This Act has the purpose of protecting the personality and fundamental rights of natural persons whose personal data is processed.

¹ This Act applies to the processing of personal data of natural persons by:

a.

private persons;

b.

federal bodies.

² It does not apply to:

a.

personal data being processed by a natural person exclusively for personal use;

b.

personal data being processed by the Federal Assembly and parliamentary committees as part of their deliberations;

c.

personal data being processed by institutional beneficiaries under Article 2 paragraph 1 of the Host State Act of 22 June 2007³ who enjoy immunity from jurisdiction in Switzerland.

³ The applicable procedural law regulates the processing of personal data and the data subject's rights in court proceedings and in proceedings governed by federal procedural regulations. This Act applies to first instance administrative proceedings.

⁴ The public registers for private legal transactions, and in particular the access to these registers and the data subject's rights, shall be regulated by the specific provisions of the applicable federal law. If the specific provisions do not contain any rules, this Act applies.

¹ This Act applies to circumstances that have an effect in Switzerland, even if they were initiated abroad.

² For rights under private law, the Federal Act of 18 December 1987⁴ on Private International Law applies. In addition, the provisions on the territorial scope of application of the Criminal Code⁵ are reserved.

¹ The Federal Data Protection and Information Commissioner (FDPIC) supervises the application of the federal data protection regulations.

² The following are exempted from supervision by the FDPIC:

a.

the Federal Assembly;

b.

the Federal Council;

c.

the federal courts;

d.

the Office of the Attorney General of Switzerland in relation to processing personal data as part of criminal proceedings;

e.

federal authorities in relation to processing personal data in terms of a judicial activity or proceedings for international mutual assistance in criminal matters.

¹ The controller shall inform the data subject in an appropriate manner when collecting personal data; this duty to provide information also applies if the data is not collected from the data subject.

² It shall provide the data subject on collecting the data with the information required for the data subject to exercise their rights under this Act and to guarantee transparent data processing; it shall provide the following information as a minimum:

a.

the controller's identity and contact details;

b.

the purpose of processing;

c.

if applicable, the recipients or the categories of recipients to which personal data is disclosed.

³ If the data is not collected from the data subject, the controller shall also inform the data subject of the categories of processed personal data.

⁴ If the personal data are disclosed abroad, the controller shall also inform the data subject of the State or the international body to which such data are disclosed and if applicable of the guarantees under Article 16 paragraph 2 or the application of an exception under Article 17.

⁵ If the data is not collected from the data subject, the controller shall also inform the data subject of the information specified in paragraphs 2-4 at the latest one month after receiving the data. If the controller discloses the personal data before the expiry of this deadline, it shall inform the data subject at the time of disclosure at the latest.

¹ The duty to provide information under Article 19 ceases to apply if one of the following requirements is satisfied:

a.

The data subject already has the information concerned.

b.

The processing is required by law.

c.

The controller is a private person who is required by law to preserve confidentiality.

d.

The requirements of Article 27 are satisfied.

² If the personal data is not collected from the data subject, the duty to provide information also ceases to apply if any one of the following requirements is satisfied:

a.

It is not possible to provide the information.

b.

Providing the information requires disproportionate effort.

³ The controller may restrict, delay or dispense with the provision of the information in the following cases:

a.

It is required to do so because of overriding third party interests.

b.

Providing the information defeats the purpose of the processing.

c.

The controller is a private person and the following requirements are satisfied:

1.

The controller is required to do so because of its own overriding interests.

2.

The controller does not intend to disclose the personal data to third parties.

d.

The controller is a federal body and any one of the following requirements is satisfied:

1.

The measure is required to satisfy overriding public interests, in particular to protect Switzerland's internal or external security.

2.

The communication of the information may compromise an enquiry, an investigation or administrative or judicial proceedings.

⁴ Legal entities that belong to the same group of companies are not third parties within the meaning of paragraph 3 letter c number 2.

¹ The controller shall inform the data subject about any decision that is based exclusively on automated processing and that has a legal consequence for or a considerable adverse effect on the data subject (automated individual decision).

