Switzerland - Data Protection
History of Data Protection in SWITZERLAND
The introduction of Data Protection Law in Switzerland proved to be a lengthy process. Initial moves were made as far back as the early 1970s, with draft legislation finally submitted in 1984. This proposed legislation was criticised for being over-complicated, however. In the meantime, Article 28(1) of the Swiss Civil Code governed data protection in the private sector. Data protection in the private sector was based on Article 8 of the ECHR. A Federal Office for Data Protection was established in 1991.
With the criticisms in mind, a new bill was proposed in March 1988. It was finally approved on 19 June 1992. The Federal Act on Data Protection entered into force on 1 July 1993.
The Swiss Federal Act on Data Protection is based on similar principles to the Acts in force in other European countries, though Switzerland is not a member of the EU. For the first time in Switzerland, the public and private sectors are subject to the same rules. In the public sector, the Act only covers the activities of authorities at the federal level. However, the majority of Swiss 'cantons' have introduced similar legislation to govern public sector data collection and processing in their respective localities. The Swiss law won adequacy approval from the EU in 2000.
Summary of Data Protection in SWITZERLAND
| Title of Data Protection Legislation | Federal Law on Data Protection |
| Name of supervisory authority | Federal Data Protection Commissioner |
| General Powers of supervisory authority |
According to Article 27(1) of the Federal Law on Data
Protection, "The Commissioner shall supervise compliance by Federal
authorities with this Act and other Federal regulations relating to data
protection. The Federal Council shall be exempted from such supervision". 27(2) states "the Commissioner shall investigate cases on his own initiative or at the request of third parties". 27(3) states "in order to investigate cases, he may request the production of documents, obtain information and have the data processing activities explained to him. The Federal authorities shall be obliged to co-operate in the investigation of any case [...]". If the investigation reveals infringements of the law, the Commissioner may recommend that the Federal authority modify or cease data processing activities (27(4)). If a recommendation is not complied with or is rejected, the Commissioner may refer the matter to the department or the Federal Chancellery for decision (27(5)). Article 28 states that "the Commissioner may advise private individuals on the issue of data protection". Article 29 gives the Commissioner the power to conduct investigations and make recommendations in the private sector. Article 31 outlines the other duties of the Commissioner. These include: assisting Federal and Cantonal authorities with matters relating to data protection; giving opinions on draft Federal legislation and on Federal measures that have a bearing on data protection; co-operating with data protection authorities both within and outside Switzerland; examining the extent to which foreign data protection measures are equivalent to those in Switzerland. Article 32 lists a number of duties relating to medical research: 1 The Commissioner shall advise the Commission of Experts on Professional Confidentiality in Medical Research; 2 In the event that this Commission authorises the lifting of confidentiality, he shall monitor compliance with the related conditions thereof. In this regard, he may conduct investigations in terms of Article 27 (3). 3 The Commissioner shall have a right of appeal against decisions made by the Commission of Experts to the Federal Data Protection Commission. 4 He shall work towards ensuring that the patients are informed of their rights. |
| Who has standing to notify the supervisory authority of breaches? | The Commissioner can investigate cases on his own initiative "or at the request of third parties". See Article 27(2) of the Federal Law on Data Protection. |
| What are the penalties for data controllers if they breach the law? | Breaches of the 1992 Law can be punished with either fines or imprisonment. See the general introduction to the Law (page 6) and Article 34. |
| Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? | Not in the data protection legislation. New laws on Identity Documents do address the issue. |
| Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? | It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it. |
| Does the Data Protection Legislation cover the deceased? | The Swiss Act states that it is concerned with "physical or legal persons" (article 3(b)). |
| Who is able to indirectly identify the data subject? | This is not mentioned in the Swiss Act. |
Laws and Regulations
- Federal
Law on Data Protection of 19 June 1992
German version
French version
Italian version - External link to data protection authorities of all Swiss cantons and details of data protection laws -in German
- Commission
Decision 2000/518/EC of 26.7.2000 pursuant to Directive 95/46/EC of the European
Parliament and of the Council on the adequate protection of personal data
provided in Switzerland - Official Journal L 215/1 of 25.8.2000