DATA PROTECTION HISTORY
Parallel to the legislative activities in Europe and overseas, a number of parliamentary
interventions were made in 1971 and 1977 in Switzerland. Based on the work of two commissions of experts, the Federal Council (Swiss government) presented in 1984 a draft law for the usual consultation procedure. While some fundamental principles were well received, many interested parties and organisations (including employers’ and industrial organisations) criticised the regulation of private and public activities in one single law. The principal criticisms were that the law was unduly complicated and bureaucratic. It was also criticised for creating an independent data commission (instead of a data ombudsman).In March 1988, having taken into account some of these comments, the Federal Council proposed
a bill for a Federal Law on Data Protection (FLDP) to Parliament. The new law was approved by both chambers on 19 June 1992. Under Swiss Law, this new legislation could have been submitted to the Swiss people for a referendum. However, the term to ask for a popular vote expired on 28 September 1992 and the FLDP entered into force on for 1 July, 1993.The FLDP will be complemented by an executionary regulation to be published in June 1993.
ACTUAL LEGAL SITUATION
Until the adoption of the new Swiss Law, data protection in the private sector was governed by
Article 28 paragraph 1 of the Swiss Civil Code (SCC). According to its provisions, the treatment of data is not allowed if it leads to a violation of the personality or harms its honour or public reputation.Industry codes of practice and guidelines as well as provisions in established data protection
practice provide additional protection in specific branches (e.g. medical sector, market research and direct marketing). Data protection in the field of banking, insurance and pension privacy is assured by the well-known strict secrecy obligations in these areas.Data protection in the public sector is based on Article 8 of the European Convention on human
rights (ECHR). Several directives and regulations of the Federal Council are currently filling the gap in data protection until the FLDP becomes law. In 1981, a Federal Office for Data Protection was established. While most of the Cantons introduced cantonal data protection laws to assure compliance with the ECHR, the Federal government has no constitutional power to legislate on data protection in the cantons.
The FLDP provides for an overall framework and deals with data protection using similar
principles applied in other countries. The law enhances the protection of private persons provided by the SCC and regulates in a more detailed manner the treatment of data by Federal authorities. Private persons need no previous licence to treat data and registration with the Federal Data Register is required only in certain specific cases. Although the majority of interested parties asked for separate treatment of the private and public sectors, the law covers both to ensure harmonised development and to facilitate the access of the individuals to the data protection system.
Structure of the FEDERAL LAW ON DATA PROTECTION
SECTION 1 OBJECTIVE, SCOPE OF APPLICATION AND
DEFINITIONSSECTION 2 GENERAL PROVISIONS ON DATA PROTECTION
SECTION 3 TREATMENT OF PERSONAL DATA BY PRIVATE
PERSONSSECTION 4 TREATMENT OF PERSONAL DATA BY FEDERAL
AUTHORITIESSECTION 5 FEDERAL DATA COMMISSIONER
SECTION 6 FEDERAL DATA COMMISSION
SECTION 7 PENAL PROVISIONS
SECTION 8 MISCELLANEOUS PROVISIONS
MAIN PROVISIONS
The purpose of the FLDP is to protect the privacy, interests and fundamental rights of data subjects. Furthermore, it has as its central goal
* to maintain good data file practice; and
* to facilitate the international data exchange by providing a comparable level of protection.
The FLDP has a very wide scope of coverage and applies to personal data file activities carried out by Federal authorities, private organisations and individual private persons (excluding normal private purposes). While data collections kept by journalists and by the media are covered under Article 10, they benefit from several additional exceptions (i.e. provisions regarding freedom of the press and speech).
The law covers data on private persons as well as on legal persons and applies to both Electronic Data Processing (EDP) and manual files (Article 2, Article 3 paragraph a). The transfer of data abroad is not allowed if adequate data protection cannot be assured (Article 6 paragraph 1). A prior notification of the cross-border transfer is needed except in cases of a legal obligation or if the data subject has been informed, at least implicitly, of the transfer.
Data must be collected lawfully and should be done in good faith (Article 4). Any treatment must ensure accuracy and be balanced. They must be secured against unauthorised access. Furthermore, the data subject must be informed of the purpose of the collection, have a right of access (Article 8) and benefit from a right to correct errors (Article 5).
Sensitive data - such as those relating to religion, political convictions, trade union activities, health, race, social assistance or criminal punishment - enjoy in several respects a more effective protection.
