Section 2: General Data Protection Provisions
Art. 4 Principles
– Personal data may only be processed lawfully.
– Its processing must be carried out in good faith and must be proportionate.
– Personal data may only be processed for the purpose indicated at the time of collection, that is evident from the circumstances, or that is provided for by law.
– The collection of personal data and in particular the purpose of its processing must be evident to the data subject.
– If the consent of the data subject is required for the processing of personal data, such consent is valid only if given voluntarily on the provision of adequate information. Additionally, consent must be given expressly in the case of processing of sensitive personal data or personality profiles.
Art. 5 Correctness of the data
– Anyone who processes personal data must make certain that it is correct. He must take all reasonable measures to ensure that data that is incorrect or incomplete in view of the purpose of its collection is either corrected or destroyed.
– Any data subject may request that incorrect data be corrected.
Art. 6 Cross-border disclosure
– Personal data may not be disclosed abroad if the privacy of the data subjects would be seriously endangered thereby, in particular due to the absence of legislation that guarantees adequate protection.
– In the absence of legislation that guarantees adequate protection, personal data may be disclosed abroad only if:
a. sufficient safeguards, in particular contractual clauses, ensure an adequate level of protection abroad;
b. the data subject has consented in the specific case;
c. the processing is directly connected with the conclusion or the performance of a contract and the personal data is that of a contractual party;
d. disclosure is essential in the specific case in order either to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal claims before the courts;
e. disclosure is required in the specific case in order to protect the life or the physical integrity of the data subject;
f. the data subject has made the data generally accessible and has not expressly prohibited its processing;
g. disclosure is made within the same legal person or company or between legal persons or companies that are under the same management, provided those involved are subject to data protection rules that ensure an adequate level of protection.
– The Federal Data Protection and Information Commissioner (the Commissioner, Art. 26) must be informed of the safeguards under paragraph 2 letter a and the data protection rules under paragraph 2 letter g. The Federal Council regulates the details of this duty to provide information.
Art. 7 Data security
– Personal data must be protected against unauthorised processing through adequate technical and organisational measures.
– The Federal Council issues detailed provisions on the minimum standards for data security.
Art. 8 Right to information
– Any person may request information from the controller of a data file as to whether data concerning them is being processed.
– The controller of a data file must notify the data subject:
a. of all available data concerning the subject in the data file, including the available information on the source of the data;
b. the purpose of and if applicable the legal basis for the processing as well as the categories of the personal data processed, the other parties involved with the file and the data recipient.
– The controller of a data file may arrange for data on the health of the data subject to be communicated by a doctor designated by the subject.
– If the controller of a data file has personal data processed by a third party, the controller remains under an obligation to provide information. The third party is under an obligation to provide information if he does not disclose the identity of the controller or if the controller is not domiciled in Switzerland.
– The information must normally be provided in writing, in the form of a printout or a photocopy, and is free of charge. The Federal Council regulates exceptions.
– No one may waive the right to information in advance.
Art. 9 Limitation of the duty to provide information
– The controller of a data file may refuse, restrict or defer the provision of information where:
a. a formal enactment so provides;
b. this is required to protect the overriding interests of third parties.
– A federal body may further refuse, restrict or defer the provision of information where:
a. this is required to protect overriding public interests, and in particular the internal or external security of the Confederation;
b. the information would jeopardise the outcome of a criminal investigation or any other investigation proceedings.
– As soon as the reason for refusing, restricting or deferring the provision of information ceases to apply, the federal body must provide the information unless this is impossible or only possible with disproportionate inconvenience or expense.
– The private controller of a data file may further refuse, restrict or defer the provision of information where his own overriding interests so require and he does not disclose the personal data to third parties.
– The controller of a data file must indicate the reason why he has refused, restricted or deferred access to information.
Art. 10 Limitations of the right to information for journalists
– The controller of a data file that is used exclusively for publication in the edited section of a periodically published medium may refuse to provide information, limit the information or defer its provision provided:
a. the personal data reveals the sources of the information;
b. access to the drafts of publications would have to be given;
c. the freedom of the public to form its opinion would be prejudiced.
– Journalists may also refuse, restrict or defer information if the data file is being used exclusively as a personal work aid.
Art. 10a Data processing by third parties
– The processing of personal data may be assigned to third parties by agreement or by law if:
a. the data is processed only in the manner permitted for the instructing party itself; and
b. it is not prohibited by a statutory or contractual duty of confidentiality.
– The instructing party must in particular ensure that the third party guarantees data security.
– Third parties may claim the same justification as the instructing party.
Art. 11 Certification procedure
– In order to improve data protection and data security, the manufacturers of data processing systems or programs as well as private persons or federal bodies that process personal data may submit their systems, procedures and organisation for evaluation by recognised independent certification organisations.
– The Federal Council shall issue regulations on the recognition of certification procedures and the introduction of a data protection quality label. In doing so, it shall take account of international law and the internationally recognised technical standards.
Art. 11a Register of data files
– The Commissioner maintains a register of data files that is accessible online. Anyone may consult the register.
– Federal bodies must declare all their data files to the Commissioner in order to have them registered.
– Private persons must declare their data files if:
a. they regularly process sensitive personal data or personality profiles; or
b. they regularly disclose personal data to third parties.
– The data files must be declared before they are opened.
– In derogation from the provisions in paragraphs 2 and 3, the controller of data files is not required to declare his files if:
a. private persons are processing the data in terms of a statutory obligation;
b. the Federal Council has exempted the processing from the registration requirement because it does not prejudice the rights of the data subjects;
c. he uses the data exclusively for publication in the edited section of a periodically published medium and does not pass on any data to third parties without informing the data subjects;
d. the data is processed by journalists who use the data file exclusively as a personal work aid;
e. he has designated a data protection officer who independently monitors internal compliance with data protection regulations and maintains a list of the data files;
f. he has acquired a data protection quality mark under a certification procedure in accordance with Article 11 and has notified the Commissioner of the result of the evaluation.
– The Federal Council regulates the modalities for the declaration of data files for registration, the maintenance and the publication of the register, the appointment and duties of the data protection officer under paragraph 5 letter e and the publication of a list of controllers of data files that are relieved of the reporting obligation under paragraph 5 letters e and f.