I OVERVIEW

Data protection and data privacy are fundamental constitutional rights protected by the Swiss Constitution. Swiss data protection law is set out in the Swiss Federal Data Protection Act of 19 June 1992[2] (DPA) and the accompanying Swiss Federal Ordinance to the Federal Act on Data Protection of 14 June 1993[3] (DPO). Further data protection provisions governing particular issues (e.g., the processing of employee or medical data) are spread throughout a large number of legislative acts. As Switzerland is neither a member of the European Union (EU) nor of the European Economic Area (EEA), it has no general duty to implement or comply with EU laws.[4] Accordingly, Swiss data protection law has some peculiarities that differ from the legal framework provided by the EU General Data Protection Regulation[5] (GDPR). However, because of Switzerland's location in the centre of Europe and its close economic relations with the EU, Swiss law is in general strongly influenced by EU law, both in terms of content and interpretation. A closer alignment of Swiss data protection law with the GDPR is also one of the aims of the ongoing reform of the DPA, which the Swiss Federal Council initiated in April 2015.

The Swiss Data Protection and Information Commissioner (Commissioner) is the authority responsible for supervising both private businesses and federal public bodies with respect to data protection matters. The Commissioner has published several explanatory guidelines that increase legal certainty with respect to specific issues such as data transfers abroad, technical and organisational measures, processing of data in the medical sector and processing of employee data.[6] Despite the lack of drastic sanctions in respect of data protection under the current legislative regime, it is nonetheless a topic at the forefront of public attention in Switzerland, especially given the active presence of the Commissioner and the high level of media attention given to data protection matters.

II THE YEAR IN REVIEW

Of a number of recent and noteworthy reforms, some are still pending while others have already entered into force.

On 1 April 2015, the Swiss Federal Council formally decided to revise the DPA. This process is still ongoing, though it is now nearing completion. The overarching aim of the ongoing reform of the DPA is – among others – to lay the foundations for Switzerland's ratification of the modernised Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) and, where necessary in the context of the further development of the Schengen/Dublin acquis, the adaptation of the DPA to the GDPR (see Section X, for more details).

On 21 December 2016, the Federal Council issued a preliminary draft of the revised DPA. Subsequent to a public consultation process, the Federal Council issued a revised draft, accompanied by an explanatory report, on 15 September 2017.[7] The Swiss federal parliament decided that the revision needed to be split into two phases.

In a first step, the parliament dealt with the amendments required to implement the Schengen/Dublin framework (EU Directive dated 27 April 2016, EC 2016/680) regarding data protection in the field of criminal prosecution as well as police and judicial cooperation.

In a second step, which in effect constitutes the main revision of the DPA, the Swiss data protection law will be aligned more closely to the substantive provisions of the GDPR and ensure compliance with the revised Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data (revision of ETS No. 108, 28 January 1981). Once voted by the parliament, the final text will be subject to an optional referendum.

This splitting of the revision process into two phases significantly delayed the contemplated reform compared to the initial schedule. The first step of the revision entered into force on 1 March 2019 with the adoption of the Schengen Data Protection Act of 28 September 2018[8] and some amendments to the DPA. The Schengen Data Protection Act is merely a provisional law, which shall be integrated entirely into the DPA in the course of the imminent second step of the reform (i.e., the main revision of Swiss data protection law). Once the revised DPA has entered into force, the Schengen Data Protection Act will be repealed.

The date of entry into force of the second step, comprising the remaining main revisions to Swiss data protection law, is not known, though it is generally expected in 2021 or 2022 (subject to any optional referendum), as the parliamentary discussions are coming to a close at the time of writing.

On 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU–US Privacy Shield Framework with immediate effect while imposing additional requirements on the use of Standard Contractual Clauses for the transfer of personal data to third countries.[9] Any controller or processor is now bound to verify on a case-by-case basis whether additional safeguards are necessary to ensure adequate protection of the exported personal data (e.g., due to overly broad surveillance powers of the destination country's authorities). If such additional contractual measures (e.g., a common approach in the event of requests from authorities) are not able to ensure adequate protection, the controller or processor is required to suspend or terminate the data transfer. The judgment also has implications for data transfers from Switzerland to abroad. As a reaction to the decision of the CJEU, the Commissioner stated on 8 September 2020 that, in his view, the Swiss–US Privacy Shield no longer provides for an adequate data protection level for data transfers from Switzerland to recipients in the US (see Section IV).[10]

III REGULATORY FRAMEWORK

i Privacy and data protection legislation and standards

Privacy and data protection laws and regulations

The Swiss Constitution of 18 April 1999[11] guarantees the right to privacy in Article 13. The federal legislative framework for the protection of personal data mainly consists of the DPA and the DPO. Further relevant data protection provisions are contained in the Federal Ordinance on Data Protection Certification of 28 September 2007.[12] Specific data protection issues such as, inter alia, transfers of data abroad, and data protection in relation to employees or as regards the medical sector, are dealt with in more detail in the relevant guidelines published by the Commissioner.[13]

The DPA and DPO apply to data processing activities by private persons (i.e., individuals and legal entities) and by federal bodies. In contrast, data processing activities by cantonal and communal bodies are regulated by the cantonal data protection laws and supervised by cantonal data protection commissioners, who also issue guidance within their scope of competence. Hence, data processing activities of cantonal and communal bodies are subject to slightly different regimes in each of the 26 cantons. Unless explicitly set forth otherwise, the present chapter focuses on the Swiss federal legislation without addressing the particularities of the data protection legislation at the cantonal level.

Key definitions under the DPA[14]

  1. Personal data (or data): all information relating to an identified or identifiable person. Unlike the data protection laws of most other countries, Swiss data protection law currently protects personal data relating to both individuals and legal entities. Hence, the term 'person' refers not only to natural persons (individuals), but also to legal entities such as corporations, associations, cooperatives or any other legal entity, as well as partnerships. The revised DPA is expected, however, to do away with the current Swiss specificity and personal data relating to legal entities will no longer be protected.
  2. Data subject: an individual or, currently, also a legal entity whose data is being processed.
  3. Processing of personal data: any operation with personal data, irrespective of the means applied and the procedure, and in particular the storage, use, revision, disclosure, archiving or destruction of data.
  4. Sensitive personal data: data relating to:
    • religious, ideological, political or trade union-related views or activities;
    • health, the intimate sphere or racial origin;
    • social security measures; and
    • administrative or criminal proceedings and sanctions.
  5. Personality profile: a collection of data that permit an assessment of essential characteristics of the personality of a natural person. Swiss data protection law provides an enhanced data protection level for personality profiles, similar to the protection of sensitive personal data. The draft of the revised DPA foresees that the term 'personality profile' shall be replaced by the term 'profiling', bringing a closer alignment to the corresponding definition provided for by the GDPR, though parliamentary discussions are ongoing on the exact definition of this term, so a discrepancy compared to the GDPR (a 'Swiss finish') remains possible.
  6. Data file: any set of personal data that is searchable by data subject. It is likely that this term will no longer be used under the revised DPA.
  7. Controller of the data file: the controller of the data file is the private person or federal body that decides on the purpose and content of a data file. The draft of the revised DPA merely uses the term 'controller' instead, bringing a closer alignment to the corresponding term used in the GDPR.

