¹ Anyone who requests information from the controller of a data file on whether data concerning them is being processed (Art. 8 DPA) must normally request the information in writing and provide proof of their identity.

² Requests for information as well as the provision of information may also be made online if the controller of the data file expressly arranges for this and takes appropriate measures to:

a.

guarantee the identification of the data subject; and

b.

protect the personal data of the data subject when providing information against unauthorised access by third parties.⁴

³ With the agreement of the controller of the data file or at his suggestion, the data subject may inspect their data in situ. The information may also be provided verbally if the data subject has consented and has been identified by the controller.

⁴ The information or the substantiated decision on the restriction of the right of access (Art. 9 and 10 DPA) is provided within 30 days of receipt of the request for information. If the information cannot be provided within 30 days, the controller of the data file must notify the applicant of this and of the date by which the information will be provided.

⁵ If one or more data files are jointly held by two or more controllers, the right of access may be asserted against each controller, unless one of them is responsible for processing all requests for information. If the controller of the data file is not authorised to provide information, he shall pass the request on to the person responsible.

⁶ If the request for information relates to data that is being processed by a third party on behalf of the controller of the data file, the controller shall pass the request on to the third party for processing if the controller is not able to provide the information himself.⁵

⁷ If information is requested on data relating to deceased persons, it must be provided if the applicant proves an interest in the information that is not countered by the overriding interests of relatives of the deceased or third parties. Close relatives and persons who have been married to the deceased have a justified interest.

¹ The payment of an appropriate share of the costs may by way of exception be requested if:

a.

the applicant has already been provided with the requested information in the twelve months prior to the application and no legitimate interest in the further provision of information can be proven. A legitimate interest is constituted in particular if the personal data has been modified without notice being given to the data subject;

b.

the provision of information entails an exceptionally large amount of work.

² The share of the costs amounts to a maximum of 300 francs. The applicant must be notified of the amount of the share before the information is provided and may withdraw his request within ten days.

¹ Data files (Art. 11a para. 3 DPA) must be registered with the Federal Data Protection and Information Commissioner (the Commissioner) before their operational use.⁶ The registration contains the following information:

a.

the name and address of the controller of the data file;

b.

the name and complete designation of the data file;

c.

the person against whom the right of access may be asserted;

d.

the purpose of the data file;

e.

the categories of personal data processed;

f.

the categories of data recipients;

g.

the categories of persons participating in the data file, i.e. third parties who are permitted to enter and modify data in the data file.

² Each controller of a data file shall update this information on an ongoing basis. …⁷

¹ Exempt from the duty to register data files are data files as defined in Article 11a paragraph 5 letters a and c-f DPA as well as the following data files (Art. 11a para. 5 let. b DPA):

a.

data files from suppliers or customers, provided they do not contain any sensitive personal data or personality profiles;

b.

data files whose data is used exclusively for purposes unrelated to specific persons, in particular in research, planning and statistics;

c.

archived data files and the data that are preserved solely for historical or scientific purposes;

d.

data files that contain only data that has been published or that the data subjects have themselves made generally accessible and whose processing they have not expressly prohibited;

e.

data that exclusively serves to fulfil the requirements of Article10;

f.

accounting records;

g.

secondary data files for personnel management of the controller of the data file, provided they do not contain any sensitive personal data or personality profiles.

² The controller of the data files shall take the measures required to be able to provide the Commissioner or the data subjects on request with the information (Art. 3 para. 1) on data files not subject to the duty to register.

If personal data is made generally accessible by means of automated information and communications services for the purpose of providing information to the general public, this is not deemed to be transborder disclosure.

¹ The controller of the data file shall inform the Commissioner prior to transborder disclosure with regard to the safeguards and data protection rules under Article 6 paragraph 2 letters a and g DPA. If information cannot be provided in advance, it must be provided immediately after disclosure.

