ty of a natu­ral per­son;
h. data secu­ri­ty bre­ach: a secu­ri­ty bre­ach which leads to an unin­ten­tio­nal or unlaw­ful loss, dele­ti­on, dest­ruc­tion or modi­fi­ca­ti­on of per­so­nal data or to per­so­nal data being dis­c­lo­sed or made acces­si­ble to unaut­ho­ri­sed per­sons;
i. federal body: federal aut­ho­ri­ty or ser­vice or per­son that is ent­ru­sted with federal public tasks;
j. con­trol­ler: pri­va­te per­son or federal body that alo­ne or joint­ly with others deci­des on the pur­po­se and the means of the pro­ces­sing;
k. pro­ces­sor: pri­va­te per­son or federal body that pro­ces­ses per­so­nal data on behalf of the con­trol­ler.

Art. 6 Princi­ples

1 Per­so­nal data must be pro­ces­sed law­ful­ly.

2 Pro­ces­sing must be car­ri­ed out in good faith and must be pro­por­tio­na­te.

3 Per­so­nal data may only be collec­ted for a spe­ci­fic pur­po­se which is evi­dent to the data sub­ject; per­so­nal data may only be pro­ces­sed in a way that is com­pa­ti­ble with such pur­po­se.

4 It is destroy­ed or anony­mi­zed as soon as it is no lon­ger nee­ded with regard to the pur­po­se of the pro­ces­sing.

5 Anyo­ne who pro­ces­ses per­so­nal data must ascer­tain that the data is accu­ra­te. He must take all appro­pria­te mea­su­res so that the data which is inac­cu­ra­te or incom­ple­te with regard to the pur­po­ses for which it was collec­ted or pro­ces­sed is cor­rec­ted, dele­ted or destroy­ed. The appro­pria­teness of the mea­su­res depends in par­ti­cu­lar on the natu­re and extent of the data pro­ces­sing and on the risks which the pro­ces­sing entails for the per­so­na­li­ty and fun­da­men­tal rights of the data sub­jects.

6 If the con­sent of the data sub­ject is requi­red, such con­sent is only valid if it has been given free­ly and for one or several spe­ci­fic pro­ces­sing acti­vi­ties and after ade­qua­te infor­ma­ti­on.

7 Con­sent must be given expli­ci­tly for:

a. the pro­ces­sing of sen­si­ti­ve per­so­nal data;
b. high-risk pro­filing by a pri­va­te per­son; or
c. pro­filing by a federal body.

Art. 7 Data pro­tec­tion by design and by default

1 The con­trol­ler must set up tech­ni­cal and orga­ni­sa­tio­nal mea­su­res in order for the data pro­ces­sing to meet the data pro­tec­tion regu­la­ti­ons and in par­ti­cu­lar the princi­ples set out in Arti­cle 6. It con­si­ders this obli­ga­ti­on from the plan­ning of the pro­ces­sing.

2 The tech­ni­cal and orga­ni­sa­tio­nal mea­su­res must be appro­pria­te in par­ti­cu­lar with regard to the sta­te of the art, the type and extent of pro­ces­sing, as well as the risks that the pro­ces­sing at hand poses to the per­so­na­li­ty and the fun­da­men­tal rights of the data sub­jects.

3 The con­trol­ler is addi­tio­nal­ly bound to ensu­re through appro­pria­te pre-defi­ned set­tings that the pro­ces­sing of the per­so­nal data is limi­ted to the mini­mum requi­red by the pur­po­se, unless the data sub­ject directs other­wi­se.

Art. 8 Data secu­ri­ty

1 The con­trol­ler and the pro­ces­sor must ensu­re, through ade­qua­te tech­ni­cal and orga­ni­sa­tio­nal mea­su­res, secu­ri­ty of the per­so­nal data that appro­pria­te­ly addres­ses the risk.

2 The mea­su­res must enab­le the avo­id­ance of data secu­ri­ty brea­ches.

3 The Federal Coun­cil shall issue pro­vi­si­ons on the mini­mum requi­re­ments for data secu­ri­ty.

Art. 9 Data pro­ces­sing by pro­ces­sors

1 The pro­ces­sing of per­so­nal data may be assi­gned by agree­ment or by legis­la­ti­on to a pro­ces­sor if:

a. the data is pro­ces­sed only in a man­ner per­mit­ted for the con­trol­ler its­elf; and
b. no sta­tu­to­ry or con­trac­tu­al duty of con­fi­dentia­li­ty pro­hi­bits the assign­ment.

2 The con­trol­ler must ensu­re in par­ti­cu­lar that the pro­ces­sor is able to gua­ran­tee data secu­ri­ty.

3 The pro­ces­sor may only assign the pro­ces­sing to a third par­ty with the pri­or aut­ho­ri­sa­ti­on of the con­trol­ler.

4 It may invo­ke the same justi­fi­ca­ti­ons as the con­trol­ler.

Art. 10 Data pro­tec­tion advi­sor

1 Pri­va­te con­trol­lers may appoint a data pro­tec­tion advi­sor.

2 The data pro­tec­tion advi­sor is the con­ta­ct point for the data sub­jects and for the com­pe­tent data pro­tec­tion aut­ho­ri­ties respon­si­ble for data pro­tec­tion mat­ters in Switz­er­land. In par­ti­cu­lar, he or she has the fol­lo­wing duties:

a. to train and advi­se the pri­va­te con­trol­ler in mat­ters of data pro­tec­tion;
b. the par­ti­ci­pa­ti­on in the enfor­ce­ment of data pro­tec­tion regu­la­ti­ons.

3 Pri­va­te con­trol­lers may invo­ke the excep­ti­on set out in Arti­cle 23 para­graph 4 if the fol­lo­wing requi­re­ments are ful­fil­led:

a. the data pro­tec­tion advi­sor per­forms his func­tion towards the con­trol­ler in a pro­fes­sio­nal­ly inde­pen­dent man­ner and without being bound by inst­ruc­tions;
b. he does not per­form any acti­vi­ties which are incom­pa­ti­ble with his tasks as data pro­tec­tion advi­sor;
c. he pos­ses­ses the necessa­ry pro­fes­sio­nal know­ledge;
d. the con­trol­ler publishes the con­ta­ct details of the data pro­tec­tion advi­sor and com­mu­ni­ca­tes them to the FDPIC.

4 The Federal Coun­cil regu­la­tes the appoint­ment of data pro­tec­tion advi­sors by the federal bodies.

Art. 11 Codes of con­duct

1 Pro­fes­sio­nal asso­cia­ti­ons, indu­stry asso­cia­ti­ons and busi­ness asso­cia­ti­ons who­se sta­tu­tes enti­t­le them to defend the eco­no­mic inte­rests of their mem­bers, as well as federal bodies, may sub­mit codes of con­duct to the FDPIC.

2 The FDPIC sta­tes his opi­ni­on on the codes of con­duct and publishes his opi­ni­on.

Art. 12 Inven­to­ry of pro­ces­sing acti­vi­ties

1 The con­trol­lers and the pro­ces­sors each keep an inven­to­ry of their pro­ces­sing acti­vi­ties.

2 The controller’s inven­to­ry con­tains at least the fol­lo­wing infor­ma­ti­on:

a. the controller’s iden­ti­ty;
b. the pur­po­se of the pro­ces­sing;
c. a descrip­ti­on of the cate­go­ries of data sub­jects and the cate­go­ries of the pro­ces­sed per­so­nal data;
d. the cate­go­ries of the reci­pi­ents;
e. if pos­si­ble the peri­od of sto­rage of the per­so­nal data or the cri­te­ria to deter­mi­ne the peri­od of sto­rage;
f. if pos­si­ble a gene­ral descrip­ti­on of the mea­su­res to gua­ran­tee data secu­ri­ty pur­suant to Arti­cle 8;
g. in case of dis­clo­sure of data abroad, the name of the sta­te in que­sti­on and the gua­ran­tees accord­ing to Arti­cle 16 para­graph 2.

3 The processor’s inven­to­ry con­tains infor­ma­ti­on on the iden­ti­ty of the pro­ces­sor and of the con­trol­ler, the cate­go­ries of pro­ces­sing acti­vi­ties per­for­med on behalf of the con­trol­ler as well as the infor­ma­ti­on fore­se­en in para­graph 2 let­ters f and g.

4 The federal bodies noti­fy the FDPIC of their invent­ories.

5 The Federal Coun­cil pro­vi­des for excep­ti­ons for com­pa­nies that have less than 250 mem­bers of staff and who­se pro­ces­sing entails only a low risk of infrin­ging the per­so­na­li­ty of the data sub­jects

Art. 13 Cer­ti­fi­ca­ti­on

1 The pro­vi­ders of data pro­ces­sing systems or soft­ware as well as the con­trol­lers and the pro­ces­sors may sub­mit their systems, their pro­ducts and their ser­vices for eva­lua­ti­on by reco­gnis­ed inde­pen­dent cer­ti­fi­ca­ti­on orga­ni­sa­ti­ons.