As mentioned, it is likely that some terms will change under the revised data protection regime. In particular, the term 'profiling' should replace the term 'personality profiles' and the revised DPA will no longer use the concepts of 'data file' and 'controller of the data file'. Moreover, as concerns data security and cybersecurity, the revised DPA, as it currently stands, is more precise as it includes a definition of 'data breaches'.[15] However, as mentioned above, the suggested amendments of the DPA are still subject to parliamentary discussions and it is thus too early to give conclusive indications as to the exact wording of the revised DPA.

ii General obligations for data handlers

Anyone processing personal data must observe the following general obligations.[16]

Principle of good faith

Personal data must be processed in good faith. It may not be collected by misrepresentation or deception.

Principle of proportionality

The processing of personal data must be proportionate. This means that the data processing must be necessary for the intended purpose and reasonable in relation to the infringement of privacy. Subject to applicable regulations on the safekeeping of records, personal data must not be retained longer than necessary.

Principle of purpose limitation

Personal data may only be processed for the purpose indicated at the time of collection, unless the purpose is evident from the circumstances or the purpose of processing is provided for by law.

Principle of transparency

The collection of personal data, and in particular the purposes of its processing, must be evident to the data subject concerned. This principle does not always lead to a specific disclosure obligation, but it will be necessary to give notice of any use of personal data that is not apparent to the data subject from the circumstances. For example, if personal data are collected in the course of concluding or performing a contract, but the recipient of the personal data intends to use the data for purposes outside the scope of the contract or for the benefit of third parties, then this recipient of personal data must disclose those uses of the personal data to the data subject.

Principle of data accuracy

Personal data must be accurate and kept up to date.

Principle of data security

Adequate security measures must be taken against any unauthorised or unlawful processing of personal data, and against intentional or accidental loss, damage to or destruction of personal data, technical errors, falsification, theft and unlawful use, unauthorised access, changes, copying or other forms of unauthorised processing. If a third party is engaged to process personal data, measures must be taken to ensure that the third party processes the personal data according to the given instructions and that the third party implements the necessary adequate security measures.

Detailed technical security requirements for the processing of personal data are set out in the DPO.

Principle of lawfulness

Personal data must be processed lawfully. This means that the processing of personal data must not violate any Swiss legislative standards, including any normative rules set forth in acts other than the DPA that directly or indirectly aim at the protection of the personality rights of a data subject.

Processing personal data does not necessarily require a justification

According to the Swiss data protection regime, the processing of personal data does not per se constitute a breach of the privacy rights of the data subjects concerned. Accordingly, processing in principle only requires a justification if it unlawfully breaches the personality rights of the data subjects (Article 12 Paragraph 1 in relation to Article 13 DPA).

In general, no justification for the processing of personal data is required if the data subjects have made the data in question generally available and have not expressly restricted the data processing (Article 12 Paragraph 3 DPA). In contrast, a justification is required particularly if the processing violates one of the general data protection principles of the DPA outlined above, if the personal data is processed against the data subjects' express will, or if sensitive personal data or personality profiles are disclosed to third parties for such third parties' own purposes (Article 12 Paragraph 2 DPA).

In cases where a justification is required for a specific data processing, possible forms of justification are (1) consent by the data subject concerned, (2) a specific provision of Swiss (federal, cantonal and municipal) law that provides for such data processing, or (3) an overriding private or public interest[17] in the data processing in question (Article 13 Paragraph 1 DPA).

According to Article 13 Paragraph 2 DPA, an overriding private interest of the data handler shall be considered in particular if he or she:

  1. processes personal data in direct connection with the conclusion or the performance of a contract and the personal data in question are the data of one of the contractual parties;
  2. competes for business with, or wants to compete for business with, another person and processes personal data for this purpose without disclosing the data to third parties for such third parties' own purposes;
  3. processes data that are neither sensitive personal data nor a personality profile to verify the creditworthiness of another person, and discloses the data to third parties for the third parties' own purposes only if the data are required for the conclusion or the performance of a contract with the data subject;
  4. processes personal data on a professional basis exclusively for publication in the edited section of a periodically published medium;
  5. processes personal data for purposes that are not related to a specific person, in particular research, planning or statistics, and the results are published in a manner that does not permit the identification of the data subjects; or
  6. collects personal data about a person who is a public figure to the extent that the personal data relates to the role of the person as a public figure.

The fact that a data handler has one of the above-listed interests in processing personal data does not automatically lead to the result that the data handler has an overriding interest in processing the personal data. The interest of the data handler in processing the personal data must always be weighed against the interest of the data subject in being protected against an infringement of his or her personality rights. The processing of personal data is only justified in situations where the interest of the data handler outweighs the interest of the data subject.

Consent

Under Swiss data protection law, processing of personal data does not, in all instances, require the data subject's consent. As mentioned above, data subject consent may constitute a possible justification for a data processing that would otherwise be unlawful (e.g., because of an infringement of the principles outlined above, or in the event of a disclosure of sensitive personal data or personality profiles to third parties for such third parties' own purposes).[18] To the extent that the legality of data processing is based on the data subject's consent, the consent, to be valid, must be given (1) voluntarily upon provision of adequate information and (2) expressly, in the case of processing of sensitive personal data or personality profiles (Article 4 Paragraph 5 DPA).

Registration

Controllers of data files that regularly process sensitive personal data or personality profiles, or regularly disclose personal data to third parties (including affiliates), must register their data files with the Commissioner before they start processing the data (Article 11a DPA). The Commissioner maintains a register of data files that have been registered in this manner that is accessible online. If a controller is required to register, it becomes subject to additional documentary obligations. There are several exceptions to the duty to register data files. Inter alia, no registration is required if the controller of the data file is obliged by Swiss law to process the data in question (e.g., in the case of an employer processing employee data for Swiss social security purposes) or has nominated its own independent data protection officer monitoring the data protection compliance of the data controller. Several further exceptions are set forth in Article 11a Paragraph 5 DPA and Article 4 Paragraph 1 DPO.

The draft of the revised DPA (at its Article 11 draft revised DPA) foresees, instead of a registration duty, a new documentation requirement for both controllers and processors similar to the records of processing activities under Article 30 GDPR.

iii Data subject rights

Articles 8–10 DPA define the data subjects' access rights and their scope. Under Article 8 Paragraph 1 DPA, any person may request information from the controller of a data file as to whether data concerning them is being processed. Thereafter, the controller of a data file must notify the data subject of all available data concerning the subject in the data file, including the available information on the source of the data, and must also disclose the purpose of and, if applicable, the legal basis for the processing as well as the categories of the personal data processed, the other parties involved with the file and the data recipient (Article 8 Paragraph 2(a) and (b) DPA). Where processors are involved, Article 8 Paragraph 4 DPA provides that if the controller of a data file instructs a third party to process personal data, the controller remains under an obligation to provide information. The third party is under an obligation to provide information if he or she does not disclose the identity of the controller or if the controller is not domiciled in Switzerland.

