Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Anyone processing personal data must adhere to the following principles and rules contained in the Data Protection Act:
- The principle of good faith – personal data must be processed in good faith. In particular, it may not be collected by misrepresentation or deception.
- The principle of proportionality – the processing of personal data must be necessary for the intended purpose and reasonable in relation to the infringement of privacy.
- The principle of purpose limitation – personal data may be processed only for the purpose indicated at the time of collection, that is evident from the circumstances or that is provided for by law.
- The principle of transparency – the collection of personal data and, in particular, the purposes of its processing must be evident to the data subject concerned. As long as this is the case, the principle of transparency does not necessarily entail a specific disclosure obligation towards the data subject.
- The principle of data accuracy – personal data must be accurate and kept up to date.
- The principle of data security – adequate technical and organisational security safeguards must be taken against unauthorised or unlawful processing of personal data.
- The principle of lawfulness – the processing of personal data must not violate any legal provisions (including provisions outside the Data Protection Act) which are, directly or indirectly, intended to protect the personality rights of the data subjects.
Justification is not necessarily required for the processing of personal data. However, justification is required if processing amounts to a breach of the privacy rights of data subjects. In particular, a data handler must not:
- process personal data in contravention of one of the data protection principles set out in the Data Protection Act;
- process data against the data subject’s express wish; or
- disclose sensitive personal data or personality profiles to third parties for such parties’ own purposes.
Normally, no breach of privacy rights will exist if the data subject has made the data generally available and has not expressly restricted its processing.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
Given the aforementioned proportionality principle, personal data must not be retained longer than necessary for the purpose of processing. However, applicable regulations on the safekeeping of records (eg, accounting or tax-related provisions) may provide for longer retention periods.
Do individuals have a right to access personal information about them that is held by an organisation?
Individuals can request the controller of a data file to provide information regarding whether any data concerning them is being processed. The controller must inform the individual of:
- all available data concerning him or her in the data file, including available information on the source of the data; and
- the purpose of and, if applicable, the legal basis for the processing, as well as the categories of the personal data processed, the other parties involved with the file and the data recipient.
If the controller of a data file has a third party process personal data, the obligation to provide information essentially remains with the controller. However, the third-party processor must provide information if it does not disclose the identity of the controller or if the controller is not domiciled in Switzerland.
The Data Protection Act provides a number of exceptions to a data subject’s right to request information.
Do individuals have a right to request deletion of their data?
Data subjects are entitled to request the deletion of their personal data to the extent that the processing of such data is unlawful. Further, data subjects may request that incorrect data be corrected. Correction requests may include the deletion of data that cannot be corrected otherwise.
Is consent required before processing personal data?
In general, a data subject’s consent is not required in order for data processing to be admissible. However, consent may justify data processing that would otherwise be unlawful. To the extent that the lawfulness of data processing is based on the consent of the data subject, consent must be given voluntarily and on provision of adequate information in order to be valid. As far as sensitive personal data or personality profiles are concerned, consent must be given explicitly.
If consent is not provided, are there other circumstances in which data processing is permitted?
As described above, consent may be required to justify data processing that would otherwise be unlawful. In addition, data processing may be justified by an overriding private or Swiss public interest or by a Swiss legal provision.
Pursuant to the Data Protection Act, an overriding private interest of the person processing the data will be considered if it:
- processes personal data in direct connection with the conclusion or performance of a contract and the personal data is that of a contractual party;
- competes for business with, or wants to compete for business with, another person and for this purpose processes personal data without disclosing the data to third parties for such third parties’ own purposes;
- processes data which is neither sensitive personal data nor a personality profile in order to verify the creditworthiness of another person, and discloses such data to third parties for the third parties’ own purposes, provided that the data is required for the conclusion or performance of a contract with the data subject;
- processes personal data on a professional basis, exclusively for publication in the edited section of a periodically published medium;
- processes personal data for purposes not relating to a specific person – in particular, for the purposes of research, planning and statistics – and publishes the results in such a manner that does not allow the identification of the data subjects; and
- collects data on a person being a public figure to the extent that the data relates to that person’s role as a public figure.
This list is not exhaustive. It should be assessed on a case-by-case basis whether and to what extent an overriding private interest exists.
What information must be provided to individuals when personal data is collected?
It follows from the principle of transparency that the collection of personal data and, in particular, the purpose for its processing must be evident to the data subject concerned. As long as this is the case, the principle of transparency does not necessarily entail a specific disclosure obligation towards the data subject.
However, data subjects must be notified of the collection of sensitive personal data or personality profiles (as defined in the Data Protection Act). This duty also applies where the data is not directly collected from the data subject, but rather from third parties. As a minimum, the information provided must include the following:
- the controller of the data file;
- the purpose of the processing; and
- the categories of data recipient if there is a planned disclosure of data to third parties for the third parties’ own purposes.
If the data is not collected directly from the data subject, the data subject must be informed at the latest when the data is stored or, if the data is not stored, on its first disclosure to a third party. The duty to provide information
Data security and breach notification
Are there specific security obligations that must be complied with?
According to the Data Protection Act, adequate technical and organisational security safeguards must be taken against unauthorised or unlawful processing of personal data. Such measures are further specified in the Federal Ordinance on the Data Protection Act, which requires that systems which process personal data comply with state-of-the-art technical standards in terms of protecting against:
- unauthorised or accidental destruction or loss;
- technical flaws;
- theft or unlawful access;
- use alteration; and
- other kinds of unauthorised processing.
More specific requirements apply to systems featuring automated processing of personal data – in particular, regarding appropriate access, disclosure, storage and usage controls.
Are data owners/processors required to notify individuals in the event of a breach?
Although there is no general obligation to notify data subjects in the event of a breach, notification may become necessary in some cases due to the general data protection principles, particularly the principle of good faith. The necessity and the scope of such information will depend on the circumstances – in particular, the gravity of the breach and the necessity to prevent any damages and potential abuse of the disclosed data.
In addition, there are a number of sector and infrastructure-specific notification duties, particularly relating to financial services, telecoms, aviation, the railway industry and nuclear energy.
Are data owners/processors required to notify the regulator in the event of a breach?
To date, no such requirement exists under the Data Protection Act. However, the revised Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of the Council of Europe contains a duty to notify the supervisory authority of data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects. As Switzerland intends to accede to the revised treaty, a duty to notify has been included in the draft of the revised Data Protection Act.