Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

According to the Data Protection Act, adequate technical and organisational security safeguards must be taken against unauthorised or unlawful processing of personal data. These measures are further specified in the Federal Ordinance to the Data Protection Act, which requires that systems processing personal data comply with state-of-the-art technical standards in terms of protecting against:

  • unauthorised or accidental destruction or loss;
  • technical flaws;
  • forgery;
  • theft or unlawful access;
  • copying;
  • use or alteration; and
  • other kinds of unauthorised processing.

More specific requirements apply to systems featuring automated processing of personal data – in particular, regarding appropriate access, disclosure, storage and usage controls.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Although there is no general obligation to notify data subjects in the event of a breach, notification may become necessary in some cases due to the general data protection principles, particularly the principle of good faith. Whether such information is required, and its scope, will depend on the circumstances – in particular, the gravity of the breach and the need to prevent damage and potential misuse of the disclosed data.

In addition, there are a number of sector and infrastructure-specific notification duties, particularly relating to financial services, telecoms, aviation, the railway industry and nuclear energy.

Are data owners/processors required to notify the regulator in the event of a breach?

To date, no such requirement exists under the Data Protection Act. However, the revised Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data contains a duty to notify the supervisory authority of data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects. As Switzerland intends to accede to the revised treaty, a duty to notify has been included in the draft of the revised Data Protection Act.

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

Yes, sending spam is prohibited by the Act against Unfair Competition and, as such, is subject to criminal penalties. According to the act, anyone who sends or arranges to send mass advertising by telecommunications with no direct connection to the content requested by the recipient will be considered to be acting unfairly if, in doing so, they fail to:

  • obtain the prior consent of customers;
  • indicate the correct sender; and
  • refer to an easy and free-of-charge means of refusing further advertising.

However, anyone who, when selling goods, works or services, obtains customers' contact information and indicates the possibility of refusal will not be considered to be acting unfairly if they send mass advertising for their own or similar goods, works and services to those customers without their consent.

Cookies

Are there rules governing the use of cookies?

Since 2007 the use of cookies has been regulated by Article 45c, Letter (b) of the Telecommunications Act of 30 April 1997. According to this article, website operators must inform users about the use of cookies and their purpose. In addition, they must explain how cookies can be rejected (ie, how cookies can be deactivated in the user's browser). In contrast to EU countries, Switzerland follows the opt-out principle. However, to the extent that cookies collect sensitive personal data or personality profiles, the Data Protection Act applies and the explicit consent of the data subject may be required.