Under certain circumstances, the controller of the data file may refuse or limit its disclosure. Indeed, the controller of a data file may refuse, restrict or defer the provision of information where a formal enactment so provides, or this is required to protect the overriding interests of third parties (Article 9 Paragraph 1(a) and (b) DPA); similar limitations also exist for federal bodies (Article 9 Paragraph 2 DPA). In addition, the private controller of a data file may further refuse, restrict or defer the provision of information where its own overriding interests so require and it does not disclose the personal data to third parties (Article 9 Paragraph 4 DPA). In any case, the controller of a data file must indicate the reason for refusing, restricting or deferring access to information (Article 9 Paragraph 5 DPA), and this must take the form of a substantiated decision (Article 1 Paragraph 4 DPO).

To exercise the access right, the data subject must typically file a written request and provide proof of their identity, though an online request is also possible if the controller of the data file has made this available (Article 1 Paragraphs 1 and 2 DPO). The requested information must be provided within no more than 30 days of receipt of the request. If this is not possible, the controller of the data file must notify the applicant accordingly with an indication of the date by which the information will be provided (Article 1 Paragraph 4 DPO). If a request for information relates to data that is being processed by a third party on behalf of the controller of the data file, the controller must pass the request on to such third party for processing if the controller is not able to provide the information itself (Article 1 Paragraph 6 DPO).

The exercise of the access right is, as a rule, free of charge for the data subject (Article 8 Paragraph 5 DPA). However, the controller of the data file may exceptionally levy from the applicant an appropriate share of the costs up to a maximum of 300 Swiss francs if the provision of information entails an unusually large amount of work, or if the applicant has already been provided with the requested information in the 12 months prior to the application and no legitimate interest in the further provision of information can be proven. A legitimate interest exists in particular if the personal data has been modified without notice being given to the data subject (Article 2 DPO).

Pursuant to Article 34 DPA, failure to provide the requested information or the provision of false or incomplete information may lead to a fine as further explained in Section VII.i.

iv Technological innovation and privacy law

In general, the electronic or online context of the data processing does not per se directly impact the applicable legal provisions, so the general provisions remain applicable. That said, certain sector-specific rules may come into play. This is the case for Article 43 of the Telecommunications Act of 30 April 1997 (TCA),[19] which implements 'telecommunications secrecy' and provides that no person who is or has been responsible for providing a telecommunications service may disclose to a third party information relating to subscribers' communications or give anyone else an opportunity to do so. Because the definition of what constitutes a 'telecommunications service' under Swiss law is very broad and dynamic, in effect encompassing any transfer of data, be it through landlines or via new technologies such as 'over the top' (OTT) delivery, telecommunications secrecy plays an important practical role also for ISPs and web-based service providers.

Automated profiling and data mining

The legality of automated profiling and data mining is doubtful under Swiss data protection law, as such practices inherently involve the use of personal data for a range of purposes, some of which may not have been disclosed when the personal data was collected. Hence, such practices may constitute an unlawful breach of privacy because of an infringement of the principles of transparency, purpose limitation and proportionality unless justified by law, an overriding public or private interest or consent.

Cloud computing

Cloud computing raises various data protection issues. The Commissioner has issued a guide pointing out the risks and setting out the data protection requirements when using cloud computing services.[20]

In particular, the processing of personal data may only be assigned to a cloud service provider if the assignment is based on an agreement or on the law, if the personal data is processed by the cloud service provider only in the manner permitted for the assignor, and if the assignment is not prohibited by a statutory or contractual duty of confidentiality (Article 10a Paragraph 1 DPA). Furthermore, the assignor must ensure that the cloud service provider guarantees data security (Article 10a Paragraph 2 DPA). The assignor must in particular ensure that the cloud service provider preserves the confidentiality, availability and integrity of the personal data by taking adequate measures against unauthorised processing through adequate technical and organisational measures (see Article 7 DPA and Articles 8 et seq. DPO). Additionally, if cloud computing services involve disclosures of personal data abroad, the specific requirements for transborder data flows must be complied with (see Section IV). Finally, the assignor must also ensure that, despite the use of a cloud service provider, the data subjects may still exercise their right to information (Article 8 DPA), and may demand deletion or correction of data in accordance with Article 5 DPA.

Big data

Big data offers countless opportunities for social and scientific research and for businesses. At the same time, it may threaten privacy rights if the processed data is not or not adequately anonymised. The DPA is not applicable to fully and completely anonymised data. In contrast, if the processing of big data involves the processing of data that has not been fully and completely anonymised (e.g., because it can be 'de-anonymised' (reidentification of the data subject) at a later stage by merging different data), the right to privacy and the protection of personal data need to be ensured. The use of big data that is not entirely anonymised and the general data protection principles of the DPA are potentially conflicting, particularly with regard to the principles of purpose limitation, proportionality and transparency (see Section III.ii).

Cookies

Since 2007, the use of cookies has been regulated in Article 45c (b) TCA. According to this provision, website operators have to inform users about the use of cookies and its purpose. Furthermore, they need to explain how cookies can be rejected (i.e., how cookies can be deactivated in the user's browser). Switzerland in effect follows the opt-out principle.

Drones

Currently, drones of up to 30 kilograms do not require a permit, but certain restrictions apply when flying the drones (e.g., visual contact with the drone).[21] From 1 January 2021, the revised legislation requires a specific permit for drones heavier than 25 kilograms. Pilots and operators of drones over 250 grams (and also those under 250 grams if the drone is equipped with a camera, microphone or other sensors that are suitable for recording personal data) will have to register and take an online course and test. In general, drones must not fly over crowds of people, are required to avoid airports and nature reserves and may not fly higher than 120 meters above the ground. The 'pilot' is required to have visual contact with the drone at all times. Nowadays, drones are usually equipped with cameras – as a result, operators must be at least 12 years old. Younger 'pilots' are allowed to fly drones if supervised.[22] In addition, people using drones equipped with cameras need to comply with data protection regulations as soon as they view or record identified or identifiable persons. To the extent that such viewing or recording constitutes an unlawful breach of the personality rights of the data subjects concerned, it needs to be justified either by the consent of the injured party, by an overriding private or public interest or by law (Article 13 Paragraph 1 DPA).[23]

v Specific regulatory areas

Processing of employee data in general

Article 328b of the Swiss Code of Obligations (CO) applies in addition to the DPA to the processing of personal data of employees.

According to Article 328b CO, the employer may process personal data concerning an employee only to the extent that the personal data concerns the employee's suitability for his or her job or is necessary for the performance of the employment contract. Article 328b CO is mandatory, and any deviation from this provision to the disadvantage of the employee is null and void (Article 362 CO).[24]

Furthermore, Article 26 of Ordinance 3 to the Employment Act[25] prohibits the use of systems that monitor the behaviour of employees, except if the monitoring systems are necessary for other legitimate reasons (e.g., quality control, security requirements, technical reasons) and provided that the systems do not impair the health and mobility of the employees concerned. If monitoring is required for legitimate reasons, it must at all times remain proportionate (i.e., limited to the extent absolutely required) and the employees must be informed in advance about the use of monitoring systems. Permanent monitoring is in general not permitted.