All data registers held by Federal authorities must be registered with the Federal Data commissioner. Private persons only have to register data collections if they include sensitive data or if they are communicated regularly to third persons and if there is neither a corresponding legal obligation nor information on the data subject (Article 11).
The Federal Council has the responsibility of establishing the detailed rules relating to the execution of the FLDP.
PRIVATE SECTOR LEGISLATION
Data collection by private persons must not harm the privacy and personality of the data subject. In general, there is no violation if the data have been made publicly available without reserve to a future treatment (Article 12 paragraph 3). The treatment can be justified by consent, by law or by an overwhelming private or public interest, such as:
* data collection in connection with the conclusion of a contract,
* credit information,
* research and statistics (provided no individual data subject can be identified), or
* publication in media.
Private persons can mandate third parties to treat data on their behalf if no secrecy obligation is violated. In such cases, third parties may benefit from the same justifications as the file controller (Article 14).
PUBLIC SECTOR LEGISLATION
In the public sector, the FLDP regulates the collection and treatment of data by Federal authorities
only. The activities of cantonal and communal authorities are governed by cantonal law. The major proportion of the Swiss cantons have introduced laws on data protection in their area with rules similar to those on Federal level.Federal authorities may collect and treat personal data only if authorised or to fulfil a legal
obligation (Article 17). Special rules apply for files held to fight certain criminal activities (e.g. organised crime, terrorism) or to ensure military security (Article 24).Personal data can only be made available to third parties on a clear legal basis, to fulfil legal
obligations or in case of consent (Article 19). A data subject’s name, address and birthday may be communicated without the provision of legal grounds. Personal data may only be used for statistics, planning and research if (i.e. in case of publication) an individual person cannot be identified (Article 22).
FEDERAL DATA COMMISSIONER
The Federal data commissioner (FDC) is appointed by the Federal Council and supervises the
compliance of Federal authorities with the FLDP (Article 27). In the private sector, the FDC acts as an ombudsman. The Commission can only investigate and give binding decisions to private persons in cases where data collections have been registered, in cases of cross-border transfers and if the methods of data treatment endanger the privacy of a larger number of individuals (Article 29).
FEDERAL COMMISSION ON DATA PROTECTION
The Federal commission on data protection is appointed by the Federal Council and acts as an
appeal body against decisions of Federal authorities in relation to data protection as well against cantonal judgements based on Federal public law on data protection.
PENALTIES
Private persons violating their obligations with respect to information, notification and granting
access to information can be punished with a fine or detention. Unauthorised access to sensitive data can be punished with a fine or imprisonment, i.e. the data subject enjoys all usual remedies available under normal civil procedure (i.e. interdiction, right to correct or compensation of damage).
There is no obligation for private persons to establish formal procedures or to ask for permission
before beginning a collection of data except in cases where sensitive personal data are handled or where data are communicated to third persons and only if there is neither a legal obligation nor any information of the data subjects concerned.The data subject generally has the right to inspect and to correct false, incomplete or erroneous data. This right may only be restricted if there are overwhelming public or private interests. There, is however, no obligation of automatic notification as is the case in other countries.
The file controller has the responsibility of assuring the security of the data and is required to prohibit unauthorised access. Under the FLDP, the Federal Council has the flexibility to issue detailed prescriptions on security procedures not only in the public, but also in the private sector.
The FLDP restricts the transborder delivery of data in those cases when there is a need for the
protection of privacy. Delivery may be restricted if, for example, the recipient’s country cannot provide an adequate level of data protection. A notification of the FDC is only necessary if the data subject has not been informed of such a transfer. However, such notifications may be presumed in many cases. During the parliamentary debates, the Federal minister of justice specified that, for example, such knowledge can be presumed if personal data are exchanged among different companies of a multinational group.
19 June 1992
The Federal Assembly of the Swiss Confederation,
regarding Articles 31 bis, paragraphs 64, 64 bis and 85, number 1 of the federal constitution;
regarding the 23 March 19881 FF 1988 II 421 message of the Federal Council, decrees:
Article 1 Objective
This law seeks to protect the personality and the fundamental rights of those individuals about
whom data is processed.Article 2 Scope
This law regulates the processing of data about physical and legal persons undertaken by:
a) private bodies
b) Federal bodies
It does not apply to:
a) Personal data which is processed by a natural person exclusively for personal use and is not disclosed on to a third party;
b) deliberations of the Federal Parliament and Parliamentary Committees;
c) pending civil, penal, international legal assistance procedures as well as public law and administrative regulations with the exception of administrative procedings of the first instance;
d) public registers of private law;
e) personal data processed by the International Committee of the Red Cross.