² It shall on request allow the data subject to express their point of view. The data subject may request that the automated individual decision be reviewed by a natural person.

³ Paragraphs 1 and 2 do not apply if:

a.

the automated individual decision is directly connected with the conclusion or the processing of a contract between the controller and the data subject and the data subject's request is granted; or

b.

the data subject has explicitly consented to the decision being automated.

⁴ If the automated individual decision is issued by a federal body, it must designate the decision accordingly. Paragraph 2 does not apply if, in accordance with Article 30 paragraph 2 of the Administrative Procedure Act of 20 December 1968⁶ (APA) or another federal act, the data subject is not entitled to a hearing before the decision is taken.

¹ If processing is likely to result in a high risk to the data subject's personality or fundamental rights, the controller shall carry out a data protection impact assessment beforehand. If several similar processing procedures are planned, a joint assessment may be carried out.

² The existence of a high risk, in particular when using new technologies, depends on the nature, extent, circumstances and purpose of the processing. A high risk arises in particular:

a.

in the case of the large-scale processing of sensitive personal data;

b.

if public areas are systematically monitored on a large scale.

³ The data protection impact assessment shall include a description of the planned processing, an evaluation of the risks to the data subject's personality or fundamental rights and a description of the measures to protect personality and fundamental rights.

⁴ Private controllers are exempt from having to carry out a data protection impact assessment if they are required by law to process the data.

⁵ A private controller may dispense with carrying out a data protection impact assessment if it uses a system, product or service that is certified under Article 13 for the intended use, or if it complies with a code of conduct under Article 11 that satisfies the following requirements:

a.

The code of conduct is based on a data protection impact assessment.

b.

It provides for measures to protect the personality and the data subject's fundamental rights.

c.

It has been submitted to the FDPIC.

¹ If the data protection impact assessment indicates that the planned processing despite the measures planned by the controller will still pose a high risk to the personality or the data subject's fundamental rights, the controller shall seek the FDPIC's opinion beforehand.

² The FDPIC shall inform the controller within two months of any objections to the planned processing. This deadline may be extended by one month if the data processing is complex.

³ If the FDPIC objects to the planned processing, he or she shall propose suitable measures to the controller.

⁴ A private controller may dispense with consulting the FDPIC if it has consulted the data protection officer under Article 10.

¹ The controller shall notify the FDPIC of any breach of data security that is likely to lead to a high risk to the data subject's personality or fundamental rights as quickly as possible.

² In the notification, it shall as a minimum specify the nature of the breach of data security, its consequences and the measures taken or planned.

³ The processor shall notify the controller of any breach of data security as quickly as possible.

⁴ The controller shall inform the data subject if this is required for their protection or if the FDPIC so requests.

⁵ It may limit, delay or dispense with the provision of information to the data subject if:

a.

there is a reason for doing so pursuant to Article 26 paragraph 1 letter b or paragraph 2 letter b or the provision of information is prohibited by a statutory duty of confidentiality;

b.

the provision of information is impossible or requires disproportionate effort; or

c.

the provision of information to the data subject is equally guaranteed by making a public announcement.

⁶ A notification made pursuant to this Article may only be used against the person required to notify in criminal proceedings with that person's consent.

¹ Any person may request information from the controller on whether personal data relating to them is being processed.

² The data subject shall receive the information required to be able to exercise their rights under this Act and to guarantee transparent data processing. In every case, they are entitled to the following information:

a.

the identity and the contact details of the controller;

b.

the processed personal data as such;

c.

the purpose of processing;

d.

the retention period for the personal data or, if this is not possible, the criteria for determining this period;

e.

the available information about the source of the personal data, if it has not been collected from the data subject;

f.

if applicable, whether an automated individual decision has been taken and the logic behind the decision;

g.

if applicable, the recipients or the categories of recipients to which personal data is disclosed, as well as the information specified in Article 19 paragraph 4.

³ The data subject may consent to having personal data relating to their health communicated by a health profession of their choice.