The Commissioner has issued specific guidelines with respect to the processing of employee data.[26]

Monitoring of internet and email use by employees

As regards monitoring of internet and email use by employees in particular, the following requirements apply:

  1. the employer shall issue a 'use policy' that describes the permitted uses the employee may make of company internet and email resources;
  2. constant individual analysis of log files is not allowed;
  3. permanent anonymous analysis of log files and random pseudonymised analysis are admissible to verify whether the use policy is complied with;
  4. individual analysis of log files is only allowed if the employee has been informed in advance of this possibility (e.g., in a 'monitoring policy') and if misuse has been detected or there is a strong suspicion of misuse; and
  5. the monitoring policy must particularly indicate the possibility of an individual analysis, the possibility of forwarding the analysis to the HR department in the event of misuse and any possible sanctions.

As a general rule, employers shall not read any employee emails that have private content (even if misuse has been established). In the event of specific suspicion of a criminal offence, evidence may, however, be saved, and the employer may refer to the criminal prosecution authorities for further prosecution.

Whistle-blowing hotlines

The use of whistle-blowing hotlines is not specifically regulated by the DPA or the CO. Hence, the general rules, in particular on data and employee protection, apply. In a nutshell and from a DPA and CO perspective, whistle-blowing hotlines can be used if certain minimum requirements are met, such as, inter alia:

  1. the transparent informing of employees, contractors, etc., about the existence of the whistle-blowing hotline;
  2. the informing of relevant employees, contractors, etc., of allegations about them contained in a specific whistle-blowing report, unless there is an overriding interest not to do so in order to protect the ensuing investigations or the reporting person;
  3. adequate safeguards to protect the data subjects from false or slanderous accusations; and
  4. strong state-of-the-art security measures.

However, it is important to verify compliance on an individual basis before implementing a whistle-blowing hotline. In particular, and unless an exception applies, whistle-blowing hotlines (and the underlying data files, respectively) may require prior registration with the Commissioner (see Section III.ii), and in the event of transfers abroad, specific requirements must be met (see Section IV). Furthermore, and in particular in a cross-border context, whistle-blowing hotlines may be impacted by blocking statutes (see Section VI).

Bring your own device (BYOD)

Using BYOD causes data protection concerns because of the difficulty in separating private and business data. The Commissioner recommends respecting the following rules while using BYOD:

  1. establish clear use regulations about what is allowed and what is prohibited;
  2. maintain a separation of business and private data (both technical and logical);
  3. ensure data security (e.g., through encryption or passwords);
  4. establish clear regulations on where the business data are stored;
  5. use of employees' own devices must be approved in advance by a person responsible within the company; and
  6. establish clear regulations regarding access to the device by the employer.27

IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION

Any disclosure of personal data from Switzerland to countries abroad must comply with the DPA. A disclosure of data abroad occurs when personal data are transferred from Switzerland to a country outside of Switzerland or when personal data located in Switzerland are accessed from outside of Switzerland. The DPA prohibits a disclosure of personal data abroad if the transfer could seriously endanger the personality rights of the data subjects concerned. Such a danger may in particular occur if the personal data are disclosed to a country the legislation of which does not guarantee an adequate protection of personal data.

The Commissioner has published a (non-binding) list of countries that provide an adequate data protection level with respect to individuals.28 As a rule, EU and EEA countries are considered to provide an adequate data protection level relating to individuals.

With respect to data transfers to non-EU or non-EEA countries, it is necessary to check on a case-by-case basis whether the country provides an adequate level of data protection with respect to personal data pertaining to individuals and legal entities. The same applies strictly speaking for transfers of personal data relating to legal entities to EU or EEA countries.29 As mentioned in Section III.i, the draft revised DPA does away with the Swiss specificity that includes legal entities as data subjects; this change is broadly expected to simplify questions of international data transfers and bring more certainty where legal entities are concerned.

If personal data are to be transferred to a country that does not provide an adequate data protection level for the personal data being transferred, the transfer may only occur if (Article 6 Paragraph 2 DPA):

  1. sufficient safeguards, in particular contractual clauses (e.g., the EU Standard Contractual Clauses, where necessary supplemented and adapted to Swiss law requirements), ensure an adequate level of protection abroad;
  2. the data subject has consented in an individual specific case;
  3. the processing is directly connected with the conclusion or the performance of a contract and the personal data are that of a contractual party;
  4. disclosure is essential in specific cases to either safeguard an overriding public interest, or for the establishment, exercise or enforcement of legal claims before the courts;
  5. disclosure is required in the specific case to protect the life or the physical integrity of the data subject;
  6. the data subject has made the data generally accessible and has not expressly prohibited its processing; or
  7. disclosure is made within the same company or the same group of companies, provided those involved are subject to data protection rules that ensure an adequate level of protection (i.e., that have adopted binding corporate rules, BCR).

In case of data transfer justified under items 1 and 7 above, the Commissioner must be informed in advance (i.e., before the transfer takes place) about the safeguards that have been taken or the BCR that have been adopted. If the safeguards consist of EU Model Contract Clauses adapted to Swiss law requirements or other contractual clauses explicitly accepted by the Commissioner,30 then it is sufficient to inform the Commissioner that such clauses have been entered into, and there is no need to actually submit the clauses to the Commissioner for review. As regards information about BCR, it is common practice to submit a copy of the rules to the Commissioner.

At the time of writing (10 September 2020), Switzerland and the United States are formally parties to the Swiss–US Privacy Shield. This framework is separate from – but closely resembles – the now-invalidated EU–US Privacy Shield (which the CJEU invalidated with immediate effect in a judgment of 16 July 2020). The Swiss–US Privacy Shield is (legally) not invalidated by the CJEU's decision. However, as a reaction to the CJEU decision, the Commissioner published a statement on 8 September 2020, according to which he deems that US corporations self-certified under the Swiss–US Privacy Shield no longer ensure an adequate level of data protection. Even though the Commissioner's assessment is only indicative (as he formally does not have the competence to invalidate the Swiss–US Privacy Shield), companies who only rely on the Swiss–US Privacy Shield should base their transfers of personal data on EU Standard Contractual Clauses, supplemented where necessary by additional contractual safeguards and adapted to Swiss law requirements (or, although less frequently used, BCR). If EU Standard Contractual Clauses adapted to Swiss law are already in place, their level of protection should be assessed on a case-by-case basis and, where necessary, supplemented by additional contractual safeguards. In his statement dated 8 September 2020, the Commissioner further pointed out that such contractual safeguards (even if adapted and supplemented) are not binding upon foreign authorities. Hence, the data exporter may have to implement further technical measures (such as encryption) to prevent special access to personal data by foreign authorities in the country of the data importer. If such measures are not feasible, the Commissioner recommends refraining from transferring personal data on the basis of contractual safeguards to recipients in countries that do not provide for an adequate data protection level, such as the US.

V COMPANY POLICIES AND PRACTICES

According to Article 11 Paragraph 1 DPA, the private controller31 of an automated data file subject to registration under Article 11a Paragraph 3 DPA that is not exempted from the registration requirement under Article 11a Paragraph 5(b)–(d) DPA shall issue a processing policy that describes in particular the internal organisation, data processing and control procedures, and that contains documentation on the planning, realisation and operation of the data file and the information technology used. This policy must be updated regularly and made available upon request to the Commissioner.