Article 3 Definitions
It is meant by:
a) personal data (Data): all information relating to an identified or identifiable person,
b) persons concerned: the physical or legal person about whom data are processed,
c) sensitive personal data: data concerning:
1. religious, philosophical, political or union opinions or activities,
2. health, sexuality or racial origin,
3. social security files,
4. criminal or administrative procedings and sanctions
d) personality profile, a collection of data which allows the appraisal of essencial characteristics of of the personality of a natural person;
e) processing, all operations relating to personal data - regardless of the equipment and procedures used - in particular the collection, storage, use, modification, communication, archiving or the destruction of data;
f) communication, rendering data accessible, for example by allowing access to data by either transferring them or distributing them;
g) file, a collection of personal data whose structure facilitates a search for data on a particular individual;
h) Federal body, the authority or Federal service as well as any person working for the Swiss Confederation;
i) file controller, the private person or Federal body who decides the purpose and the contents of the file.
k) law, in the formal sense:
1. Federal laws and federal generally binding decrees subject to referendum
2. binding international agreements and treaties ratified by the Federal Assembly.
Article 4 Principles
All processing of personal data must be undertaken in a legal manner.
Processing must be conducted in good faith and must not be excessive.
Personal data should only be processed for the purpose for which it was collected, pursuant to legal provisions or circumstances.
Article 5 Data accuracy
Whoever processes personal data must ensure that the information is correct. All data subjects can request the rectification of inaccurate data.
Article 6 Transborder data flows
No personal data may be transferred abroad if the data subject’s personal privacy could be jeopardised, in cases where there is a failure to provide protection equivalent to that provided under Swiss law.
Whoever transmits data abroad must notify the Federal data protection authorities beforehand in cases where:
a) the transmission does not relate to a legal obligation and
b) it was conducted without the consent of the data subjects.
The Federal Council shall regulate the registrations in detail. It may privide for simplified registrations or exemptions from the duty to notify if the proceccing does not endanger the privacy of the persons concerned.
Article 7
Data securityPersonal data should be protected from unauthorised processing using appropriate organisational
and technical means.The Federal Council reserves the right to set out more detailed measures on minimal data security
measures.Right of access
Anyone can ask a file controller if data stored on him/her are intended for processing. The file
controller must communicate:a) all data about the individual contained in the file;
b) the purpose and ultimately the legal basis for the processing, the categories of
processed data, the individuals involved in processing the file, and individuals designated to receive the file.The file controller can divulge health details to the data subject using a doctor designated by the
latter.The file controller who has the file processed by a third party is responsible for providing any
information that is requested. This obligation is incumbent on the third party if the name of the file controller is not available or if the latter is not resident in Switzerland.The information should, as a general rule, be given free of charge and submitted in writing in
printed form or as a photocopy. The Federal council will grant exceptions.Nobody may waive the right of access in advance.
Non-disclosure of data
A file controller can refuse, restrict or defer the requested information in cases where:
a) a folmal law prevents it;
b) the interests of a third party outweigh the request.
A Federal body can refuse, restrict or defer the requested information in cases where:
a) it is in the public interest, in particular in the interest of internal and international
security of the Confederation;b) the communication of information may compromise judicial or other proceedings.
A private file controller can refus, restrict or defer the requested information when it is in his
interest and on the condition that the data will not be passed on to a third party.The file controller must indicate the reason for which he/she refuses, restricts or defers access.
Article 10
Non-disclosure as it applies to the mediaThe file controller who uses a file for the sole purpose of publication can refuse, restrict or defer
the requested information if:a) the personal data provides a clue as to the source;
b) a right to examine draft publication results;
c) the free expression of public opinion will be compromised.
Journalists can refuse or prevent the communication of information requested if a file is used
exclusively as personal work toll.File register
The Federal data protection commissioner holds a file register. Anyone can consult the register.
Federal government bodies must declare all files to the file register.