² If the Commissioner has been informed of the safeguards and the data protection rules, the duty to provide information for all additional disclosures is regarded as fulfilled if such disclosures:

a.

are made subject to the same safeguards, provided the categories of recipient, the purpose the processing and the data categories remain essentially unchanged; or

b.

take place within the same legal person or company or between legal persons or companies that are under the same management, provided the data protection rules continue to ensure an adequate level of protection.

³ The duty to provide information is also regarded as fulfilled if data is transmitted on the basis of model contracts or standard contract clauses that have been drawn up or approved by the Commissioner, and the Commissioner has been informed about the use of these model contracts or standard contract clauses by the controller of the data file. The Commissioner shall publish a list of the model contracts and standard contract clauses that he has drawn up or approved.

⁴ The controller of the data file shall take appropriate measures to ensure that the recipient complies with the safeguards and the data protection rules.

⁵ The Commissioner examines the safeguards and the data protection rules that have been notified to him (Art. 31 para. 1 let. e DPA) and notifies the controller of the data file of the result of his examination within 30 days of receipt of the information.

The Commissioner shall publish a list of the states whose legislation ensures an adequate level of protection.

¹ Anyone who as private individual processes personal data or provides a data communication network shall ensure the confidentiality, availability and the integrity of the data in order to ensure an appropriate level of data protection.¹² In particular, he shall protect the systems against the following risks:

a.

unauthorised or accidental destruction;

b.

accidental loss;

c.

technical faults;

d.

forgery, theft or unlawful use;

e.

unauthorised alteration, copying, access or other unauthorised processing.

² The technical and organisational measures must be adequate. In particular, they must take account of the following criteria:

a.

the purpose of the data processing;

b.

the nature and extent of the data processing;

c.

an assessment of the possible risks to the data subjects;

d.

the current state of the art.

³ These measures must be reviewed periodically.

⁴ ...¹³

¹ The controller of the data file shall, in particular for the automated processing of personal data, take the technical and organisational measures that are suitable for achieving the following goals in particular:

a.

entrance control: unauthorised persons must be denied the access to facilities in which personal data is being processed;

b.

personal data carrier control: unauthorised persons must be prevented from reading, copying, altering or removing data carriers;

c.

transport control: on the disclosure of personal data as well as during the transport of data carriers, the unauthorised reading, copying, alteration or deletion of data must be prevented;

d.

disclosure control: data recipients to whom personal data is disclosed by means of devices for data transmission must be identifiable;

e.

storage control: unauthorised storage in the memory as well as the unauthorised knowledge, alteration or deletion of stored personal data must be prevented;

f.

usage control: the use by unauthorised persons of automated data processing systems by means of devices for data transmission must be prevented;

g.

access control: the access by authorised persons must be limited to the personal data that they required to fulfilment their task;

h.

input control: in automated systems, it must be possible to carry out a retrospective examination of what personal data was entered at what time and by which person.

² The data files must be structured so that the data subjects are able to assert their right of access and their right to have data corrected.

¹ The controller of the data file shall maintain a record of the automated processing of sensitive personal data or personality profiles if preventive measures cannot ensure data protection. Records are necessary in particular if it would not otherwise be possible to determine subsequently whether data has been processed for the purposes for which it was collected or disclosed. The Commissioner¹⁵ may also recommend that records be maintained of other processing.

² The records must be stored for one year in a state suitable for auditing. They are accessible only to those bodies or private persons whose duty it is to supervise compliance with the data protection regulations, and may be used only for this purpose.

¹ The controller of an automated data file subject to registration (Art. 11a para. 3 DPA) that is not exempted from the registration requirement in terms of Article 11a paragraph 5 letters b-d DPA shall issue a processing policy that describes in particular the internal organisation and the data processing and control procedures and contain documents on the planning, realisation and operation of the data file and the information technology used.

