revDSG in English

The English translation is by Hugh Reeves and Corinne Gilgen (both Walder Wyss). It may be used under a CC BY-ND 4.0 licence. A PDF version is available here. The German version is available here.


Chapter 1: Purpose, Scope and Supervisory Authority of the Confederation

Art. 1 Purpose

This Act aims to protect the personality rights and the fundamental rights of natural persons whose personal data is processed.

Art. 2 Personal and material scope

1 This Act applies to the processing of personal data pertaining to natural persons by:

a. private persons;
b. federal bodies.

2 It does not apply to:

a. personal data that is processed by a natural person exclusively for personal use;
b. personal data that is processed by the Federal Chambers and parliamentary committees in connection with their deliberations;
c. personal data that is processed by institutional beneficiaries according to Article 2 paragraph 1 of the Host State Act of 22 June 2007, which enjoy immunity in Switzerland.

3 The processing of personal data and the rights of the data subjects in court proceedings and proceedings governed by the federal rules of procedure are governed by the applicable procedure law. The present Act applies to first instance administrative proceedings.

4 The public registers pertaining to private law relationships, in particular the access to these registers and the rights of the data subjects, are governed by the special provisions of the applicable federal law. If the special provisions do not contain any rules, this Act shall apply.

Art. 3 Territorial scope

1 This Act is applicable to fact patterns that have an effect in Switzerland, even if they occurred abroad.

2 The Federal Act of 18 December 1987 on Private International Law applies to claims under civil law. The provisions on the territorial scope of the Swiss Criminal Code remain reserved.

Art. 4 Federal Data Protection and Information Commissioner

1 The Federal Data Protection and Information Commissioner (FDPIC) supervises the proper application of the federal data protection regulations.

2 The following are excluded from the FDPIC’s supervision:

a. the Federal Assembly;
b. the Federal Council;
c. the federal courts;
d. the Office of the Attorney General of the Confederation as regards the processing of personal data in criminal proceedings;
e. federal authorities as regards the processing of personal data in the context of a jurisdictional activity or of international mutual assistance proceedings in criminal matters.

Chapter 2: General Provisions

Section 1 Definitions and Principles

Art. 5 Definitions

The following definitions apply in this Act:

a. personal data: all information relating to an identified or identifiable natural person;
b. data subject: natural person whose personal data is processed;
c. sensitive personal data:
1. data on religious, ideological, political or trade union-related views or activities,
2. data on health, the intimate sphere or the racial or ethnic origin,
3. genetic data,
4. biometric data which unequivocally identifies a natural person,
5. data on administrative or criminal proceedings and sanctions,
6. data on social security measures;
d. processing: any operation with personal data, irrespective of the means and the procedures applied, and in particular the collection, recording, storage, use, modification, disclosure, archiving, deletion or destruction of data;
e. disclosure: transmitting or making personal data accessible;
f. profiling: any form of automated processing of personal data consisting of using such data to assess certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or whereabouts;
g. high-risk profiling: profiling which involves a high risk to the personality or fundamental rights of the data subject, as it creates a pairing between data that enables an assessment of essential aspects of the personality of a natural person;
h. data security breach: a security breach which leads to an unintentional or unlawful loss, deletion, destruction or modification of personal data or to personal data being disclosed or made accessible to unauthorised persons;
i. federal body: federal authority or service or person that is entrusted with federal public tasks;
j. controller: private person or federal body that alone or jointly with others decides on the purpose and the means of the processing;
k. processor: private person or federal body that processes personal data on behalf of the controller.

Art. 6 Principles

1 Personal data must be processed lawfully.

2 Processing must be carried out in good faith and must be proportionate.

3 Personal data may only be collected for a specific purpose which is evident to the data subject; personal data may only be processed in a way that is compatible with such purpose.

