Unofficial English translation done in October 2017
This text is a draft version. The definitive version, which will be published on www.admin.ch/gov/de/start/bundesrecht.html, will be the only legally binding version.
Federal Act on Data Protection
(Data Protection Act, FADP)
Annex (no. I) (Draft)
The Federal Assembly of the Swiss Confederation, based on Articles 95 paragraph 1, 122 paragraph 1 and 173 paragraph 2 of the Federal Constitution1, and having regard to the Federal Council Message dated ...2, decrees:
Chapter 1: Purpose and Scope as well as Supervisory Authority of the Confederation
Art. 1 Purpose
This Act aims to protect the privacy and the fundamental rights of natural persons whose personal data is processed.
Art. 2 Scope
1This Act applies to the processing of personal data pertaining to natural persons by: a. private persons; b. federal bodies.
2 It does not apply to: a. personal data that is processed by a natural person exclusively for personal use; b. personal data that is processed by the Federal Chambers and parliamentary committees in connection with their deliberations; c. personal data that is processed by institutional beneficiaries according to Article 2 paragraph 1 of the Host State Act of 22 June 2007,3 which enjoy immunity in Switzerland.
3 The processing of personal data and the rights of the data subjects in court proceedings and proceedings governed by the federal rules of procedure are governed by the applicable procedure law. The present Act applies to first instance administrative proceedings. 4 The public registers pertaining to private law relationships, in particular the access to these registers and the rights of the data subjects, are governed by the special provisions of the applicable federal law. If the special provisions do not contain any rules, this Act shall apply.
Art. 3 Federal Data Protection and Information Commissioner
1 The Federal Data Protection and Information Commissioner (Commissioner) supervises the proper application of the federal data protection regulations.
1 SR 101 2 BBl xx 3 SR 192.12
Page 2 of 30
2 The following are excluded from the Commissioner's supervision: a. the Federal Assembly; b. the Federal Council; c. the federal courts; d. the Office of the Attorney General of Switzerland as regards the processing of personal data in criminal proceedings; e. federal authorities as regards the processing of personal data in the context of a jurisdictional activity or of international mutual assistance proceedings in criminal matters.
Chapter 2: General Provisions
Section 1: Definitions and Principles
Art. 4 Definitions
The following definitions apply in this Act: a. personal data: all information relating to an identified or identifiable natural person; b. data subject: natural person whose personal data is processed; c. sensitive personal data: 1. data on religious, ideological, political or trade union-related views or activities, 2. data on health, the intimate sphere or the racial or ethnical origin, 3. genetic data, 4. biometric data which clearly identifies a natural person, 5. data on administrative or criminal proceedings and sanctions, 6. data on social security measures; d. processing: any operation with personal data, irrespective of the means and the procedures applied, and in particular the collection, recording, storage, use, modification, disclosure, archiving, deletion or destruction of data; e. disclosure: transmitting or making personal data accessible; f. profiling: the evaluation of certain characteristics of a person on the basis of personal data processed in an automated manner; in particular in order to analyse or to predict a person's performance at work, his financial situation, his health, his behaviour, his preferences, his location or his mobility; g. data security breach: a security breach, irrespective of whether is intentional or unlawful, which leads to a loss, deletion, destruction or modification of personal data or to personal data being disclosed or made accessible to unauthorised persons; h. federal body: federal authority or service or person that is entrusted with federal public tasks; i. controller: private person or federal body that alone or jointly with others decides on the purpose and the means of the processing; j. processor: private person or federal body that processes personal data on behalf of the controller.
Art. 5 Principles
1Personal data must be processed lawfully. 2Processing must be carried out in good faith and must be proportionate. 3Personal data may only be collected for a specific purpose which is evident to the data subject; personal data may only be processed in a way that is compatible with such purpose. 4It is destroyed or anonymized as soon as it is no longer needed with regard to the purpose of the processing. 5Anyone who processes personal data must ascertain that the data is accurate. He must take all appropriate measures so that the data which is inaccurate or incomplete with regard to the purposes for which it was collected or processed is corrected, deleted or destroyed.
Page 3 of 30
6If the consent of the data subject is required, such consent is only valid if it has been given freely and unambiguously for one or several specific processing activities after adequate information. For the processing of sensitive personal data or for profiling, consent must be given explicitly.
Art. 6 Data protection by design and by default
1 The controller must set up technical and organisational measures in order for the data processing to meet the data protection regulations and in particular the principles set out in Article 5. It considers this obligation from the planning of the processing. 2 The technical and organisational measures must be appropriate in particular with regard to the state of the art, the type and extent of processing, as well as the risks that the processing at hand poses to the personality and the fundamental rights of the data subjects. 3 The controller is additionally bound to ensure through appropriate pre-defined settings that the processing of the personal data is limited to the minimum required by the purpose, unless the data subject directs otherwise.
Art. 7 Data security
1 The controller and the processor must ensure, through adequate technical and organisational measures, security of the personal data that appropriately addresses the risk. 2 The measures must enable the avoidance of data security breaches. 3 The Federal Council shall issue provisions on the minimum requirements for data security.
Art. 8 Data processing by processors
1The processing of personal data may be assigned by agreement or by legislation to a processor if: a. the data is processed only in a manner permitted for the controller itself; and b. no statutory or contractual duty of confidentiality prohibits the assignment.
2The controller must ensure in particular that the processor is able to guarantee data security 3The processor may only assign the processing to a third party with the prior authorisation of the controller. 4 It may invoke the same justifications as the controller.
Art. 9 Data protection counsellor
1 Private controllers may appoint a data protection counsellor. 2 They may invoke the exception set out in Article 21 paragraph 4 if the following requirements are fulfilled:
a. the data protection counsellor performs his function in an independent manner; he is not bound by instructions from the controller;
b. he does not perform any activities which are incompatible with his tasks as data protection counsellor;
c. he possesses the necessary professional knowledge; d. the controller publishes the contact details of the data protection counsellor and communicates
them to the Commissioner. 3 The Federal Council regulates the appointment of data protection counsellors by the federal bodies.
Art. 10 Codes of conduct
1Professional associations and business associations whose statutes entitle them to defend the economic interests of their members, as well as federal bodies, may submit a code of conduct to the Commissioner. 2The Commissioner states his opinion on the codes of conduct and publishes his opinion.