Other than in the aforementioned case, the DPA does not explicitly require private personal data handlers to put in place any specific policies as regards the processing of personal data. However, for private personal data handlers to effectively ensure compliance with substantive and formal data protection requirements, it has become best practice for large and medium-sized companies to adopt and implement various policies in this area. In particular, the following policies (either in separate or combined documents) are recommended:

  1. a policy regarding the processing of job applicant and employee personal data (including a policy that governs the use by employees of the company's information technology resources, monitoring by the employer of employees' use of those resources and possible sanctions in the event of misuse, rules on BYOD, etc.);
  2. a policy regarding the processing of customer personal data;
  3. a policy regarding the processing of supplier personal data;
  4. a whistle-blowing policy;
  5. a policy or privacy notice for collecting and processing personal data on a company's websites;
  6. a policy on data and information security (qualification of data according to risk, required measures per risk category, access rights, procedures in the event of data breaches, internal competence, etc.); and
  7. a policy on archiving of personal data and record-keeping (including guidelines on how long different categories of data must be stored).

In contrast to other countries' legislation, the DPA does not require private data handlers to appoint a data protection officer. For this reason, and until a few years ago, companies' data protection officers have not played a very important role in Switzerland compared with their role in other countries. However, in the past few years, more and more medium-sized and large companies domiciled in Switzerland have chosen to appoint a data protection officer who independently monitors internal compliance with data protection regulations and maintains a list of the data files of the company in question. In fact, appointing such a data protection officer is one way for private data controllers to avoid having to register data files with the Commissioner that otherwise would have to be registered under the current regime (see Article 11a Paragraph 3 DPA in relation to Article 11a Paragraph 5(e) DPA; see also Section III.ii). Currently, over 1,000 companies have notified the Commissioner of their appointment of an independent data protection officer.

BCR ensuring an adequate level of protection of personal data on a group-wide level facilitate the cross-border disclosure of personal data among group companies (see Section IV). Despite this fact, and until recently, BCR have not been used very frequently in Switzerland.

VI DISCOVERY AND DISCLOSURE

In Switzerland, the taking of evidence constitutes a sovereign judicial function of the courts rather than of the parties. Therefore, taking of evidence for a foreign state court or for foreign regulatory proceedings constitutes an act of a foreign state. If such acts take place in Switzerland, they violate Swiss sovereignty and are prohibited by Article 271 of the Swiss Criminal Code of 21 December 1937 (CC) unless they are authorised by the appropriate Swiss authorities or are conducted by way of mutual legal assistance proceedings (a blocking statute). A violation of Article 271 CC is sanctioned with imprisonment of up to three years or a fine of up to 540,000 Swiss francs, or both. It is important to note that transferring evidence outside Switzerland for the purposes of complying with a foreign country's order requiring the production of evidence does not prevent an application of Article 271 CC. Moreover, Switzerland does not accept 'voluntary' production of evidence even if foreign procedural laws require such production. Therefore, evidence may only be handed over to foreign authorities lawfully by following mutual legal assistance proceedings or by obtaining authorisation from the competent Swiss authorities. If one is requested to produce evidence in a foreign court or in regulatory proceedings by way of pending mutual legal assistance proceedings, the DPA does not apply to the production (Article 2 Paragraph 2(c) DPA).32 As a consequence, and in particular, evidence containing personal data may in such cases be disclosed abroad to foreign parties or authorities located in countries without adequate protection of personal data without having to comply with the restrictions set forth in Article 6 DPA.33

In addition to Article 271 CC, the blocking statute in Article 273 CC prohibits industrial espionage of manufacturing and business secrets by foreign official agencies, foreign organisations, foreign private enterprises or their agents. Accordingly, manufacturing and business secrets with sufficient connection to Switzerland may only be released or communicated abroad when:

  1. the owner of the secret relinquishes its intent to keep the information secret;
  2. the owner of the secret agrees to disclose this information;
  3. all third parties (who have a justifiable interest in keeping the information secret) consent to such a disclosure;
  4. Switzerland has no immediate sovereign interest in keeping the information secret; and
  5. all requirements set forth by the DPA (in particular as regards cross-border transfers) are complied with.

However, Article 273 CC does not apply in cases in which Swiss authorities have granted mutual legal assistance and disclosure takes place in accordance with the proceedings. Contrary to Article 271 CC, Article 273 CC can also be violated by activities taking place outside Switzerland.

VII PUBLIC AND PRIVATE ENFORCEMENT

i Enforcement agencies

The Commissioner supervises compliance of both federal bodies and private persons (individuals and legal entities) with the DPA, DPO and other federal data protection regulations.34 The Commissioner fulfils these tasks independently without being subject to the directives of any authority.

For this purpose, the Commissioner may investigate cases either on his or her own initiative or at the request of a third party. The Commissioner may request the production of files, obtain information and request that a specific instance of data processing is demonstrated to him or her. If such an investigation reveals that data protection regulations are being breached, the Commissioner may make recommendations as to how the method of data processing shall be changed or recommend putting an end to the data processing activity. If such a recommendation is not complied with, the Commissioner may initiate proceedings leading to a formal decision on the matter.

In the case of recommendations to federal bodies, the Commissioner may refer the case to the competent department or the Swiss Federal Chancellery for a formal decision. Both the Commissioner and any persons concerned by such a decision may file an appeal against the decision with the Swiss Federal Administrative Court. The appeal decision can be brought before the Swiss Federal Supreme Court.

In the case of recommendations to private persons, the Commissioner may refer the case to the Swiss Federal Administrative Court for a decision. Both the Commissioner and the addressee of such a decision may file an appeal against the decision with the Swiss Federal Supreme Court.

The Commissioner does not have the power to issue any fines. However, based on Article 34 DPA, the competent criminal judge may, upon complaint, sanction private persons with a fine of up to 10,000 Swiss francs if they have wilfully breached their obligations to:

  1. provide information upon request of the data subject concerned under Article 8 DPA;
  2. provide information on the collection of sensitive personal data and personality profiles under Article 14 DPA;
  3. inform the Commissioner about the safeguards and data protection rules in relation to a transfer of personal data abroad under Article 6 Paragraph 3 DPA;
  4. register a database with the Commissioner; or
  5. cooperate with the Commissioner (Article 34 DPA).

Furthermore, anyone who without authorisation wilfully discloses confidential, sensitive personal data or personality profiles that have come to his or her knowledge in the course of his or her professional activities is, upon complaint, liable to a fine of up to 10,000 Swiss francs (Article 35 DPA in connection with Article 106 Paragraph 1 of the CC).

ii Recent enforcement cases

A recent Swiss Federal Supreme Court case35 dealt with the admissibility of video surveillance on company premises. According to the Swiss Federal Supreme Court, strict standards apply for video surveillance by criminal prosecution authorities. In particular, any video surveillance by police officers on company premises needs to be ordered by the Public Prosecutor and must be authorised by the competent compulsory measures court to be valid as evidence.

