Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Anyone processing personal data must adhere to the following principles and rules contained in the Data Protection Act:
- The principle of good faith – personal data must be processed in good faith. In particular, it may not be collected by misrepresentation or deception.
- The principle of proportionality – the processing of personal data must be necessary for the intended purpose and reasonable in relation to the infringement of privacy.
- The principle of purpose limitation – personal data may be processed only for the purpose indicated at the time of collection, that is evident from the circumstances or that is provided for by law.
- The principle of transparency – the collection of personal data and, in particular, the purposes of its processing must be evident to the data subject concerned. As long as this is the case, the principle of transparency does not necessarily entail a specific disclosure obligation towards the data subject.
- The principle of data accuracy – personal data must be accurate and kept up to date.
- The principle of data security – adequate technical and organisational security safeguards must be taken against unauthorised or unlawful processing of personal data.
- The principle of lawfulness – the processing of personal data must not violate any legal provisions (including provisions outside the Data Protection Act) which are, directly or indirectly, intended to protect the personality rights of the data subjects.
Processing personal data does not in itself require justification. Justification is required, however, where the processing amounts to a breach of the data subject's privacy rights. Under the Data Protection Act, a data handler breaches those rights in particular if it:
- process personal data in contravention of one of the data protection principles set out in the Data Protection Act;
- process data against the data subject’s express wish; or
- disclose sensitive personal data or personality profiles to third parties for such parties’ own purposes.
Normally, no breach of privacy rights will exist if the data subject has made the data generally available and has not expressly restricted its processing.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
Given the aforementioned proportionality principle, personal data must not be retained longer than necessary for the purpose of processing. However, applicable regulations on the safekeeping of records (eg, accounting or tax-related provisions) may provide for longer retention periods.
Do individuals have a right to access personal information about them that is held by an organisation?
Individuals can request the controller of a data file to provide information regarding whether any data concerning them is being processed. The controller must inform the individual of:
- all available data concerning him or her in the data file, including available information on the source of the data; and
- the purpose of and, if applicable, the legal basis for the processing, as well as the categories of the personal data processed, the other parties involved with the file and the data recipient.
If the controller of a data file has a third party process personal data, the obligation to provide information essentially remains with the controller. However, the third-party processor must provide information if it does not disclose the identity of the controller or if the controller is not domiciled in Switzerland.
The Data Protection Act provides a number of exceptions to a data subject’s right to request information.
Do individuals have a right to request deletion of their data?
Data subjects are entitled to request the deletion of their personal data to the extent that the processing of such data is unlawful. Further, data subjects may request that incorrect data be corrected. Correction requests may include the deletion of data that cannot be corrected otherwise.
Is consent required before processing personal data?
In general, a data subject’s consent is not required in order for data processing to be admissible. However, consent may justify data processing that would otherwise be unlawful. To the extent that the lawfulness of data processing is based on the consent of the data subject, consent must be given voluntarily and on provision of adequate information in order to be valid. As far as sensitive personal data or personality profiles are concerned, consent must be given explicitly.
If consent is not provided, are there other circumstances in which data processing is permitted?
As described above, consent may be required to justify data processing that would otherwise be unlawful. In addition, data processing may be justified by an overriding private or Swiss public interest or by a Swiss legal provision.
Pursuant to the Data Protection Act, an overriding private interest of the person processing the data will be considered if it:
- processes personal data in direct connection with the conclusion or performance of a contract and the personal data is that of a contractual party;
- competes for business with, or wants to compete for business with, another person and for this purpose processes personal data without disclosing the data to third parties for such third parties’ own purposes;
- processes data which is neither sensitive personal data nor a personality profile in order to verify the creditworthiness of another person, and discloses such data to third parties for the third parties’ own purposes, provided that the data is required for the conclusion or performance of a contract with the data subject;
- processes personal data on a professional basis, exclusively for publication in the edited section of a periodically published medium;
- processes personal data for purposes not relating to a specific person – in particular, for the purposes of research, planning and statistics – and publishes the results in such a manner that does not allow the identification of the data subjects; and
- collects data on a person being a public figure to the extent that the data relates to that person’s role as a public figure.