2 The Federal Coun­cil issu­es regu­la­ti­ons on the reco­gni­ti­on of cer­ti­fi­ca­ti­on pro­ce­du­res and the intro­duc­tion of a data pro­tec­tion qua­li­ty label. In doing so, it shall take into account inter­na­tio­nal law and inter­na­tio­nal­ly reco­gnis­ed tech­ni­cal norms.

Sec­tion 2 Data pro­ces­sing by pri­va­te con­trol­lers with regi­stered office or resi­dence abroad

Art. 14 Repre­sen­ta­ti­ve

1 Pri­va­te con­trol­lers with their domic­i­le or resi­dence abroad desi­gna­te a repre­sen­ta­ti­ve in Switz­er­land if they pro­cess per­so­nal data of per­sons in Switz­er­land and the data pro­ces­sing ful­fils the fol­lo­wing requi­re­ments:

a. The data pro­ces­sing is con­nec­ted to offe­ring goods or ser­vices in Switz­er­land or to moni­to­ring the beha­viour of the­se per­sons.
b. The pro­ces­sing is exten­si­ve.
c. It is a regu­lar pro­ces­sing.
d. The pro­ces­sing invol­ves a high risk for the per­so­na­li­ty of the data sub­jects.

2 The repre­sen­ta­ti­ve ser­ves as a con­ta­ct point for the data sub­jects and the FDPIC.

3 The con­trol­ler publishes the name and address of the repre­sen­ta­ti­ve.

Art. 15 Duties of the Repre­sen­ta­ti­ve

1 The repre­sen­ta­ti­on office shall keep a regi­ster of the pro­ces­sing acti­vi­ties of the con­trol­ler, which con­tains the infor­ma­ti­on spe­ci­fied in Arti­cle 12 para­graph 2.

2 On requ­est, it shall pro­vi­de the FDPIC with the infor­ma­ti­on con­tai­ned in the regi­ster.

3 On requ­est, it shall pro­vi­de the data sub­ject with infor­ma­ti­on on how to exer­cise his rights.

Sec­tion 3 Cross-Bor­der Dis­clo­sure of Per­so­nal Data

Art. 16 Princi­ples

1 Per­so­nal data may be dis­c­lo­sed abroad if the Federal Coun­cil has deter­mi­ned that the legis­la­ti­on of the rele­vant Sta­te or inter­na­tio­nal body gua­ran­tees an ade­qua­te level of pro­tec­tion.

2 In the absence of such a deci­si­on by the Federal Coun­cil under para­graph 1, per­so­nal data may be dis­c­lo­sed abroad only if appro­pria­te pro­tec­tion is gua­ran­te­ed by:

a. an inter­na­tio­nal trea­ty;
b. data pro­tec­tion pro­vi­si­ons of a con­tract bet­ween the con­trol­ler or the pro­ces­sor and its con­trac­ting part­ner, which were com­mu­ni­ca­ted befo­re­hand to the FDPIC;
c. spe­ci­fic safe­guards pre­pa­red by the com­pe­tent federal body and com­mu­ni­ca­ted befo­re­hand to the FDPIC;
d. stan­dard data pro­tec­tion clau­ses pre­vious­ly appro­ved, estab­lished or reco­gnis­ed by the FDPIC;
e. bin­ding cor­po­ra­te rules on data pro­tec­tion which were pre­vious­ly appro­ved by the FDPIC, or by a for­eign aut­ho­ri­ty which is respon­si­ble for data pro­tec­tion and belongs to a sta­te which gua­ran­tees ade­qua­te pro­tec­tion.

3 The Federal Coun­cil can pro­vi­de for other ade­qua­te safe­guards in the sen­se of para­graph 2.

Art. 17 Excep­ti­ons

1 By way of dero­ga­ti­on from Arti­cle 16 para­graphs 1 and 2, per­so­nal data may be dis­c­lo­sed abroad if:

a. The data sub­ject has expli­ci­tly con­sen­ted to the dis­clo­sure;

b. The dis­clo­sure is direct­ly con­nec­ted with the con­clu­si­on or the per­for­mance of a con­tract:

1. bet­ween the con­trol­ler and the data sub­ject, or
2. bet­ween the con­trol­ler and its con­trac­ting part­ner in the inte­rest of the data sub­ject;

c. Dis­clo­sure is necessa­ry:

1. in order to safe­guard an over­ri­ding public inte­rest, or
2. for the estab­lish­ment, exer­cise or enfor­ce­ment of legal claims befo­re a court or ano­t­her com­pe­tent for­eign aut­ho­ri­ty;
d. Dis­clo­sure is necessa­ry in order to pro­tect the life or the phy­si­cal inte­gri­ty of the data sub­ject or a third par­ty and it is not pos­si­ble to obtain the con­sent of the data sub­ject wit­hin a rea­son­ab­le peri­od of time;
e. The data sub­ject has made the data gene­ral­ly acces­si­ble and has not express­ly pro­hi­bi­ted its pro­ces­sing;
f. The data ori­gi­na­tes from a regi­ster pro­vi­ded for by law which is acces­si­ble to the public or to per­sons with a legi­ti­ma­te inte­rest, pro­vi­ded that the legal con­di­ti­ons for the con­sul­ta­ti­on are met in the spe­ci­fic case.

2 The con­trol­ler or the pro­ces­sor informs, upon requ­est, the FDPIC of dis­clo­sures of per­so­nal data under para­graph 1, let­ters b, nr 2, c and d.

Art. 18 Publi­ca­ti­on of per­so­nal data in elec­tro­nic for­mat

If per­so­nal data is made gene­ral­ly acces­si­ble by means of auto­ma­ted infor­ma­ti­on and com­mu­ni­ca­ti­ons ser­vices for the pur­po­se of pro­vi­ding infor­ma­ti­on to the gene­ral public, this is not deemed to be trans­bor­der dis­clo­sure, even if the data is acces­si­ble from abroad.

Chap­ter 3: Duties of the Con­trol­ler and the Pro­ces­sor

Art. 19 Duty of infor­ma­ti­on when collec­ting per­so­nal data

1 The con­trol­ler informs the data sub­ject appro­pria­te­ly about the collec­tion of per­so­nal data; such duty of infor­ma­ti­on also app­lies when data is not collec­ted from the data sub­ject.

2 At the time of collec­tion the con­trol­ler shall pro­vi­de to the data sub­ject all infor­ma­ti­on which is requi­red in order for the data sub­ject to assert his rights accord­ing to this Act and to ensu­re trans­pa­rent pro­ces­sing of data, in par­ti­cu­lar:

a. the controller’s iden­ti­ty and con­ta­ct infor­ma­ti­on;
b. the pur­po­se of pro­ces­sing;
c. if app­li­ca­ble, the reci­pi­ents or the cate­go­ries of reci­pi­ents to which per­so­nal data is dis­c­lo­sed.

3 If data is not collec­ted from the data sub­ject, it addi­tio­nal­ly informs the data sub­ject of the cate­go­ries of per­so­nal data which is pro­ces­sed.

4 If per­so­nal data is dis­c­lo­sed abroad, the con­trol­ler also informs the data sub­ject of the name of the Sta­te or inter­na­tio­nal body and, as the case may be, the safe­guards accord­ing to Arti­cle 16 para­graph 2 or the app­li­ca­bi­li­ty of one of the excep­ti­ons pro­vi­ded for in Arti­cle 17.

5 If data is not collec­ted from the data sub­ject, it pro­vi­des to the data sub­ject the infor­ma­ti­on men­tio­ned in para­graphs 2 to 4 at the latest one mon­th after it recei­ved the per­so­nal data. If the con­trol­ler dis­c­lo­ses the per­so­nal data pri­or to this date, it informs the data sub­ject at the time of dis­clo­sure at the latest.

Art. 20 Excep­ti­ons to the duty of infor­ma­ti­on and restric­tions

1 The duty of infor­ma­ti­on accord­ing to Arti­cle 19 cea­ses to app­ly if one of the fol­lo­wing requi­re­ments is met:

a. The data sub­ject alrea­dy has the cor­re­spon­ding infor­ma­ti­on.
b. The pro­ces­sing is pro­vi­ded for by law.
c. The con­trol­ler is a pri­va­te per­son and is bound by a legal obli­ga­ti­on to secrecy.
d. The requi­re­ments of Arti­cle 27 are ful­fil­led.

2 If per­so­nal data is not collec­ted from the data sub­ject, the duty of infor­ma­ti­on shall also not app­ly if one of the fol­lo­wing requi­re­ments is met:

a. it is not pos­si­ble to give the infor­ma­ti­on; or
b. it requi­res dis­pro­por­tio­na­te efforts.

3 The con­trol­ler may restrict, defer or wai­ve the pro­vi­si­on of infor­ma­ti­on in the fol­lo­wing cases:

a. this is requi­red to pro­tect the over­ri­ding inte­rests of third par­ties;
b. the infor­ma­ti­on pre­vents the pro­ces­sing from ful­fil­ling its pur­po­se;

c. when the con­trol­ler is a pri­va­te per­son and the fol­lo­wing con­di­ti­ons are ful­fil­led:

1. the mea­su­re is requi­red by the controller’s over­ri­ding inte­rests.
2. the con­trol­ler does not dis­c­lo­se the per­so­nal data to third par­ties.

d. when the con­trol­ler is a federal body and one of the fol­lo­wing requi­re­ments is met:

1. a pre­vai­ling public inte­rest, in par­ti­cu­lar the inter­nal or exter­nal secu­ri­ty of Switz­er­land, so requi­res, or
2. the pro­vi­si­on of the infor­ma­ti­on is sus­cep­ti­ble to com­pro­mi­se an inqui­ry, inve­sti­ga­ti­on or an admi­ni­stra­ti­ve or judi­cial pro­ce­e­ding.