Also relating to the processing of employee personal data, the Swiss Federal Supreme Court held in 2013 that the monitoring of an employee's use of email and internet that lasted for three months and included taking regular screenshots was illegal and not proportionate. Moreover, the monitoring was not backed by an internal policy that permitted monitoring under specific, transparently disclosed circumstances.36 In a similar case at the cantonal level, the High Court of Zurich invalidated an employer's decision to terminate an employee with immediate effect as the employer based its decision on an unlawfully collected WhatsApp conversation.37

In a leading case dated 18 April 2017, the Swiss Federal Administrative Court dealt with the concept of personality profiles and retrievability of personal data via search engines.38 The decision, which concerns a case of the Commissioner against a Swiss economic information platform and credit agency, is final and binding as none of the parties appealed against said decision. The Swiss Federal Administrative Court came to the conclusion that personal data that in combination reveals an essential part of the personality of a data subject and that is not relevant in assessing the creditworthiness of the person in question may not be published without the consent of the data subject concerned. The Commissioner's claim that the economic information platform and credit agency's data relating to persons registered in the commercial registry should only be retrievable with search engines in the same manner as data of the official Swiss Federal Commercial Registry was rejected (search engines, in particular Google, only show search results for the Swiss Commercial Registry (i.e., www.zefix.ch) if the search name and also the term 'Zefix' are entered into the search tool). The Swiss Federal Administrative Court stated that the economic information platform and credit agency only has limited influence on the publication of search results on search engines. Also, the Swiss Federal Administrative Court pointed out that the possibility of finding data via search engines may have positive effects from a data protection perspective as it increases transparency.

Moreover, still very relevant and noteworthy is the Swiss Federal Supreme Court's decision of 12 January 2015 in connection with the tax dispute between certain Swiss banks and the United States. Based on the right of access set forth in Article 8 DPA, the Court obliged a Swiss bank to provide its employees with copies of all documents transferred to the US Department of Justice in April 2012 containing their personal data.39 This case law retains its importance as the Swiss Federal Supreme Court recently dealt with additional cases arising from the abovementioned dispute between certain Swiss banks and the United States. Indeed, the court generally validated its prior case law and, furthermore, generally ruled that the banks who transferred to the United States their employees' personal data to comply with American governmental requests violated Swiss data protection legislation and the personality rights of the employees, though this always requires a case-by-case assessment and did not lead to valid claims for damages.40

Lastly, the Swiss Federal Supreme Court ruled, in a 13 October 2019 judgment, that private dashcam footage does not constitute valid evidence in criminal proceedings unless it is used as evidence to solve a serious crime (which was not the case in the matter at hand).41 On the topic of traffic surveillance, the Swiss Federal Supreme Court moreover considered that a cantonal police act does not constitute a sufficient legal basis for automated vehicle search and identification and for traffic surveillance, as such behaviour may lead to a serious encroachment on constitutional rights (personal freedom and informational self-determination). Any records based on this practice, therefore, qualify as unlawfully-collected evidence.42

iii Private litigation

Any person may request information from the controller of a data file as to whether personal data concerning them is being processed (see above Section III.iii). Any data subject may also request that incorrect data be corrected (Article 5 Paragraph 2 DPA).

In addition, data subjects have ordinary judicial remedies available under civil law to protect their personality rights (Article 15 DPA in relation to Article 28–28l of the Swiss Civil Code). Data subjects may in particular request:

  1. that data processing be stopped;
  2. that no data be disclosed to third parties;
  3. that the personal data be corrected or destroyed;
  4. compensation for moral sufferings; and
  5. payment of damages or the handing over of profits.

However, as regards claims for damages, it is in practice often very difficult for a data subject to prove actual damage based on breaches of data protection legislation and personality rights.

VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS

The territorial scope of application of the DPA is very broad. The DPA not only applies to the processing of personal data in Switzerland (which is the most common trigger), but – depending on the circumstances – may also apply to the processing of personal data that takes place abroad. In fact, based on an international convention or based on Article 129 Paragraph 1 and Article 130 Paragraph 3 PILA, a data subject may in some instances have the option to file an action in a Swiss court for infringement of his or her personality rights and ask the competent court to apply Swiss law even if no processing activity has taken place in Switzerland (see Article 139 PILA).43 Based on the foregoing, foreign organisations should review compliance with the DPA even if they do not process any personal data in Switzerland or even if they do not have any presence in Switzerland if there is a possibility that data subjects may file a claim in Switzerland and ask for the application of the DPA. Nonetheless, Switzerland does not have any 'data territoriality' requirements, meaning that there is no obligation to store personal data in Switzerland.

As regards foreign organisations with personal data processing operations in Switzerland (e.g., through a branch office, an affiliate or a third-party service provider), compliance with the requirements on international data transfers is another important topic if a cross-border exchange of personal data is involved (e.g., in the context of centralised HR and customer relationship management systems – see Section IV). Moreover, if a foreign organisation transfers or discloses personal data to Switzerland for the first time, additional or new obligations for the processing of the personal data may be created that did not exist beforehand.44 It is therefore strongly recommended that compliance is verified with the DPA before disclosing or transferring any personal data to Switzerland, before starting to process personal data in Switzerland (whether on one's own or by using group companies or third-party service providers), or before cross-border exchanges of personal data in the context of a group of companies or otherwise.

IX CYBERSECURITY AND DATA BREACHES

Article 7 DPA and Articles 8–12 DPO set out the general security requirements applicable to the processing of personal data. Additionally, the Commissioner has issued a guide pertaining to technical and organisational measures to be taken when processing personal data.45

Swiss data security requirements do not impose specific standards. Rather, and in furtherance of a technology-neutral stance, anyone processing personal data must implement technical and organisational measures that are 'adequate' (Article 8 Paragraph 2 DPO) and, in the case of automated processing, 'suitable' for achieving data security goals (Article 9 Paragraph 1 DPO). This wording is generally construed as requiring anyone processing personal data to implement industry best practices in their cybersecurity processes.

Neither the DPA nor the DPO currently explicitly requires data handlers to notify the Commissioner (or any other Swiss authority) or data subjects of any suspected or actual personal data breaches.46 This is likely to change under the revised DPA, as data controllers will have to report data breaches to the Commissioner if the breach may lead to a high risk to the personality or fundamental rights of the data subjects. In addition, the Swiss Federal Council is assessing the value of introducing a cyber-incident reporting obligation, which would primarily concern operators of critical infrastructures. Under the (current) DPA, however, data handlers may indeed have a duty to inform data subjects concerned based on the principles of transparency and good faith. Data handlers may in certain circumstances also have a contractual obligation to notify data subjects of any suspected or actual personal data breaches.47 In the event that a large number of data subjects are affected, the principles of transparency and good faith may very exceptionally even result in a duty to report the incident publicly. This may in particular be the case if the data subjects concerned cannot be informed individually and there is a high probability that damages will occur if the incident is not publicly reported. Whether an obligation to notify data subjects exists (be it individually, through public reporting, or both) must be checked on a case-by-case basis.