Page 4 of 30
Art. 11 Inventory of the processing activities
1The controllers and the processors keep an inventory of their processing activities. 2The controller's inventory contains at least the following information:
a. the controller's identity; b. the purpose of the processing; c. a description of the categories of data subjects and the categories of the processed personal da-
ta; d. the categories of the recipients; e. if possible the period of storage of the personal data or the criteria to determine the period of
storage; f. if possible a general description of the measures to guarantee data security pursuant to Article
7; g. in case of disclosure of data abroad, the name of the state in question and the guarantees ac-
cording to Article 13 paragraph 2. 3 The processor's inventory contains information on the identity of the processor and of the controller, the categories of processing activities performed on behalf of the controller as well as the information foreseen in paragraph 2 letters f and g. 4 The federal bodies notify the Commissioner of their inventories. 5 The Federal Council may foresee exceptions for companies that have less than 50 members of staff and whose processing poses only a low risk of infringing the privacy of the data subjects.offi
Art. 12 Certification
1 The providers of data processing systems or software as well as the controllers and the processors may submit their systems, their products and their services for evaluation by recognised independent certification organisations. 2 The Federal Council issues regulations on the recognition of certification procedures and the introduction of a data protection quality label. In doing so, it shall take into account international law and internationally recognised technical norms.
Section 2: Cross-Border Disclosure of Personal Data
Art. 13 Principles
1 Personal data may be disclosed abroad if the Federal Council has determined that the legislation of the state concerned or the international body guarantees an adequate level of protection. 2 In the absence of such a decision by the Federal Council under paragraph 1, personal data may be disclosed abroad only if appropriate protection is guaranteed by:
a. an international treaty; b. data protection provisions of a contract between the controller or the processor and its con-
tracting partner, which were communicated beforehand to the Commissioner; c. specific safeguards prepared by the competent federal body and communicated beforehand to
the Commissioner; d. standard data protection clauses previously approved, established or recognised by the Com-
missioner; e. binding corporate rules on data protection which were previously approved by the Commis-
sioner, or by a foreign authority which is responsible for data protection and belongs to a state which guarantees adequate protection. 3The Federal Council can foresee other adequate safeguards in the sense of paragraph 2.
Art. 14 Exceptions
1By way of derogation from Article 13 paragraphs 1 and 2, personal data may be disclosed abroad if: a. The data subject has explicitly consented to the disclosure.
Page 5 of 30
b. The disclosure is directly connected with the conclusion or the performance of a contract: 1. between the controller and the data subject, or 2. between the controller and its contracting partner in the interest of the data subject.
c. Disclosure is necessary: 1. in order to safeguard an overriding public interest, or 2. for the establishment, exercise or enforcement of legal claims before a court or another competent foreign authority.
d. Disclosure is necessary in order to protect the life or the physical integrity of the data subject or a third party and it is not possible to obtain the consent of the data subject within a reasonable period of time.
e. The data subject has made the data generally accessible and has not expressly prohibited its processing.
f. The data originates from a register provided for by law which is accessible to the public or to persons with a legitimate interest, provided that the legal conditions for the consultation are met in the specific case.
2The controller or the processor informs the Commissioner, upon request, about the disclosure of personal data under paragraph 1 letters b, number 2, c and d.
Art. 15 Publication of personal data in electronic format If personal data is made generally accessible by means of automated information and communications services for the purpose of providing information to the general public, this is not deemed to be transborder disclosure, even if the data is accessible from abroad.
Section 3: Data of Deceased Persons
Art. 16 1The controller grants access to the data of a deceased person free of charge, if:
a. there is a legitimate interest in such access or the person requesting access has a direct parental tie with the deceased person, was married, had lived under a registered partnership or in a de facto cohabitation with the deceased person at the time of death or if the person requesting access is the executor of the deceased person's will;
b. the deceased person during his lifetime did not expressly prohibit such access and there is no special need for protection of the deceased person; and
c. no overriding interest of the controller or third parties oppose the access. 2If the controller refuses access because of an official or professional secrecy obligation, the authorised persons according to paragraph 1, letter a, may request that the competent authority pursuant to Articles 320 and 321 of the Criminal Code release it from the secrecy obligation. 3 The heirs or the executor of the will may request that the controller delete or destroy personal data of the testator unless:
a. the testator during his lifetime expressly prohibited such action; b. overriding interests of the testator, the controller or third parties oppose a deletion or destruc-
tion; or c. the deletion or destruction goes against prevailing public interests.
Page 6 of 30
Chapter 3: Duties of the Controller and the Processor
Art. 17 Duty of information when collecting personal data
1The controller informs the data subject about the collection of personal data; such duty of information also applies when data is not collected from the data subject. 2At the time of collection the controller shall provide to the data subject all information which is required in order for the data subject to assert his rights according to this Act and to ensure transparent processing of data, in particular:
a. the controller's identity and contact information; b. the purpose of processing; c. if applicable, the recipients or the categories of recipients to which personal data is disclosed. 3If data is not collected from the data subject, it additionally informs the data subject of the categories of personal data which is processed. 4 If personal data is disclosed abroad, the controller also informs the data subject of the name of the state or the international organism and, as the case may be, the guaranties according to Article 13 paragraph 2 or the applicability of one of the exceptions provided for in Article 14. 5If data is not collected from the data subject, it provides to the data subject the information mentioned in paragraphs 2 to 4 at the latest one month after it received the personal data. If the controller discloses the personal data prior to this date, it informs the data subject at the time of disclosure at the latest.
Art. 18 Exceptions to the duty of information and restrictions
1The duty of information according to Article 17 ceases to apply if one of the following requirements is met: a. The data subject already disposes of the corresponding information. b. The processing is provided for by law. c. The controller is a private person and is bound by a legal obligation to secrecy. d. The requirements of Article 25 are fulfilled.
2If personal data is not collected from the data subject, the duty to inform shall also not apply if one of the following requirements is met:
a. the information is impossible to be given; or b. the information requires disproportionate efforts. 3 The controller may restrict, defer or waive the provision of information in the following cases: a. this is required to protect the overriding interests of third parties; b. the information prevents the processing from fulfilling its purpose; c. when the controller is a private person: if prevailing interests so require and under the condition
that he not disclose the personal data to third parties; d. when the controller is a federal body and one of the following requirements is met:
1. a prevailing public interest, in particular the internal or external security of Switzerland, so requires, or
2. the provision of the information is susceptible to compromise an inquiry, investigation or an administrative or judicial proceeding.