⁴ If the controller arranges for personal data to be processed by a processor, it remains under a duty to provide information.

⁵ No one may waive their right to information in advance.

⁶ The controller must provide information free of charge. The Federal Council may provide for exceptions, in particular if the effort required is disproportionate.

⁷ The information shall in general be provided within 30 days.

¹ The controller may refuse to provide information, or restrict or delay the provision of information if:

a.

a formal law so provides, in particular in order to preserve professional secrecy;

b.

this is required to safeguard overriding third-party interests; or

c.

the request for information is obviously unjustified, in particular if does not serve the purpose of data protection or is clearly frivolous.

² Furthermore, it is possible to refuse, restrict or delay the provision of information in the following cases:

a.

The controller is a private person and the following requirements are satisfied:

1.

The controller's own overriding interests require the measure.

2.

The controller does not intend to disclose the personal data to third parties.

b.

The controller is a federal body, and one of the following requirements is satisfied:

1.

The measure is required to satisfy overriding public interests, in particular Switzerland's internal or external security.

2.

The communication of the information may compromise an enquiry, an investigation or administrative or judicial proceedings.

³ Legal entities that belong to the same group of companies are not third parties within the meaning of paragraph 2 letter a number 2.

⁴ The controller must indicate why it is refusing, restricting or delaying the provision of the information.

¹ If personal data are processed exclusively for their publication in the editorial section of a periodically published medium, the controller may refuse, restrict or delay the provision of information for one of the following reasons:

a.

The data reveals the sources of the information.

b.

The provision of information would allow access to drafts of publications.

c.

The provision of information would compromise the freedom of the public to shape their own opinions.

² Journalists may also refuse, restrict or delay the provision of information if they are using the personal data exclusively as an aid to their own personal work.

¹ Any person may request the controller to deliver the personal data that they have disclosed to it in a conventional electronic format if:

a.

the controller is carrying out the automated processing of the data; and

b.

the data are being processed with the consent of the data subject or in direct connection with the conclusion or the performance of a contract between the controller and the data subject.

² The data subject may also request the controller to transfer their personal data to another controller if the requirements in paragraph 1 are met and no disproportionate effort is required.

³ The controller must deliver or transfer the personal data free of charge. The Federal Council may provide for exceptions, in particular if the effort is disproportionate.

¹ The controller may refuse, restrict or delay the delivery or transfer of personal data for the reasons set out in Article 26 paragraphs 1 and 2.

² The controller must give reasons why it has decided to refuse, restrict or delay the delivery or transfer.

¹ Any person who processes personal data must not unlawfully breach the data subjects' personality rights.

² A breach of personality rights arises in particular if:

a.

personal data are processed contrary to the principles of Articles 6 and 8;

b.

personal data are processed contrary to the express wishes of the data subject;

c.

sensitive personal data are disclosed to third parties.

³ In general no breach of personality rights arises if the data subject makes the personal data generally accessible and has not explicitly prohibited any processing.

¹ A breach of personality rights is unlawful unless it is justified by the consent of the data subject, by an overriding private or public interest, or by the law.

² The controller may have an overriding interest in the following cases in particular:

a.

The controller processes personal data relating to a contracting party in direct connection with the conclusion or the performance of a contract.

b.

The controller is or intends to be in commercial competition with another person and for this purpose processes personal data that are not disclosed to third parties; legal entities that belong to the same group of companies as the controller are not regarded as third parties for the purposes of this provision.

c.

The controller processes personal data to verify the creditworthiness of the data subject, provided the following requirements are satisfied:

1.

The matter involves neither sensitive personal data nor high-risk profiling.

2.

The data are only disclosed to third parties if the third parties require the data for the conclusion or the performance of a contract with the data subject.

3.

The data are no more than ten years old.

4.

The data subject has attained the age of majority.

d.

The controller processes the personal data professionally and exclusively for publication in the editorial section of a periodically published medium or the controller uses the data, if they are not published, as an aid to their own personal work.

e.

The controller processes the personal data for purposes not related to specific persons, in particular for research, planning or statistics, provided the following requirements are satisfied:

1.

