- Any person may request information from the controller on whether personal data relating to them is being processed.
- The data subject shall receive the information required to be able to exercise their rights under this Act and to guarantee transparent data processing. In every case, they are entitled to the following information:
- a. the identity and the contact details of the controller;
- b. the processed personal data as such;
- c. the purpose of processing;
- d. the retention period for the personal data or, if this is not possible, the criteria for determining this period;
- e. the available information about the source of the personal data, if it has not been collected from the data subject;
- f. if applicable, whether an automated individual decision has been taken and the logic behind the decision;
- g. if applicable, the recipients or the categories of recipients to which personal data is disclosed, as well as the information specified in Article 19 paragraph 4.
- The data subject may consent to having personal data relating to their health communicated by a health profession of their choice.
- If the controller arranges for personal data to be processed by a processor, it remains under a duty to provide information.
- No one may waive their right to information in advance.
- The controller must provide information free of charge. The Federal Council may provide for exceptions, in particular if the effort required is disproportionate.
- The information shall in general be provided within 30 days.
Chapter 4 (Art. 25 - 29) — Rights of the Data Subject
- The controller may refuse to provide information, or restrict or delay the provision of information if:
- a. a formal law so provides, in particular in order to preserve professional secrecy;
- b. this is required to safeguard overriding third-party interests; or
- c. the request for information is obviously unjustified, in particular if does not serve the purpose of data protection or is clearly frivolous.
- Furthermore, it is possible to refuse, restrict or delay the provision of information in the following cases:
- a. The controller is a private person and the following requirements are satisfied:
- The controller's own overriding interests require the measure.
- The controller does not intend to disclose the personal data to third parties.
- b. The controller is a federal body, and one of the following requirements is satisfied:
- The measure is required to satisfy overriding public interests, in particular Switzerland's internal or external security.
- The communication of the information may compromise an enquiry, an investigation or administrative or judicial proceedings.
- a. The controller is a private person and the following requirements are satisfied:
- Legal entities that belong to the same group of companies are not third parties within the meaning of paragraph 2 letter a number 2.
- The controller must indicate why it is refusing, restricting or delaying the provision of the information.
- If personal data are processed exclusively for their publication in the editorial section of a periodically published medium, the controller may refuse, restrict or delay the provision of information for one of the following reasons:
- a. The data reveals the sources of the information.
- b. The provision of information would allow access to drafts of publications.
- c. The provision of information would compromise the freedom of the public to shape their own opinions.
- Journalists may also refuse, restrict or delay the provision of information if they are using the personal data exclusively as an aid to their own personal work.
- Any person may request the controller to deliver the personal data that they have disclosed to it in a conventional electronic format if:
- a. the controller is carrying out the automated processing of the data; and
- b. the data are being processed with the consent of the data subject or in direct connection with the conclusion or the performance of a contract between the controller and the data subject.
- The data subject may also request the controller to transfer their personal data to another controller if the requirements in paragraph 1 are met and no disproportionate effort is required.
- The controller must deliver or transfer the personal data free of charge. The Federal Council may provide for exceptions, in particular if the effort is disproportionate.
- The controller may refuse, restrict or delay the delivery or transfer of personal data for the reasons set out in Article 26 paragraphs 1 and 2.
- The controller must give reasons why it has decided to refuse, restrict or delay the delivery or transfer.