Private individuals who regularly process sensitive data, data profiles or communicate personal
data to a third party must register their files if:a) the processing of such data is not subject to legal requirement and that
b) the data subjects are unaware of it.
These files must be registered prior to processing.
The Federal council can issue regulations regarding the registration of files and regarding the
maintenance and publication of the register. It can also prescribe that for certain types of files, exceptions to this obligation to declare or register can be made if the processing does not affect the person or persons concerned.
Article 12
Infringement of privacyWhoever processes personal data must not unjustifiably infringe the privacy of the data subject
No-one has the right without justification to:
a) process personal data that contravenes the principles as set forth in Articles 4; 5,
paragraph 1; 6, paragraph 1; 7, paragraph 1;b) process personal data against the wishes of the data subject;
c) transfer to a third party any sensitive data or personal profiles.
As a general rule, a person’s rights can not be infringed if other data subject has made the data available to the public and is not explicitly opposed to processing.
Justifying motives
An infringement of privacy is illegal unless it is justified by the consent of the victim, by an overriding
public or private interest or by the law.The over-riding interests of the processing person are only applicable if:
a) the processing is undertaken in order to conclude or to carry out the terms of a
contract and if the processed data are about the partner to the contract;b) the processed data will be used in a report on economic competition, current or
future with another person, as long as no personal data is transmitted to a third party;c) personal data processed for the purpose of evaluating the creditworthiness of
another person, as long as they are neither sensitive nor are they constituted through profiling, nor are they transferred to a third party. Unless they are needed to conclude or execute a contract with the data subject;d) the data are processed on a professional basis for the sole purpose of a publication
or for the written media;e) the data are processed not for personal ends, notably in the context of research,
statistical planning, as long as the results are published in a format that does not allow identification of the data subject;f) the data gathered are about a public person, as long as the data concerns his public
life.
Article 14
Data processing by a third partyThe processing of data can be entrusted to a third party on the following conditions:
a) the mandating party ensures that no processing occurs other than the one
authorised;b) no legal or contractual obligation to keep the information confidential forbids it.
The third party can ensure the same provisions as the mandating party.
Article 15 Claims and legal procedures
Article 28 and 28f of the Civil code1 regulate the actions and provisional measures regarding the protection of the individual. The person submitting a request can specifically request that the data are rectified or destroyed or that their transmission be prohibited.
If the inaccuracy of data can not be established, the person submitting the request can ask that the particular data be marked by mentioning its litigious nature.
He can request that the rectification, the destruction of data, the prohibition of communication, the mention of the litigious character or the judgment can be communicated to a third party or be made public.
The actions to execute a right of access can be made at the domicule of the plaintiff or defendant. The judge must act according to a simple and rapid procedure.
Article 16 Responsible body
It is incumbent on the Federal body to ensure the protection of all data it processes or that it has processed in carrying out its duties.
When a Federal body processes personal data jointly with other Federal bodies, with cantonal bodies or with private persons, the Federal council can regulate the specific responsibilities with regards to data protection.
Judicial basis
Federal bodies can only process data if there is a legal basis for the processing.
Sensitive data or personal profiles can not be processed unless a law formally prescribes it or if,
exceptionally:a) the fulfilment of a task clearly defined in a law absolutely prescribes it;
b) the Federal council has authorised it, on the condition that the data subjects’ rights
are not jeopardised orc) the data subject has granted express consent or has personally made the data
public.
Article 18
Collection of personal dataThe Federal body, that systematically collects data, specifically through the use of questionnaires,
must specify the objective and the legal basis for the processing, the categories of persons dealing with the file and recipients of these data.The collection of sensitive data or profiles regarding the characteristics of a person should be
carried out in a way that is distinct from the latter.
Article 19
Communication of personal dataFederal bodies cannot transmit personal data unless it has legal grounds to do so under the
provisions of Article 17 or if:a. the recipient has evidence of the need for these data to carry out a legal task;
b. the data subject, in a particular case, has expressly consented or the circumstances
imply this consent;c. the data subject has rendered the data accessible to the public or
d. the recipient makes it likely that the data subject does not refuse to agree or does
not object to the communication provided that it is not to take advantage of legal provisions or to legitimise the interests of others; whenever possible the data subject must be asked to give prior consent.The Federal organs have the right to communicate, upon request, the name, first name, the
address and the date of birth of a person even if the conditions set forth in paragraph 1 are not fulfilled.The Federal organs can only make personal data available via on appeal procedure if it is
expressly foreseen. Sensitive data or personal profiles cannot be made available via an appeals procedure unless a law, in the formal sense expressly prescribes it.The Federal organ can disallow communication, the restraint or the matching of files, if:
a. an important public interest or if the legitimate interest of the data subject require it
or ifb. a legal obligation to keep it confidential or if a specific arrangement inherent to the
protection of the data requires it.