Art. 19 Duty of information in the case of an automated individual decision
1The controller informs the data subject of a decision which is taken exclusively on the basis of an automated processing, including profiling, and which has legal effects on the data subject or affects him significantly. 2It shall give the data subject upon request the opportunity to state his position. The data subject can request that the decision be reviewed by a natural person. 3Paragraphs 1 and 2 shall not if:
a. the decision is directly connected with the conclusion or the performance of a contract between the controller and the data subject and the request of the latter is satisfied, or
b. the data subject explicitly consented to the decision being taken in an automated manner.
Page 7 of 30
4 If the automated individual decision comes from a federal body, the latter must designate it as such. Paragraph 2 does not apply if the data subject has a legal remedy against the decision.
Art. 20 Data protection impact assessment
1If the intended data processing may lead to a high risk for the data subject's privacy or fundamental rights, the controller must conduct in advance a data protection impact assessment. If the controller considers performing several similar processing operations, it may establish a joint impact analysis. 2The existence of a high risk depends on the nature, the extent, the circumstances and the purpose of the processing. Such a risk exists in particular in the following cases:
a. processing of sensitive personal data on a broad scale; b. in case of profiling; c. systematic surveillance of extensive public areas. 3 The data protection impact assessment contains a description of the intended processing, an evaluation of the risks as regards the data subject's privacy or fundamental rights, as well as the intended measures to protect the data subject's privacy or fundamental rights. 4 Private controllers are relieved from their obligation to establish a data protection impact assessment if they are legally bound to perform the processing. 5The private controller can abstain from establishing a data protection impact assessment if he is certified according to Article 12 or if he complies with a code of conduct according to Article 10 which meets the following requirements: a. the code of conduct is based on a data protection impact assessment; b. it provides for measures to protect the privacy or fundamental rights of the data subject; c. it was submitted to the Commissioner.
Art. 21 Consultation of the Commissioner
1The controller consults the Commissioner prior to the processing when the data protection impact assessment shows that the processing would present a high risk for the privacy or fundamental rights of the data subject if the controller did not take measures. 2The Commissioner informs the controller of his objections against the envisaged processing within two months. This deadline can be extended by one month in cases of complex data processing. 3If the Commissioner has objections against the envisaged processing, he suggests appropriate measures to the controller. 4 The private controller can abstain from consulting the Commissioner if he consulted the data protection counsellor according to Article 9.
Art. 22 Notification of data security breaches
1The controller shall notify the Commissioner as soon as possible of a data security breach that is probable to result in a high risk to the privacy or the fundamental rights of the data subject. 2In the notification, it must at least indicate the nature of the data security breach, its consequences and the measures taken or foreseen. 3 The processor shall notify the controller as soon as possible of any data security breach. 4 The controller shall also inform the data subject if this is necessary for the protection of the data subject or if the Commissioner so requests. 5It can restrict the information to the data subject, defer it or refrain from providing information if:
a. there are grounds pursuant to Article 24 paragraph 1, letter b or 2 letter b or a statutory duty of secrecy prohibits it;
b. information is impossible or requires disproportionate efforts; or c. the information of the data subject is ensured in an equivalent manner by a public announce-
ment. 6 A notification based on this Article can be used in criminal proceedings against the person subject to notification only with such person's consent.
Page 8 of 30
Chapter: 4 Rights of the Data Subject
Art. 23 Access right
1Any person may request information from the controller free of charge as to whether personal data concerning him is being processed. 2The data subject shall receive the information required in order to enable him to assert his rights under this Act and to ensure the transparent processing of data. In any case, the following information shall be provided to the data subject:
a. identity and contact details of the controller; b. the personal data being processed; c. the purpose of processing; d. the period of storage of the personal data or, if this is not possible, the criteria used to deter-
mine such period; e. the available information on the origin of the personal data, to the extent that it was not col-
lected from the data subject; f. if applicable, the existence of an automated individual decision as well as the logic on which this
decision is based; g. if applicable, the recipients or categories of recipients to which the personal data was disclosed
as well as the information foreseen in Article 17 paragraph 4.
3 Personal data on the data subject's health may be communicated to the data subject, provided his consent is given, by a healthcare professional designated by him. 4 If the controller has personal data processed by a processor, the controller remains under the obligation to provide information. 5 No one may waive the right to information in advance. 6 The Federal Council may provide for exceptions where information shall not be provided free of charge.
Art. 24 Limitations to the access right
1The controller may refuse, restrict or defer provision of information if : a. a formal law provides for it; b. it is required by prevailing interests of third parties; or c. the request for information is manifestly unfounded or frivolous.
2Additionally, it is possible to refuse, restrict or defer the provision of information in the following cases:
a. when the controller is a private person: if prevailing interests so require and under the condition that he does not disclose the personal data to a third parties;
b. when the controller is a federal body and one of the following requirements is met: 1. the measure is required for a prevailing public interest, in particular the internal or external security of Switzerland, or 2. the provision of information is susceptible to compromise an inquiry, investigation or an administrative or judicial proceeding.
3 The controller must indicate the grounds on which it refuses, restricts or defers the provision of the information.
Art. 25 Limitations to the access right for media
1If personal data is used exclusively for publication in the edited section of a periodically published medium, the controller may refuse, restrict or defer provision of information for one of the following reasons:
a. the data reveals information about the sources of the information; b. access to draft publications would ensue; c. the publication would jeopardize the free formation of opinion by the public.
Page 9 of 30
2Journalists may also refuse, restrict or defer provision of information if they use the personal data exclusively as their personal work instrument.
Chapter 5 Special Provisions for Data Processing by Private Persons
Art. 26 Breaches of privacy
1Anyone who processes personal data must not unlawfully breach the privacy of the data subjects. 2A breach of privacy exists in particular if:
a. personal data is processed in contravention with the principles set forth in Articles 5 and 7; b. personal data is processed against the data subject's express declaration of intent; c. sensitive personal data is disclosed to third parties.
3 In general, there is no breach of privacy if the data subject has made the personal data generally accessible and has not expressly prohibited its processing.
Art. 27 Justifications
1A breach of privacy is unlawful unless it is justified by the consent of the data subject, by an overriding private or public interest or by law. 2An overriding interest of the controller may in particular be considered in the following cases:
a. The controller processes personal data of the contractual party in direct connection with the conclusion or the performance of a contract.
b. The controller is or will be in commercial competition with another person and for this purpose processes personal data without disclosing it to third parties.
c. The controller processes personal data in order to verify the data subject's creditworthiness, provided that the following requirements are fulfilled: 1. The processing does not involve sensitive personal or profiling. 2. The data is disclosed to third parties only if the data is required by such third parties for the conclusion or the performance of a contract with the data subject. 3. The data is not older than five years. 4. The data subject is of age.
d. The controller processes the personal data on a professional basis and exclusively for publication in the edited section of a periodically published medium.
e. The controller processes personal data for purposes not relating to a specific person, in particular for the purposes of research, planning and statistics, provided that the following requirements are fulfilled: 1. The data is rendered anonymous as soon as the purpose of processing allows for it. 2. Sensitive personal data is disclosed to third parties in such a manner that the data subjects may not be identified. 3. Results are published in such a manner that the data subjects may not be identified. f. The controller collects personal data on a person of public interest which relates to the public activities of that person.
