Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

According to the Data Protection Act, adequate technical and organisational security safeguards must be taken against unauthorised or unlawful processing of personal data. Such measures are further specified in the Federal Ordinance on the Data Protection Act, which requires that systems which process personal data comply with state of the art technical standards in terms of protecting against:

  • unauthorised or accidental destruction or loss;
  • technical flaws;
  • forgery;
  • theft or unlawful access;
  • copying;
  • use alteration; and
  • other kinds of unauthorised processing.

More specific requirements apply to systems featuring automated processing of personal data – in particular, regarding appropriate access, disclosure, storage and usage controls.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

Although there is no general obligation to notify data subjects, in the event of a breach, notification may become necessary in some cases due to the general data protection principles, particularly the principle of good faith. The necessity and the scope of such information will depend on the circumstances – in particular, the gravity of the breach and the necessity to prevent any damages and potential abuse of the disclosed data.

In addition, there are a number of sector and infrastructure-specific notification duties, particularly relating to financial services, telecoms, aviation, the railway industry and nuclear energy.

Are data owners/processors required to notify the regulator in the event of a breach?

To date, no such requirement exists under the Data Protection Act. However, the revised Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of the Council of Europe contains a duty to notify the supervisory authority of data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects. As Switzerland intends to access the revised treaty, a similar provision may be included in the Data Protection Act in the course of the pending revision process.

Click here to view the full article.