The controller anonymises the data as soon as the purpose of processing permits; if anonymity is impossible or if it requires disproportionate effort, the controller shall take appropriate measures to prevent the identification of the data subject.

2.

If the matter involves sensitive personal data, the controller shall disclose such data to third parties in such a manner that the data subject is not identifiable; if this is not possible, it must be guaranteed that the third parties only process the data for purposes unrelated to the data subject's person.

3.

The results are published in such a manner that data subjects are not identifiable.

f.

The controller collects personal data relating to a public figure that relate to that person's public activities.

¹ The data subject may request that incorrect personal data be corrected unless:

a.

a statutory provision prohibits the correction;

b.

the personal data are processed for archiving purposes that are in the public interest.

² Actions to protect the personality are governed by the Articles 28, 28a and 28g-28l of the Civil Code⁷. The applicant may in particular request that:

a.

a specific data processing activity be prohibited;

b.

a specific disclosure of personal data to third parties be prohibited;

c.

personal data be deleted or destroyed.

³ If neither the accuracy nor the inaccuracy of the relevant personal data can be established, the applicant may request that the data be marked as being disputed.

⁴ The applicant may also request that any correction, deletion or destruction, prohibition of processing or disclosure to third parties, marking as disputed or judgment be communicated to third parties or be published.

The Federal Council shall regulate the control procedures and responsibility for data protection in cases in which a federal body processes personal data jointly with other federal bodies, with cantonal bodies or with private persons.

¹ Federal bodies may only process personal data if there is a statutory basis for doing so.

² A statutory basis in a formal law is required in the following cases:

a.

The matter involves the processing of sensitive personal data.

b.

The matter involves profiling.

c.

The purpose or manner of the data processing may lead to a serious violation of the data subject's fundamental rights.

³ A statutory basis in a substantive law is sufficient as the basis for processing personal data under paragraph 2 letters a and b provided the following requirements are satisfied:

a.

Processing is essential for a task required by a formal law.

b.

The purpose of processing poses no particular risks to the data subject's fundamental rights.

⁴ In derogation from the paragraphs 1-3, federal bodies may process personal data if any one one of the following requirements is satisfied:

a.

The Federal Council has authorised the processing because it considers that the data subject's rights are not at risk.

b.

The data subject has consented to the processing in the specific case or has made their personal data generally accessible and has not explicitly prohibited any processing.

c.

The processing is necessary in order to protect the life or physical integrity of the data subject or of a third party, and it is not possible to obtain the consent of the data subject within a reasonable time.

¹ Before a formal enactment comes into force, the Federal Council may authorise the automated processing of sensitive personal data or other data processing under Article 34 paragraph 2 letters b and c if:

a.

the tasks for which the processing is required are regulated in a formal law that is already in force;

b.

adequate measures have been taken to limit any violation of the data subjects' fundamental rights to a minimum; and

c.

a test phase before the enactment comes into force is essential for the practical implementation of the data processing, in particular for technical reasons.

² The Federal Council shall obtain the FDPIC's opinion beforehand.

³ The competent federal body shall submit an evaluation report to the Federal Council no later than two years after the start of the pilot trial. In the report, it shall propose the continuation or discontinuation of the processing.

⁴ Automated data processing must in every case be discontinued if no formal enactment containing the required legal basis has come into force within five years of the start of the pilot trial.

¹ Federal bodies may only disclose personal data if there is a statutory basis for doing so in accordance with Article 34 paragraphs 1-3.

² They may disclose personal data in specific cases in derogation from paragraph 1, if any one of the following requirements is satisfied:

a.

The data must be disclosed in order for the controller or the recipient to fulfil a statutory duty.

b.

The data subject has consented to disclosure.

c.

The data must be disclosed in order to protect the life or physical integrity of the data subject or of a third party and it is not possible to obtain the consent of the data subject within a reasonable time.

d.

The data subject has made their personal data generally accessible and has not explicitly prohibited any processing.

e.