Art. 28 Legal claims
1 The data subject may request that incorrect personal data be corrected, unless:
a. there is a statutory regulation prohibiting the correction; b. the personal data is being processed for archiving purposes in the public interest. 2 Actions relating to the protection of privacy are governed by Articles 28, 28a and 28g 28l of the Civil Code. The plaintiff may in particular request that:
Page 10 of 30
a. a specific data processing be prohibited; b. a specific disclosure of personal data to third parties be prohibited; c. personal data be deleted or destroyed. 3 If neither the accuracy nor the inaccuracy of the personal data can be determined, the plaintiff may request for a note that indicates the objection to be added to the personal data. 4 Furthermore, the plaintiff may request the correction, the deletion or the destruction, the prohibition of processing or of disclosure to third parties, the note indicating the objection or the judgement be communicated to third parties or published.
Chapter 6: Special Provisions for Data Processing by Federal Bodies
Art. 29 Control and responsibility in case of joint processing of personal data
The Federal Council regulates the control procedures and the responsibility for data protection if the federal body processes personal data together with other federal bodies, with cantonal bodies or with private persons.
Art. 30 Legal basis
1Federal bodies may process personal data only if there is a statutory basis for doing so. 2A statutory basis must consist in a formal law in the following cases:
a. The processed data is sensitive personal data. b. Profiling. c. The processing purpose or the type and manner of the data processing may result in a serious
interference with the fundamental rights of the data subject. 3For the processing of personal data under paragraph 2 letters a and b, a statutory basis consisting in a substantive law is sufficient if the following requirements are fulfilled:
a. The processing is essential for a task defined in a formal law. b. The processing does not involve any special risks affecting the fundamental rights of the data
subject. 4 By way of derogation from paragraphs 1 to 3, federal bodies may process personal data if one of the following requirements is fulfilled:
a. The Federal Council has authorised processing because it considers the rights of the data subject not to be endangered.
b. The data subject has given his consent to the processing in the specific case or made his personal data generally accessible and has not expressly prohibited the processing.
c. The processing is required in order to protect the life or the physical integrity of the data subject or a third party and it is not possible to obtain the consent of the data subject within a reasonable period of time.
Art. 31 Automated data processing in pilot projects
1The Federal Council may, before a formal law enters into force, authorise the automated processing of sensitive personal data or other data processing under Article 30 paragraph 2 letters b and c if:
a. the tasks based on which the processing is required are regulated in a formal law that has already entered into force;
b. adequate measures are taken to limit interferences with the fundamental rights of the data subject to the minimum; and
c. for the practical implementation of a data processing a test phase before entry into force is indispensable, in particular for technical reasons.
2It obtains the Commissioner's opinion in advance. 3The competent federal body shall provide the Federal Council with an evaluation report at the latest within two years after inception of the pilot project. The report contains a proposal on whether the processing should be continued or terminated. 4 Automated data processing must be terminated in any event if within five years after inception of the pilot project no formal law has entered into force that contains the required legal basis.
Page 11 of 30
Art. 32 Disclosure of personal data
1 Federal bodies may disclose personal data only if a statutory basis in accordance with Article 30 paragraphs 1 to 3 so provides.
2In derogation from paragraph 1, they may disclose personal data in the specific case if one of the following requirements is fulfilled:
a. Disclosure of the data is indispensable to the controller or the recipient for the fulfilment of a statutory task.
b. The data subject has consented to the disclosure. c. Disclosure of the data is required in order to protect the life or the physical integrity of the data
subject or a third party and it is not possible to obtain the consent of the data subject within a reasonable period of time. d. The data subject has made its data generally accessible and has not expressly prohibited disclosure. e. The recipient credibly demonstrates that the data subject is withholding consent or objects to disclosure in order to prevent the enforcement of legal claims or the safeguarding of other legitimate interests; the data subject must be given the opportunity to comment beforehand, unless this is impossible or involves a disproportionate effort. 3They may also disclose personal data in the context of official information disclosed to the general public, either ex officio or pursuant to the Freedom of Information Act of 17 December 2004,4 if: a. the data pertains to the fulfilment of a public duty; and b. there is an overriding public interest in its disclosure.
4They may on request also disclose the name, first name, address and date of birth of a person if the requirements of paragraph 1 or 2 are not fulfilled.
5They may make personal data generally accessible by means of automated information and communication services if a legal basis provides for the publication of such data or if they disclose data on the basis of paragraph 3. If there is no longer a public interest in making such data generally accessible, the data concerned must be deleted from the automated information and communication service.
6Federal bodies shall refuse or restrict disclosure, or make it subject to conditions, if: a. essential public interests or manifest legitimate interests of a data subject so require or b. statutory duties of secrecy or special data protection regulations so require.
Art. 33 Objection to the disclosure of personal data
1The data subject that credibly demonstrates a legitimate interest may object to the disclosure of certain personal data by the competent federal body.
2The federal body shall refuse such request if one of the following requirements is fulfilled: a. there is a legal duty of disclosure; b. the fulfilment of its task would otherwise be endangered.
3 Article 32 paragraph 3 is reserved.
Art. 34 Offering of documents to the Federal Archive
1In accordance with the Archiving Act of 26 June 19985, the federal bodies shall offer the Federal Archive all personal data that the federal bodies do not constantly require anymore.
2The federal body shall destroy personal data designated by the Federal Archive as not being of archival value unless:
a. it is rendered anonymous; b. it must be preserved on evidentiary or security grounds or in order to safeguard the legitimate
interests of the data subject.
4 SR 152.3 5 SR 152.1
Page 12 of 30
Art. 35 Data processing for research, planning and statistics
1Federal bodies may process personal data for purposes not related to specific persons, in particular for research, planning and statistics, if:
a. the data is rendered anonymous, as soon as the processing purpose so permits; b. the federal body discloses sensitive personal data to private persons only in such a manner that
the data subjects cannot be identified; c. the recipient only passes on the data to third parties with the consent of the federal body which
has disclosed the data; and d. the results are only published in such a manner that the data subjects may not be identified. 2Articles 5 paragraph 3, 30 paragraph 2 and Article 32 paragraph 1 do not apply.