4 The con­di­ti­on in para­graph 3 lit. c num­ber 2 is deemed met if the dis­clo­sure of per­so­nal data takes place bet­ween com­pa­nies con­trol­led by the same legal enti­ty.

Art. 21 Duty of infor­ma­ti­on in the case of an auto­ma­ted indi­vi­du­al deci­si­on

1 The con­trol­ler informs the data sub­ject of a deci­si­on which is taken exclu­si­ve­ly on the basis of an auto­ma­ted pro­ces­sing and which has legal effects on the data sub­ject or affects him signi­fi­cant­ly (auto­ma­ted indi­vi­du­al deci­si­on).

2 It shall give the data sub­ject upon requ­est the oppor­tu­ni­ty to sta­te his posi­ti­on. The data sub­ject can requ­est that the deci­si­on be review­ed by a natu­ral per­son.

3 Para­graphs 1 and 2 shall not app­ly if:

a. the deci­si­on is direct­ly con­nec­ted with the con­clu­si­on or the per­for­mance of a con­tract bet­ween the con­trol­ler and the data sub­ject and the requ­est of the lat­ter is satis­fied, or
b. the data sub­ject expli­ci­tly con­sen­ted to the deci­si­on being taken in an auto­ma­ted man­ner.

4 If the auto­ma­ted indi­vi­du­al deci­si­on comes from a federal body, the lat­ter must desi­gna­te it as such. Para­graph 2 does not app­ly if the data sub­ject does not need to be heard befo­re the deci­si­on in accordance with Arti­cle 30 para­graph 2 of the Admi­ni­stra­ti­ve Pro­ce­du­re Act of 20 Decem­ber 1968 (APA) or ano­t­her federal act.

Art. 22 Data pro­tec­tion impact assess­ment

1 If the inten­ded data pro­ces­sing may lead to a high risk for the data subject’s per­so­na­li­ty or fun­da­men­tal rights, the con­trol­ler must con­duct befo­re­hand a data pro­tec­tion impact assess­ment. If the con­trol­ler con­si­ders per­for­ming several simi­lar pro­ces­sing ope­ra­ti­ons, it may estab­lish a joint impact ana­ly­sis.

2 The exi­stence of a high risk, par­ti­cu­lar­ly when new tech­no­lo­gies are used, depends on the natu­re, the extent, the cir­cum­stan­ces and the pur­po­se of the pro­ces­sing. Such a risk exists in par­ti­cu­lar in the fol­lo­wing cases:

a. pro­ces­sing of sen­si­ti­ve per­so­nal data on a broad sca­le;
b. syste­ma­tic sur­veil­lan­ce of exten­si­ve public are­as.

3 The data pro­tec­tion impact assess­ment con­tains a descrip­ti­on of the inten­ded pro­ces­sing, an eva­lua­ti­on of the risks as regards the data subject’s per­so­na­li­ty or fun­da­men­tal rights, as well as the inten­ded mea­su­res to pro­tect the data subject’s per­so­na­li­ty or fun­da­men­tal rights.

4 Pri­va­te con­trol­lers are relie­ved from their obli­ga­ti­on to estab­lish a data pro­tec­tion impact assess­ment if they are legal­ly bound to per­form the pro­ces­sing.

5 The pri­va­te con­trol­ler can abstain from estab­li­shing a data pro­tec­tion impact assess­ment if it uses a system, pro­duct or ser­vice that is cer­ti­fied for the inten­ded use in accordance with Arti­cle 13 or if it com­plies with a code of con­duct in accordance with Arti­cle 11 which meets the fol­lo­wing requi­re­ments:

a. the code of con­duct is based on a data pro­tec­tion impact assess­ment;
b. it pro­vi­des for mea­su­res to pro­tect the per­so­na­li­ty rights or fun­da­men­tal rights of the data sub­ject;
c. it was sub­mit­ted to the FDPIC.

Art. 23 Con­sul­ta­ti­on of the FDPIC

1 The con­trol­ler con­sults the FDPIC pri­or to the pro­ces­sing when the data pro­tec­tion impact assess­ment shows that the pro­ces­sing pres­ents a high risk for the per­so­na­li­ty or fun­da­men­tal rights of the data sub­ject despi­te the mea­su­res envi­sa­ged by the con­trol­ler.

2 The FDPIC informs the con­trol­ler of his objec­tions against the envi­sa­ged pro­ces­sing wit­hin two mon­ths. This dead­line can be exten­ded by one mon­th in cases of com­plex data pro­ces­sing.

3 If the FDPIC has objec­tions against the envi­sa­ged pro­ces­sing, he sug­gests appro­pria­te mea­su­res to the con­trol­ler.

4 The pri­va­te con­trol­ler can abstain from con­sul­ting the FDPIC if it con­sul­ted the data pro­tec­tion advi­sor accord­ing to Arti­cle 10.

Art. 24 Noti­fi­ca­ti­on of data secu­ri­ty brea­ches

1 The con­trol­ler shall noti­fy the FDPIC as soon as pos­si­ble of a data secu­ri­ty bre­ach that is pro­bable to result in a high risk to the per­so­na­li­ty rights or the fun­da­men­tal rights of the data sub­ject.

2 In the noti­fi­ca­ti­on, it must at least indi­ca­te the natu­re of the data secu­ri­ty bre­ach, its con­se­quen­ces and the mea­su­res taken or fore­se­en.

3 The pro­ces­sor shall noti­fy the con­trol­ler as soon as pos­si­ble of any data secu­ri­ty bre­ach.

4 The con­trol­ler shall also inform the data sub­ject if this is necessa­ry for the pro­tec­tion of the data sub­ject or if the FDPIC so requests.

5 It can restrict the infor­ma­ti­on to the data sub­ject, defer it or refrain from pro­vi­ding infor­ma­ti­on if:

a. the­re are grounds pur­suant to Arti­cle 26 para­graph 1, let­ter b or 2 let­ter b or a sta­tu­to­ry duty of secrecy pro­hi­bits it;
b. infor­ma­ti­on is impos­si­ble or requi­res dis­pro­por­tio­na­te efforts; or
c. the infor­ma­ti­on of the data sub­ject is ensu­red in an equi­va­lent man­ner by a public announ­ce­ment.

6 A noti­fi­ca­ti­on based on this Arti­cle can be used in cri­mi­nal pro­ce­e­dings against the per­son sub­ject to noti­fi­ca­ti­on only with such person’s con­sent.

Chap­ter 4: Rights of the Data Sub­ject

Art. 25 Access right

1 Any per­son may requ­est infor­ma­ti­on from the con­trol­ler as to whe­ther per­so­nal data con­cer­ning him is being pro­ces­sed.

2 The data sub­ject shall recei­ve the infor­ma­ti­on requi­red in order to enab­le him to assert his rights under this Act and to ensu­re the trans­pa­rent pro­ces­sing of data. In any case, the fol­lo­wing infor­ma­ti­on is pro­vi­ded to the data sub­ject:

a. iden­ti­ty and con­ta­ct details of the con­trol­ler;
b. the per­so­nal data being pro­ces­sed as such;
c. the pur­po­se of pro­ces­sing;
d. the peri­od of sto­rage of the per­so­nal data or, if this is not pos­si­ble, the cri­te­ria used to deter­mi­ne such peri­od;
e. the avail­ab­le infor­ma­ti­on on the ori­gin of the per­so­nal data, to the extent that it was not collec­ted from the data sub­ject;
f. if app­li­ca­ble, the exi­stence of an auto­ma­ted indi­vi­du­al deci­si­on as well as the logic on which this deci­si­on is based;
g. if app­li­ca­ble, the reci­pi­ents or cate­go­ries of reci­pi­ents to which the per­so­nal data was dis­c­lo­sed as well as the infor­ma­ti­on fore­se­en in Arti­cle 19 para­graph 4.

3 Per­so­nal data on the data subject’s health may be com­mu­ni­ca­ted to the data sub­ject, pro­vi­ded his con­sent is given, by a health­ca­re pro­fes­sio­nal desi­gna­ted by him.

4 If the con­trol­ler has per­so­nal data pro­ces­sed by a pro­ces­sor, the con­trol­ler remains under the obli­ga­ti­on to pro­vi­de infor­ma­ti­on.

5 No one may wai­ve the right to infor­ma­ti­on in advan­ce.

6 The con­trol­ler pro­vi­des the reque­sted infor­ma­ti­on free of char­ge. The Federal Coun­cil may pro­vi­de for excep­ti­ons whe­re infor­ma­ti­on shall not be pro­vi­ded free of char­ge, in par­ti­cu­lar if the effort invol­ved is dis­pro­por­tio­na­te.

