The English translation is by Hugh Reeves and Corinne Gilgen (both Walder Wyss). It may be used under a CC BY-ND 4.0 licence. A PDF version is available here. The German version is available here.
Chapter 1: Purpose, Scope and Supervisory Authority of the Confederation
Art. 1 Purpose
This Act aims to protect the personality rights and the fundamental rights of natural persons whose personal data is processed.
Art. 2 Personal and material scope
1 This Act applies to the processing of personal data pertaining to natural persons by:
2 It does not apply to:
3 The processing of personal data and the rights of the data subjects in court proceedings and proceedings governed by the federal rules of procedure are governed by the applicable procedure law. The present Act applies to first instance administrative proceedings.
4 The public registers pertaining to private law relationships, in particular the access to these registers and the rights of the data subjects, are governed by the special provisions of the applicable federal law. If the special provisions do not contain any rules, this Act shall apply.
Art. 3 Territorial scope
1 This Act is applicable to fact patterns that have an effect in Switzerland, even if they occurred abroad.
2 The Federal Act of 18 December 1987 on Private International Law applies to claims under civil law. The provisions on the territorial scope of the Swiss Criminal Code remain reserved.
Art. 4 Federal Data Protection and Information Commissioner
1 The Federal Data Protection and Information Commissioner (FDPIC) supervises the proper application of the federal data protection regulations.
2 The following are excluded from the FDPIC’s supervision:
Chapter 2: General Provisions
Section 1 Definitions and Principles
Art. 5 Definitions
The following definitions apply in this Act:
c. sensitive personal data:
Art. 6 Principles
1 Personal data must be processed lawfully.
2 Processing must be carried out in good faith and must be proportionate.
3 Personal data may only be collected for a specific purpose which is evident to the data subject; personal data may only be processed in a way that is compatible with such purpose.
4 It is destroyed or anonymized as soon as it is no longer needed with regard to the purpose of the processing.
5 Anyone who processes personal data must ascertain that the data is accurate. He must take all appropriate measures so that the data which is inaccurate or incomplete with regard to the purposes for which it was collected or processed is corrected, deleted or destroyed. The appropriateness of the measures depends in particular on the nature and extent of the data processing and on the risks which the processing entails for the personality and fundamental rights of the data subjects.
6 If the consent of the data subject is required, such consent is only valid if it has been given freely and for one or several specific processing activities and after adequate information.
7 Consent must be given explicitly for:
Art. 7 Data protection by design and by default
1 The controller must set up technical and organisational measures in order for the data processing to meet the data protection regulations and in particular the principles set out in Article 6. It considers this obligation from the planning of the processing.
2 The technical and organisational measures must be appropriate in particular with regard to the state of the art, the type and extent of processing, as well as the risks that the processing at hand poses to the personality and the fundamental rights of the data subjects.
3 The controller is additionally bound to ensure through appropriate pre-defined settings that the processing of the personal data is limited to the minimum required by the purpose, unless the data subject directs otherwise.
Art. 8 Data security
1 The controller and the processor must ensure, through adequate technical and organisational measures, security of the personal data that appropriately addresses the risk.
2 The measures must enable the avoidance of data security breaches.
3 The Federal Council shall issue provisions on the minimum requirements for data security.
Art. 9 Data processing by processors
1 The processing of personal data may be assigned by agreement or by legislation to a processor if:
2 The controller must ensure in particular that the processor is able to guarantee data security.
3 The processor may only assign the processing to a third party with the prior authorisation of the controller.
4 It may invoke the same justifications as the controller.
Art. 10 Data protection advisor
1 Private controllers may appoint a data protection advisor.
2 The data protection advisor is the contact point for the data subjects and for the competent data protection authorities responsible for data protection matters in Switzerland. In particular, he or she has the following duties:
3 Private controllers may invoke the exception set out in Article 23 paragraph 4 if the following requirements are fulfilled:
4 The Federal Council regulates the appointment of data protection advisors by the federal bodies.
Art. 11 Codes of conduct
1 Professional associations, industry associations and business associations whose statutes entitle them to defend the economic interests of their members, as well as federal bodies, may submit codes of conduct to the FDPIC.
2 The FDPIC states his opinion on the codes of conduct and publishes his opinion.
Art. 12 Inventory of processing activities
1 The controllers and the processors each keep an inventory of their processing activities.
2 The controller’s inventory contains at least the following information:
3 The processor’s inventory contains information on the identity of the processor and of the controller, the categories of processing activities performed on behalf of the controller as well as the information foreseen in paragraph 2 letters f and g.
4 The federal bodies notify the FDPIC of their inventories.
5 The Federal Council provides for exceptions for companies that have less than 250 members of staff and whose processing entails only a low risk of infringing the personality of the data subjects.
Art. 13 Certification
1 The providers of data processing systems or software as well as the controllers and the processors may submit their systems, their products and their services for evaluation by recognised independent certification organisations.