² The controller of the data file shall update the processing policy regularly. He shall make it available to the Commissioner or the data protection officer under Article 11a paragraph 5 letter e DPA on request in a form that is comprehensible to them.

The controller of the data file shall notify the data recipient as to how up-to-date and reliable the personal data that he has disclosed is, unless this information is evident from the data itself or from the circumstances.

¹ If the controller of the data file under Article 11a paragraph 5 letter e DPA wishes to be exempted from the duty to register the data file, he must:

a.

appoint an operational data protection officer who fulfils the requirements of paragraph 2 and of Article 12b; and

b.

notify the Commissioner of the appointment of the data protection officer.

² The controller of the data file may appoint an employee or a third party as the data protection officer. This person may not carry out any other activities that are incompatible with his duties as a data protection officer, and must have the required specialist knowledge.

¹ The data protection officer has the following duties in particular:

a.

he audits the processing of personal data and recommends corrective measures if he ascertains that the data protection regulations have been infringed;

b.

he maintains a list of the data files in accordance with Article 11a paragraph 3 DPA that are operated by the controller of the data files; this list must be made available to the Commissioner or on request to data subjects.

² The data protection officer:

a.

carries out his duties independently and without instructions from the controller of the data file;

b.

has the resources required to fulfil his duties;

c.

has access to all data files and data processing as well as to all information, that he requires to fulfil his duties.

Articles 1 and 2 apply by analogy to requests for information made to federal bodies.

¹ Swiss representations abroad as well as the missions to the European Communities and to international organisations shall forward requests for information made to them to the office responsible in the Federal Department of Foreign Affairs. The Department regulates the responsibilities.¹⁸

² In addition, the provisions of the Ordinance of 10 December 2004¹⁹ on Military Controls apply to requests for information on military controls abroad.²⁰

¹ The federal bodies responsible (Art. 16 DPA) shall register with the Commissioner all the data files that they maintain before they are opened. The registration contains the following details:

a.

the name and address of the responsible federal body;

b.

the name and complete designation of the data file;

c.

the body against whom the right of access may be asserted;

d.

the legal basis and purpose of the data file;

e.

the categories of processed personal data;

f.

the categories of the recipients of the data;

g.

the categories of the participants in the data file, i.e. third parties who may enter or modify data in the file;

h.²³

...

² The responsible federal body shall update these details regularly.²⁴

¹ Following data files are exempted from the duty to register, provided the federal bodies use them exclusively for the internal administrative purposes:

a.

common correspondence registers;

b.

data files of supplier or clients, provided they do not contain sensitive personal data or personality profiles;

c.

collections of addresses used solely for addressing correspondence, provided they do not contain sensitive personal data or personality profiles;

d.

lists for compensation payments;

e.

accounting documents;

f.

secondary data files for federal personnel management, provided they do not contain sensitive personal data or personality profiles;

g.

library data files (catalogues of authors, borrower and user lists).

² The following are also exempted from the duty to register:

a.

data files archived in the Federal Archives;

b.

data files that are made available to the general public in the form of directories;

c.

data files where the data is used exclusively for purposes not related to specific persons, in particular in research, planning and statistics.

³ The competent federal body shall take the measures required to be able to provide the Commissioner or the data subjects on request with the information (Art. 16 para. 1) on data files exempted from the duty to register.

If a federal body makes a transborder disclosure of personal data on the basis of Article 6 paragraph 2 letter a DPA known, Article 6 applies.

¹ The federal bodies responsible shall take the technical and organisational measures required under Articles 8-10 to protect the privacy and the fundamental rights of persons whose data is being processed. In the case of the automated data processing, the federal bodies shall cooperate with the Federal Strategy Unit for IT (FSUIT).

² The federal bodies responsible shall immediately notify the data protection officer under Article 11a paragraph 5 letter e DPA or, if no officer has been appointed, the Commissioner of all projects involving the automated processing of personal data, so that data protection requirements are taken into account without delay. Notice is given to the Commissioner by way of FSUIT if the project must also be registered with the latter.²⁹

³ The Commissioner and FSUIT shall cooperate on technical measures within the scope of their activities. The Data Protection Commissioner shall consult with FSUIT before recommending such measures.