Article 20
Blockage of personal dataA person concerned who credibily asserts a legitimate interest may demand of the competent
Federal body that it block the communicating of certain data.The Federal organ can override this provision or withdraw its opposition if:
a. it is legally binding to communicate the data;
b. the performance of his duties would be compromised.
Article 21
Obligation to make personal data anonymous or to destroy themThe Federal organs are required to make anonymous or destroy personal data if they are no longer
useful, unless they;a. are to be retained as evidence or for security purposes or
b. are to be stored in the Federal Archives.
Article 22
Treatment for the purposes or research planning and statisticsThe Federal organs are allowed to process personal data as long as they cannot be identified to
individuals, notably for research purposes, planning or statistics along the following lines:a. the data are made anonymous as soon as the goal of the data processing allows;
b. the recipient does not communicate the data to a third party without the
autorisation of the Federal organ;c. the results of data processing are published in a form that does not allow
identification of the data subjects.The requirements of the following provisions must not be met:
a. Article 4, paragraph 3, regarding the purpose of the data processing;
b. Article 17, Paragraph 2, regarding the legal basis for the treatment of sensitive data
and personal profiles.c. Article, 19, Paragraph 1, relating to the communication of personal data.
Article 23
Private law activities practiced by Federal organsWhen a Federal organ acts on the basis of private law, the processing of personal data is regulated
by the provision applicable to private persons.However, this suspension must be carried in conformity to the practices used in the Federal
organs.
Article 24
Data processing in cases involving the consent of crime and in military securityWhen personal data is processed in connection with the fight against terrorism, violent
extremism, organised crime and forbidden intelligence services or to ensure military secrecy, the Federal Council, can until the law enters into force:a. allow for exceptions to the provisions on the purpose of the data processing
(Article 4, Paragraph 3), communication of the data abroad (Article 6, Paragraph 1), to the obligation to declare and to register (Article 11) and for the collection of personal data;b. authorise the processing of sensitive data or personal profiles, even if the
conditions contained in Article 17, Paragraph 2 and Article 19, Paragraph 1 are not fulfilled.In the areas of balloting, petitioning and statistical secrecy is guaranteed.
After having heard the opinion of the Federal data protection authority, the department with
jurisdiction can settle the disputes in the place of the Federal Data Protection Commission or of its President.Departmental decisions can be appealed using the administrative law before a Federal tribunal.
To the extent that cantonal authorities fulfil their Federal roles as set out in Paragraph 1, they are
under subject to the Federal data protection law. The supervisory rights prescribed in cantonal law subsist.
Article 25
Intentions and procedureThose with a legitimate interest can demand that the responsible Federal organ;
a. refrain from proceeding with illegal data processing;
b. nullify the effects of illegal data processing;
c. declare the illegal nature of the data processing.
If the accuracy or inaccuracy of personal data cannot be established, the Federal organ is required
to mark the data with a note indicating its contentious nature.The person making the request can, in particular, request that the Federal organ
a. correct, destroy the data or ensure that they are not transmitted to a third party;
b. publish the decision or communicate it to third parties notably of its decision to
correct or destroy the personal data, or to disallow communicative or to mention its contentious nature.This procedure is governed by the Federal Law or Administrative procedure. However, the
exceptions set out in Articles 7 and 3 of the Federal Law on Administrative Procedure do not apply.The decisions rendered by the Federal organs can be brought before the Federal Data Protection
Commission. The decisions made by this Commission can be appealed under administrative law before the Federal Tribunal.
Article 26
Appointment and StatusThe Federal Data Protection Commissioner is nominated by the Federal Council.
He performs his tasks autonomously and is administrative attached with the Federal Department
of Justice and Police.He has a permanent staff.
Article 27
Surveillance upon Federal bodiesThe Commissioner supervises the application of this law and other regulations concerning data
protection. The Federal Council can not be the subject of any supervision.The Commissioner clarifies facts either on his own initiative or upon the request of a third party.