Art. 36 Private law activities of federal bodies
If a federal body acts under private law, the provisions for data processing by private persons apply.
Art. 37 Claims and procedure
1Anyone with a legitimate interest may request the responsible federal body to: a. refrain from processing the personal data concerned unlawfully; b. eliminate the consequences of unlawful processing; c. ascertain the unlawfulness of the processing.
2 The applicant may in particular request that the federal body: a. correct, delete or destroy the personal data concerned; b. publish or communicate its decision to third parties, in particular on the correction, deletion or destruction, the objection to disclosure under Article 33 or the note that indicates the objection under paragraph 4.
3 Instead of deleting or destroying the personal data, the federal body restricts the processing if a. the data subject disputes the accuracy of the personal data and if it is not possible to determine the accuracy or the inaccuracy thereof; b. overriding interests of third parties so require; c. an overriding public interest, in particular the internal or external security of Switzerland, so requires; d. the deletion or destruction of the data may jeopardise an inquiry, an investigation or administrative or judicial proceeding.
4If it is not possible to determine the accuracy or the inaccuracy of personal data, the federal body attaches to the data a note that indicates the objection. 5 The correction, deletion or destruction of personal data may not be requested with respect to the inventory of publicly accessible libraries, educational institutions, museums, archives or other public memorial institutions. If the applicant can credibly demonstrate an overriding interest, he may request that the institution restrict access to the disputed data. Paragraphs 3 and 4 do not apply. 6 The procedure is governed by the Federal Act of 18 December 19686 on Administrative Procedure (Administrative Procedure Act). The exceptions contained in Articles 2 and 3 of the Administrative Procedure Act do not apply.
Art. 38 Procedure in the event of the disclosure of official documents containing personal data
If proceedings relating to access to official documents within the meaning of the Freedom of Information Act of 17 December 20047 that contain personal data are pending, the data subject may in such proceedings claim the rights given to him under Article 37 for those of the documents that are the subject matter of the access proceedings.
6 SR 172.021 7 SR 152.3
Page 13 of 30
Chapter 7: Commissioner
Section 1: Organisation
Art. 39 Appointment and status
1The Commissioner is appointed by the Federal Council for a term of office of four years. The appointment requires the approval by the Federal Assembly. 2The employment relationship of the Commissioner is governed by the Federal Personnel Act of 24 March 2000 (BPG)8, unless this Act provides otherwise. 3The Commissioner exercises his function independently without asking for or accepting instructions of any authority or third party. He is assigned to the Federal Chancellery for administrative purposes. 4He has a permanent secretariat and his own budget. He hires his own staff. 5He is not subject to the system of assessment under Article 4 paragraph 3 BPG.
Art. 40 Reappointment and termination of the term of office
1The Commissioner's term of office may be renewed twice. 2If the Federal Council decides not to renew the Commissioner's appointment based on sufficient factual reasons at least six months prior to the term of his office, his term of office shall tacitly be renewed. 3The Commissioner may request the Federal Council to be discharged from office at the end of any month subject to six months advance notice. 4The Federal Council may dismiss the Commissioner from office before the expiry of his term of office if he:
a. wilfully or through gross negligence seriously violates official duties; or b. is permanently unable to fulfil his office.
Art. 41 Secondary employment
1The Commissioner must not carry out any additional gainful activity. Furthermore, he must not hold an office of the Confederation or of a canton and must not be a member of the management, board of directors, supervisory body or auditors of a commercial enterprise. 2The Federal Council may permit the Commissioner to carry out a secondary employment under paragraph 1 provided this neither compromises the performance of the function nor independence and standing. The Federal Council's decision in this respect is published.
Art. 42 Self-regulation of the Commissioner
By means of appropriate control measures, in particular with respect to data security, the Commissioner shall ensure that the legally compliant enforcement of the federal data protection regulations is guaranteed in his office.
Section 2 Investigation of breaches of data protection regulations
Art. 43 Investigation
1The Commissioner initiates, ex officio or upon notification, an investigation against a federal body or a private person if there are any indications that a data processing could violate the data protection regulations.
8 SR 172.220.1
Page 14 of 30
2 He may refrain from initiating an investigation if the breach of the data protection regulations is of minor significance. 3The federal body or the private person will provide the Commissioner with all information and will make all documents available to the Commissioner which are necessary for the investigation. The right to refuse to provide information is governed by Articles 16 and 17 of the Administrative Procedure Act of 20 December 19689. 4If the data subject notified the Commissioner, the Commissioner will inform the data subject of the steps undertaken in the matter based on the data subject's notification and the results of the investigation, if any.
Art. 44 Powers 1 If the federal body or the private person does not comply with the duty to cooperate, the Commissioner may in the context of the investigation order the following:
a. access to all information, documents, inventories of the processing activities and personal data which are required for the investigation;
b. access to premises and facilities, c. questioning of witnesses; d. evaluations by experts. 2He may also order preliminary measures for the duration of the investigation and have them enforced by a federal authority or the cantonal or municipal police.
Art. 45 Administrative measures
1If data protection regulations are violated, the Commissioner may order that the processing is fully or partially adjusted, suspended or terminated and that the personal data is fully or partially deleted or destroyed. 2He may defer or prohibit disclosure abroad if it violates the requirements under Articles 13 or 14 or specific provisions on the disclosure of personal data abroad in other Federal Acts. 3 He may in particular order that the federal body or the private person:
a. inform the Commissioner under Articles 13 paragraph 2 letters b and c and 14 paragraph 2; b. take the measures under Articles 6 and 7; c. inform the data subjects under Articles 17 and 19 d. perform a data protection impact assessment under Article 20; e. consult the Commissioner under Article 21; f. inform the Commissioner or, if applicable, the data subjects under Article 22; and g. provide the data subject with the information under Article 23. 4 If during the investigation the federal body or the private person has taken the necessary measures to restore compliance with the data protection regulations, the Commissioner may limit himself to issuing a warning.
Art. 46 Proceedings
1Investigation proceedings and decisions under Articles 44 and 45 are governed by the Administrative Procedure Act of 20 December 196810. 2Only the federal body or the private person against whom the investigation was initiated shall be party to the proceedings. 3 The Commissioner may file an appeal against appeal decisions issued by the Federal Administrative Court.