⁴ In addition, directives apply that have been issued by the federal bodies responsible based on the Federal Information Technology Ordinance of 26 September 2003³⁰.³¹

¹ The federal bodies responsible shall issue a processing policy for automated data files that:

a.

contain sensitive data or personality profiles;

b.

are used by two or more federal bodies;

c.

are disclosed to cantons, foreign authorities, international organisations or private persons; or

d.

are connected to other data files.

² The federal body responsible shall determine its internal organisation in the processing policy. These shall in particular describe the data processing and control procedures and contain all documents on the planning, realisation and management of the data file. The policy shall contain the details required for registration (Art. 16) as well as information on:

a.

the body responsible for the protection and security of the data;

b.

the source of the data;

c.

the purposes for which the data is regularly disclosed;

d.

the control procedures and in particular the technical and organisational measures in terms of Article 20;

e.

the description of the data fields and the organisational units that have access to them;

f.

the access by users of the data files as well as on the nature and extent of such access;

g.

the data processing procedures, in particular the procedure for the rectification, blocking, anonymising, storing, safeguarding, archiving or destruction of the data;

h.

the configuration of the information technology used;

i.

the procedure for exercising the right of access.

³ The policy shall be updated regularly. They shall be made available to the control bodies responsible in a form comprehensible to them.

¹ ...³²

² A federal body that arranges for personal data to be processed by third parties remains responsible for data protection. It ensures that the data is processed in accordance with its instructions, in particular with regard to its use and disclosure.

³ If the third party is not subject to the DPA, the responsible body shall satisfy itself that other statutory provisions ensure equivalent data protection, and if this is not the case, it shall ensure protection by contractual means.

¹ The Federal Chancellery and the Departments shall each appoint at least one advisor on data protection. This advisor has the following duties:

a.

advising the responsible bodies and users;

b.

encouraging the provision of information and the training of staff;

c.

participating in the implementation of the data protection regulations.

² If federal bodies under Article 11a paragraph 5 letter e DPA wish to be exempted from the duty to register their data files, Articles12a and 12b apply.

³ The federal bodies consult with the Commissioner with regard to the advisor.

Where a federal body collects personal data systematically by means of questionnaires, it must inform persons who are not obliged to provide information that the provision of information is voluntary.

¹ The federal body that introduces a personal identification number for the administration of its data file shall create a non-speaking number that is used in its own area of responsibility. A non-speaking number is any set of clear or clearly identifiable characters allocated to each person registered in a data file that does not permit any conclusions to be drawn as to the person to which it relates.

² The use of the personal identification number by other federal or cantonal bodies or by private individuals must be approved by the federal body concerned.

³ The approval may be granted if there is a close connection between the planned data processing and the processing for which the personal identification number has been created.

⁴ In addition, the use of the AHV number is regulated by the AHV legislation.

The federal body concerned shall notify the data recipient of the up-to-dateness and the reliability of the personal data that it discloses, provided this information is not evident from the data itself or from the circumstances.

¹ Before consulting the interested administrative units, the federal body responsible for the pilot scheme shall inform the Commissioner as to how it is intended to ensure compliance with the requirements of Article 17a DPA, and invite him to comment thereon.

² The Commissioner shall comment on the issue of whether the licensing requirements in terms of Article 17a paragraphs 1 and 2 DPA are fulfilled. The federal body responsible shall provide him with all the documents required, and in particular with:

a.

a general description of the pilot scheme;

b.

a report that proves that the fulfilment of tasks provided for by law requires the processing of sensitive personal data or personality profiles and that a test phase before the formal enactment comes into force is indispensable (Art. 17a para. 1 let. c DPA);

c.

a description of the internal organisation as well as the data processing and control procedures (Art. 21);

d.

a description of the security and data protection measures;

e.

the draft of or the concept for an ordinance that regulates the details of the processing;

f.

information relating to the planning of the various phases of the pilot scheme.

