Data protectioni Requirements for registration
Private persons must register their database if they regularly process sensitive personal data or personality profiles, or if they regularly disclose or transfer personal data to third parties. However, because the employers must collect certain data of the employees pursuant to social security laws, tax law and also the CO (e.g., with regard to the data required to issue a reference letter), they are exempted from the duty to register. If, however, companies collect additional data that, by law, does not need to be collected, there could be a duty to register.
Pursuant to the Federal Data Protection Act, personal data must be acquired lawfully, and processing must be lawful, in good faith and not be excessive, and is only allowed for the purpose indicated for the processing or evident under the circumstances or given by law. Employment law further extends the scope of protection granted under the Act. Article 328b of the CO only allows the processing of data that refers to the employee's aptitude for the job or is necessary for the performance of services.
Cross-border data transfers without the employee's consent are permitted if adequate cross-border data protection agreements are in place and information about such agreements is given to the Federal Data Protection and Information Commissioner or if the respective countries provide for an adequate level of data protection. With regard to the processing of data of private individuals, the Commissioner has established a list of countries that have implemented equivalent data protection legislation, which is publicly available on the internet. For example, the level of protection provided for private individuals by EU countries is deemed adequate. By contrast, the level of protection provided for the United States is not considered as being adequate. In order to reach an adequate level of protection, the Swiss–US Privacy Shield Framework provides a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States.
The processing of personal data may be assigned to third parties by agreement or by law if the data is processed only in the manner permitted for the instructing party itself, and it is not prohibited by a statutory or contractual duty of confidentiality.iii Sensitive data
Personal data pursuant to the Data Protection Act means all data that refers to a certain person. Sensitive personal data means all data relating to:
- religious, ideological, political or trade union-related views or activities;
- health, personal life or racial origin;
- social security measures; and
- administrative or criminal proceedings and sanctions.
The processing of sensitive personal data is only allowed if the relevant person is informed about the controller, the purpose of the processing and the categories of data recipient if a disclosure of personal data is planned.iv Background checks
As a rule, the employer may not conduct background checks or have these checks performed by third parties without the explicit consent of the applicant. Even if the applicant consented to a background check, the check would be – in consideration of the applicant's privacy – limited to information that strictly relates to whether the applicant fulfils the requirements of the job. For instance, any questions in regard to the applicant's health must be directed to find out whether the applicant is currently fit to work. Any further investigations to find out whether there is a general risk that the applicant could become ill in the long term would not be allowed.