7 As a rule, the infor­ma­ti­on shall be pro­vi­ded wit­hin 30 days.

Art. 26 Limi­ta­ti­ons to the access right

1 The con­trol­ler may refu­se, restrict or defer pro­vi­si­on of infor­ma­ti­on if:

a. a for­mal law pro­vi­des for it, in par­ti­cu­lar to pro­tect a pro­fes­sio­nal secret;
b. it is requi­red by pre­vai­ling inte­rests of third par­ties; or
c. the requ­est for infor­ma­ti­on is mani­fest­ly unfoun­ded in par­ti­cu­lar if it pur­su­es a pur­po­se that is con­tra­ry to data pro­tec­tion or is obvious­ly of a fri­vo­lous natu­re.

2 Addi­tio­nal­ly, it is pos­si­ble to refu­se, restrict or defer the pro­vi­si­on of infor­ma­ti­on in the fol­lo­wing cases:

a. when the con­trol­ler is a pri­va­te per­son and the fol­lo­wing con­di­ti­ons are ful­fil­led:

1. if pre­vai­ling inte­rests of the con­trol­ler requi­re the mea­su­re.
2. the con­trol­ler does not dis­c­lo­se the per­so­nal data to a third par­ties.

b. when the con­trol­ler is a federal body and one of the fol­lo­wing requi­re­ments is met:

1. the mea­su­re is requi­red for a pre­vai­ling public inte­rest, in par­ti­cu­lar the inter­nal or exter­nal secu­ri­ty of Switz­er­land, or
2. the pro­vi­si­on of infor­ma­ti­on is sus­cep­ti­ble to com­pro­mi­se an inqui­ry, inve­sti­ga­ti­on or an admi­ni­stra­ti­ve or judi­cial pro­ce­e­ding.

3 The requi­re­ment under para­graph 2 lit. a num­ber 2 is con­si­de­red to be met if the dis­clo­sure of per­so­nal data takes place bet­ween com­pa­nies con­trol­led by the same legal enti­ty.

4 The con­trol­ler must indi­ca­te the grounds on which it refu­ses, restricts or defers the pro­vi­si­on of the infor­ma­ti­on.

Art. 27 Limi­ta­ti­ons to the access right for media

1 If per­so­nal data is used exclu­si­ve­ly for publi­ca­ti­on in the edi­ted sec­tion of a perio­di­cal­ly published medi­um, the con­trol­ler may refu­se, restrict or defer pro­vi­si­on of infor­ma­ti­on for one of the fol­lo­wing rea­sons:

a. the data reve­als infor­ma­ti­on about the sources of the infor­ma­ti­on;
b. access to draft publi­ca­ti­ons would ensue;
c. the publi­ca­ti­on would jeo­par­di­ze the free for­ma­ti­on of the public opi­ni­on.

2 Jour­na­lists may also refu­se, restrict or defer pro­vi­si­on of infor­ma­ti­on if they use the per­so­nal data exclu­si­ve­ly as their per­so­nal work instru­ment.

Art. 28 Right of data por­ta­bi­li­ty

1 Any per­son may requ­est from the con­trol­ler, free of char­ge, the dis­clo­sure of the per­so­nal data that he has dis­c­lo­sed to him in a stan­dard elec­tro­nic for­mat if:

a. the con­trol­ler pro­ces­ses the data in an auto­ma­ted man­ner; and
b. the data is pro­ces­sed with the con­sent of the data sub­ject or in direct con­nec­tion with the con­clu­si­on or per­for­mance of a con­tract bet­ween the con­trol­ler and the data sub­ject.

2 In addi­ti­on, the data sub­ject may requ­est the con­trol­ler to trans­fer his per­so­nal data to ano­t­her con­trol­ler if the requi­re­ments in accordance with para­graph 1 are met and this does not invol­ve a dis­pro­por­tio­na­te effort.

3 The Federal Coun­cil may pro­vi­de for excep­ti­ons to this free­dom of char­ge, in par­ti­cu­lar if the effort invol­ved is dis­pro­por­tio­na­te.

Art. 29 Restric­tions on the right to data out­put and trans­mis­si­on

1 The con­trol­ler may refu­se, restrict or post­po­ne the release and trans­fer of per­so­nal data for the rea­sons listed in Arti­cle 26 para­graphs 1 and 2.

2 The con­trol­ler must give rea­sons for refu­sing, restric­ting or post­po­ning the release or trans­fer.

Chap­ter 5: Spe­cial Pro­vi­si­ons for Data Pro­ces­sing by Pri­va­te Per­sons

Art. 30 Vio­la­ti­on of the per­so­na­li­ty

1 Anyo­ne who pro­ces­ses per­so­nal data must not unlaw­ful­ly vio­la­te the data sub­jects’ per­so­na­li­ty.

2 A per­so­na­li­ty harm exists in par­ti­cu­lar if:

a. per­so­nal data is pro­ces­sed in con­tra­ven­ti­on with the princi­ples set forth in Arti­cles 6 and 8;
b. per­so­nal data is pro­ces­sed against the data subject’s express decla­ra­ti­on of intent;
c. sen­si­ti­ve per­so­nal data is dis­c­lo­sed to third par­ties.

3 In gene­ral, the­re is no vio­la­ti­on of the per­so­na­li­ty if the data sub­ject has made the per­so­nal data gene­ral­ly acces­si­ble and has not express­ly pro­hi­bi­ted its pro­ces­sing.

Art. 31 Justi­fi­ca­ti­ons

1 A vio­la­ti­on of the per­so­na­li­ty is unlaw­ful unless it is justi­fied by the con­sent of the data sub­ject, by an over­ri­ding pri­va­te or public inte­rest or by law.

2 An over­ri­ding inte­rest of the con­trol­ler may in par­ti­cu­lar be con­si­de­red in the fol­lo­wing cases:

a. The con­trol­ler pro­ces­ses per­so­nal data of the con­trac­tu­al par­ty in direct con­nec­tion with the con­clu­si­on or the per­for­mance of a con­tract.
b. The con­trol­ler is or will be in com­mer­cial com­pe­ti­ti­on with ano­t­her per­son or will be in com­mer­cial com­pe­ti­ti­on with ano­t­her per­son and for this pur­po­se pro­ces­ses per­so­nal data that is not dis­c­lo­sed to third par­ties, except in the case of dis­clo­sure that takes place bet­ween com­pa­nies con­trol­led by the same legal enti­ty

c. The con­trol­ler pro­ces­ses per­so­nal data in order to veri­fy the data subject’s credit­wort­hi­ness, pro­vi­ded that the fol­lo­wing requi­re­ments are ful­fil­led:

1. The pro­ces­sing does neit­her invol­ve sen­si­ti­ve per­so­nal nor high-risk pro­filing.
2. The data is dis­c­lo­sed to third par­ties only if the data is requi­red by such third par­ties for the con­clu­si­on or the per­for­mance of a con­tract with the data sub­ject.
3.The data is not older than ten years.
4. The data sub­ject is of age.
d. The con­trol­ler pro­ces­ses the per­so­nal data on a pro­fes­sio­nal basis and exclu­si­ve­ly for publi­ca­ti­on in the edi­ted sec­tion of a perio­di­cal­ly published medi­um or the data ser­ves the con­trol­ler exclu­si­ve­ly as a per­so­nal working instru­ment, given that no publi­ca­ti­on takes place.

e. The con­trol­ler pro­ces­ses per­so­nal data for pur­po­ses not rela­ting to a spe­ci­fic per­son, in par­ti­cu­lar for the pur­po­ses of rese­arch, plan­ning and sta­tis­tics, pro­vi­ded that the fol­lo­wing requi­re­ments are ful­fil­led:

1. The con­trol­ler shall anony­mi­ze the data as soon as the pur­po­se of the pro­ces­sing allo­ws for it or shall take rea­son­ab­le mea­su­res to pre­vent the iden­ti­fi­ca­ti­on of the data sub­jects if anony­miz­a­ti­on is impos­si­ble or requi­res a dis­pro­por­tio­na­te effort.
2. Sen­si­ti­ve per­so­nal data is dis­c­lo­sed to third par­ties in such a man­ner that the data sub­jects may not be iden­ti­fied. If this is not pos­si­ble, mea­su­res must be taken to ensu­re that third par­ties only pro­cess the data for non-per­so­nal rela­ted pur­po­ses.
3. Results are published in such a man­ner that the data sub­jects may not be iden­ti­fied.
f. The con­trol­ler collects per­so­nal data on a per­son of public inte­rest which rela­tes to the public acti­vi­ties of that per­son.

Art. 32 Legal claims

1 The data sub­ject may requ­est that incor­rect per­so­nal data be cor­rec­ted, unless:

a. the­re is a sta­tu­to­ry regu­la­ti­on pro­hi­bi­t­ing the cor­rec­tion;
b. the per­so­nal data is being pro­ces­sed for archi­ving pur­po­ses in the public inte­rest.