9 SR 172.021 10 SR 172.021
Page 15 of 30
Art. 47 Coordination
1 Federal administrative bodies which supervise private persons or organisations outside of the Federal Administration in accordance with another federal act invite the Commissioner to submit a statement before they issue a decision pertaining to data protection issues. 2 If the Commissioner has initiated his own investigation against the same party, the two authorities will coordinate their proceedings.
Art. 48 Administrative assistance between Swiss authorities
1Federal and cantonal authorities provide the Commissioner with the information and personal data required for the performance of his statutory duties.
2The Commissioner discloses to the following authorities the information and personal data required for the performance of their statutory duties:
a. the authorities responsible for data protection in Switzerland; b. the competent criminal prosecution authorities if a criminal offence under Article 59 paragraph 2
is reported; c. the federal authorities as well as the cantonal and municipal police for the enforcement of the
measures under Articles 44 paragraph 2 and 45.
Art. 49 Administrative assistance to foreign authorities
1 The Commissioner may exchange information and personal data with foreign authorities responsible for data protection for the performance of their respective statutory duties in the area of data protection if the following requirements are fulfilled:
a. The reciprocity of administrative assistance is ensured. b. Information and personal data are only used for the proceedings relating to data protection on
which the request for administrative assistance is based. c. The receiving authority undertakes to observe professional, business and manufacturing se-
crets. d. Information and personal data are only disclosed if the authority which has transmitted them
has previously consented to the disclosure. e. The receiving authority undertakes to adhere to the conditions and restrictions of the authority
which has transmitted the information and personal data. 2 In order to substantiate his request for administrative assistance or to comply with the request of an authority, the Commissioner may in particular provide the following information:
a. the identity of the controller, the processor or other third parties involved; b. the categories of data subjects; c. the identity of data subjects if:
1. the data subjects have consented thereto, or 2. the notification of the identity of the data subjects is indispensable so that the
Commissioner or the foreign authority may fulfil their statutory duties; d. processed personal data or categories of processed personal data; e. the purpose of processing; f. recipients or categories of recipients; g. technical and organisational measures.
3 Before the Commissioner discloses information to a foreign authority which may contain professional, business or manufacturing secrets, he informs the natural persons or legal entities concerned who are the holders of these secrets and invites them to comment, unless this is not possible or possible only with disproportionate efforts.
Page 16 of 30
Section 4: Other tasks of the Commissioner
Art. 50 Register
The Commissioner shall keep a register on the processing activities of the federal bodies. The register is published.
Art. 51 Information
1The Commissioner reports to the Federal Assembly annually on his activities. He simultaneously submits the report to the Federal Council. The report is published. 2In cases of general interest, the Commissioner informs the public of his findings and his decisions.
Art. 52 Additional tasks 1 The Commissioner has in particular the following additional tasks:
a. He informs, trains and advises the federal bodies as well as private persons on matters of data protection.
b. He supports the cantonal bodies and cooperates with domestic and foreign data protection authorities.
c. He raises public awareness, and in particular that of vulnerable private persons, regarding data protection.
d. He provides persons at their request with information on how they can exercise their rights. e. He provides an opinion on draft federal legislation and on federal measures which entail a pro-
cessing of data. f. He carries out the tasks assigned to him under the Freedom of Information Act of 17 December
200411 or other Federal Acts. g. He draws up guidelines and working tools for controllers, processors and data subjects; in this
respect he considers the particularities of the respective area and the protection of vulnerable private persons. 2He may also advise federal bodies which are not subject to his supervision according to Articles 2 and 3. The federal bodies may grant him access to their files.
Section 5: Fees
Art. 53 1 The Commissioner charges private persons fees for:
a. his opinion on a code of conduct under Article 10 paragraph 2; b. his approval of standard data protection clauses and binding corporate rules on data protection
under Article 13 paragraph 2 letters d and e; c. his consultation based on a data protection impact assessment under Article 21 paragraph 2; d. measures taken under Articles 44 paragraph 2 and 45; and e. providing his advice on matters of data protection under Article 52 paragraph 1 letter a. 2 The Federal Council determines the amount of fees. 3 It may determine in which cases it is possible to refrain from charging a fee or to reduce it.
11 SR 152.3
Page 17 of 30
Chapter 8 Criminal Provisions
Art. 54 Breach of obligations to provide access and information or to cooperate
1On complaint, private persons are liable to a fine of up to 250,000 Swiss Francs if they: a. breach their obligations under Articles 17, 19 and 23-25 by wilfully providing false or incomplete information; b. wilfully fail: 1. to inform the data subject pursuant to Articles 17 paragraph 1 and 19 paragraph 1; or 2. to provide the data subject with the information required under Article 17 paragraph 2.
2Private persons are liable to a fine of up to 250,000 Swiss Francs if in violation of Article 43 paragraph 3 they wilfully provide false information to the Commissioner in the context of an investigation or wilfully refuse to cooperate.
Art. 55 Violation of duties of diligence
On complaint, private persons are liable to a fine of up to 250,000 Swiss Francs if they wilfully: a. disclose personal data abroad in violation of Article 13 paragraphs 1 and 2 and without the conditions set forth in Article 14 being met; b. assign the data processing to a processor without the conditions set forth in Article 8 paragraphs 1 and 2 being met; c. fail to comply with the minimum data security requirements which the Federal Council has issued under Article 7 paragraph 3.
Art. 56 Breach of professional confidentiality
1 If a person wilfully discloses secret personal data of which he has gained knowledge while exercising his profession which requires knowledge of such data, he shall be liable on complaint to a fine of up to 250, 000 Swiss Francs. 2The same penalty applies to anyone who wilfully discloses secret personal data of which he has gained knowledge in the course of his activities for a person bound by a confidentiality obligation or in the course of training with such a person. 3The disclosure of secret personal data remains punishable after termination of such professional activities or training.
Art. 57 Disregard of decisions Private persons shall be liable to a fine of up to 250,000 Swiss Francs if they wilfully fail to comply with a decision issued by the Commissioner with reference to the criminal penalty of this Article or a decision issued by the appellate courts.
Art. 58 Violations committed within undertakings 1 For violations committed within undertakings, Articles 6 and 7 of the Federal Act of 22 March 1974 on Administrative Criminal Law12 shall apply. 2 If a fine not exceeding 50,000 Swiss Francs could come into consideration and the ascertainment of the persons who are criminally liable under Article 6 of the Federal Act of 22 March 1974 on Administrative Criminal Law required investigative measures that would be disproportionate in comparison with the penalty incurred, the authority may abstain from prosecuting these persons and instead sentence the undertaking to the payment of the fine (Article 7 of the Federal Act of 22 March 1974 on Administrative Criminal Law).