In order to clarify the facts, he can demand the production of documents, ask questions and have
the data processing activities explained to him. The Federal organs are obligated to cooperate in this clarification of the facts. The right to refuse to provide evidence along the lines laid out in Article 16 of the Federal Law on Administrative Procedure1 applies by analogy.It it appears that the data protection rules have been breached, the Commissioner can recommend
to the responsible body to alter or cease data processing activities. He must inform the relevant department or the Federal Chancellery of his recommendation.If a recommendation is rejected or not followed, he can raise the matter for decision with the
department or the Federal Chancellery. The decision will be communictae to the persons concerned.
Article 28
Surveillance of private bodiesThe Commissioner can advise private individuals on the issue of data protection.
Article 29
Clarifications and recommendations in the private sectorThe Commissioner makes clarifications on his own initiative or at the request of a third party
whena. the methods of processing are capable of violeting the privacy of a larger number
of persons (system error);b. files must be registered (art. 11);
c. communications abroad have to be declared (art. 6).
He can also require the furnishing of documents, request for information and or that the data
processing activities be demonstrated. The legal right to refuse to serve as a witness, pursuant to Article 16 of the Federal Law on Administrative Procedure applies by analogy.After clarifying the facts, the Data Protection Commissioner can recommend the modification or
cessation of the data processing activities.If such a recommendation by the Commissioner is rejected or not followed, he can raise the
matter for decision at the Federal Data Protection Commission.
Article 30
InformationThe Commissioner must submit a report to the Federal Council at regular intervals and as
necessary. These periodical reports are to be published.If it is in the public interest, he can inform the public of his findings and recommendations. He
can only make public data given to him in confidence if he has the consent of the competent authority. If consent is given, the President of the Federal Data Protection Commission can make a decision, which is final.
Article 31
Other dutiesThe Commissioner has the following other duties:
a. to assist Federal and Cantonal organs in the area of data protection;
b. to give his opinion on draft Federal legislation and on that Federal measures have a
bearing on data protection;c. to cooperate with data protection authorities in Switzerland and abroad;
d. to examine the extent to which foreign data protection measure are equivalent to
this in Switzerland.
Article 32
Duties relating to medical researchThe Commissioner can advise the Commission of experts on the professional confidentiality
provisions in the area of medical research (art. 321 bis CP1)1 ;If this Commission authorises the lifting of confidentiality, he must evaluate the reasons given for
this authorisation. In this regard, he can clarify the facts pursuant to Article 27, paragraph 3.He can revise decisions made by the expert Commission before the Federal Data Protection
Commission.He must ensure that the patients are informed of their rights.
The Federal Data Protection Commission is an arbitration and appeal body pursuant to Articles
71 a-c of the Federal Law on Administrative procedure1 . It makes decisions on:a. the recommendations of the Commissioner (Article 29, paragraph 4) which has
been submitted;b. appeals against decision made by Federal bodies in the data protection field except
those made by the Federal Council;c. appeals against the Commission on matters of professional confidentiality in
matters involving medical research (art. 321 CP)2 ;d. appeals against cantonal decisions take in enforcing Federal public law on data
protection.The Commissioner can ask the president of the Commission for provisional measure if, as a result
of an enquiry undertaken pursuant to the provisions of Article 27, paragraph 2e or Article 29, paragraph 1, he believes that the data subject may be prejudiced in a way that would be difficult to rectify damage. Articles 79 to 84 of the Federal Law or Federal Civil Procedure3 applies by analogy.
Article 34
Breach of obligations to provide information to register data and to cooperatePrivate individuals that fail to fulfil their obligations as set out in Article 8, 9 and 10 by
intentionally providing inaccurate or incomplete information will upon the lodging of a complaint, be placed under arrest or fined.Private individuals that intentionally:
a. fail to register a file pursuant to Article 11 or a transferral of data abroad pursuant
to Article 6 or provide inaccurate information to the register;b. provide inaccurate information or refuse to collaborate during the establishment of
the facts (Article 29) will be arrested or fined.
Article 35
Violation of confidentialityAny person who intentionally and illegally communicates sensitive and secret personal data or
personal profiles available to him or her in the exercise functions that require knowledge of such data will, upon the lodging of a complaint, will be arrested or fined.Any person under oath of confidentially is subject to the same punishment if he or she
communicates secret and sensitive personal data or personal profiles available in the course of the exercise of his or her functions.The illegal communication of secret or sensitive data or personal profiles is punishable even if the
related work or training has been finished.