In Switzerland, the cantons are generally responsible for the prosecution of misuse of information and communication technology. To fight cybercrime more efficiently, the Swiss Confederation and the cantons entered into an administrative agreement in 2001, empowering the federal authorities to assume certain responsibilities in this area. On 1 January 2014, the Swiss national coordination unit to fight internet crime, the Cybercrime Coordination Unit Switzerland (CYCO), commenced its activities.48 CYCO conducts an initial analysis of incoming reports, secures the relevant data and then forwards the matter to the competent law enforcement agencies in Switzerland and abroad.

On a Swiss federal level, the Reporting and Analysis Centre for Information Assurance (MELANI) was established in 2004. MELANI functions as a cooperation model, inter alia, between the Swiss Federal Finance Department and the Swiss Federal Defence Department. It serves private computer and internet users (in particular providing them with information about risks relating to the use of modern information and communication technologies) as well as selected providers of critical national infrastructures (such as banks and telecommunication services providers). MELANI has created various checklists and documentation regarding IT security. In 2008, MELANI established GovCERT.ch, the computer emergency response team (CERT) of the government and the official national CERT of Switzerland. GovCERT.ch is a member of the Forum of Incident Response and Security Teams, and of the European Government CERTs group.

The Ordinance on Protecting against Cyber-Risks in the Federal Administration49 entered into force on 1 July 2020. It sets up the National Cyber Security Centre (NCSC), under the direction of the Federal Cyber Security Delegate. The NCSC merges together MELANI, Federal ICT Security and GovCERT, thereby offering a single point of contact on the federal level for all matters pertaining to cybersecurity.

X OUTLOOK

The ongoing reform of the DPA is likely to lead to a tightening of the Swiss data protection regime. Based on the publication of the draft of the revised DPA,50 the following aspects are particularly noteworthy:

  1. transparency in data processing is increased. In particular, private sector actors will have a duty to inform data subjects in the event of data collection and processing;
  2. self-regulation shall be encouraged. Professional and business associations may prepare codes of conduct and submit them to the Commissioner for the delivery of an opinion;
  3. the data controller will have to perform an impact assessment whenever it appears that the envisaged data processing may lead to an increased risk to the data subjects' personality and fundamental rights, although some exceptions apply;
  4. a duty to notify the Commissioner or even the data subjects in cases of breach of data protection will bind data controllers;
  5. the present rules on personality profiles will be abolished. However, they will be replaced by new rules on profiling, the scope of which remains somewhat uncertain;
  6. the draft introduces the concepts of privacy by design and privacy by default. Hence, data protection must take place from the outset (i.e., from the conception of the processing) and the least invasive settings must be applied by default;
  7. the duty to declare data files to the Commissioner shall be abolished for private actors. Data controllers and data processors must, however, keep records of their processing activities;
  8. personal data relating to legal entities shall no longer be protected under the DPA;
  9. the Commissioner shall obtain greater powers and will in particular have the competence to render binding decisions on data controllers and processors; and
  10. criminal sanctions for data protection misconduct will be increased significantly. In fact, fines of up to 250,000 Swiss francs may be levied in cases of intentional offences against certain provisions of the revised DPA.

The text that will eventually become law may contain deviations from the published draft. It is nonetheless to be expected that the final revised DPA will include many of the changes suggested in the draft of the revised DPA. Entry into force of the new, revised DPA, which was initially expected to take place in 2018, was split into two parts. The first part entered into force in March 2019, while the second part is tentatively expected to enter into force in 2021 or 2022 (for further details, see Section II).


Footnotes

1 Jürg Schneider is a partner, Monique Sturny is a managing associate and Hugh Reeves is a senior associate at Walder Wyss Ltd.

2 Classified compilation (SR) 235.1, last amended as of 1 March 2019.

3 Classified compilation (SR) 235.11, last amended as of 16 October 2012.

4 Specific duties exist in certain areas based on international treaties. Furthermore, the GDPR, which became effective on 25 May 2018, is not only relevant for companies located in EU and EEA Member States, but also for Swiss companies under certain circumstances, see Section II below for more detail.

5 Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

6 The guidelines are not legally binding, but do set de facto standards.

7 The draft DPA, the explanatory report of the Swiss Federal Council and the summary of the results of the consultation process are available in German, French and Italian on the website of the Swiss Confederation at: (in German) www.ejpd.admin.ch/ejpd/de/home/aktuell/news/2017/2017-09-150.html; (in French) www.ejpd.admin.ch/ejpd/fr/home/aktuell/news/2017/2017-09-150.html; and (in Italian) www.ejpd.admin.ch/ejpd/it/home/aktuell/news/2017/2017-09-150.html (all sites last visited on 29 July 2020). An unofficial English translation of the draft DPA can be found at: https://www.dataprotection.ch/user_assets/pdfs/Swiss_Data_Protection_Act__draft_of_September_2017__Walder_Wyss_convenience_translation_V010.pdf?v=1507206202 (last visited on 29 July 2020).

8 Classified compilation (SR) 235.3.

9 CJEU Judgment C-311/18 of 16 July 2020.

10 The statement of the Commissioner is available at www.edoeb.admin.ch/edoeb/en/home/latest-news/media/medienmitteilungen.msg-id-80318.html (last visited on 11 September 2020).

11 Classified compilation (SR) 101, last amended as of 12 February 2017.

12 Classified compilation (SR) 235.13, last amended as of 1 November 2016.

13 As mentioned in footnote 8, the guidelines are not legally binding, but do set de facto standards.

14 Article 3 DPA.

15 Article 4 lit. g of the revised DPA defines the data breach as 'a breach of security leading to loss, deletion, destruction, alteration, unauthorised disclosure of or access to personal data, irrespective of any intent or unlawfulness' (our translation).

16 Articles 4, 5 and 7 DPA.

17 The public interest justification must exist from a Swiss perspective. However, this does not only include Swiss public interests. Supporting foreign concerns – depending on the circumstances – may also qualify as a public interest from a Swiss perspective. This needs to be checked on a case-by-case basis.

18 See Article 12 Paragraph 2(c) DPA.

19 Classified compilation (SR) 784.10, last amended as of 1 March 2018.

20 Commissioner, 'Guide to cloud computing', available at: https://www.edoeb.admin.ch/edoeb/en/home/data-protection/Internet_und_Computer/cloud-computing/guide-to-cloud-computing.html (status 2014; last visited on 29 July 2020).

21 Ordinance of the Federal Department of the Environment, Transport, Energy and Communications on special categories of aircraft of 24 November 1994, last amended as of 1 January 2019, classified compilation (SR) 748.941.

22 'New drone regulation from 1 January 2021', available at: www.bazl.admin.ch/bazl/en/home/good-to-know/drones-and-aircraft-models/Europaeische_Drohnenregulierung_uebernommen.html (last visited on 3 August 2020); 'FAQs on the new drone Regulation applicable as of 1 January 2021', available at www.bazl.admin.ch/dam/bazl/en/dokumente/Gut_zu_wissen/Drohnen_und_Flugmodelle/faq_neue_drohnenregulierung_2020.pdf.download.pdf/faq_neue_drohnenregulierung_2020.pdf (last visited on 3 August 2020).