4 It is destroyed or anonymized as soon as it is no longer needed with regard to the purpose of the processing.

5 Anyone who processes personal data must ascertain that the data is accurate. He must take all appropriate measures so that the data which is inaccurate or incomplete with regard to the purposes for which it was collected or processed is corrected, deleted or destroyed. The appropriateness of the measures depends in particular on the nature and extent of the data processing and on the risks which the processing entails for the personality and fundamental rights of the data subjects.

6 If the consent of the data subject is required, such consent is only valid if it has been given freely and for one or several specific processing activities and after adequate information.

7 Consent must be given explicitly for:

a. the processing of sensitive personal data;
b. high-risk profiling by a private person; or
c. profiling by a federal body.

Art. 7 Data protection by design and by default

1 The controller must set up technical and organisational measures in order for the data processing to meet the data protection regulations and in particular the principles set out in Article 6. It considers this obligation from the planning of the processing.

2 The technical and organisational measures must be appropriate in particular with regard to the state of the art, the type and extent of processing, as well as the risks that the processing at hand poses to the personality and the fundamental rights of the data subjects.

3 The controller is additionally bound to ensure through appropriate pre-defined settings that the processing of the personal data is limited to the minimum required by the purpose, unless the data subject directs otherwise.

Art. 8 Data security

1 The controller and the processor must ensure, through adequate technical and organisational measures, security of the personal data that appropriately addresses the risk.

2 The measures must enable the avoidance of data security breaches.

3 The Federal Council shall issue provisions on the minimum requirements for data security.

Art. 9 Data processing by processors

1 The processing of personal data may be assigned by agreement or by legislation to a processor if:

a. the data is processed only in a manner permitted for the controller itself; and
b. no statutory or contractual duty of confidentiality prohibits the assignment.

2 The controller must ensure in particular that the processor is able to guarantee data security.

3 The processor may only assign the processing to a third party with the prior authorisation of the controller.

4 It may invoke the same justifications as the controller.

Art. 10 Data protection advisor

1 Private controllers may appoint a data protection advisor.

2 The data protection advisor is the contact point for the data subjects and for the competent data protection authorities responsible for data protection matters in Switzerland. In particular, he or she has the following duties:

a. to train and advise the private controller in matters of data protection;
b. the participation in the enforcement of data protection regulations.

3 Private controllers may invoke the exception set out in Article 23 paragraph 4 if the following requirements are fulfilled:

a. the data protection advisor performs his function towards the controller in a professionally independent manner and without being bound by instructions;
b. he does not perform any activities which are incompatible with his tasks as data protection advisor;
c. he possesses the necessary professional knowledge;
d. the controller publishes the contact details of the data protection advisor and communicates them to the FDPIC.

4 The Federal Council regulates the appointment of data protection advisors by the federal bodies.

Art. 11 Codes of conduct

1 Professional associations, industry associations and business associations whose statutes entitle them to defend the economic interests of their members, as well as federal bodies, may submit codes of conduct to the FDPIC.

2 The FDPIC states his opinion on the codes of conduct and publishes his opinion.

Art. 12 Inventory of processing activities

1 The controllers and the processors each keep an inventory of their processing activities.

2 The controller’s inventory contains at least the following information:

a. the controller’s identity;
b. the purpose of the processing;
c. a description of the categories of data subjects and the categories of the processed personal data;
d. the categories of the recipients;
e. if possible the period of storage of the personal data or the criteria to determine the period of storage;
f. if possible a general description of the measures to guarantee data security pursuant to Article 8;
g. in case of disclosure of data abroad, the name of the state in question and the guarantees according to Article 16 paragraph 2.

3 The processor’s inventory contains information on the identity of the processor and of the controller, the categories of processing activities performed on behalf of the controller as well as the information foreseen in paragraph 2 letters f and g.

4 The federal bodies notify the FDPIC of their inventories.

5 The Federal Council provides for exceptions for companies that have less than 250 members of staff and whose processing entails only a low risk of infringing the personality of the data subjects.

Art. 13 Certification

1 The providers of data processing systems or software as well as the controllers and the processors may submit their systems, their products and their services for evaluation by recognised independent certification organisations.