Article 36
ImplementationThe Federal Council can enact implementation provision.
It regulates the processing of personal data held in the Federal Archives. On this matter, it can
allow for derogations to Articles 8 and 9 governing the right of access as well as to Articles 17, paragraph 2 and Article 19, paragraph 1, relating to the processing of sensitive and personal profiles.It can allow for derogations to Articles 8 and 9 regarding the releasing of information by
diplomatic and consular representatives abroad.As well, it can determine
a. which files require processing regulations;
b. the conditions under which a Federal Organ can have personal data processed by a
third party or processed on behalf of a third party;c. the way in which the means of identifying individuals can be used.
It can negotiate international data protection treaties as long as they are in conformity with this
law.It issues regulations as to how files consisting of data which in a case of war or a crisis may
endanger the life or health of the persons concerned, have to be secured.
Article 37
Implementation by the CantonsAs far as cantonal data protection provisions do not exist, the processing of personal data by
cantonal organs in the execution of the Federal law is regulated by the provisions contained in Articles 1 to 11, 16 to 23, and Article 25, paragraphs 1 to 3 of the present law.The Cantons must designate an organ to be responsible for overseeing the protection of personal
data. Articles 27, 30 and 31 apply by analogy.
Article 38
Transitional RequirementsWithin one year after the entry into force of this law, file processors must register existing files, in
conformity with Article 11.Within one year of the entry into force of his law, they must take the necessary measures to allow
the exercise of a request for access, pursuant to Article 8.As of the data entry into force of the current law, Federal Organs can continue to use, for a period
of 5 years, existing files that contain sensitive personal data or personal profiles, without fulfilling the processing conditions stipulated in Article 17, paragraph 2.Article 39
Referendum and Entry into ForceThis law will be the subject of a referendum.
The Federal Council will establish a data where the act will become law.
Council of States National Council
The President: Meir Josi The President: Nebiker
The Secretary: Huber The Secretary: Anliker
Publication date: 30 June 1992
1Entry into force: 1 July 1993
$PHQGPHQWRI)HGHUDO/DZV
1. The Federal Law on Judicial Organisation
1 is amended as follows Art. 100, first sentenceExcept for decisions rendered on data protection matters, recourse to administrative law is not
permitted against:...
2. The Code of obligations
2 is amended as follows:Art. 328b
The employer cannot process any data related to the ability of the worker to do his job or those
that are necessary to the fulfilling of a professional contract. As well, the provisions contained in the Federal Law of 19 June 19923Art. 362
Article 328b (Protection of the individual during data processing)
...
3. The Federal Law of 18 December 1987
4 on intentional private law (IPL) to amended as follows:Art. 130, 3e al.
Any action to invoke a right of access directed at a file controller can be initiated before the
tribunals mentioned in Article 129 or before Swiss tribunals where the file is managed or used.Art. 139, paragraph 3
The first paragraph also applies to those attacks on individuals that are the result of the processing
of personal data as well any hindrances to the exercising of the right of access to personal data.4. The penal code is amended as follows:
Art. 179 novies
Whoever extracts from a file any sensitive personal data or personal profiles that are not freely
accessible is, upon complaint, will be jailed or fined.Art. 321 bis
Anyone who, without the right to do so, communicates a professional secret which he learned in
the course of his research activities in the medical field or in the field of public health will be punished pursuant to Article 321.A professional secret can be communicated for research purposes in the medical or public health
fields if a Commission of Experts give its consent and if the data subject after he has been informed of his rights, does not expressly withdraw his consent.The Commission can grant an authorisation in cases where:
a. The research cannot be performed using anonymised data;
b. It is impossible or particularly difficult to obtain the consent of the data subject:
c. The interests of the research outweigh the interest of maintaining the secret.
The Commission may decide not to grant an authorisation in order to protect personal data. It
must publish the authorisation.The Commission can grant general authorisations or prescribe other simplified methods if the
legitimate interests of the data subjects are not compromised and if the personal data are anonymised from the beginning of the research.The Commission does not need a mandate to act.
The Federal Council appoints the President and the Members of the Commission. It regulates the
organisation and its procedure.