The recipient has credibly shown that the data subject has refused consent or objected to the disclosure in order to prevent the recipient from enforcing legal rights or exercising other legitimate interests; the data subject must be given the opportunity beforehand to comment, unless this is impossible or requires disproportionate effort.

³ The federal bodies may furthermore disclose personal data as part of official information provided to the public or based on the Freedom of Information Act of 17 December 2004⁸ if:

a.

the data is connected with the fulfilment of public duties; and

b.

there is an overriding public interest in the disclosure.

⁴ They may also disclose a person's surname, first name, address and date of birth on request even if the requirements in paragraphs 1 or 2 are not satisfied.

⁵ They may make personal data generally accessible by means of automated information and communications services if there is a legal basis for publishing the data or if they disclose data based on paragraph 3. If there is no longer a public interest in making the data generally accessible, the data concerned shall be deleted from the automated information and communications service.

⁶ The federal bodies shall refuse or restrict disclosure or make disclosure subject to requirements if:

a.

essential public interests or the manifestly legitimate interests of the data subject so require; or

b.

statutory duties of confidentiality or special data protection regulations so require.

¹ A data subject who credibly shows a legitimate interest may object to the disclosure of specific personal data by the responsible federal body.

² The federal body shall reject the objection if any one of the following requirements is satisfied:

a.

There is a legal duty to disclose the data.

b.

The fulfilment of the body's tasks would otherwise be jeopardised.

³ Article 36 paragraph 3 remains reserved.

¹ In accordance with the Archiving Act of 26 June 1998⁹, federal bodies shall offer to the Federal Archives all personal data that they no longer regularly require.

² They shall destroy personal data that the Federal Archives do not deem to be worth archiving unless:

a.

the data are anonymised;

b.

they must be preserved for evidentiary or security purposes or to safeguard the data subject's legitimate interests.

¹ Federal bodies may process personal data for purposes not related to specific persons, in particular for research, planning or statistics, provided:

a.

the data are anonymised as soon as the purpose of processing permits;

b.

the federal body only discloses sensitive personal data to private persons in such a manner that the data subjects are not identifiable;

c.

the recipient only transmits the data to third parties with the consent of the federal body that disclosed the data; and

d.

the results are only published in such a manner that the data subjects are not identifiable.

² Articles 6 paragraph 3, 34 paragraph 2 and 36 paragraph 1 do not apply.

If a federal body acts under private law, the provisions on data processing by private persons apply.

¹ Any person who has a legitimate interest may request the responsible federal body to:

a.

stop the unlawful processing of the personal data concerned;

b.

redress the consequences of unlawful processing;

c.

declare the processing to be unlawful.

² The applicant may in particular request the federal body to:

a.

correct, delete or destroy the personal data concerned;

b.

communicate its decision, in particular about correcting, deleting or destroying personal data, the objection against the disclosure under Article 37 or marking data as disputed under paragraph 4, to third parties or publish the decision.

³ Instead of deleting or destroying the personal data, the federal body shall restrict the processing if:

a.

the data subject disputes the accuracy of the personal data and neither its accuracy nor its inaccuracy can be established;

b.

the overriding interests of third parties so require;

c.

an overriding public interest, in particular Switzerland's internal or external security, so requires;

d.

deleting or destroying the data may jeopardise an enquiry, an investigation or an administrative or judicial procedure.

⁴ If neither the accuracy nor the inaccuracy of the relevant personal data can be established, the federal body shall mark the data as being disputed.

⁵ The correction, deletion or destruction of personal data may not be requested in connection with the stocks held by publicly accessible libraries, education and training institutions, museums, archives or other public memory institutions. If the applicant credibly shows an overriding interest, he or she may request the institution to restrict access to the disputed data. Paragraphs 3 and 4 do not apply.

⁶ The procedure is governed by the APA¹⁰. The exceptions in Articles 2 and 3 APA do not apply.

Where proceedings relating to access to official documents that contain personal data in accordance with the Freedom of Information Act of 17 December 2004¹¹ are pending, the data subject may claim those rights in the proceedings that they would have under Article 41 of this Act in relation to the documents that are the subject matter of the access proceedings.