This list is not exhaustive. It should be assessed on a case-by-case basis whether and to what extent an overriding private interest exists.
What information must be provided to individuals when personal data is collected?
It follows from the principle of transparency that the collection of personal data and, in particular, the purpose for its processing must be evident to the data subject concerned. As long as this is the case, the principle of transparency does not necessarily entail a specific disclosure obligation towards the data subject.
However, data subjects must be notified of the collection of sensitive personal data or personality profiles (as defined in the Data Protection Act). This duty also applies where the data is not directly collected from the data subject, but rather from third parties. As a minimum, the information provided must include the following:
- the controller of the data file;
- the purpose of the processing; and
- the categories of data recipient if there is a planned disclosure of data to third parties for the third parties’ own purposes.
If the data is not collected directly from the data subject, the data subject must be informed at the latest when the data is stored or, if the data is not stored, on its first disclosure to a third party. The duty to provide information is subject to a limited number of exceptions which are set out in the Data Protection Act.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
Under the Data Protection Act, a disclosure of personal data abroad is prohibited if such disclosure could seriously endanger the personality rights of the data subjects concerned, in particular due to the absence of legislation that guarantees adequate protection for personal data. The data protection and information commissioner has published a non-binding list of countries which provide an adequate level of data protection with respect to individuals. In general, EU member states and EEA countries that have implemented EU Directive 95/46/EC are considered to provide an adequate level of data protection with respect to personal data pertaining to individuals and thus appear on the list.
Disclosures to non-EU or non-EEA countries must be assessed on a case-by-case basis to determine whether the respective country provides an adequate level of data protection. The same applies to all cross-border disclosures of personal data pertaining to legal entities, including transfers to EU and EEA countries.
Arguably, the mere fact that some countries lack specific data protection legislation covering legal entities does not necessarily result in a ‘serious danger’ for the personality rights of the legal entities concerned. Further, it can be reasonably argued that adequate protection may also be guaranteed through other kinds of legislation. That said, some legal scholars and the commissioner have taken a different stand on these issues and it is not certain if Swiss courts would follow the more liberal approach in this matter.
In the absence of legislation offering an adequate level of data protection, personal data may be transferred abroad only if:
- sufficient safeguards – particularly contractual clauses (eg, EU Model Contract clauses adapted to Swiss law requirements) – ensure an adequate level of protection abroad (Exception A);
- the data subject has given its consent in a specific case;
- the processing is directly connected with the conclusion or performance of a contract and the personal data is that of a contractual party;
- disclosure is essential in the specific case either to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal claims before the courts;
- disclosure is required in the specific case in order to protect the life or physical integrity of the data subject;
- the data subject has made the data generally accessible and has not expressly prohibited its processing; or
- disclosure is made within the same legal person or company, or between legal persons or companies that are under the same management, provided the persons involved are subject to data protection rules that ensure an adequate level of protection (so-called ‘binding corporate rules’) (Exception G).
In addition, in the case of sufficient safeguards (Exception A) and disclosures made under binding corporate rules (Exception G), the data protection and information commissioner must be informed of the safeguards taken or the adopted binding corporate rules.
Once the commissioner has been informed of the safeguards adopted (Exception A), all subsequent transfers of the same category of data to the same categories of recipient under the same safeguards and for the same processing purposes are covered without requiring additional notification(s). If personal data is transmitted on the basis of model contracts or standard clauses that have been drawn up or approved by the commissioner, general information about the use of such contracts or clauses is sufficient.
Similarly, once the first transfer has been notified under Exception G, additional disclosures need not be notified if they take place within the same legal person or company, or between legal persons or companies that are under the same management, provided that the data protection rules continue to ensure an adequate level of protection.
Are there restrictions on the geographic transfer of data?
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
Anyone may assign the processing of personal data to third parties by agreement or by law if:
- the data is processed only on behalf of and in accordance with the instructions of the assignor; and
- such assignment is not prohibited by a statutory or contractual duty of confidentiality.
In addition, the assignor must ensure that the third party guarantees data security.