12 SR 313.0
Page 18 of 30
Art. 59 Jurisdiction 1 The cantons are responsible for the prosecution and the judgment of criminal acts. 2 The Commissioner may report a criminal offence to the competent criminal prosecution authorities and exercise the rights of a private plaintiff in the proceedings.
Art. 60 Statute of limitation for criminal prosecution The right to criminally prosecute is subject to a limitation period of five years.
Chapter 9: Conclusion of International Treaties
Art. 61 The Federal Council may conclude international treaties concerning:
a. the international cooperation between data protection authorities; b. the mutual recognition of an adequate level of protection for the disclosure of personal data
Chapter 10: Final Provisions
Art. 62 Repeal and amendments of other legislation The repeal and the amendments of other legislation are set forth in the Annex.
Art. 63 Transitional provisions concerning the controller's obligations 1 The information duty at the collection of personal data is governed by the previous law for two years following the entry into force of this Act. 2 Articles 6 and 17 to 21 shall apply during the two years following the entry into force of this Act only to processing activities in the sense of Articles 1 and 2 of (EU) Directive 2016/680.
Art. 64 Transitional provisions concerning processing 1 The processing activities that have ended at the time of entry into force of this Act are governed by the previous law, save for the rights of the data subject (Articles 23 to 25). 2 The processing activities commenced under the previous law and which continue after entry into force of this Act must meet the requirements of this Act at the latest two years after its entry into force. 3 Articles 6, 20 and 21 do not apply to processing activities commenced prior to the entry into force of this Act, insofar as the purpose of the processing remains unchanged and no new data is collected. 4 In all other cases, this Act applies to data processing upon its entry into force.
Art. 65 Transitional provisions concerning ongoing proceedings This Act does not apply to investigations of the Commissioner which are pending at the time of its entry into force, nor to pending appeals against first instance decisions rendered before its entry into force. In these matters, the previous law applies.
Page 19 of 30
Art. 66 Transitional provision concerning data pertaining to legal entities For federal bodies, the provisions of other federal regulations that concern personal data continue to apply to data pertaining to legal entities for five years after the entry into force of this Act. During that time, the federal bodies may in particular continue to disclose the data pertaining to legal entities under Article 57s, paragraph 1 and 2, of the Act of 21 March 1997 on the Organisation of the Government and the Administration, if the federal bodies are entitled to disclose personal based on a legal basis. Art. 67 Transitional provision concerning certification 1The Federal Council shall within two years from entry into force of this Act issue provisions on the recognition of certification procedures and the introduction of a data protection quality label. 2Certification during this period is governed by the previous law.
Page 20 of 30
Repeals and amendments of other Acts
[Translators' note: as specified below, this document does not contain translations of all repeals and amendments of other Acts. Furthermore, please note that additional repeals and amendments are set forth in a separate preliminary Federal Act on the revision of the Data Protection Act and the modification of other Federal Acts (see draft amendments of further legislation in German, French and Italian language (DE/FR/IT)].
I The Federal Act of 19 June 199213 on Data Protection is repealed.
II The Acts hereinafter will be amended as follows:
[footnotes omitted in the following sections]
1. Foreign Nationals Act of 16 December 2005
3. Asylum Act of 26 June 1998
4. Federal Act on the Information System for Foreign Nationals and Asylum Matters of 20 June 2003
5. Federal Act on Archiving of 26 June 1998
5. Freedom of Information Act of 17 December 2004
Article 3 paragraph 2 Access to official documents containing personal information about the applicant is governed by the Federal Act of 19 June 1992 on Data Protection (Data Protection Act).
Article 9 Protection of personal data and data relating to legal entities 1 Official documents containing personal data shall, wherever possible, be rendered anonymous prior to inspection. 2 Requests for access covering official documents that cannot be rendered anonymous are assessed with regard to personal data in accordance with Article 32 of the Data Protection Act and with regard to data relating to legal entities in accordance with Article 57s of the Government and Administration Organisation Act.
13 AS 1993 1945, 1997 2372, 1998 1586, 1999 2243, 2006 2197 2319, 2007 4983, 2010 1739 3387
Page 21 of 30
Article 11 Consultation 1Should an application be made for access to official documents which contain personal data and that may interfere with the privacy of third parties, and that the authority is considering granting, it shall consult the person concerned and afford him the opportunity to submit comments within ten days. 2 The authority shall inform such consulted person of its position concerning the application.
Article 12 paragraph 2 second sentence and paragraph 3 2 ... Should an application concern official documents that may interfere with the privacy of third parties if made available, the deadline shall be extended for the required period. 3Should an application concern official documents that may interfere with the privacy of third parties if made available, the authority shall suspend access until the legal situation has been clarified.
Article 15 paragraph 2 letter b 2Furthermore, the authority shall render a decision if, contrary to the recommendation, it:
b. intends to grant the right of access to an official document that may interfere with the privacy of third parties if made available.
Article 18 Introductory sentence The Federal Data Protection and Information Commissioner (the Commissioner) pursuant to Article 39 of the Data Protection Act shall, in particular, have the following duties and competencies under the present Act:
6. Government and Administration Organisation Act of 21 March 199714 [not translated]
7. Federal Personnel Act of 24 March 2000
8. Administrative Court Act of 17 June 2005
Art. 35 letter b Repealed.
9. Swiss Civil Code
Article 45a paragraph 3 number 3 3Within the limits of the law and in co-operation with the cantons, the Federal Council regulates:
3. the organisational and technical measures necessary to ensure data protection and data security as well as the supervision of compliance with the data security regulations.
10. Audit Supervision Act of 16 December 2005
14 SR 172.010
Page 22 of 30
11. Federal Act on the Processing of Personal Data in the Federal Department of Foreign Affairs of 24 March 2000
12. Federal Act against Unfair Competition of 19 December 1986
13. Civil Procedure Code
Article 20 letter d The court at the domicile or registered office of either of the parties has jurisdiction to decide on:
d. actions and requests based on the Federal Act on Data Protection of ...,
Article 99 paragraph 3 letter d 3No security need be provided:
d. in proceedings concerning a dispute under the Federal Act on Data Protection of....
Article 113 paragraph 2 letter g 2No court costs are charged in disputes:
g. relating to the Federal Act on Data Protection.