2 Actions rela­ting to the pro­tec­tion of per­so­na­li­ty rights are gover­ned by Arti­cles 28, 28a and 28g – 28l of the Civil Code. The clai­mant may in par­ti­cu­lar requ­est that:

a. a spe­ci­fic data pro­ces­sing be pro­hi­bi­ted;
b. a spe­ci­fic dis­clo­sure of per­so­nal data to third par­ties be pro­hi­bi­ted;
c. per­so­nal data be dele­ted or destroy­ed.

3 If neit­her the accu­ra­cy nor the inac­cu­ra­cy of the per­so­nal data can be deter­mi­ned, the clai­mant may requ­est for a note that indi­ca­tes the objec­tion to be added to the per­so­nal data.

4 Fur­ther­mo­re, the clai­mant may requ­est the cor­rec­tion, the dele­ti­on or the dest­ruc­tion, the pro­hi­bi­ti­on of pro­ces­sing or of dis­clo­sure to third par­ties, the note indi­ca­ting the objec­tion or the jud­ge­ment be com­mu­ni­ca­ted to third par­ties or published.

Chap­ter 6: Spe­cial Pro­vi­si­ons for Data Pro­ces­sing by Federal Bodies

Art. 33 Con­trol and respon­si­bi­li­ty in case of joint pro­ces­sing of per­so­nal data

The Federal Coun­cil regu­la­tes the con­trol pro­ce­du­res and the respon­si­bi­li­ty for data pro­tec­tion if the federal body pro­ces­ses per­so­nal data tog­e­ther with other federal bodies, with can­to­nal bodies or with pri­va­te per­sons.

Art. 34 Legal basis

1 Federal bodies may pro­cess per­so­nal data only if the­re is a sta­tu­to­ry basis for doing so.

2 A sta­tu­to­ry basis must figu­re in a for­mal law in the fol­lo­wing cases:

a. The pro­ces­sed data is sen­si­ti­ve per­so­nal data.
b. It is a mat­ter of pro­filing.
c. The pro­ces­sing pur­po­se or the type and man­ner of the data pro­ces­sing may result in a serious inter­fe­rence with the fun­da­men­tal rights of the data sub­ject.

3 For the pro­ces­sing of per­so­nal data under para­graph 2 let­ters a and b, a sta­tu­to­ry basis in a sub­stan­ti­ve law is suf­fi­ci­ent if the fol­lo­wing requi­re­ments are ful­fil­led:

a. The pro­ces­sing is essen­ti­al for a task defi­ned in a for­mal law.
b. The pro­ces­sing does not invol­ve any spe­cial risks affec­ting the fun­da­men­tal rights of the data sub­ject.

4 By way of dero­ga­ti­on from para­graphs 1 to 3, federal bodies may pro­cess per­so­nal data if one of the fol­lo­wing requi­re­ments is ful­fil­led:

a. The Federal Coun­cil has aut­ho­ri­sed pro­ces­sing becau­se it con­si­ders the rights of the data sub­ject not to be end­an­ge­red.
b. The data sub­ject has given his con­sent to the pro­ces­sing in the spe­ci­fic case or made his per­so­nal data gene­ral­ly acces­si­ble and has not express­ly pro­hi­bi­ted the pro­ces­sing.
c. The pro­ces­sing is requi­red in order to pro­tect the life or the phy­si­cal inte­gri­ty of the data sub­ject or a third par­ty and it is not pos­si­ble to obtain the con­sent of the data sub­ject wit­hin a rea­son­ab­le peri­od of time.

Art. 35 Auto­ma­ted data pro­ces­sing in pilot pro­jects

1 The Federal Coun­cil may, befo­re a for­mal law enters into for­ce, aut­ho­ri­se the auto­ma­ted pro­ces­sing of sen­si­ti­ve per­so­nal data or other data pro­ces­sing under Arti­cle 34 para­graph 2 let­ters b and c if:

a. the tasks based on which the pro­ces­sing is requi­red are regu­la­ted in a for­mal law that has alrea­dy ente­red into for­ce;
b. ade­qua­te mea­su­res are taken to limit inter­fe­ren­ces with the fun­da­men­tal rights of the data sub­ject to the mini­mum; and
c. for the prac­ti­cal imple­men­ta­ti­on of a data pro­ces­sing a test pha­se befo­re ent­ry into for­ce is indis­pensable, in par­ti­cu­lar for tech­ni­cal rea­sons.

2 It obtains the FDPIC’s opi­ni­on in advan­ce.

3 The com­pe­tent federal body shall pro­vi­de the Federal Coun­cil with an eva­lua­ti­on report at the latest wit­hin two years after incep­ti­on of the pilot pro­ject. The report con­tains a pro­po­sal on whe­ther the pro­ces­sing should be con­ti­nued or ter­mi­na­ted.

4 Auto­ma­ted data pro­ces­sing must be ter­mi­na­ted in any event if wit­hin five years after incep­ti­on of the pilot pro­ject no for­mal law has ente­red into for­ce that con­tains the requi­red legal basis.

Art. 36 Dis­clo­sure of per­so­nal data

1 Federal bodies may dis­c­lo­se per­so­nal data only if a sta­tu­to­ry basis in accordance with Arti­cle 34 para­graphs 1 to 3 so pro­vi­des.

2 In dero­ga­ti­on from para­graph 1, they may dis­c­lo­se per­so­nal data in the spe­ci­fic case if one of the fol­lo­wing requi­re­ments is ful­fil­led:

a. Dis­clo­sure of the data is indis­pensable to the con­trol­ler or the reci­pi­ent for the ful­film­ent of a sta­tu­to­ry task.
b. The data sub­ject has con­sen­ted to the dis­clo­sure.
c. Dis­clo­sure of the data is requi­red in order to pro­tect the life or the phy­si­cal inte­gri­ty of the data sub­ject or a third par­ty and it is not pos­si­ble to obtain the con­sent of the data sub­ject wit­hin a rea­son­ab­le peri­od of time.
d. The data sub­ject has made its data gene­ral­ly acces­si­ble and has not express­ly pro­hi­bi­ted dis­clo­sure.
e. The reci­pi­ent credi­b­ly demon­stra­tes that the data sub­ject is with­hol­ding con­sent or objects to dis­clo­sure in order to pre­vent the enfor­ce­ment of legal claims or the safe­guar­ding of other legi­ti­ma­te inte­rests; the data sub­ject must be given the oppor­tu­ni­ty to com­ment befo­re­hand, unless this is impos­si­ble or invol­ves a dis­pro­por­tio­na­te effort.

3 They may also dis­c­lo­se per­so­nal data in the con­text of offi­cial infor­ma­ti­on dis­c­lo­sed to the gene­ral public, eit­her ex offi­cio or pur­suant to the Free­dom of Infor­ma­ti­on Act of 17 Decem­ber 2004 , if:

a. the data per­tains to the ful­film­ent of a public duty; and
b. the­re is an over­ri­ding public inte­rest in its dis­clo­sure.

4 They may on requ­est also dis­c­lo­se the name, first name, address and date of birth of a per­son if the requi­re­ments of para­graph 1 or 2 are not ful­fil­led.

5 They may make per­so­nal data gene­ral­ly acces­si­ble by means of auto­ma­ted infor­ma­ti­on and com­mu­ni­ca­ti­on ser­vices if a legal basis pro­vi­des for the publi­ca­ti­on of such data or if they dis­c­lo­se data on the basis of para­graph 3. If the­re is no lon­ger a public inte­rest in making such data gene­ral­ly acces­si­ble, the data con­cer­ned must be dele­ted from the auto­ma­ted infor­ma­ti­on and com­mu­ni­ca­ti­on ser­vice.

6 Federal bodies shall refu­se or restrict dis­clo­sure, or make it sub­ject to con­di­ti­ons, if:

a. essen­ti­al public inte­rests or inte­rests mani­fest­ly war­ran­ting pro­tec­tion of a data sub­ject so requi­re or
b. sta­tu­to­ry duties of secrecy or spe­cial data pro­tec­tion regu­la­ti­ons so requi­re.

Art. 37 Objec­tion to the dis­clo­sure of per­so­nal data

1 The data sub­ject that credi­b­ly demon­stra­tes an inte­rest war­ran­ting pro­tec­tion may object to the dis­clo­sure of cer­tain per­so­nal data by the com­pe­tent federal body.

2 The federal body shall refu­se such requ­est if one of the fol­lo­wing requi­re­ments is ful­fil­led:

a. the­re is a legal duty of dis­clo­sure;
b. the ful­film­ent of its task would other­wi­se be end­an­ge­red.

3 Arti­cle 36 para­graph 3 is reser­ved.

Art. 38 Offe­ring of docu­ments to the Federal Archi­ve

1 In accordance with the Archi­ving Act of 26 June 1998 , the federal bodies shall offer the Federal Archi­ve all per­so­nal data that the federal bodies no lon­ger con­stant­ly requi­re.

2 The federal body shall destroy per­so­nal data desi­gna­ted by the Federal Archi­ve as not being of archi­val value unless:

a. it is ren­de­red anony­mous;
b. it must be pre­ser­ved on evi­den­tia­ry or secu­ri­ty grounds or in order to safe­guard the legi­ti­ma­te inte­rests of the data sub­ject.

