SWISS DATA PROTECTION ACT

WHAT DATA IS REGULATED?


The Act applies to personal data, which means all information relating to an identified or
identifiable person. Data subjects are natural persons or legal entities whose data is
processed.

WHAT ACTS ARE REGULATED?


It regulates data processing. Processing must be carried out in good faith and must be
proportionate. Processing includes any operation with personal data, regardless of the
means applied and procedure, and in particular the collection, storage, use, revision,
disclosure, archiving or destruction of data.

JURISDICTIONAL SCOPE:
• The data subject has its habitual residence in Switzerland, provided that the data
processor can anticipate that damage may be sustained in Switzerland.
• The data controller or processor (as the potentially infringing party) is a Swiss resident.
• Damage resulting from a data breach is sustained in Switzerland, provided that the
data processor can anticipate that damage may be sustained in Switzerland.

MAIN OBLIGATIONS OF DATA CONTROLLERS:


• Personal data can only be processed lawfully (principle of lawfulness).
• Personal data processing must be carried out in good faith and must be proportionate
(principle of proportionality).
• Personal data can only be processed for the purpose indicated at the time of collection,
that is evident from the circumstances, or that is provided for by law (principle of
appropriateness).
• The collection of personal data and the purpose of processing must be evident to the
data subject (principle of transparency).

Additionally, any person that processes personal data must make certain that such data
is correct and complete (Article 5, DPA). Personal data must be protected against
unauthorised processing by appropriate organisational and technical measures (Article
7, DPA).

SECURITY REQUIREMENTS

Generally, the data controller must implement adequate technical and organisational
protection measures and ensure the confidentiality, availability and integrity of the data to
ensure an appropriate level of data protection. In particular, the data controller must
protect its systems against the following risks:

• Unauthorised or accidental destruction.
• Accidental loss.
• Technical faults.
• Forgery, theft or unlawful use.
• Unauthorised alteration, copying, or access or other unauthorised processing.

LIABILITIES IN CASE OF BREACH:

Criminal penalties
Anyone who willfully breaches professional confidentiality obligations relating to sensitive
personal data or personality profiles is liable to a fine (Article 35, Swiss Federal Data
Protection Act (DPA)). The maximum amount of the fine that can be imposed is
CHF10,000.

Civil remedies
Data subjects can file civil actions and request interim measures. Data subjects can
request that (Article 15, DPA):
• Data processing be stopped.
• No data be disclosed to third parties.
• Personal data be corrected or destroyed.

Administrative remedies
The Commissioner can initiate administrative proceedings.