Article 114 letter f In litigation proceedings, no court costs are charged in disputes:
f. relating to the Federal Act on Data Protection.
Article 243 paragraph 2 letter d 2They apply regardless of the amount in dispute to:
d. enforcement of claims under Articles 16 and 23 of the Federal Act on Data Protection;
Before the title of Art. 407d Chapter 5 Transitional Provision to the Amendment of ...
Article 407d The new law applies to proceedings that are pending when Amendment of ... comes into force.
14. Federal Act on Private International Law of 18 December 1987
Article 130 paragraph 3 Legal actions for the enforcement of the right to information and access in connection with the processing of personal data may be submitted to courts mentioned in Article 129.
15. Swiss Criminal Code
Article 179novies Obtaining personal data without authorisation Any person who without authorisation obtains sensitive personal data which are not freely accessible is liable on complaint to a custodial sentence not exceeding three years or to a monetary penalty.
Page 23 of 30
Insert before the title of Section 4
Article 179decies Misuse of identity Any person who makes use of the identity of a third person without that person's consent and in order to harm that person or to obtain an unlawful advantage for himself or for another is liable on complaint to a custodial sentence not exceeding one year or to a monetary penalty.
Article 352 paragraph 2 2 The Federal Act on Data Protection applies to the exchange of information in connection with searches for missing persons and the identification of unknown persons and for administrative purposes.
Article 355a paragraph 1 The Federal Office of Police (fedpol) and the Federal Intelligence Service (FIS) may pass on personal data, including sensitive personal data, to the European Police Office (Europol). Article 365 paragraph 1 first sentence 1 The Federal Office of Justice, with the support of the other federal authorities and the cantons (article 367 paragraph 1), maintains a computerised register of criminal convictions and applications for extracts from the register of convictions in connection with ongoing criminal proceedings, which contains sensitive personal data.
16. Federal Act on Administrative Criminal Law of 22 March 1974
17. Military Criminal Procedure of 23 March 1979
18. Federal Act on Federal Police Information Systems of 13 June 2008
19. Federal Act on the Federal Polytechnic Schools of 4 October 1991
20. Sports Promotion Act of 17 June 2011
21. Federal Act on the Federal Information Systems in the Area of Sports of 17 June 2011
22. Federal Statistics Law of 9 October 1992
Page 24 of 30
23. Federal Act on the Business Identification Number of 18 June 2010 [not translated] 24. Federal Act on the National Library of 18 December 1992 [not translated] 25. Federal Act on the Circulation of Animals and Plants of Protected Species of 16 March 2012 [not translated] 26. Animal Protection Act of 16 December 2005 [not translated] 27. Military Act of 3 February 1995 [not translated] 28. Geographical Information Act of 5 October 2007 [not translated] 29. Federal Act on the Military Information Systems of 3 October 2008 [not translated] 30. War Material Act of 13 December 1996 [not translated] 31. Arms Act of 20 June 1997 [not translated] 32. Act on the Protection of the Population and Civil protection of 4 October 2002 [not translated] 33. Financial Budget Act of 7 October 2005 [not translated] 34. Federal Auditing Act of 28 June 1967 [not translated] 35. Customs Act of 18 March 2005
Page 25 of 30
[not translated] 36. Value Added Tax Act of 12 June 2009 [not translated] 37. Tobacco Tax Act of 21 March 1969 [not translated] 38. Beer Tax Act of 6 October 2006 [not translated] 39. Mineral Oil Tax Act of 21 June 1996 [not translated] 40. Heavy Traffic Tax Act of 19 December 1997 [not translated] 41. Nuclear Energy Act of 21 March 2003 [not translated] 42. Electricity Act of 24 June 1902 [not translated] 43. Road Traffic Act of 19 December 1958 [not translated] 44. Railway Act of 20 December 1957 [not translated] 45. Passenger Transport Act of 20 March 2009 [not translated] 46. Pipeline Act of 4 October 1963 [not translated] 47. Aviation Act of 21 December 1948 [not translated]
Page 26 of 30
48. Postal Act of 17 December 2010 [not translated] 49. Telecommunications Act of 30 April 1997 [not translated] 50. Federal Act on Radio and Television of 24 March 2006 [not translated] 51. Human Research Act of 30 September 2011 [not translated] 52. Narcotics Act of 3 October 1951 [not translated] 53. Epidemic Act of 28 September 2012 [not translated] 54. Federal Act against Illegal Employment of 17 June 2005 [not translated] 55. Employment Service Act of 6 October 1989 [not translated] 56. Federal Act on the Old Age and Survivors' Insurance of 20 December 1946 [not translated] 57. Federal Occupational Retirement, Survivors' and Disability Pensions Act of 25 June 1982 [not translated] 58. Health Insurance Act of 18 March 1994 [not translated] 59. Accident Insurance Act of 20 March 1981 [not translated]
Page 27 of 30
60. Military Insurance Act of 19 June 1992 [not translated] 61. Unemployment Insurance Act of 25 June 1982 [not translated] 62. Animal Diseases Act of 1 July 1966 [not translated] 63. Hunting Act of 20 June 1986 [not translated] 64. National Bank Act of 3 October 2003 [not translated] 65. Money Laundering Act of 10 October 1997 [not translated] 66. Financial Markets Supervision Act of 22 June 2007 [not translated] 67. Act on International Development Cooperation and Humanitarian Aid of 19 March 1976 [not translated] 68. Act on Cooperation With the States of Eastern Europe of 30 September 2016 [not translated]
Page 28 of 30
Jrg Schneider Dr. iur., Attorney at Law Partner Direct phone: +41 58 658 55 71 email@example.com
David Vasella Dr. iur., Attorney at Law Counsel Direct phone: +41 58 658 52 87 firstname.lastname@example.org
Jacqueline Sievers Dr. iur., LL.M., Attorney at Law Direct phone: +41 58 658 53 47 email@example.com
Monique Sturny Dr. iur., LL.M., Attorney at Law Direct phone: +41 58 658 56 56 firstname.lastname@example.org
Martin Zobl Dr. iur., LL.M., Attorney at Law Direct phone: +41 58 658 55 35 email@example.com
Hugh Reeves MLaw, LL.M., Attorney at Law Direct phone: +41 58 658 52 73 firstname.lastname@example.org
Page 29 of 30
Walder Wyss Ltd. Attorneys at Law
Phone +41 44 498 98 98 Fax +41 44 498 98 99 email@example.com
www.walderwyss.com Zurich, Geneva, Basel, Berne, Lausanne, Lugano
Page 30 of 30