Art. 39 Data pro­ces­sing for rese­arch, plan­ning and sta­tis­tics

1 Federal bodies may pro­cess per­so­nal data for pur­po­ses not rela­ted to spe­ci­fic per­sons, in par­ti­cu­lar for rese­arch, plan­ning and sta­tis­tics, if:

a. the data is ren­de­red anony­mous, as soon as the pro­ces­sing pur­po­se so per­mits;
b. the federal body dis­c­lo­ses sen­si­ti­ve per­so­nal data to pri­va­te per­sons only in such a man­ner that the data sub­jects can­not be iden­ti­fied;
c. the reci­pi­ent only pas­ses on the data to third par­ties with the con­sent of the federal body which has dis­c­lo­sed the data; and
d. the results are only published in such a man­ner that the data sub­jects may not be iden­ti­fied.

2 Arti­cles 6 para­graph 3, 34 para­graph 2 and Arti­cle 36 para­graph 1 do not app­ly.

Art. 40 Pri­va­te law acti­vi­ties of federal bodies

If a federal body acts under pri­va­te law, the pro­vi­si­ons for data pro­ces­sing by pri­va­te per­sons app­ly.

Art. 41 Claims and pro­ce­du­re

1 Anyo­ne with an inte­rest war­ran­ting pro­tec­tion may requ­est the respon­si­ble federal body to:

a. refrain from unlaw­ful­ly pro­ces­sing the per­so­nal data;
b. eli­mi­na­te the con­se­quen­ces of unlaw­ful pro­ces­sing;
c. ascer­tain the unlaw­ful­ness of the pro­ces­sing.

2 The clai­mant may in par­ti­cu­lar requ­est that the federal body:

a. cor­rect, dele­te or destroy the per­so­nal data con­cer­ned;
b. publish or com­mu­ni­ca­te its deci­si­on to third par­ties, in par­ti­cu­lar on the cor­rec­tion, dele­ti­on or dest­ruc­tion, the objec­tion to dis­clo­sure under Arti­cle 37 or the note that indi­ca­tes the objec­tion under para­graph 4.

3 Ins­tead of deleting or destroy­ing the per­so­nal data, the federal body restricts the pro­ces­sing if

a. the data sub­ject dis­pu­tes the accu­ra­cy of the per­so­nal data and if it is not pos­si­ble to deter­mi­ne the accu­ra­cy or the inac­cu­ra­cy the­re­of;
b. over­ri­ding inte­rests of third par­ties so requi­re;
c. an over­ri­ding public inte­rest, in par­ti­cu­lar the inter­nal or exter­nal secu­ri­ty of Switz­er­land, so requi­res;
d. the dele­ti­on or dest­ruc­tion of the data may jeo­par­di­se an inqu­est, an inve­sti­ga­ti­on or admi­ni­stra­ti­ve or judi­cial pro­ce­e­ding.

4 If it is not pos­si­ble to deter­mi­ne the accu­ra­cy or the inac­cu­ra­cy of per­so­nal data, the federal body atta­ches to the data a note that indi­ca­tes the objec­tion.

5 The cor­rec­tion, dele­ti­on or dest­ruc­tion of per­so­nal data may not be reque­sted with respect to the inven­to­ry of publicly acces­si­ble libra­ries, edu­ca­tio­nal insti­tu­ti­ons, muse­ums, archi­ves or other public memo­ri­al insti­tu­ti­ons. If the app­li­cant can credi­b­ly demon­stra­te an over­ri­ding inte­rest, he may requ­est that the insti­tu­ti­on restrict access to the dis­puted data. Para­graphs 3 and 4 do not app­ly.

6 The pro­ce­du­re is gover­ned by the APA . The excep­ti­ons con­tai­ned in Arti­cles 2 and 3 APA do not app­ly.

Art. 42 Pro­ce­du­re in the event of the dis­clo­sure of offi­cial docu­ments con­tai­ning per­so­nal data

If pro­ce­e­dings rela­ting to access to offi­cial docu­ments wit­hin the mea­ning of the Free­dom of Infor­ma­ti­on Act of 17 Decem­ber 2004 that con­tain per­so­nal data are pen­ding, the data sub­ject may in such pro­ce­e­dings claim the rights given to him under Arti­cle 41 for tho­se of the docu­ments that are the sub­ject mat­ter of the access pro­ce­e­dings.

Chap­ter 7: Federal Data Pro­tec­tion and Infor­ma­ti­on Com­mis­sio­ner

Sec­tion 1 Orga­ni­sa­ti­on

Art. 43 Appoint­ment and sta­tus

1The head of the FDPIC (the com­mis­sio­ner) is elec­ted by the Federal Assem­bly.

2 Anyo­ne who is enti­t­led to vote on federal mat­ters is eli­gi­ble.

3 The employ­ment rela­ti­ons­hip of the com­mis­sio­ner is gover­ned by the Federal Per­son­nel Act of 24 March 2000 (BPG) , unless this Act pro­vi­des other­wi­se.

4 The com­mis­sio­ner exer­cises his func­tion inde­pendent­ly without asking for or accep­t­ing inst­ruc­tions of any aut­ho­ri­ty or third par­ty. He is assi­gned to the Federal Chan­cel­le­ry for admi­ni­stra­ti­ve pur­po­ses.

5 He has a per­ma­nent secre­ta­ri­at and his own bud­get. He hires his own staff.

6 He is not sub­ject to the system of assess­ment under Arti­cle 4 para­graph 3 BPG.

Art. 44 Term of office, reap­point­ment and ter­mi­na­ti­on of the term of office

1 The term of office of the com­mis­sio­ner is four years and may be rene­wed twice. It begins on 1 Janu­a­ry fol­lo­wing the start of the legis­la­ti­ve peri­od of the Natio­nal Coun­cil.

3 The com­mis­sio­ner may requ­est the Federal Assem­bly to be dischar­ged from office at the end of any mon­th sub­ject to six mon­ths advan­ce noti­ce.

4 The Federal Assem­bly may dis­miss the com­mis­sio­ner from office befo­re the expi­ry of his term of office if he:

a. wil­ful­ly or through gross negli­gence serious­ly vio­la­tes offi­cial duties; or
b. is per­ma­nent­ly unab­le to ful­fil his office.

Art. 45 Bud­get

The FDPIC sub­mits the draft of his bud­get annu­al­ly to the Federal Coun­cil via the Federal Chan­cel­le­ry. The Federal Coun­cil for­wards it unch­an­ged to the Federal Assem­bly.

Art. 46 Incom­pa­ti­bi­li­ty

The com­mis­sio­ner may not be a mem­ber of the Federal Assem­bly or the Federal Coun­cil and may not have an employ­ment rela­ti­ons­hip with the Con­fe­de­ra­ti­on.

Art. 47 Secon­da­ry employ­ment

1 The com­mis­sio­ner must not car­ry out any secon­da­ry employ­ment

2 The Federal Assem­bly (both cham­bers tog­e­ther) may per­mit

the com­mis­sio­ner to car­ry out a secon­da­ry employ­ment pro­vi­ded this neit­her com­pro­mi­ses the per­for­mance of the func­tion nor inde­pen­dence and stan­ding. The Federal Council’s deci­si­on in this respect is published.

Art. 48 Self-regu­la­ti­on of the FDPIC

By means of appro­pria­te con­trol mea­su­res, in par­ti­cu­lar with respect to data secu­ri­ty, the FDPIC shall ensu­re that the legal­ly com­pli­ant enfor­ce­ment of the federal data pro­tec­tion regu­la­ti­ons is gua­ran­te­ed in his office.

Sec­tion 2 Inve­sti­ga­ti­on of brea­ches of data pro­tec­tion regu­la­ti­ons

Art. 49 Inve­sti­ga­ti­on

1 The FDPIC initia­tes, ex offi­cio or upon noti­fi­ca­ti­on, an inve­sti­ga­ti­on against a federal body or a pri­va­te per­son if the­re are suf­fi­ci­ent indi­ca­ti­ons that a data pro­ces­sing could vio­la­te the data pro­tec­tion regu­la­ti­ons.

2 He may refrain from initia­ting an inve­sti­ga­ti­on if the bre­ach of the data pro­tec­tion regu­la­ti­ons is of minor signi­fi­can­ce.

3 The federal body or the pri­va­te per­son will pro­vi­de the FDPIC with all infor­ma­ti­on and will make avail­ab­le all docu­ments which are necessa­ry for the inve­sti­ga­ti­on. The right to refu­se to pro­vi­de infor­ma­ti­on is gover­ned by Arti­cles 16 and 17 APA unless Arti­cle 50 para­graph 2 pro­vi­des other­wi­se.

4 If the data sub­ject noti­fied the FDPIC, he will inform the data sub­ject of the steps under­ta­ken in the mat­ter based on the data subject’s noti­fi­ca­ti­on and the results of the inve­sti­ga­ti­on, if any.

Art. 50 Powers

1 If the federal body or the pri­va­te per­son does not com­ply with the duty to coope­ra­te, the FDPIC may in the con­text of the inve­sti­ga­ti­on order the fol­lo­wing:

a. access to all infor­ma­ti­on, docu­ments, regi­sters of the pro­ces­sing acti­vi­ties and per­so­nal data which are requi­red for the inve­sti­ga­ti­on;
b. access to pre­mi­ses and faci­li­ties,
c. que­stio­ning of wit­nesses;
d. eva­lua­tions by experts.