¹ On complaint, a fine not exceeding 250,000 francs shall be imposed on private persons who:

a.

violate their duties under Articles 19, 21 and 25-27, in that they wilfully provide false or incomplete information;

b.

fail wilfully:

1.

to provide information to the data subject in accordance with Articles 19 paragraph 1 and 21 paragraph 1, or

2.

to provide the data subject with the information specified in Article 19 paragraph 2.

² A fine not exceeding 250,000 francs shall be imposed on private persons who, in violation of Article 49 paragraph 3, wilfully provide the FDPIC with false information or wilfully fail to cooperate in the course of an investigation.

On complaint, a fine not exceeding 250,000 francs shall be imposed on private persons who wilfully:

a.

disclose personal data abroad in violation of Article 16 paragraphs 1 and 2 without satisfying the requirements of Article 17;

b.

assign the data processing to a processor without satisfying the requirements of Article 9 paragraphs 1 and 2;

c.

fail to comply with the minimum requirements for data security stipulated by the Federal Council in Article 8 paragraph 3.

¹ Any person who, while practising his or her profession, acquires knowledge of secret personal data for the purpose of that profession but thereafter wilfully discloses such data shall on complaint be liable to a fine not exceeding 250,000 francs.

² The same penalty shall apply to any person who wilfully discloses secret personal data that has come to his or her knowledge while carrying on an activity for or while training with a person subject to a duty of confidentiality.

³ The disclosure of secret personal data after ceasing to practise a profession or after completing training is also a criminal offence.

Any private person who wilfully fails to comply with a ruling issued by the FDPIC or a decision of the appeal courts that refers to the penalty under this Article shall be liable to a fine not exceeding 250,000 francs.

¹ The criminal liability of businesses is governed by Articles 6 and 7 of the Federal Act of 22 March 1974²² on Administrative Criminal Law (ACLA).

² If a fine not exceeding 50,000 francs is under consideration and if the identification of the perpetrators in accordance with Article 6 ACLA requires measures that would be disproportionate in view of the potential penalty, the authority may decide not to pursue these persons but instead to order the business to pay the fine (Art. 7 ACLA).

¹ The prosecution and the adjudication of criminal acts is a matter for the cantons.

² The FDPIC may file a complaint with the competent prosecution authority and exercise the rights of a private claimant in the proceedings.

Prosecution is subject to a statute of limitations of five years.

The Federal Council may conclude international treaties relating to:

a.

international cooperation between data protection authorities;

b.

the mutual acknowledgement of an adequate level of protection for the disclosure of personal data abroad.

The repeal and the amendment of other legislation are regulated in Annex 1.

Articles 7, 22 and 23 do not apply to data processing that began before this Act comes into force, provided the purpose of processing remains unchanged and no new data are collected.

This Act does not apply to FDPIC investigations that are ongoing at the time that it comes into force; likewise, this Act does not apply to appeals pending against first instance decisions issued before it comes into force. Such cases are governed by the previous law.

For federal bodies, regulations in other federal legislation that relate to personal data shall continue to apply to the data of legal entities for five years from the date on which this Act come into force. In particular federal bodies may continue to disclose the data of legal entities in accordance with Article 57s paragraphs 1 and 2 of the Government and Administration Organisation Act of 21 March 1997²³ for five years from the date on which this Act come into force if there is a legal basis that authorises them to disclose personal data.

¹ The election of the Commissioner and the termination of his or her term of office shall be governed by the previous law until the end of the legislature period in which this Act comes into force.

² If the incumbent is elected in the first vote of the United Federal Assembly to elect the Commissioner, the Commissioner's new term of office begins on the day after the election.²⁴

If the Commissioner's employment contract was based on the previous law, the previous law continues to apply.

Coordination with other enactments is regulated in Annex 2.

¹ This Act is subject to an optional referendum.

² The Federal Council shall determine the commencement date.

Commencement date: 1 September 2023²⁶