³ The Commissioner may request further documents and carry out additional investigations.

⁴ The federal body responsible shall inform the Commissioner of any important modification relating to compliance with the requirements of Article 17a DPA. If required, the Commissioner shall again state his views thereon.

⁵ The opinion of the Commissioner must be included in the application to the Federal Council.

The federal body responsible shall submit the draft of the analysis report for the Federal Council (Art. 17a para. 4 DPA) to the Commissioner for comment. The Federal Council must be informed of the opinion of the Commissioner.

¹ The register maintained by the Commissioner contains the information in terms of Articles 3 and 16.

² The register is accessible to the general public online. The Commissioner shall provide extracts on request free of charge.

³ The Commissioner maintains a list of the controllers of data files who are exempted from the requirement to register data files in terms of Article 11a paragraph 5 letters e and f DPA. This list is accessible to the general public online.

⁴ If the controller of the data file does not register his data file or does not do so completely, the Commissioner shall allow him a period within which to comply with his obligations. On expiry of the period, he may, based on the information available to him, register the file ex officio or recommend that the data processing be terminated.

¹ The Commissioner's headquarters and secretariat are located in Bern.

² The employment of the members of the Commissioner's secretariat is governed by the Federal Personnel Act of 24 March 2000⁴¹ together with its implementing provisions.⁴²

³ The Commissioner's budget is contained in a special section of the Federal Chancellery budget.⁴³

¹ The Commissioner deals with the Federal Council via the Federal Chancellor.⁴⁴ The Federal Chancellor shall pass on any recommendations and reports from the Data Protection Commissioner irrespective of whether he or she concurs with them.

^1bis The Commissioner passes on the reports intended for the Federal Assembly directly to the Parliamentary Services.⁴⁵

² The Commissioner deals directly with other administrative units, the federal courts, foreign data protection authorities and with all other authorities and private persons that are subject to federal data protection legislation or the legislation on the principle of freedom of information in government.⁴⁶

¹ The federal bodies shall submit to the Commissioner any draft legislation that relates to the processing of personal data, data protection or access to official documents.⁴⁷ In the area of the data protection, the departments and the Federal Chancellery notify him of their decisions in anonymised form as well as their guidelines.⁴⁸

² The Commissioner must have sufficient documentation made available to him in order to carry out his activities. He operates an independent information and documentation system for the administration, indexing and control of correspondence and the files as well as for the online publication of information of general interest and of the registers of data files.⁴⁹

³ The Federal Administrative Court has access to the Commissioner's scientific documentation.⁵⁰

¹ A fee is charged for expert opinions (Art. 28 DPA) from the Commissioner. The provisions of the General Fees Ordinance of 8 September 2004⁵¹ apply.⁵²

² No fee is charged to federal administrative units, authorities and the cantons.

¹ For the investigation of the circumstances under Articles 27 and 29 DPA, and in particular the examination of the lawfulness of data processing, the Commissioner may request the following information in particular from the controller of the data file:

a.

technical and organisational measures (Art. 8-10, 20) that have been taken or that are planned;

b.

the regulations relating to the correction, blocking, rendering anonymous, storing, safeguarding and destruction of personal data;

c.

the configuration of the information technology used;

d.

links with other data files;

e.

the manner of the disclosure the data;

f.

the description of the data fields and the organisational units that have access to them;

g.

the nature and extent of access by users to the data in the data file.

² In the case of transborder disclosure, the Commissioner may request additional information, in particular on the processing possibilities of the data recipient or on the data protection measures taken.

¹ The Federal Administrative Court may request the submission of processed data.

² It notifies the Commissioner of its decisions.