2 Pro­fes­sio­nal secrecy is reser­ved.

3 He may call on other a federal aut­ho­ri­ty or the can­to­nal or muni­ci­pal poli­ce to enfor­ce the mea­su­res in accordance with para­graph 1.

Art. 51 Admi­ni­stra­ti­ve mea­su­res

1 If data pro­tec­tion regu­la­ti­ons are vio­la­ted, the FDPIC may order that the pro­ces­sing is ful­ly or par­ti­al­ly adju­sted, sus­pen­ded or ter­mi­na­ted and that the per­so­nal data is ful­ly or par­ti­al­ly dele­ted or destroy­ed.

2 He may defer or pro­hi­bit dis­clo­sure abroad if it vio­la­tes the requi­re­ments under Arti­cles 13 or 14 or spe­ci­fic pro­vi­si­ons on the dis­clo­sure of per­so­nal data abroad in other Federal Acts.

3 He may in par­ti­cu­lar order that the federal body or the pri­va­te per­son:

a. inform the FDPIC under Arti­cles 16 para­graph 2 let­ters b and c and 17 para­graph 2;
b. take the mea­su­res under Arti­cles 7 and 8;
c. inform the data sub­jects under Arti­cles 19 and 21
d. per­form a data pro­tec­tion impact assess­ment under Arti­cle 22;
e. con­sult the FDPIC under Arti­cle 23;
f. inform the FDPIC or, if app­li­ca­ble, the data sub­jects under Arti­cle 24; and
g. pro­vi­de the data sub­ject with the infor­ma­ti­on under Arti­cle 25.

4 He may also order that the pri­va­te con­trol­ler with its regi­stered office or place of resi­dence abroad desi­gna­te a repre­sen­ta­ti­on in accordance with Arti­cle 14.

5 If during the inve­sti­ga­ti­on the federal body or the pri­va­te per­son has taken the necessa­ry mea­su­res to res­to­re com­pli­an­ce with the data pro­tec­tion regu­la­ti­ons, the FDPIC may limit hims­elf to issuing a warning.

Art. 52 Pro­ce­e­dings

1 Inve­sti­ga­ti­on pro­ce­e­dings and deci­si­ons under Arti­cles 44 and 45 are gover­ned by the APA .

2 Only the federal body or the pri­va­te per­son against whom the inve­sti­ga­ti­on was initia­ted shall be par­ty to the pro­ce­e­dings.

3 The FDPIC may file an appeal against appeal deci­si­ons issued by the Federal Admi­ni­stra­ti­ve Court.

Art. 53 Coor­di­na­ti­on

1 Federal admi­ni­stra­ti­ve aut­ho­ri­ties which super­vi­se pri­va­te per­sons or orga­ni­sa­ti­ons out­side of the Federal Admi­ni­stra­ti­on in accordance with ano­t­her federal act invi­te the FDPIC to sub­mit a state­ment befo­re they issue a deci­si­on per­tai­ning to data pro­tec­tion issu­es.

2 If the FDPIC has initia­ted his own inve­sti­ga­ti­on against the same par­ty, the two aut­ho­ri­ties will coor­di­na­te their pro­ce­e­dings.

Sec­tion 3 Admi­ni­stra­ti­ve assi­stance

Art. 54 Admi­ni­stra­ti­ve assi­stance bet­ween Swiss aut­ho­ri­ties

1 Federal and can­to­nal aut­ho­ri­ties pro­vi­de the FDPIC with the infor­ma­ti­on and per­so­nal data requi­red for the per­for­mance of his sta­tu­to­ry duties.

2 The FDPIC dis­c­lo­ses to the fol­lo­wing aut­ho­ri­ties the infor­ma­ti­on and per­so­nal data requi­red for the per­for­mance of their sta­tu­to­ry duties:

a. the aut­ho­ri­ties respon­si­ble for data pro­tec­tion in Switz­er­land;
b. the com­pe­tent cri­mi­nal pro­se­cu­ti­on aut­ho­ri­ties if a cri­mi­nal offence under Arti­cle 65 para­graph 2 is repor­ted;
c. the federal aut­ho­ri­ties as well as the can­to­nal and muni­ci­pal poli­ce for the enfor­ce­ment of the mea­su­res under Arti­cles 50 para­graph 2 and 51.

Art. 55 Admi­ni­stra­ti­ve assi­stance to for­eign aut­ho­ri­ties

1 The FDPIC may exchan­ge infor­ma­ti­on and per­so­nal data with for­eign aut­ho­ri­ties respon­si­ble for data pro­tec­tion for the per­for­mance of their respec­ti­ve sta­tu­to­ry duties in the area of data pro­tec­tion if the fol­lo­wing requi­re­ments are ful­fil­led:

a. The reci­pro­ci­ty of admi­ni­stra­ti­ve assi­stance is ensu­red.
b. Infor­ma­ti­on and per­so­nal data are only used for the pro­ce­e­dings rela­ting to data pro­tec­tion on which the requ­est for admi­ni­stra­ti­ve assi­stance is based.
c. The recei­ving aut­ho­ri­ty under­ta­kes to obser­ve pro­fes­sio­nal, busi­ness and manu­fac­tu­ring secrets.
d. Infor­ma­ti­on and per­so­nal data are only dis­c­lo­sed if the aut­ho­ri­ty which has trans­mit­ted them has pre­vious­ly con­sen­ted to the dis­clo­sure.
e. The recei­ving aut­ho­ri­ty under­ta­kes to adhe­re to the con­di­ti­ons and restric­tions of the aut­ho­ri­ty which has trans­mit­ted the infor­ma­ti­on and per­so­nal data.

2 In order to sub­stan­tia­te his requ­est for admi­ni­stra­ti­ve assi­stance or to com­ply with the requ­est of an aut­ho­ri­ty, the FDPIC may in par­ti­cu­lar pro­vi­de the fol­lo­wing infor­ma­ti­on:

a. the iden­ti­ty of the con­trol­ler, the pro­ces­sor or other third par­ties invol­ved;
b. the cate­go­ries of data sub­jects;

c. the iden­ti­ty of data sub­jects if:

1. the data sub­jects have con­sen­ted the­re­to, or
2. the noti­fi­ca­ti­on of the iden­ti­ty of the data sub­jects is indis­pensable so that the FDPIC or the for­eign aut­ho­ri­ty may ful­fil their sta­tu­to­ry duties;
d. pro­ces­sed per­so­nal data or cate­go­ries of pro­ces­sed per­so­nal data;
e. the pur­po­se of pro­ces­sing;
f. reci­pi­ents or cate­go­ries of reci­pi­ents;
g. tech­ni­cal and orga­ni­sa­tio­nal mea­su­res.

3 Befo­re the FDPIC dis­c­lo­ses infor­ma­ti­on which may con­tain pro­fes­sio­nal, busi­ness or manu­fac­tu­ring secrets to a for­eign aut­ho­ri­ty, he informs the natu­ral per­sons or legal enti­ties con­cer­ned who are the hol­ders of the­se secrets and invi­tes them to com­ment, unless this is not pos­si­ble or pos­si­ble only with dis­pro­por­tio­na­te efforts.

Sec­tion 4 Other tasks of the FDPIC

Art. 56 Regi­ster

The FDPIC keeps a regi­ster on the pro­ces­sing acti­vi­ties of the federal bodies. The regi­ster is made public.

Art. 57 Infor­ma­ti­on

1 The FDPIC reports to the Federal Assem­bly annu­al­ly on his acti­vi­ties. He simul­ta­ne­ous­ly sub­mits the report to the Federal Coun­cil. The report is published.

2 In cases of gene­ral inte­rest, the FDPIC informs the public of his fin­dings and his deci­si­ons.

Art. 58 Addi­tio­nal tasks

1 The FDPIC has in par­ti­cu­lar the fol­lo­wing addi­tio­nal tasks:

a. He informs, trains and advi­ses the federal bodies as well as pri­va­te per­sons on mat­ters of data pro­tec­tion.
b. He sup­ports the can­to­nal bodies and coope­ra­tes with dome­stic and for­eign data pro­tec­tion aut­ho­ri­ties.
c. He rai­ses public awa­reness, and in par­ti­cu­lar that of vul­nerable pri­va­te per­sons, regar­ding data pro­tec­tion.
d. He pro­vi­des per­sons at their requ­est with infor­ma­ti­on on how they can exer­cise their rights.
e. He pro­vi­des an opi­ni­on on draft federal legis­la­ti­on and on federal mea­su­res which entail a pro­ces­sing of data.
f. He car­ri­es out the tasks assi­gned to him under the Free­dom of Infor­ma­ti­on Act of 17 Decem­ber 2004 or other Federal Acts.
g. He draws up working tools as a recom­men­da­ti­on of good prac­ti­ce for con­trol­lers, pro­ces­sors and data sub­jects; in this respect he con­si­ders the par­ti­cu­la­ri­ties of the respec­ti­ve area and the pro­tec­tion of vul­nerable pri­va­te per­sons.