23 Also relevant in this context is Article 179 quater of the Swiss Criminal Code, which states that a person who, without consent, observes with a recording device or records with an image-carrying device information from the secret domain of another person or information from the private domain of another person that is not readily available to everyone is criminally liable; see also Commissioner, 'Video surveillance with drones by private persons', available at www.edoeb.admin.ch/edoeb/de/home/datenschutz/technologien/videoueberwachung/videoueberwachung-mit-drohnen-durch-private/videoueberwachung-mit-drohnen-durch-private.html (status 2014; in German; no English version available; last visited on 29 July 2020).

24 Some legal authors, however, are of the opinion that an employee may specifically and unilaterally consent (i.e., not in the employment contract or in any other agreement with the employer) to a processing of personal data that goes beyond Article 328b CO.

25 Ordinance 3 to the Employment Act (Healthcare) of 18 August 1993, last amended as of 1 October 2015, classified compilation (SR) 822.113.

26 Commissioner, 'Guide on the processing of personal data in the work area' (status November 2014; www.edoeb.admin.ch/edoeb/de/home/dokumentation/taetigkeitsberichte/aeltere-berichte/19--taetigkeitsbericht-2011-2012/buergeranfragen-zur-ueberwachung-am-arbeitsplatz.html, in German; no English version available; last visited on 29 July 2020).

27 Commissioner, 'Bring Your Own Device (BYOD)' (available at www.edoeb.admin.ch/edoeb/de/home/datenschutz/arbeitsbereich/bring-your-own-device--byod-.html; in German; no English version available; last visited on 29 July 2020).

28 See list of countries at www.edoeb.admin.ch/dam/edoeb/de/dokumente/2017/04/staatenliste.pdf.download.pdf/staatenliste.pdf (in German; no English version available; last visited on 29 July 2020).

29 It can, in our view, be reasonably argued that the fact that the EU data protection provisions (GDPR) do not specifically protect personal data pertaining to legal entities does not per se result in an absence of adequate protection in EU or EEA member states. The protection for such data may also be adequate based on other legislation of EU or EEA member states. Furthermore, the transfer of personal data pertaining to legal entities does not necessarily seriously endanger the legal entity's personality rights.

30 See the standard contractual clauses for the transborder outsourcing of data processing accepted by the Commissioner, available at: www.edoeb.admin.ch/edoeb/en/home/data-protection/handel-und-wirtschaft/entreprises/anmeldung-einer-datensammlung/mustervertrag-fuer-das-outsourcing-von-datenbearbeitungen-ins-au.html (status November 2013; last visited on 29 July 2020).

31 Federal public controllers of data files have a similar obligation to issue a processing policy for automated data files that contain sensitive personal data or personality files, are used by two or more federal bodies, are disclosed to third parties or are connected to other data files (see Article 21 DPO).

32 The DPA also does not apply to pending Swiss civil proceedings, pending Swiss criminal proceedings and pending Swiss proceedings under constitutional or under administrative law, with the exception of administrative proceedings of first instance (see Article 2 Paragraph 2(c) DPA).

33 In contrast, producing and taking evidence in purely private foreign arbitral proceedings is not subject to Article 271 CC and therefore does not require that the parties follow the requirements of mutual legal assistance proceedings. However, as the DPA fully applies to the processing of personal data in foreign-based private arbitral proceedings, any cross-border disclosure must comply with the requirements set forth in Article 6 DPA (see Section IV). For more details and exceptions, see Jürg Schneider, Ueli Sommer, Michael Cartier, in Catrien Noorda, Stefan Hanloser (eds), E-Discovery and Data Privacy: A Practical Guide, Kluwer Law International BV, 2011, Chapter 5.25, Switzerland.

34 The processing of personal data by cantonal and communal bodies is regulated by cantonal law. Each canton has a cantonal data protection authority, be it a cantonal data protection officer or a commission competent for cantonal and communal data protection matters. Some cantons have jointly appointed an inter-cantonal data protection authority.

35 Swiss Federal Supreme Court decision of 20 December 2018, 6B_181/2018.

36 Swiss Federal Supreme Court decision dated 17 January 2015 (BGE 139 II 7).

37 High Court of Zurich, decision LA180019-O/U dated 15 March 2019.

38 Swiss Federal Administrative Court decision dated 18 April 2017, A-4232/2015.

39 Swiss Federal Supreme Court decisions dated 12 January 2015, 4A_406/2014; 4A_408/2014 (BGE 141 III 119).

40 Among others, Swiss Federal Supreme Court decisions of the year 2019, 4A_610/2018; 4A_588/2018; 4A_568/2018; 4A_50/2019; 4A_77/2019.

41 Swiss Federal Supreme Court decision dated 13 October 2019, 6B_1188/2018.

42 Swiss Federal Supreme Court decision dated 7 October 2019, BGE 146 I 11.

43 This, however, does not apply to public law provisions of the DPA (such as the obligation to register a data file with the Commissioner or to inform the Commissioner of a transfer abroad) as such rules are governed by the principle of territoriality and only apply to facts that take place in Switzerland.

44 Such as, for example, an obligation to register a data file with the Commissioner, or there may be instances where data that before their transfer or disclosure to Switzerland were not subject to specific data protection regulations suddenly become subject to the data protection regulations set forth in the DPA and the DPO because of the fact that the DPA and DPO currently also apply to the processing of personal data pertaining to legal entities (even if, at a later stage, the data are transferred abroad from Switzerland again).

45 'Guide for technical and organisational measures' (status as of February 2016; www.edoeb.admin.ch/dam/edoeb/en/dokumente/2016/02/leitfaden_zu_dentechnischenundorganisatorischenmassnahmendesdate.pdf.download.pdf/guide_for_technicalandorganizationalmeasures.pdf, last visited on 29 July 2020). Additional security requirements apply to specific sectors such as, inter alia, the financial industry and the area of medical research. These additional requirements are set forth in separate legislative acts.

46 For certain specifically regulated areas, however, these duties may exist. This is the case, for instance, in the banking sector where regulatory requirements call for a notification in certain cases of data breaches (Circular 2008/21 – Operational Risks Banks, Annex 3, of the Swiss Financial Market Supervisory Authority – FINMA, available at: www.finma.ch/de/~/media/finma/dokumente/rundschreiben-archiv/finma-rs-2008-21---30-06-2017.pdf&sa=U&ved=0ahUKEwiZ8vetoovWAhUCshQKHeLuBeMQFggNMAQ&client=internal-uds-cse&usg=AFQjCNH1i9Man6e87Na3Uq4hvV8R2iGy4g, last visited on 29 July 2020).

47 For example, a data handler may have an obligation to inform its customers about a data breach based on an explicit contractual obligation towards its customers or based on a general contractual duty of diligence.

48 More information on CYCO is available at www.fedpol.admin.ch/fedpol/en/home/kriminalitaet/cybercrime.html (last visited on 20 July 2020).

49 Classified compilation (SR) 120.73, dated 27 May 2020, entry into force 1 July 2020.

50 See footnote 6 for links to the draft of the revised DPA.