2He may also advi­se federal bodies which are not sub­ject to his super­vi­si­on accord­ing to Arti­cles 2 and 4. The federal bodies may grant him access to their files.

3 The FDPIC is aut­ho­ri­sed to decla­re to the for­eign aut­ho­ri­ties respon­si­ble for data pro­tec­tion that direct deli­very is per­mit­ted in Switz­er­land in the area of data pro­tec­tion, pro­vi­ded Switz­er­land is gran­ted reci­pro­ci­ty.

Sec­tion 5 Fees

Art. 59

1 The FDPIC char­ges pri­va­te per­sons fees for:

a. his opi­ni­on on a code of con­duct under Arti­cle 11 para­graph 2;
b. his appro­val of stan­dard data pro­tec­tion clau­ses and bin­ding cor­po­ra­te rules on data pro­tec­tion under Arti­cle 16 para­graph 2 let­ters d and e;
c. his con­sul­ta­ti­on based on a data pro­tec­tion impact assess­ment under Arti­cle 23 para­graph 2;
d. preli­mi­na­ry injunc­tions and mea­su­res taken under Arti­cle 51; and
e. pro­vi­ding his advice on mat­ters of data pro­tec­tion under Arti­cle 58 para­graph 1 let­ter a.

2 The Federal Coun­cil deter­mi­nes the amount of fees.

3 It may deter­mi­ne in which cases it is pos­si­ble to refrain from char­ging a fee or to redu­ce it.

Chap­ter 8: Cri­mi­nal Pro­vi­si­ons

Art. 60 Bre­ach of obli­ga­ti­ons to pro­vi­de access and infor­ma­ti­on or to coope­ra­te

1 On com­p­laint, pri­va­te per­sons are liable to a fine of up to 250,000 Swiss Francs if they:

a. bre­ach their obli­ga­ti­ons under Arti­cles 19, 21 and 25 – 27 by wil­ful­ly pro­vi­ding fal­se or incom­ple­te infor­ma­ti­on;

b. wil­ful­ly fail:

1. to inform the data sub­ject pur­suant to Arti­cles 19 para­graph 1 and 21 para­graph 1; or
2. to pro­vi­de the data sub­ject with the infor­ma­ti­on requi­red under Arti­cle 19 para­graph 2.

2 Pri­va­te per­sons are liable to a fine of up to 250,000 Swiss Francs if, in vio­la­ti­on of Arti­cle 49 para­graph 3, they wil­ful­ly pro­vi­de fal­se infor­ma­ti­on to the FDPIC in the con­text of an inve­sti­ga­ti­on or wil­ful­ly refu­se to coope­ra­te.

Art. 61 Vio­la­ti­on of duties of dili­gence

On com­p­laint, pri­va­te per­sons are liable to a fine of up to 250,000 Swiss Francs if they wil­ful­ly:
a. dis­c­lo­se per­so­nal data abroad in vio­la­ti­on of Arti­cle 16 para­graphs 1 and 2 and without the con­di­ti­ons set forth in Arti­cle 17 being met;
b. assign the data pro­ces­sing to a pro­ces­sor without the con­di­ti­ons set forth in Arti­cle 9 para­graphs 1 and 2 being met;
c. fail to com­ply with the mini­mum data secu­ri­ty requi­re­ments which the Federal Coun­cil has issued under Arti­cle 8 para­graph 3.

Art. 62 Bre­ach of pro­fes­sio­nal con­fi­dentia­li­ty

1 If a per­son wil­ful­ly dis­c­lo­ses secret per­so­nal data of which he has gai­ned know­ledge while exer­ci­s­ing his pro­fes­si­on which requi­res know­ledge of such data, he shall be liable on com­p­laint to a fine of up to 250, 000 Swiss Francs.

2 The same penal­ty app­lies to anyo­ne who wil­ful­ly dis­c­lo­ses secret per­so­nal data of which he has gai­ned know­ledge in the cour­se of his acti­vi­ties for a per­son bound by a con­fi­dentia­li­ty obli­ga­ti­on or in the cour­se of trai­ning with such a per­son.

3 The dis­clo­sure of secret per­so­nal data remains punis­ha­ble after ter­mi­na­ti­on of such pro­fes­sio­nal acti­vi­ties or trai­ning.

Art. 63 Dis­re­gard of deci­si­ons

Pri­va­te per­sons shall be liable to a fine of up to 250,000 Swiss Francs if they wil­ful­ly fail to com­ply with a deci­si­on issued by the FDPIC with refe­rence to the cri­mi­nal penal­ty of this Arti­cle or a deci­si­on issued by the appel­la­te aut­ho­ri­ties.

Art. 64 Vio­la­ti­ons com­mit­ted wit­hin under­ta­kings

1 For vio­la­ti­ons com­mit­ted wit­hin under­ta­kings, Arti­cles 6 and 7 of the Federal Act of 22 March 1974 on Admi­ni­stra­ti­ve Cri­mi­nal Law shall app­ly.

2 If a fine not exce­e­ding 50,000 Swiss Francs could come into con­si­de­ra­ti­on and Admi­ni­stra­ti­ve Cri­mi­nal Law requi­red inve­sti­ga­ti­ve mea­su­res that would be dis­pro­por­tio­na­te in com­pa­ri­son with the penal­ty incur­red, the aut­ho­ri­ty may abstain from pro­se­cu­ting the­se per­sons and ins­tead sen­tence the under­ta­king to the pay­ment of the fine (Arti­cle 7 of the Admi­ni­stra­ti­ve Cri­mi­nal Law).

Art. 65 Juris­dic­tion

1 The can­tons are respon­si­ble for the pro­se­cu­ti­on and the judgment of cri­mi­nal acts.

2 The FDPIC may report a cri­mi­nal offence to the com­pe­tent cri­mi­nal pro­se­cu­ti­on aut­ho­ri­ties and exer­cise the rights of a pri­va­te plain­tiff in the pro­ce­e­dings.

Art. 66 Sta­tu­te of limi­ta­ti­ons for cri­mi­nal pro­se­cu­ti­on

The right to cri­mi­nal­ly pro­se­cu­te is sub­ject to a sta­tu­te of limi­ta­ti­ons of five years.

Chap­ter 9: Con­clu­si­on of Inter­na­tio­nal Trea­ties

Art. 67

The Federal Coun­cil may con­clu­de inter­na­tio­nal trea­ties con­cer­ning:.

a. the inter­na­tio­nal coope­ra­ti­on bet­ween data pro­tec­tion aut­ho­ri­ties;
b. the mutu­al reco­gni­ti­on of an ade­qua­te level of pro­tec­tion for the dis­clo­sure of per­so­nal data abroad.

Chap­ter 10: Final Pro­vi­si­ons

Art. 68 Repeal and amend­ments of other legis­la­ti­on

The repeal and the amend­ments of other legis­la­ti­on are set forth in annex 1.

Art. 69 Tran­si­tio­nal pro­vi­si­ons con­cer­ning ongo­ing pro­ces­sing

Arti­cles 7, 22 and 23 do not app­ly to data pro­ces­sing ope­ra­ti­ons that were star­ted befo­re the ent­ry into for­ce of this law, if the pur­po­se of the pro­ces­sing remains unch­an­ged and no new data is obtai­ned.

Art. 70 Tran­si­tio­nal pro­vi­si­ons con­cer­ning ongo­ing pro­ce­e­dings

This Act does not app­ly to inve­sti­ga­ti­ons of the FDPIC which are pen­ding at the time of its ent­ry into for­ce, nor to pen­ding appeals against first instance deci­si­ons ren­de­red befo­re its ent­ry into for­ce. In the­se mat­ters, the pre­vious law app­lies.

Art. 71 Tran­si­tio­nal pro­vi­si­on con­cer­ning data per­tai­ning to legal enti­ties

For federal bodies, the pro­vi­si­ons of other federal regu­la­ti­ons that con­cern per­so­nal data con­ti­nue to app­ly to data per­tai­ning to legal enti­ties for three years after the ent­ry into for­ce of this Act. During that time, the federal bodies may in par­ti­cu­lar con­ti­nue to dis­c­lo­se the data per­tai­ning to legal enti­ties under Arti­cle 57s, para­graph 1 and 2, of the Act of 21 March 1997 on the Orga­ni­sa­ti­on of the Government and the Admi­ni­stra­ti­on , if the federal bodies are enti­t­led to dis­c­lo­se per­so­nal based on a legal basis.

Art. 72 Tran­si­tio­nal pro­vi­si­on con­cer­ning the elec­tion and ter­mi­na­ti­on of the term of office of the com­mis­sio­ner

The elec­tion of the com­mis­sio­ner and the ter­mi­na­ti­on of his term of office shall be gover­ned by the law in for­ce until the end of the legis­la­ti­ve peri­od in which this Act enters into for­ce.

Art. 73 Coor­di­na­ti­on

Coor­di­na­ti­on with other acts is set out in annex 2.

Art. 74 Refe­ren­dum and ent­ry into for­ce

1 This Act is sub­ject to an optio­nal refe­ren­dum.

2 The Federal Coun­cil deter­mi­nes the date of ent­ry into for­ce.