Swiss FADP Legal Text
Article 1: Purpose
This Act has the purpose of protecting the personality and fundamental rights of natural persons whose personal data is processed.
Quick Access
- Swiss Federal Act on Data Protection
- Chapter 1 (Art. 1 - 4) — Purpose, Scope of Application and Federal Supervisory Authority
- Chapter 2 (Art. 5 - 18) — General Provisions
- Chapter 3 (Art. 19 - 24) — Duties of the Controller and of the Processor
- Chapter 4 (Art. 25 - 29) — Rights of the Data Subject
- Chapter 5 (Art. 30 - 32) — Special Provisions on Data Processing by Private Persons
- Chapter 6 (Art. 33 - 42) — Special Provisions on Data Processing by Federal Bodies
- Chapter 7 (Art. 43 - 59) — Federal Data Protection and Information Commissioner
- Chapter 8 (Art. 60 - 66) — Criminal Provisions
- Chapter 9 (Art. 67) — Conclusion of International Treaties
- Chapter 10 (Art. 68 - 74) — Final Provisions
- Annexes
- Ordinance on Data Protection
- Chapter 1 (Art. 1 - 12) — General Provisions
- Chapter 2 (Art. 13 - 15) — Obligations of the Controller
- Chapter 3 (Art. 16 - 22) — Rights of the Data Subject
- Chapter 4 (Art. 23 - 24) — Special Provisions on Data Processing by Private Persons
- Chapter 5 (Art. 25 - 35) — Special Provisions on Data Processing by Federal Bodies
- Chapter 6 (Art. 36 - 44) — Federal Data Protection and Information Commissioner
- Chapter 7 (Art. 45 - 47) — Final Provisions
- Annexes
- Ordinance on Data Protection Certification
Table of Contents
Swiss Federal Act on Data Protection
- Article 5– Definitions
- Article 6– Principles
- Article 7– Data protection by design and data protection by default
- Article 8– Data security
- Article 9– Processing by processors
- Article 10– Data protection officer
- Article 11– Code of conduct
- Article 12– Record of processing activities
- Article 13– Certification
- Article 14– Representative
- Article 15– Duties of the representative
- Article 16– Principles
- Article 17– Exceptions
- Article 18– Publication of personal data in electronic form
- Article 19– Duty to provide information when collecting personal data
- Article 20– Exceptions from the duty to provide information and restrictions
- Article 21– Duty to provide information in the case of an automated individual decision
- Article 22– Data protection impact assessment
- Article 23– Consultation of the FDPIC
- Article 24– Notifications of data security breaches
- Article 25– Right to information
- Article 26– Limitations on the right to information
- Article 27– Limitation on the right to information for the media
- Article 28– Right to data portability
- Article 29– Restrictions on the right to data portability
- Article 30– Breaches of personality rights
- Article 31– Grounds for justification
- Article 32– Legal rights
- Article 33– Control and responsibility in the case of the joint processing of personal data
- Article 34– Legal basis
- Article 35– Automated data processing as part of pilot trials
- Article 36– Disclosure of personal data
- Article 37– Objecting to the disclosure of personal data
- Article 38– Offering documents to the Federal Archives
- Article 39– Data processing for purposes not related to specific persons
- Article 40– Private law activities by federal bodies
- Article 41– Rights and procedures
- Article 42– Procedure for disclosing official documents that contain personal data
- Article 43– Election and status
- Article 44– Term of office, re-election and termination of office
- Article 44a– Reprimand
- Article 45– Budget
- Article 46– Incompatibility
- Article 47– Additional occupation
- Recusal
- Article 48– Self-regulation of the FDPIC
- Article 49– Investigation
- Article 50– Powers
- Article 51– Administrative measures
- Article 52– Procedure
- Article 53– Coordination
- Article 54– Administrative assistance between Swiss authorities
- Article 55– Administrative assistance for foreign authorities
- Article 56– Register
- Article 57– Information
- Article 58– Further tasks
- Article 59– Fees
- Article 60– Violation of the duty to provide information, the right to information and the duty to cooperate
- Article 61– Violation of duties of care
- Article 62– Violation of the professional duty of confidentiality
- Article 63– Disregard of decisions
- Article 64– Corporate criminal liability
- Article 65– Jurisdiction
- Article 66– Statute of limitations for prosecution
- Article 67– Conclusion of International Treaties
- Article 68– Repeal and amendment of other legislation
- Article 69– Transitional provisions relating to ongoing instances of processing
- Article 70– Transitional provision relating to ongoing proceedings
- Article 71– Transitional provision relating to the data of legal entities
- Article 72– Transitional provision relating to the Commissioner's election and termination of office
- Transitional provision relating to the Commissioner’s employment contract
- Article 73– Coordination
- Article 74– Referendum and commencement
- Annex 1: Repeal and amendment of other legislation
- Annex 2: Coordination with other legislation
Ordinance on Data Protection
- Article 1– Principles
- Article 2– Goals
- Article 3– Technical and organisational measures
- Article 4– Logging
- Article 5– Processing regulations for private persons
- Article 6– Processing regulations for federal bodies
- Article 7– Processing by processors
- Article 8– Assessing the adequacy of the data protection offered by a State, territory, specified sector in a State, or international body
- Article 9– Data protection clauses and specific guarantees
- Article 10– Standard data protection clauses
- Article 11– Binding corporate rules
- Article 12– Code of conduct and certification
- Article 13– Modalities of the duty to provide information
- Article 14– Retention of the data protection impact assessment
- Article 15– Report of breaches of data security
- Article 16– Modalities
- Article 17– Responsibility
- Article 18– Deadline
- Article 19– Exception to the requirement not to charge fees
- Article 20– Scope of the right
- Article 21– Technical requirements for implementation
- Article 22– Deadline, modalities and responsibility
- Article 23– Data protection officer
- Article 24– Exemption from the obligation to keep a record of processing activities
- Article 25– Appointment
- Article 26– Requirements and tasks
- Article 27– Obligations of the federal body
- Article 28– Contact point for the FDPIC
- Article 29– Duty to provide information in the event of the disclosure of personal data
- Article 30– Duty to provide information in the event of the systematic collection of personal data
- Article 31– Notifying the FDPIC of projects for the automated processing of personal data
- Article 32– Mandatory nature of the pilot trial
- Article 33– Procedure for authorising the pilot trial
- Article 34– Evaluation report
- Article 35– Data processing for purposes not related to specific persons
- Article 36– Seat and permanent secretariat
- Article 37– Method of communication
- Article 38– Notice of decisions, guidelines and projects
- Article 39– Processing personal data
- Article 40– Self-regulation
- Article 41– Cooperation with the National Cybersecurity Centre
- Article 42– Register of processing activities by federal authorities
- Article 43– Code of conduct
- Article 44– Fees
- Article 45– Repeal and amendment of other legislation
- Article 46– Transitional provisions
- Article 47– Commencement
- Annex 1
- Annex 2
- Annex– Minimum Qualification Requirements for Staff
Swiss Federal Act on Data Protection
of 25 September 2020 (Status as of 1 April 2025)
The Federal Assembly of the Swiss Confederation,
on the basis of Articles 95 paragraph 1, 97 paragraph 1, 122 paragraph 1 and 173 paragraph 2 of the Federal Constitution,
and having considered the Federal Council dispatch dated 15 September 2017,
decrees:
Chapter 2 (Art. 5 - 18) — General Provisions
Section 1: Definitions and Principles
Article 5: Definitions
In this Act:
- a. personal data means any information relating to an identified or identifiable natural person;
- b. data subject means a natural person whose personal data is processed;
- c. sensitive personal data means:
- 1. data relating to religious, philosophical, political or trade union-related views or activities,
- 2. data relating to health, the private sphere or affiliation to a race or ethnicity,
- 3. genetic data,
- 4. biometric data that uniquely identifies a natural person,
- 5. data relating to administrative and criminal proceedings or sanctions,
- 6. data relating to social assistance measures;
- d. processing means any handling of personal data, irrespective of the means and procedures used, in particular the collection, storage, keeping, use, modification, disclosure, archiving, deletion or destruction of data;
- e. disclosure means transmitting personal data or making such data accessible;
- f. profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- g. high-risk profiling means profiling that poses a high risk to the data subject's personality or fundamental rights by matching data that allow an assessment to be made of essential aspects of the personality of a natural person;
- h. breach of data security means a breach of security that leads to the accidental or unlawful loss, deletion, destruction or modification or unauthorised disclosure or access to personal data;
- i. federal body means an authority or service of the Confederation or a person entrusted to carry out public tasks on behalf of the Confederation;
- j. controller means a private person who or federal body which, alone or jointly with others, determines the purpose and the means of processing personal data;
- k. processor means a private person or federal body that processes personal data on behalf of the controller.
Article 6: Principles
1 Personal data must be processed lawfully.
2 The processing must be carried out in good faith and be proportionate.
3 Personal data may only be collected for a specific purpose that the data subject can recognise; personal data may only be further processed in a manner that is compatible with this purpose.
4 They shall be destroyed or anonymised as soon as they are no longer required for the purpose of processing.
5 Any person who processes personal data must satisfy themselves that the data are accurate. They must take all appropriate measures to correct, delete or destroy data that are incorrect or incomplete insofar as the purpose for which they are collected or processed is concerned. The appropriateness of the measures depends in particular on the form and the extent of the processing and on the risk that the processing poses to the data subject's personality or fundamental rights.
6 If the consent of the data subject is required, such consent is only valid if given voluntarily for one or more specific instances of processing based on appropriate information.
7 The consent must be explicitly given for:
- a. processing sensitive personal data;
- b. high-risk profiling by a private person; or
- c. profiling by a federal body.
Article 7: Data protection by design and data protection by default
1 The controller is obliged to arrange the data processing in technical and organisational terms so that the data protection regulations, and in particular the principles under Article 6, are respected. It shall take account of this from the planning stage.
2 The technical and organisational measures must in particular be appropriate with regard to the state of the art, the nature and the extent of the data processing and the risk that the processing poses to the data subject's personality or fundamental rights.
3 The controller is obliged to ensure by means of suitable default settings that the processing of personal data is limited to the minimum required for the purpose intended, unless the data subject specifies otherwise.
Article 8: Data security
1 The controller and the processor shall guarantee a level of data security appropriate to the risk by taking suitable technical and organisational measures.
2 The measures must make it possible to avoid breaches of data security.
3 The Federal Council shall issue provisions on the minimum requirements for data security.
Article 9: Processing by processors
1 The processing of personal data may be assigned by contract or by the legislation to a processor if:
- a. the data is processed only in the manner in which the controller itself is permitted to do it; and
- b. no statutory or contractual duty of confidentiality prohibits assignment.
2 The controller must satisfy itself in particular that the processor is able to guarantee data security.
3 The processor may only assign processing to a third party with prior approval from the controller.
4 It may claim the same grounds for justification as the controller.
Article 10: Data protection officer
1 Private controllers may appoint a data protection officer.
2 The data protection officer is the contact point for the data subjects and for the authorities responsible for data protection in Switzerland. He or she has the following tasks in particular:
- a. training and advising the private controller in matters of data protection;
- b. providing support on applying the data protection regulations.
3 Private controllers may invoke the exception in Article 23 paragraph 4 if the following requirements are satisfied:
- a. The data protection officer exercises his or her function towards the controller in a professionally independent manner and is not bound by any instructions.
- b. He or she does not carry out any activities that are incompatible with his or her tasks as a data protection officer.
- c. He or she has the required expertise.
- d. The controller publishes the contact details of the data protection officer and notifies the FDPIC thereof.
4 The Federal Council shall regulate the appointment of data protection officers by federal bodies.
Article 11: Code of conduct
1 Professional, industry and trade associations that are authorised to safeguard the economic interests of their members in their articles of association and federal bodies may submit codes of conduct to the FDPIC.
2 The FDPIC shall state and publish his or her opinions on the codes of conduct.
Article 12: Record of processing activities
1 The controller and the processor shall each maintain a record of their processing activities.
2 The controller's record shall as a minimum contain:
- a. the identity of the controller;
- b. the purpose of processing;
- c. a description of the categories of data subjects and the categories of processed personal data;
- d. the categories of recipients;
- e. if possible, the retention period for the personal data or the criteria for determining this period;
- f. if possible, a general description of the measures taken to guarantee data security under Article 8;
- g. if the data are disclosed abroad, details of the State concerned and the guarantees under Article 16 paragraph 2.
3 The processor's record shall contain information on the identity of the processor and of the controller, the categories of processing carried out on behalf of the controller, and the information mentioned in paragraph 2 letters f and g.
4 The federal bodies shall notify the FDPIC of their records of processing activities.
5 The Federal Council shall provide exceptions for legal entities that have fewer than 250 employees and whose data processing poses a negligible risk of harm to the personality of the data subjects.
Article 13: Certification
1 The manufacturers of data processing systems or programs and controllers and processors may have their systems, products and services evaluated by recognised independent certification bodies.
2 The Federal Council shall issue regulations on the recognition of certification procedures and the introduction of a data protection quality mark. In doing so, it shall take account of international law and the internationally recognised technical standards.
Section 2: Data Processing by Private Controllers with Registered Office or Domicile Abroad
Article 14: Representative
1 Private controllers with registered office or domicile abroad shall appoint a representative in Switzerland if they process the personal data of persons in Switzerland and the data processing meets the following requirements:
- a. The processing is connected with the offer of goods or services or the monitoring of the behaviour of persons in Switzerland.
- b. The processing is on a large scale.
- c. The processing is carried out regularly.
- d. The processing poses a high risk to the personality of the data subjects.
2 The representative shall serve as the contact point for the data subjects and the FDPIC.
3 The controller shall publish the name and the address of the representative.
Article 15: Duties of the representative
1 The representative shall maintain a record of the controller's processing activities that contains the information set out in Article 12 paragraph 2.
2 On request, he or she shall provide the FDPIC with the information contained in the record.
3 On request, the representative shall provide data subjects with information on how they can exercise their rights.
Section 3: Cross-Border Disclosure of Personal Data
Article 16: Principles
1 Personal data may be disclosed abroad if the Federal Council has decided that the legislation of the State concerned or the international body guarantees an adequate level of protection.
2 In the absence of a decision by the Federal Council under paragraph 1, personal data may be disclosed abroad only if an appropriate level of data protection is guaranteed by:
- a. a treaty under international law;
- b. data protection clauses in an agreement between the controller or the processor and its contractual partner, notice of which has been given to the FDPIC beforehand;
- c. specific guarantees drawn up by the competent federal body, notice of which has been given to the FDPIC beforehand;
- d. standard data protection clauses that the FDPIC has approved, issued or recognised beforehand; or
- e. binding corporate rules that have been approved in advance by the FDPIC or by the authority responsible for data protection in a State that guarantees an adequate level of protection.
3 The Federal Council may provide for other appropriate guarantees in line with paragraph 2.
Article 17: Exceptions
1 In derogation from Article 16 paragraphs 1 and 2, personal data may be disclosed abroad in the following cases:
- a. The data subject has explicitly consented to disclosure.
- b. Disclosure is directly connected with the conclusion or performance of a contract:
- 1. between the controller and the data subject; or
- 2. between the controller and its contractual partner in the interests of the data subject.
- c. Disclosure is necessary in order to:
- 1. safeguard an overriding public interest; or
- 2. establish, exercise or enforce legal rights before a court or another competent foreign authority.
- d. Disclosure is necessary to protect the life or the physical integrity of the data subject or a third party, and it is not possible to obtain the consent of the data subject within a reasonable time.
- e. The data subject has made the data generally accessible and has not explicitly prohibited processing.
- f. The data originate from a statutory register that is public or accessible to persons with a legitimate interest, provided the statutory requirements for access are met in the case concerned.
2 The controller or the processor shall inform the FDPIC on request about the disclosure of personal data under paragraph 1 letters b number 2, c and d.
Article 18: Publication of personal data in electronic form
If personal data are made generally accessible by means of automated information and communications services in order to provide information to the general public, this is not deemed to be disclosure abroad, even if the data are accessible from abroad.
Chapter 3 (Art. 19 - 24) — Duties of the Controller and of the Processor
Article 19: Duty to provide information when collecting personal data
1 The controller shall inform the data subject in an appropriate manner when collecting personal data; this duty to provide information also applies if the data is not collected from the data subject.
2 It shall provide the data subject on collecting the data with the information required for the data subject to exercise their rights under this Act and to guarantee transparent data processing; it shall provide the following information as a minimum:
- a. the controller's identity and contact details;
- b. the purpose of processing;
- c. if applicable, the recipients or the categories of recipients to which personal data is disclosed.
3 If the data is not collected from the data subject, the controller shall also inform the data subject of the categories of processed personal data.
4 If the personal data are disclosed abroad, the controller shall also inform the data subject of the State or the international body to which such data are disclosed and if applicable of the guarantees under Article 16 paragraph 2 or the application of an exception under Article 17.
5 If the data is not collected from the data subject, the controller shall also inform the data subject of the information specified in paragraphs 2–4 at the latest one month after receiving the data. If the controller discloses the personal data before the expiry of this deadline, it shall inform the data subject at the time of disclosure at the latest.
Article 20: Exceptions from the duty to provide information and restrictions
1 The duty to provide information under Article 19 ceases to apply if one of the following requirements is satisfied:
- a. The data subject already has the information concerned.
- b. The processing is required by law.
- c. The controller is a private person who is required by law to preserve confidentiality.
- d. The requirements of Article 27 are satisfied.
2 If the personal data is not collected from the data subject, the duty to provide information also ceases to apply if any one of the following requirements is satisfied:
- a. It is not possible to provide the information.
- b. Providing the information requires disproportionate effort.
3 The controller may restrict, delay or dispense with the communication of the information in the following cases:
- a. It is required to do so because of overriding third party interests.
- b. Providing the information defeats the purpose of the processing.
- c. The controller is a private person and the following requirements are satisfied:
- 1. The controller is required to do so because of its own overriding interests.
- 2. The controller does not intend to disclose the personal data to third parties.
- d. The controller is a federal body and any one of the following requirements is satisfied:
- 1. The measure is required to satisfy overriding public interests, in particular to protect Switzerland's internal or external security.
- 2. The communication of the information may compromise an enquiry, an investigation or administrative or judicial proceedings.
4 Legal entities that belong to the same group of companies are not third parties within the meaning of paragraph 3 letter c number 2.
Article 21: Duty to provide information in the case of an automated individual decision
1 The controller shall inform the data subject about any decision that is based exclusively on automated processing and that has a legal consequence for or a considerable adverse effect on the data subject (automated individual decision).
2 It shall on request allow the data subject to express their point of view. The data subject may request that the automated individual decision be reviewed by a natural person.
3 Paragraphs 1 and 2 do not apply if:
- a. the automated individual decision is directly connected with the conclusion or the performance of a contract between the controller and the data subject and the data subject's request is granted; or
- b. the data subject has explicitly consented to the decision being automated.
4 If the automated individual decision is issued by a federal body, it must designate the decision accordingly. Paragraph 2 does not apply if, in accordance with Article 30 paragraph 2 of the Administrative Procedure Act of 20 December 1968 (APA) or another federal act, the data subject is not entitled to a hearing before the decision is taken.
Article 22: Data protection impact assessment
1 If processing is likely to result in a high risk to the data subject's personality or fundamental rights, the controller shall carry out a data protection impact assessment beforehand. If several similar processing procedures are planned, a joint assessment may be carried out.
2 The existence of a high risk, in particular when using new technologies, depends on the nature, extent, circumstances and purpose of the processing. A high risk arises in particular:
- a. in the case of the large-scale processing of sensitive personal data;
- b. if public areas are systematically monitored on a large scale.
3 The data protection impact assessment shall include a description of the planned processing, an evaluation of the risks to the data subject's personality or fundamental rights and a description of the measures to protect personality and fundamental rights.
4 Private controllers are exempt from having to carry out a data protection impact assessment if they are required by law to process the data.
5 A private controller may dispense with carrying out a data protection impact assessment if it uses a system, product or service that is certified under Article 13 for the intended use, or if it complies with a code of conduct under Article 11 that satisfies the following requirements:
- a. The code of conduct is based on a data protection impact assessment.
- b. It provides for measures to protect the personality and the data subject's fundamental rights.
- c. It has been submitted to the FDPIC.
Article 23: Consultation of the FDPIC
1 If the data protection impact assessment indicates that the planned processing despite the measures planned by the controller will still pose a high risk to the personality or the data subject's fundamental rights, the controller shall seek the FDPIC's opinion beforehand.
2 The FDPIC shall inform the controller within two months of any objections to the planned processing. This deadline may be extended by one month if the data processing is complex.
3 If the FDPIC objects to the planned processing, he or she shall propose suitable measures to the controller.
4 A private controller may dispense with consulting the FDPIC if it has consulted the data protection officer under Article 10.
Article 24: Notifications of data security breaches
1 The controller shall notify the FDPIC of any breach of data security that is likely to lead to a high risk to the data subject's personality or fundamental rights as quickly as possible.
2 In the notification, it shall as a minimum specify the nature of the breach of data security, its consequences and the measures taken or planned.
3 The processor shall notify the controller of any breach of data security as quickly as possible.
4 The controller shall inform the data subject if this is required for their protection or if the FDPIC so requests.
5 It may limit, delay or dispense with the provision of information to the data subject if:
- a. there is a reason for doing so pursuant to Article 26 paragraph 1 letter b or paragraph 2 letter b or the provision of information is prohibited by a statutory duty of confidentiality;
- b. the provision of information is impossible or requires disproportionate effort; or
- c. the provision of information to the data subject is equally guaranteed by making a public announcement.
6 A notification made pursuant to this Article may only be used against the person required to notify in criminal proceedings with that person's consent.
* Inserted by No II 2 of the FA of 29 Sept. 2023 (Introduction of a Reporting Obligation for Cyberattacks on Critical Infrastructure), in force since 1 April 2025 (AS 2024 257; 2025 168, 173; BBl 2023 84).
Chapter 4 (Art. 25 - 29) — Rights of the Data Subject
Article 25: Right to information
1 Any person may request information from the controller on whether personal data relating to them is being processed.
2 The data subject shall receive the information required to be able to exercise their rights under this Act and to guarantee transparent data processing. In every case, they are entitled to the following information:
- a. the identity and the contact details of the controller;
- b. the processed personal data as such;
- c. the purpose of processing;
- d. the retention period for the personal data or, if this is not possible, the criteria for determining this period;
- e. the available information about the source of the personal data, if it has not been collected from the data subject;
- f. if applicable, whether an automated individual decision has been taken and the logic behind the decision;
- g. if applicable, the recipients or the categories of recipients to which personal data is disclosed, as well as the information specified in Article 19 paragraph 4.
3 The data subject may consent to having personal data relating to their health communicated by a health professional of their choice.
4 If the controller arranges for personal data to be processed by a processor, it remains under a duty to provide information.
5 No one may waive their right to information in advance.
6 The controller must provide information free of charge. The Federal Council may provide for exceptions, in particular if the effort required is disproportionate.
7 The information shall in general be provided within 30 days.
Article 26: Limitations on the right to information
1 The controller may refuse to provide information, or restrict or delay the provision of information if:
- a. a formal law so provides, in particular in order to preserve professional secrecy;
- b. this is required to safeguard overriding third-party interests; or
- c. the request for information is obviously unjustified, in particular if it does not serve the purpose of data protection or is clearly frivolous.
2 Furthermore, it is possible to refuse, restrict or delay the provision of information in the following cases:
- a. The controller is a private person and the following requirements are satisfied:
- 1. The controller's own overriding interests require the measure.
- 2. The controller does not intend to disclose the personal data to third parties.
- b. The controller is a federal body, and one of the following requirements is satisfied:
- 1. The measure is required to satisfy overriding public interests, in particular Switzerland's internal or external security.
- 2. The communication of the information may compromise an enquiry, an investigation or administrative or judicial proceedings.
3 Legal entities that belong to the same group of companies are not third parties within the meaning of paragraph 2 letter a number 2.
4 The controller must indicate why it is refusing, restricting or delaying the provision of the information.
Article 27: Limitation on the right to information for the media
1 If personal data are processed exclusively for their publication in the editorial section of a periodically published medium, the controller may refuse, restrict or delay the provision of information for one of the following reasons:
- a. The data reveals the sources of the information.
- b. The provision of information would allow access to drafts of publications.
- c. The provision of information would compromise the freedom of the public to shape their own opinions.
2 Journalists may also refuse, restrict or delay the provision of information if they are using the personal data exclusively as an aid to their own personal work.
Article 28: Right to data portability
1 Any person may request the controller to deliver the personal data that they have disclosed to it in a conventional electronic format if:
- a. the controller is carrying out the automated processing of the data; and
- b. the data are being processed with the consent of the data subject or in direct connection with the conclusion or the performance of a contract between the controller and the data subject.
2 The data subject may also request the controller to transfer their personal data to another controller if the requirements in paragraph 1 are met and no disproportionate effort is required.
3 The controller must deliver or transfer the personal data free of charge. The Federal Council may provide for exceptions, in particular if the effort is disproportionate.
- The controller may refuse, restrict or delay the delivery or transfer of personal data for the reasons set out in Article 26 paragraphs 1 and 2.
- The controller must give reasons why it has decided to refuse, restrict or delay the delivery or transfer.
Chapter 5 (Art. 30 - 32) — Special Provisions on Data Processing by Private Persons
- Any person who processes personal data must not unlawfully breach the data subjects' personality rights.
- A breach of personality rights arises in particular if:
- a. personal data are processed contrary to the principles of Articles 6 and 8;
- b. personal data are processed contrary to the express wishes of the data subject;
- c. sensitive personal data are disclosed to third parties.
- In general no breach of personality rights arises if the data subject makes the personal data generally accessible and has not explicitly prohibited any processing.
- A breach of personality rights is unlawful unless it is justified by the consent of the data subject, by an overriding private or public interest, or by the law.
- The controller may have an overriding interest in the following cases in particular:
- a. The controller processes personal data relating to a contracting party in direct connection with the conclusion or the performance of a contract.
- b. The controller is or intends to be in commercial competition with another person and for this purpose processes personal data that are not disclosed to third parties; legal entities that belong to the same group of companies as the controller are not regarded as third parties for the purposes of this provision.
- c. The controller processes personal data to verify the creditworthiness of the data subject, provided the following requirements are satisfied:
- The matter involves neither sensitive personal data nor high-risk profiling.
- The data are only disclosed to third parties if the third parties require the data for the conclusion or the performance of a contract with the data subject.
- The data are no more than ten years old.
- The data subject has attained the age of majority.
- d. The controller processes the personal data professionally and exclusively for publication in the editorial section of a periodically published medium or the controller uses the data, if they are not published, as an aid to their own personal work.
- e. The controller processes the personal data for purposes not related to specific persons, in particular for research, planning or statistics, provided the following requirements are satisfied:
- The controller anonymises the data as soon as the purpose of processing permits; if anonymity is impossible or if it requires disproportionate effort, the controller shall take appropriate measures to prevent the identification of the data subject.
- If the matter involves sensitive personal data, the controller shall disclose such data to third parties in such a manner that the data subject is not identifiable; if this is not possible, it must be guaranteed that the third parties only process the data for purposes unrelated to the data subject's person.
- The results are published in such a manner that data subjects are not identifiable.
- f. The controller collects personal data relating to a public figure that relate to that person's public activities.
- The data subject may request that incorrect personal data be corrected unless:
- a. a statutory provision prohibits the correction;
- b. the personal data are processed for archiving purposes that are in the public interest.
- Actions to protect the personality are governed by Articles 28, 28a and 28g–28l of the Civil Code. The applicant may in particular request that:
- a. a specific data processing activity be prohibited;
- b. a specific disclosure of personal data to third parties be prohibited;
- c. personal data be deleted or destroyed.
- If neither the accuracy nor the inaccuracy of the relevant personal data can be established, the applicant may request that the data be marked as being disputed.
- The applicant may also request that any correction, deletion or destruction, prohibition of processing or disclosure to third parties, marking as disputed or judgment be communicated to third parties or be published.
Chapter 6 (Art. 33 - 42) — Special Provisions on Data Processing by Federal Bodies
The Federal Council shall regulate the control procedures and responsibility for data protection in cases in which a federal body processes personal data jointly with other federal bodies, with cantonal bodies or with private persons.
- Federal bodies may only process personal data if there is a statutory basis for doing so.
- A statutory basis in a formal law is required in the following cases:
- a. The matter involves the processing of sensitive personal data.
- b. The matter involves profiling.
- c. The purpose or manner of the data processing may lead to a serious violation of the data subject's fundamental rights.
- A statutory basis in a substantive law is sufficient as the basis for processing personal data under paragraph 2 letters a and b provided the following requirements are satisfied:
- a. Processing is essential for a task required by a formal law.
- b. The purpose of processing poses no particular risks to the data subject's fundamental rights.
- In derogation from paragraphs 1–3, federal bodies may process personal data if any one of the following requirements is satisfied:
- a. The Federal Council has authorised the processing because it considers that the data subject's rights are not at risk.
- b. The data subject has consented to the processing in the specific case or has made their personal data generally accessible and has not explicitly prohibited any processing.
- c. The processing is necessary in order to protect the life or physical integrity of the data subject or of a third party, and it is not possible to obtain the consent of the data subject within a reasonable time.
- Before a formal enactment comes into force, the Federal Council may authorise the automated processing of sensitive personal data or other data processing under Article 34 paragraph 2 letters b and c if:
- a. the tasks for which the processing is required are regulated in a formal law that is already in force;
- b. adequate measures have been taken to limit any violation of the data subjects' fundamental rights to a minimum; and
- c. a test phase before the enactment comes into force is essential for the practical implementation of the data processing, in particular for technical reasons.
- The Federal Council shall obtain the FDPIC's opinion beforehand.
- The competent federal body shall submit an evaluation report to the Federal Council no later than two years after the start of the pilot trial. In the report, it shall propose the continuation or discontinuation of the processing.
- Automated data processing must in every case be discontinued if no formal enactment containing the required legal basis has come into force within five years of the start of the pilot trial.
- Federal bodies may only disclose personal data if there is a statutory basis for doing so in accordance with Article 34 paragraphs 1–3.
- They may disclose personal data in specific cases in derogation from paragraph 1, if any one of the following requirements is satisfied:
- a. The data must be disclosed in order for the controller or the recipient to fulfil a statutory duty.
- b. The data subject has consented to disclosure.
- c. The data must be disclosed in order to protect the life or physical integrity of the data subject or of a third party and it is not possible to obtain the consent of the data subject within a reasonable time.
- d. The data subject has made their personal data generally accessible and has not explicitly prohibited any processing.
- e. The recipient has credibly shown that the data subject has refused consent or objected to the disclosure in order to prevent the recipient from enforcing legal rights or exercising other legitimate interests; the data subject must be given the opportunity beforehand to comment, unless this is impossible or requires disproportionate effort.
- The federal bodies may furthermore disclose personal data as part of official information provided to the public or based on the Freedom of Information Act of 17 December 2004 if:
- a. the data is connected with the fulfilment of public duties; and
- b. there is an overriding public interest in the disclosure.
- They may also disclose a person’s surname, first name, address and date of birth on request even if the requirements in paragraphs 1 or 2 are not satisfied.
- They may make personal data generally accessible by means of automated information and communications services if there is a legal basis for publishing the data or if they disclose data based on paragraph 3. If there is no longer a public interest in making the data generally accessible, the data concerned shall be deleted from the automated information and communications service.
- The federal bodies shall refuse or restrict disclosure or make disclosure subject to requirements if:
- a. essential public interests or the manifestly legitimate interests of the data subject so require; or
- b. statutory duties of confidentiality or special data protection regulations so require.
- A data subject who credibly shows a legitimate interest may object to the disclosure of specific personal data by the responsible federal body.
- The federal body shall reject the objection if any one of the following requirements is satisfied:
- a. There is a legal duty to disclose the data.
- b. The fulfilment of the body's tasks would otherwise be jeopardised.
- Article 36 paragraph 3 remains reserved.
- In accordance with the Archiving Act of 26 June 1998, federal bodies shall offer to the Federal Archives all personal data that they no longer regularly require.
- They shall destroy personal data that the Federal Archives do not deem to be worth archiving unless:
- a. the data are anonymised;
- b. they must be preserved for evidentiary or security purposes or to safeguard the data subject's legitimate interests.
- Federal bodies may process personal data for purposes not related to specific persons, in particular for research, planning or statistics, provided:
- a. the data are anonymised as soon as the purpose of processing permits;
- b. the federal body only discloses sensitive personal data to private persons in such a manner that the data subjects are not identifiable;
- c. the recipient only transmits the data to third parties with the consent of the federal body that disclosed the data; and
- d. the results are only published in such a manner that the data subjects are not identifiable.
- Articles 6 paragraph 3, 34 paragraph 2 and 36 paragraph 1 do not apply.
If a federal body acts under private law, the provisions on data processing by private persons apply.
- Any person who has a legitimate interest may request the responsible federal body to:
- a. stop the unlawful processing of the personal data concerned;
- b. redress the consequences of unlawful processing;
- c. declare the processing to be unlawful.
- The applicant may in particular request the federal body to:
- a. correct, delete or destroy the personal data concerned;
- b. communicate its decision, in particular about correcting, deleting or destroying personal data, the objection against the disclosure under Article 37 or marking data as disputed under paragraph 4, to third parties or publish the decision.
- Instead of deleting or destroying the personal data, the federal body shall restrict the processing if:
- a. the data subject disputes the accuracy of the personal data and neither its accuracy nor its inaccuracy can be established;
- b. the overriding interests of third parties so require;
- c. an overriding public interest, in particular Switzerland's internal or external security, so requires;
- d. deleting or destroying the data may jeopardise an enquiry, an investigation or an administrative or judicial procedure.
- If neither the accuracy nor the inaccuracy of the relevant personal data can be established, the federal body shall mark the data as being disputed.
- The correction, deletion or destruction of personal data may not be requested in connection with the stocks held by publicly accessible libraries, education and training institutions, museums, archives or other public memory institutions. If the applicant credibly shows an overriding interest, he or she may request the institution to restrict access to the disputed data. Paragraphs 3 and 4 do not apply.
- The procedure is governed by the APA. The exceptions in Articles 2 and 3 APA do not apply.
Where proceedings relating to access to official documents that contain personal data in accordance with the Freedom of Information Act of 17 December 2004 are pending, the data subject may claim those rights in the proceedings that they would have under Article 41 of this Act in relation to the documents that are the subject matter of the access proceedings.
Chapter 7 (Art. 43 - 59) — Federal Data Protection and Information Commissioner
Section 1: Organisation
- The United Federal Assembly shall elect the head of the FDPIC (the Commissioner).
- Any person with the right to vote on federal matters is eligible for election.
- The Commissioner's employment relationship is governed, unless this Act provides otherwise, by the Federal Personnel Act of 24 March 2000 (FPA). The Commissioner shall be insured against the financial consequences of retirement, invalidity and death with PUBLICA, the Federal Pension Fund. If the Commissioner remains in the position after reaching the age of 65 and so requests, pension cover shall be extended until the end of the employment contract, but no later than the end of the year in which the Commissioner attains the age of 68. The FDPIC shall finance the employer’s contributions.*
- 3bis. The Federal Assembly shall issue the implementing provisions relating to the Commissioner’s employment contract in an ordinance.**
- The Commissioner shall exercise his or her duties independently, without seeking or accepting instructions from any authority or third party. He or she is assigned for administrative purposes to the Federal Chancellery.
- He or she shall have a permanent secretariat and his or her own budget. He or she shall appoint his or her staff.
- He or she is not subject to the system of assessment under Article 4 paragraph 3 FPA.
* Second to fourth sentences inserted by No I of the FA of 17 June 2022 (Employment Contract for the Head of the FDPIC), in force since 1 Sept. 2023 (AS 2023 231; BBl 2022 345, 432).
** Inserted by No I of the FA of 17 June 2022 (Employment Contract for the Head of the FDPIC), in force since 1 Sept. 2023 (AS 2023 231; BBl 2022 345, 432).
- The Commissioner's term of office is four years and may be extended twice. It begins on the first day of January following the start of the National Council's legislature period.
- The Commissioner may terminate his or her employment contract at the end of any month subject to a period of six months' notice. The Judiciary Committee may in an individual case allow the Commissioner a shorter period of notice if there are no substantial interests that preclude this. *
- The United Federal Assembly may remove the Commissioner from office before the end of the term of office if he or she:
- a. has wilfully or through gross negligence committed a serious violation of his or her official duties; or
- b. has permanently lost the capacity to carry out his or her official duties.
* Amended by No I of the FA of 17 June 2022 (Employment Contract for the Head of the FDPIC), in force since 1 Sept. 2023 (AS 2023 231; BBl 2022 345, 432).
The FDPIC shall submit the draft of his or her budget each year via the Federal Chancellery to the Federal Council. The Federal Council shall submit the budget unchanged to the Federal Assembly.
The Commissioner may not be a member of the Federal Assembly or the Federal Council and may not have any other employment relationship with the Confederation.
- The Commissioner may not have any additional occupations.
- The Judiciary Committee may permit the Commissioner to carry out an additional occupation provided this does not adversely affect the exercise of his or her duties or the independence and the reputation of the FDPIC.* The decision shall be published.
* Amended by No I of the FA of 17 June 2022 (Employment Contract for the Head of the FDPIC), in force since 1 Sept. 2023 (AS 2023 231; BBl 2022 345, 432).
In the event of any dispute with regard to the Commissioner’s recusal, the decision shall be taken by the president of the division of the Federal Administrative Court that is competent in data protection matters.*
* Inserted by No I of the FA of 17 June 2022 (Employment Contract for the Head of the FDPIC), in force since 1 Sept. 2023 (AS 2023 231; BBl 2022 345, 432).
The FDPIC shall ensure by means of suitable control measures, in particular in relation to data security, that the legally compliant implementation of data protection regulations under federal law is guaranteed within his or her office.
Section 2: Investigation of Violations of Data Protection Regulations
- The FDPIC shall open an investigation into a federal body or a private person ex officio or in response to a report if there are sufficient indications that a data processing activity could violate data protection regulations.
- It may refrain from opening an investigation if the violation of data protection regulations is of minor importance.
- The federal body or the private person shall provide the FDPIC with all the information and documents that are needed for the investigation. The right to refuse to provide information is governed by Articles 16 and 17 of the APA, unless Article 50 paragraph 2 of this Act provides otherwise.
- If the data subject has filed a report, the FDPIC shall inform them about the steps taken in response and the result of any investigation.
- If the federal body or the private person fails to fulfil the duties to cooperate, the FDPIC may as part of the investigation order the following in particular:
- a. access to all information, documents, records of processing activities and personal data that are required for the investigation;
- b. access to premises and installations;
- c. questioning of witnesses;
- d. appraisals by experts.
- Professional secrecy remains reserved.
- In order to enforce the measures under paragraph 1 the FDPIC may request support from other federal authorities and from the cantonal or communal police.
- If data protection regulations have been violated, the FDPIC may order that the processing be modified, suspended or terminated, wholly or in part, and the personal data deleted or destroyed, wholly or in part.
- It may delay or prohibit disclosure abroad if this violates the requirements of Article 16 or 17 or provisions relating to the disclosure of personal data abroad in other federal acts.
- It may in particular order that the federal body or the private person:
- a. provide him or her with information in accordance with Articles 16 paragraph 2 letters b and c and 17 paragraph 2;
- b. take the measures in accordance with Articles 7 and 8;
- c. inform the data subjects in accordance with Articles 19 and 21;
- d. conduct a data protection impact assessment in accordance with Article 22;
- e. consult him or her in accordance with Article 23;
- f. provide him or her or, if applicable, the data subject with information in accordance with Article 24;
- g. provide the data subject with the information specified in Article 25.
- It may also order that private controllers with registered office or domicile abroad appoint a representative in accordance with Article 14.
- If the federal body or the private person has taken the required measures during the investigation in order to restore compliance with the data protection regulations, the FDPIC may simply issue an official warning.
- The investigation proceedings and rulings under Articles 50 and 51 are governed by the APA.
- The only party is the federal body or the private person against which or whom an investigation has been opened.
- The FDPIC may contest appeal decisions of the Federal Administrative Court.
- Federal administrative authorities that supervise private persons or organisations outside the Federal Administration in accordance with another federal act shall invite the FDPIC to comment before they issue a ruling that relates to data protection issues.
- If the FDPIC is conducting his or her own investigation against the same party, the two authorities shall coordinate their proceedings.
Section 3: Administrative Assistance
- Federal authorities and cantonal authorities shall provide the FDPIC with the information and personal data that it requires to fulfil its statutory duties.
- The FDPIC shall provide the following authorities with the information and personal data that they require to fulfil their statutory duties:
- a. the authorities responsible for data protection in Switzerland;
- b. the competent prosecution authorities, where the matter relates to an offence reported under Article 65 paragraph 2;
- c. the federal authorities and the cantonal and communal police for the implementation of measures in accordance with Articles 50 paragraph 3 and 51.
- The FDPIC may exchange information or personal data with foreign authorities that are responsible for data protection in order that they may fulfil their respective statutory duties in relation to data protection, provided the following requirements are satisfied:
- a. Reciprocity with regard to administrative assistance is guaranteed.
- b. The information and personal data are used only in the proceedings related to data protection that are the subject of the request for administrative assistance.
- c. The recipient authority undertakes to preserve professional secrecy as well as trade and manufacturing secrecy.
- d. The information and personal data are only disclosed to third parties if the authority that provided them gives its approval beforehand.
- e. The recipient authority undertakes to comply with the requirements and restrictions imposed by the authority that provided the information and personal data.
- In order to justify its request for administrative assistance or to comply with the request from an authority, the FDPIC may provide the following information in particular:
- a. the identity of the controller, of the processor or of other third parties involved;
- b. the categories of data subjects;
- c. the identity of the data subjects, provided:
- the data subjects have consented, or
- disclosure of the identity of the data subjects is essential for the FDPIC or the foreign authority to fulfil statutory duties;
- d. processed personal data or categories of processed personal data;
- e. the purpose of processing;
- f. the recipients or the categories of recipients;
- g. technical and organisational measures.
- Before the FDPIC provides information that may include professional, trade or manufacturing secrets to a foreign authority, it shall inform the natural persons or legal entities concerned that hold these secrets, and invite them to comment, unless this is not possible or requires disproportionate effort.
Section 4: Other Tasks of the FDPIC
The FDPIC shall keep a register of the processing activities of federal bodies. The register shall be published.
- The FDPIC shall submit a report on his or her activities to the Federal Assembly every year. He or she shall submit the report to the Federal Council at the same time. The report shall be published.
- In cases of general interest, the FDPIC shall inform the public about its findings and rulings.
- The FDPIC shall also carry out the following tasks in particular:
- a. It shall inform, train and advise federal bodies and private persons on data protection matters.
- b. It shall support the cantonal bodies and work with Swiss and foreign authorities that are responsible for data protection.
- c. It shall raise public awareness, and in particular that of persons in need of protection, in relation to data protection.
- d. It shall provide data subjects on request with information on how they may exercise their rights.
- e. It shall comment on draft federal legislation and measures that involve data processing.
- f. It shall carry out the duties assigned to it under the Freedom of Information Act of 17 December 2004 or other federal acts.
- g. It shall develop working instruments as recommendations of good practice for use by controllers, processors and data subjects; for this purpose, it shall take into account the specifics of the field concerned and the need to protect vulnerable persons.
- It may also advise federal bodies that are not subject to its supervision in accordance with Articles 2 and 4. The federal bodies may allow it to inspect files.
- The FDPIC has the power to declare to foreign authorities that are responsible for data protection that direct service is permitted in relation to data protection in Switzerland, provided Switzerland is granted reciprocal rights.
Section 5: Fees
- The FDPIC shall charge private persons fees for:
- a. its opinion on a code of conduct in accordance with Article 11 paragraph 2;
- b. the approval of standard data protection clauses and binding corporate rules in accordance with Article 16 paragraph 2 letters d and e;
- c. consultation in connection with a data protection impact assessment in accordance with Article 23 paragraph 2;
- d. precautionary measures and measures under Article 51;
- e. advice on data protection issues in accordance with Article 58 paragraph 1 letter a.
- The Federal Council shall specify the amount of the fees.
- It may stipulate the cases in which it is possible to waive or reduce a fee.
Chapter 8 (Art. 60 - 66) — Criminal Provisions
- On complaint, a fine not exceeding 250,000 francs shall be imposed on private persons who:
- a. violate their duties under Articles 19, 21 and 25–27, in that they wilfully provide false or incomplete information;
- b. fail wilfully:
- to provide information to the data subject in accordance with Articles 19 paragraph 1 and 21 paragraph 1, or
- to provide the data subject with the information specified in Article 19 paragraph 2.
- A fine not exceeding 250,000 francs shall be imposed on private persons who, in violation of Article 49 paragraph 3, wilfully provide the FDPIC with false information or wilfully fail to cooperate in the course of an investigation.
On complaint, a fine not exceeding 250,000 francs shall be imposed on private persons who wilfully:
- a. disclose personal data abroad in violation of Article 16 paragraphs 1 and 2 without satisfying the requirements of Article 17;
- b. assign the data processing to a processor without satisfying the requirements of Article 9 paragraphs 1 and 2;
- c. fail to comply with the minimum requirements for data security stipulated by the Federal Council in Article 8 paragraph 3.
- Any person who, while practising his or her profession, acquires knowledge of secret personal data for the purpose of that profession but thereafter wilfully discloses such data shall on complaint be liable to a fine not exceeding 250,000 francs.
- The same penalty shall apply to any person who wilfully discloses secret personal data that has come to his or her knowledge while carrying on an activity for or while training with a person subject to a duty of confidentiality.
- The disclosure of secret personal data after ceasing to practise a profession or after completing training is also a criminal offence.
Any private person who wilfully fails to comply with a ruling issued by the FDPIC or a decision of the appeal courts that refers to the penalty under this Article shall be liable to a fine not exceeding 250,000 francs.
- The criminal liability of businesses is governed by Articles 6 and 7 of the Federal Act of 22 March 1974 on Administrative Criminal Law (ACLA).
- If a fine not exceeding 50,000 francs is under consideration and if the identification of the perpetrators in accordance with Article 6 ACLA requires measures that would be disproportionate in view of the potential penalty, the authority may decide not to pursue these persons but instead to order the business to pay the fine (Art. 7 ACLA).
- The prosecution and the adjudication of criminal acts is a matter for the cantons.
- The FDPIC may file a complaint with the competent prosecution authority and exercise the rights of a private claimant in the proceedings.
Prosecution is subject to a statute of limitations of five years.
Chapter 9 (Art. 67) — Conclusion of International Treaties
The Federal Council may conclude international treaties relating to:
- a. international cooperation between data protection authorities;
- b. the mutual acknowledgement of an adequate level of protection for the disclosure of personal data abroad.
Chapter 10 (Art. 68 - 74) — Final Provisions
The repeal and the amendment of other legislation are regulated in Annex 1.
Articles 7, 22 and 23 do not apply to data processing that began before this Act comes into force, provided the purpose of processing remains unchanged and no new data are collected.
This Act does not apply to FDPIC investigations that are ongoing at the time that it comes into force; likewise, this Act does not apply to appeals pending against first instance decisions issued before it comes into force. Such cases are governed by the previous law.
For federal bodies, regulations in other federal legislation that relate to personal data shall continue to apply to the data of legal entities for five years from the date on which this Act comes into force. In particular, federal bodies may continue to disclose the data of legal entities in accordance with Article 57s paragraphs 1 and 2 of the Government and Administration Organisation Act of 21 March 1997 for five years from the date on which this Act comes into force if there is a legal basis that authorises them to disclose personal data.
- The election of the Commissioner and the termination of his or her term of office shall be governed by the previous law until the end of the legislature period in which this Act comes into force.
- If the incumbent is elected in the first vote of the United Federal Assembly to elect the Commissioner, the Commissioner’s new term of office begins on the day after the election.*
* Inserted by No I of the FA of 17 June 2022 (Employment Contract for the Head of the FDPIC), in force since 1 Sept. 2023 (AS 2023 231; BBl 2022 345, 432).
Coordination with other enactments is regulated in Annex 2.
- This Act is subject to an optional referendum.
- The Federal Council shall determine the commencement date.
Commencement date: 1 September 2023*
* BRB of 31 Aug. 2022.
Annexes
I. The following enactments are repealed:
- Federal Act of 19 June 1992* on Data Protection;
- Schengen-Data Protection Act of 28 September 2018.
II. The following enactments are amended as follows:
...**
* [AS 1993 1945; 1997 2372 No II; 1998 1546 Art. 31, 1999 2243 Art. 25; 2006 2197 Annex No 26, 2319 Annex No 4; 2007 4983; 2010 1739 Annex 1 No II 14, 3387 No 3; 2013 3215 Annex No 1; 2019 625 No II 1]
Ordinance on Data Protection
The Swiss Federal Council,
on the basis of Articles 8 paragraph 3, 10 paragraph 4, 12 paragraph 5,
16 paragraph 3, 25 paragraph 6, 28 paragraph 3, 33, 59 paragraphs 2 and 3 of the Data Protection Act of 25 September 2020 (FADP),
ordains:
Chapter 1 (Art. 1 - 12) — General Provisions
Section 1: Data Security
- In order to guarantee an adequate level of data security, the controller and the processor must determine the extent to which personal data requires to be protected and adopt the technical and organisational measures that are appropriate to the risk.
- The extent to which personal data requires to be protected shall be assessed according to the following criteria:
- a. the type of the data being processed;
- b. the purpose, nature, extent and circumstances of the processing.
- The risk for the personality or fundamental rights of the data subject shall be assessed according to the following criteria:
- a. the causes of the risk;
- b. the main threats;
- c. measures taken or planned to reduce the risk;
- d. the probability and seriousness of a breach of data security despite the measures taken or planned.
- When determining the technical and organisational measures, the following criteria shall also be considered:
- a. the state of the art;
- b. the implementation costs.
- The extent to which personal data requires to be protected, the risk and the technical and organisational measures shall be reviewed throughout the period of processing. The measures shall be adjusted if necessary.
The controller and the processor must take technical and organisational measures in order to ensure, depending on the level of protection required, that the data being processed:
- a. are only accessible to authorised persons (confidentiality);
- b. are available when they are required (availability);
- c. are not altered without authorisation or unintentionally (integrity);
- d. are processed in a traceable manner (traceability).
- In order to guarantee confidentiality, the controller and the processor must take appropriate measures to ensure that:
- a. authorised persons only have access to those personal data that they require to fulfil their tasks (data access control);
- b. only authorised persons have access to the premises and facilities in which personal data are processed (premises and facilities access control);
- c. unauthorised persons are unable to use automated data processing systems by means of data transmission devices (user control).
- In order to guarantee availability and integrity, the controller and the processor must take appropriate measures to ensure that:
- a. unauthorised persons are unable to read, copy, alter, move, delete or destroy data carriers (data carrier control);
- b. unauthorised persons are unable to save, read, alter, delete or destroy stored personal data (storage control);
- c. unauthorised persons are unable to read, copy, alter, delete or destroy personal data in the event of the disclosure of personal data or when data carriers are being transported (transport control);
- d. the availability of personal data and access to them can be rapidly restored in the event of a physical or technical incident (restoration);
- e. all functions of the automated data processing system are available (availability), malfunctions are reported (reliability) and stored personal data cannot be damaged by system malfunctions (data integrity);
- f. operating systems and application software always meet the latest security standards and known critical vulnerabilities are resolved (system security).
- In order to guarantee traceability, the controller and the processor must take appropriate measures to ensure that:
- a. it can be verified what personal data were entered or altered in the automated data processing system at what time and by which person (entry control);
- b. it can be verified to whom personal data are disclosed with the aid of data transmission devices (disclosure control);
- c. breaches of data security are recognised rapidly (recognition) and measures are taken to mitigate or eliminate the consequences (elimination).
- If a large volume of sensitive personal data is processed by automated means or if high-risk profiling is carried out and if preventive measures are unable to guarantee data protection, the private controller and its private processor must as a minimum log the storage, alteration, reading, disclosure, deletion and destruction of the data. A log file must in particular be kept if otherwise it would not be possible to establish whether the data has been processed for the purposes for which it was collected or disclosed.
- The responsible federal body and its processor shall in the case of automated processing of personal data log as a minimum the storage, alteration, reading, disclosure, deletion and destruction of the data.
- In the case of personal data that are generally accessible to the public, logs shall be kept as a minimum of the storage, alteration, deletion and destruction of the data.
- The log file must provide information about the identity of the person that carried out the processing, the form, date and time of processing, and, if applicable, the identity of the recipient of the data.
- The log files must be retained for at least one year and kept separate from the system in which the personal data are processed. They may only be made accessible to the bodies and persons that are required to review the application of the data protection regulations or to safeguard or restore the confidentiality, integrity, availability and traceability of the data, and may only be used for this purpose.
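As an added example (not part of the Ordinance or of any official tooling), a small Python check that a JSON-lines audit log and its logging configuration meet the minimum set by Article 4: the six operations to be logged, the identity, form, time and recipient details of each entry, one-year retention, and separation from the processing system. Field and key names such as actor, operation, recipient, logged_operations, log_target and data_system are assumptions chosen for this illustration, and the sample records are constructed.

```python
"""Audit-log checks for Art. 4 of the Ordinance on Data Protection (added example).

Field names (actor, operation, timestamp, recipient, record) and config keys
(logged_operations, log_retention_days, log_target, data_system) are assumptions
made for this illustration; they are not taken from the Ordinance.
"""
from __future__ import annotations

import json
from datetime import datetime

# Art. 4 para 1 and 2: operations that must be logged as a minimum.
REQUIRED_OPERATIONS = {"store", "alter", "read", "disclose", "delete", "destroy"}
# Art. 4 para 3: for personal data that are generally accessible to the public,
# reading and disclosure need not be logged.
PUBLIC_DATA_OPERATIONS = {"store", "alter", "delete", "destroy"}
# Art. 4 para 4: who processed the data, the form of processing, and date/time.
REQUIRED_FIELDS = ("actor", "operation", "timestamp")


def validate_entry(entry: dict) -> list[str]:
    """Return the Art. 4 para 4 defects found in one log entry (empty list if none)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not entry.get(field):
            problems.append(f"missing {field}")
    op = entry.get("operation")
    if op is not None and op not in REQUIRED_OPERATIONS:
        problems.append(f"unknown operation {op!r}")
    # A disclosure must also identify the recipient of the data.
    if op == "disclose" and not entry.get("recipient"):
        problems.append("disclosure without recipient")
    ts = entry.get("timestamp")
    if ts:
        try:
            datetime.fromisoformat(ts)
        except ValueError:
            problems.append("timestamp is not ISO 8601")
    return problems


def validate_log_lines(lines: list[str]) -> dict[int, list[str]]:
    """Map 1-based line numbers to the defects found there; an empty dict means clean."""
    defects: dict[int, list[str]] = {}
    for n, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            defects[n] = ["unparseable line"]
            continue
        problems = validate_entry(entry)
        if problems:
            defects[n] = problems
    return defects


def check_logging_config(config: dict, public_data: bool = False) -> list[str]:
    """Check operation coverage (para 1-3) and retention/separation (para 5)."""
    required = PUBLIC_DATA_OPERATIONS if public_data else REQUIRED_OPERATIONS
    problems = []
    missing = required - set(config.get("logged_operations", ()))
    if missing:
        problems.append("operations not logged: " + ", ".join(sorted(missing)))
    if config.get("log_retention_days", 0) < 365:
        problems.append("retention shorter than one year")
    if config.get("log_target") == config.get("data_system"):
        problems.append("log kept on the system that processes the data")
    return problems


# Constructed sample records, one JSON object per line (not real data).
SAMPLE_LOG = [
    '{"actor": "u1042", "operation": "store", "timestamp": "2024-03-01T10:15:00+00:00", "record": "patient/77"}',
    '{"actor": "u1042", "operation": "disclose", "timestamp": "2024-03-01T10:16:30+00:00", "record": "patient/77", "recipient": "insurer-xyz"}',
    '{"actor": "svc-export", "operation": "disclose", "timestamp": "2024-03-01T10:17:00+00:00", "record": "patient/78"}',
    '{"operation": "purge", "timestamp": "01.03.2024 10:18", "record": "patient/79"}',
]

# Constructed configurations: one that satisfies Art. 4 and one that does not.
GOOD_CONFIG = {
    "logged_operations": ["store", "alter", "read", "disclose", "delete", "destroy"],
    "log_retention_days": 400,
    "log_target": "audit-collector",
    "data_system": "hr-db",
}
BAD_CONFIG = {
    "logged_operations": ["store", "delete"],
    "log_retention_days": 90,
    "log_target": "hr-db",
    "data_system": "hr-db",
}

if __name__ == "__main__":
    for n, probs in validate_log_lines(SAMPLE_LOG).items():
        print(f"line {n}: " + "; ".join(probs))
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_logging_config(cfg) or "ok")
```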
- The private controller and its private processor must issue regulations on automated processing if they:
- a. process a large volume of sensitive personal data; or
- b. carry out high-risk profiling.
- The regulations must in particular include details of the internal organisational structure, data processing and control procedures and the measures that guarantee data security.
- The private controller and its private processor must update the regulations regularly. If a data protection officer has been appointed, the regulations must be made available to the officer.
- The responsible federal body and its processor must issue processing regulations for automated processing if they:
- a. process sensitive personal data;
- b. carry out profiling;
- c. process personal data in accordance with Article 34 paragraph 2 letter c FADP;
- d. allow cantons, foreign authorities, international organisations or private persons access to personal data;
- e. link data collections with each other; or
- f. operate an information system or manage data collections with other federal authorities.
- The regulations must in particular include details of the internal organisational structure, data processing and control procedures, and the measures that guarantee data security.
- The responsible federal body and its processor must update the regulations regularly and make them available to the data protection officer.
Section 2: Processing by Processors
- The prior approval from the controller that allows the processor to assign the data processing to a third party may be specific or general in its scope.
- In the case of general approval, the processor shall inform the controller of any plan to engage additional or replace existing third parties. The controller may object to such changes.
Section 3: Disclosure of Personal Data Abroad
- The States, territories, specified sectors in a State and international bodies that guarantee an adequate level of data protection are listed in Annex 1.
- When assessing whether a State, a territory, a specified sector in a State or an international body guarantees an adequate level of data protection, the following criteria in particular shall be considered:
- a. the international obligations of the State or international body, in particular in relation to data protection;
- b. whether it respects the rule of law and human rights;
- c. the legislation applicable, in particular to data protection, its implementation and the relevant case law;
- d. that data subjects’ rights and redress are effectively guaranteed;
- e. the effective functioning of one or more independent authorities in the State concerned that are responsible for data protection or to which an international body is accountable and that have sufficient powers and responsibilities.
- The Federal Data Protection and Information Commissioner (FDPIC) shall be consulted in the course of each assessment. The assessments of international bodies or foreign authorities responsible for data protection may be taken into account.
- The adequacy of the data protection shall be reassessed periodically.
- The assessments shall be made public.
- If the assessment under paragraph 4 or other information shows that an adequate level of data protection is no longer guaranteed, Annex 1 shall be amended; this shall have no effect on disclosures of data already carried out.
- The data protection clauses in an agreement under Article 16 paragraph 2 letter b FADP and the specific guarantees under Article 16 paragraph 2 letter c FADP must include at least the following points:
- a. the requirement to apply the principles of legality, good faith, proportionality, transparency, purpose limitation and accuracy;
- b. the categories of personal data disclosed and of data subjects;
- c. the manner and purpose of the disclosure of personal data;
- d. if applicable, the names of the countries or international organisations, in which personal data is to be disclosed and the requirements for disclosure;
- e. the requirements for safeguarding, deleting and destroying personal data;
- f. the recipients or the categories of recipients;
- g. the measures to guarantee data security;
- h. the requirement to report breaches of data security;
- i. if the recipients are controllers: the requirement to inform the data subjects about the processing;
- j. the rights of data subjects, and in particular:
- the right of access and the right to data portability,
- the right to object to the disclosure of personal data,
- the right to the correction, deletion or destruction of their data,
- the right to request an independent authority for judicial protection.
- The controller and, in the case of data protection clauses in an agreement, the processor must take appropriate measures to ensure that the recipient complies with these clauses or the specific guarantees.
- If the FDPIC is informed about the data protection clauses in an agreement or the specific guarantees, the duty to provide information is deemed fulfilled for all further disclosures that:
- a. are made in accordance with the same data protection clauses or guarantees, provided the categories of recipients, purpose of processing and data categories essentially remain unchanged; or
- b. take place within the same legal entity or company or between companies that belong to the same group of companies.
- If the controller or the processor discloses personal data abroad based on standard data protection clauses in accordance with Article 16 paragraph 2 letter d FADP, it shall take appropriate measures to ensure that the recipient complies therewith.
- The FDPIC shall publish a list of standard data protection clauses that it has approved, issued or recognised. It shall give notice of the result of its assessment of standard data protection clauses that have been submitted to it within 90 days.
- Binding corporate rules in accordance with Article 16 paragraph 2 letter e FADP apply to all undertakings that belong to the same group of undertakings.
- They shall include as a minimum the points mentioned in Article 9 paragraph 1 as well as the following information:
- a. details of the organisational structure and the contact details for the group of undertakings and its members;
- b. details of the measures taken within the group of undertakings to comply with the binding corporate rules.
- The FDPIC shall give notice of the result of its assessment of binding corporate rules that have been submitted to it within 90 days.
- Personal data may be disclosed abroad if a code of conduct or certification guarantees an appropriate level of data protection.
- The code of conduct must be submitted beforehand to the FDPIC for approval.
- The code of conduct or certification must be combined with a binding and enforceable obligation for the controller or the processor in the third State to apply the measures contained therein.
Chapter 2 (Art. 13 - 15) — Obligations of the Controller
The controller must provide the data subject with information on the collection of personal data in a precise, transparent, comprehensible and easily accessible form.
The controller must retain the data protection impact assessment after concluding the data processing for a minimum of two years.
- The report to the FDPIC of a breach of data security must include the following information:
- a. the form of breach;
- b. the time and duration, if possible;
- c. the categories and approximate amount of personal data concerned, if possible;
- d. the categories and the approximate number of data subjects, if possible;
- e. the consequences, including any risks, for the data subjects;
- f. the measures that have been taken or are planned in order to remedy the breach and mitigate the consequences, including any risks;
- g. the name and the contact details of a contact person.
- If the controller is unable to report all the details at one time, it shall supply the missing details as quickly as possible.
- If the controller is required to inform the data subject, it shall provide the data subject with the details specified in paragraph 1 letters a and e–g in simple and comprehensible language.
- The controller must document the breaches. The documentation must contain a summary of the circumstances of the incidents, their effects and the measures taken. It shall be retained from the time of the report under paragraph 1 for a minimum of two years.
Chapter 3 (Art. 16 - 22) — Rights of the Data Subject
Section 1: Rights of Access
- Any person who requests information from the controller as to whether personal data relating to him or her are being processed must do so in writing. If the controller agrees, the request may also be made verbally.
- The information shall be provided in writing or in the form in which the data is available. By agreement with the controller, the data subject may inspect his or her data on site. The information may be provided verbally if the data subject agrees.
- Information may be requested and provided electronically.
- The information must be given to the data subject in a comprehensible form.
- The controller must take appropriate measures to identify the data subject. The data subject is obliged to cooperate in the identification process.
- Where two or more controllers are processing personal data jointly, the data subject may exercise his or her right of access in relation to any one of them.
- If the request relates to data that is being processed by one processor, the processor shall assist the controller in providing the information where it does not answer the request on behalf of the controller.
- The information must be provided within 30 days of receipt of the request.
- If it is not possible to provide the information within 30 days, the controller must notify the data subject of this and of how long it will take to provide the information.
- If the controller decides to refuse, restrict or defer the right of access, it must notify the data subject of this within the same deadline.
- If providing the information involves a disproportionate cost, the controller may require the data subject to contribute to the costs in an appropriate manner.
- The contribution may not exceed 300 francs.
- The controller must notify the data subject of the amount of the contribution before providing the information. If the data subject does not confirm the request within ten days, the request is deemed to have been withdrawn with no costs incurred. The period referred to in Article 18 paragraph 1 shall begin on expiry of the ten-day reflection period.
Section 2: Right to Data Portability
- Personal data that the data subject has disclosed to the controller are:
- a. data that the data subject has knowingly and voluntarily made available;
- b. data that the controller has obtained relating to the data subject and his or her behaviour while the data subject was using a service or device.
- Personal data that the controller has itself generated from its own evaluation of the personal data provided or observed are not deemed to be personal data that the data subject has disclosed to the controller.
- A conventional electronic format is any format that allows the personal data to be transmitted and reused by the data subject or another controller at a proportionate cost.
- The right to data portability does not create any requirement for the data controller to adopt or maintain technically compatible data processing systems.
- The cost of transferring personal data to another controller is disproportionate if the transfer is technically impossible.
Articles 16 paragraphs 1 and 5 and 17–19 apply mutatis mutandis to the right to data portability.
Chapter 4 (Art. 23 - 24) — Special Provisions on Data Processing by Private Persons
The controller must grant the data protection officer:
- a. access to the required resources;
- b. access to all information, documents, records of processing activities and personal data that the officer requires to fulfil his or her tasks;
- c. the right to notify the highest management or governing body in important cases.
Undertakings and other private organisations employing fewer than 250 employees on 1 January of any year and natural persons are exempt from the obligation to keep a record of processing activities unless any one of the following requirements is met:
- a. a large volume of sensitive personal data is being processed;
- b. high-risk profiling is being carried out.
Chapter 5 (Art. 25 - 35) — Special Provisions on Data Processing by Federal Bodies
Section 1: Data Protection Officer
Every federal body shall appoint a data protection officer. Two or more federal authorities may appoint a joint data protection officer.
- The data protection officer must meet the following requirements:
- a. He or she has the required specialist knowledge.
- b. He or she carries out his or her work in relation to the federal body in a professionally independent manner and is not bound by instructions.
- He or she must carry out the following tasks:
- a. He or she participates in applying the data protection regulations, in particular in that he or she:
- examines the processing of personal data and recommends corrective measures if a breach of the data protection regulations is established;
- advises the controller on preparing the data protection impact assessment and reviews its implementation.
- b. He or she serves as a contact point for data subjects.
- c. He or she trains and advises employees of the federal body on data protection matters.
- The federal body has the following obligations in relation to the data protection officer:
- a. It shall grant him or her access to all information, documents, records of processing activities and personal data that he or she requires to fulfil his or her tasks.
- b. It shall ensure that he or she is notified of any breach of data security.
- It shall publish contact details for the data protection officer online and notify the FDPIC of these details.
The data protection officer serves as the FDPIC’s contact point for any questions in connection with the processing of personal data by the federal body concerned.
Section 2: Duties to Provide Information
The federal body shall inform the recipient about the up-to-dateness, reliability and completeness of the personal data that it has disclosed, unless this information is evident from the data themselves or from the circumstances.
If the data subject is not under any obligation to provide information, the responsible federal body shall inform him or her of this fact in relation to any systematic collection of personal data.
Section 3: Notifying the FDPIC of Projects for the Automated Processing of Personal Data
- The responsible federal body shall notify the FDPIC of any planned automated processing activities at the time that the decision is taken to develop or approve the project.
- Notification must include the details in Article 12 paragraph 2 letters a–d FADP and the anticipated date on which the processing activities will begin.
- The FDPIC shall record the notification in the register of processing activities.
- The responsible federal body shall update the notification on transition to productive operations or termination of the project.
Section 4: Pilot Projects
A pilot trial is mandatory if any one of the following conditions is satisfied:
- a. Fulfilling a task requires technical innovations, the effects of which must first be evaluated.
- b. Fulfilling a task requires significant organisational or technical measures, the effectiveness of which must first be tested, in particular in the case of the cooperation between federal and cantonal authorities.
- c. Fulfilling a task requires personal data to be made accessible in the online search process.
- Before consulting the administrative units with an interest, the federal body responsible for the pilot trial shall explain how it plans to comply with the requirements under Article 35 FADP, and invite the FDPIC to provide its opinion.
- The FDPIC shall provide its opinion on whether the authorisation requirements under Article 35 FADP are met. The federal body shall provide it with all the documents required to do this, and in particular:
- a. a general description of the pilot trial;
- b. a report that demonstrates that fulfilling the statutory tasks requires processing under Article 34 paragraph 2 FADP and that a test phase before the act formally comes into force is essential;
- c. a description of the internal organisational structure and the data processing and control procedures;
- d. a description of the security and data protection measures;
- e. the draft of an ordinance that regulates the details of the processing, or the plan for an ordinance;
- f. the plans for the various phases of the pilot trial.
- The FDPIC may request further documents and conduct additional enquiries.
- The federal body shall inform the FDPIC of any significant change that affects compliance with the requirements of Article 35 FADP. The FDPIC shall again provide its opinion if required.
- The FDPIC’s opinion shall be included with the application to the Federal Council.
- Automated data processing shall be regulated in an ordinance.
- The competent federal body shall submit the draft of the evaluation report for the Federal Council to the FDPIC for the FDPIC to provide an opinion.
- The competent federal body shall submit the evaluation report to the Federal Council with the FDPIC’s opinion.
If personal data are processed for purposes not related to specific persons, in particular research, planning and statistics, but at the same time are processed for a different purpose, the exceptions under Article 39 paragraph 2 FADP only apply to the processing for purposes not related to specific persons.
Chapter 6 (Art. 36 - 44) — Federal Data Protection and Information Commissioner
- The seat of the FDPIC is in Bern.
- The federal legislation on personnel governs the employment contracts of the employees of the FDPIC’s permanent secretariat. The employees shall be insured with the Federal Pension Fund.
- The FDPIC shall communicate with the Federal Council via the Federal Chancellor. The Federal Chancellor shall pass on the FDPIC’s proposals, opinions and reports unedited to the Federal Council.
- The FDPIC shall submit reports to the Federal Assembly via the Parliamentary Services.
- The departments and the Federal Chancellery shall notify the FDPIC of their decisions in anonymised form and of their guidelines relating to data protection.
- The federal authorities shall submit all legislative drafts to the FDPIC that relate to the processing of personal data, data protection and access to official documents.
The FDPIC may process personal data, including sensitive personal data, for the following purposes in particular:
- a. in order to carry out its supervisory activities;
- b. in order to carry out its advisory activities;
- c. in order to cooperate with federal, cantonal and foreign authorities;
- d. in order to fulfil tasks in terms of the criminal provisions in the FADP;
- e. in order to conduct mediation proceedings and to issue recommendations under the Freedom of Information Act of 17 December 2004 (FoIA);
- f. in order to conduct evaluations under the FoIA;
- g. in order to conduct proceedings for access to official documents under the FoIA;
- h. in order to provide information to the parliamentary supervisory authorities;
- i. in order to provide information to the public;
- j. in order to carry out its training activities.
The FDPIC shall issue processing regulations for all automated processing; Article 6 paragraph 1 does not apply.
- The register of the processing activities by federal authorities shall contain the details provided by the federal authorities in accordance with Article 12 paragraph 2 FADP and Article 31 paragraph 2 of this Ordinance.
- It shall be published online. The register entries on planned automated processing activities under Article 31 shall not be published.
If a code of conduct is submitted to the FDPIC, the FDPIC shall confirm in its opinion whether the code of conduct meets the requirements of Article 22 paragraph 5 letters a and b FADP.
- The fees charged by the FDPIC shall be calculated on the basis of the time taken.
- An hourly rate of 150 to 250 francs applies, depending on the seniority of the members of staff carrying out the work.
- In the case of services that are exceptionally extensive, complex or urgent, a surcharge of up to 50 per cent of the fee under paragraph 2 may be added.
- If the service provided by the FDPIC can be commercially exploited by the person liable to pay the fee, a surcharge of up to 100 per cent of the fee under paragraph 2 may be added.
- The General Fees Ordinance of 8 September 2004 also applies.
Chapter 7 (Art. 45 - 47) — Final Provisions
The repeal and the amendment of other legislation are regulated in Annex 2.
- For data processing that does not fall within the scope of Directive (EU) 2016/680, Article 4 paragraph 2 starts to apply at the latest three years after this Ordinance comes into force or at the latest at the end of the system’s lifecycle. In the intervening period, processing is governed by Article 4 paragraph 1.
- Article 8 paragraph 5 does not apply to assessments carried out before this Ordinance comes into force.
- Article 31 does not apply to planned automated processing activities in respect of which the decision to develop or approve the project has already been taken when this Ordinance comes into force.
This Ordinance comes into force on 1 September 2023.
Annexes
States, territories, specified sectors in a State and international bodies that guarantee an adequate level of data protection

| No. | State, territory, sector or international body | Remarks |
|---|---|---|
| 1 | Germany* | |
| 2 | Andorra*** | |
| 3 | Argentina*** | |
| 4 | Austria* | |
| 5 | Belgium* | |
| 6 | Bulgaria*** | |
| 7 | Canada*** | An adequate level of data protection is guaranteed if the Canadian Federal Act on Personal Information Protection and Electronic Documents of 13 April 2000 or the act of a Canadian province that largely corresponds to this Federal Act applies to the private sphere. The Federal Act applies to personal data that is collected, processed or disclosed in the course of commercial activities, irrespective of whether it relates to organisations such as associations, partnerships, individuals or trade unions or undertakings regulated by federal law such as facilities, works, undertakings or business activities that fall within the legislative authority of the Canadian Parliament. The provinces of Quebec, British Columbia and Alberta have issued an act that largely corresponds to the Federal Act; the provinces of Ontario, New Brunswick, Newfoundland and Labrador and Nova Scotia have issued an act that largely corresponds to this act in relation to health data. In all Canadian provinces, the Federal Act applies to all personal data that are collected, processed or disclosed by undertakings regulated by federal law, including data on employees of these undertakings. The Federal Act also applies to personal data transferred to another province or another country in the course of commercial activities. |
| 8 | Cyprus*** | |
| 9 | Croatia*** | |
| 10 | Denmark* | |
| 11 | Spain* | |
| 12 | Estonia* | |
| 13 | Finland* | |
| 14 | France* | |
| 15 | Gibraltar*** | |
| 16 | Greece* | |
| 17 | Guernsey*** | |
| 18 | Hungary* | |
| 19 | Isle of Man*** | |
| 20 | Faroe Islands*** | |
| 21 | Ireland*** | |
| 22 | Iceland* | |
| 23 | Israel*** | |
| 24 | Italy* | |
| 25 | Jersey*** | |
| 26 | Latvia* | |
| 27 | Liechtenstein* | |
| 28 | Lithuania* | |
| 29 | Luxembourg* | |
| 30 | Malta* | |
| 31 | Monaco*** | |
| 32 | Norway* | |
| 33 | New Zealand*** | |
| 34 | Netherlands* | |
| 35 | Poland* | |
| 36 | Portugal* | |
| 37 | Czech Republic* | |
| 38 | Romania*** | |
| 39 | United Kingdom** | |
| 40 | Slovakia* | |
| 41 | Slovenia* | |
| 42 | Sweden* | |
| 43 | Uruguay*** | |
| 44 | United States*** | For personal data processed by organisations certified under the Principles of the Swiss-US Privacy Framework, an adequate level of protection is deemed to be guaranteed based on the safeguards provided by Executive Order 14086 of 7 October 2022, the Rule on the United States Attorney General's Data Protection Review Court of 7 October 2022 and Intelligence Community Directive 126 (Implementation Procedures for the Signals Intelligence Redress Mechanism under Executive Order 14086) issued by the Office of the Director of National Intelligence on 6 December 2022 and the Designation of Switzerland on 7 June 2024 as a country covered by the two-layer redress mechanism, including access to the Data Protection Review Court. |

* The assessment of the adequacy of data protection includes the disclosure of personal data in accordance with Directive (EU) 2016/680.
** The assessment of the adequacy of data protection includes the disclosure of personal data in accordance with an implementing decision of the European Commission in which the adequacy of data protection is established in accordance with Directive (EU) 2016/680.
*** The assessment of the adequacy of data protection does not include the disclosure of personal data in terms of the cooperation provided for under Directive (EU) 2016/680.
Ordinance on Data Protection Certification
The Swiss Federal Council,
on the basis of Article 13 paragraph 2 of the Data Protection Act of 25 September 2020 (FADP),
ordains:
Section 1: Certification Bodies
Section 2: Subject Matter and Procedure
Section 3: Sanctions
Section 4: Final Provisions
1. Certification of management systems
The staff who certify management systems must when taken together hold the following qualifications:
- knowledge of the field of data protection law: a minimum of two years’ practical experience in the field of data protection or a successfully completed course of studies of a minimum of one year in duration at a university or university of applied sciences with data protection law as the main subject;
- knowledge of the field of information security: a minimum of two years’ practical experience in the field of information security or a successfully completed course of studies of a minimum of one year in duration at a university or university of applied sciences with information security as the main subject;
- knowledge of developments in data protection law and in information security;
- training as a management systems auditor which meets the internationally specified requirements of the following standards in particular:
- SN EN ISO/IEC 17021-1, Conformity assessment, requirements for bodies providing audit and certification of management systems, Part 1: Requirements,
- SN EN ISO/IEC 17021-3, Conformity assessment, requirements for bodies providing audit and certification of management systems, Part 3: Competence requirements for auditing and certification of quality management systems, and
- SN EN ISO/IEC 27006, Information technology, security techniques, requirements for bodies providing audit and certification of information security management systems.
The certification body must have qualified staff for the individual fields. The assessment of management systems by an interdisciplinary team is permitted.
2. Certification of products, services and processes
The staff who certify products, services or processes must, taken together, hold the following qualifications:
- knowledge of the field of data protection law: a minimum of two years’ practical experience in the field of data protection or a successfully completed course of studies of a minimum of one year in duration at a university or university of applied sciences with data protection law as the main subject;
- knowledge of the field of information security: a minimum of two years’ practical experience in the field of information security or a successfully completed course of studies of a minimum of one year in duration at a university or university of applied sciences with information security as the main subject;
- knowledge of developments in data protection law and in information security;
- specialist knowledge relating to the certification of products, services or processes that meets the requirements for certification programmes and FDPIC’s guidelines as well as the internationally specified requirements, in particular in accordance with the applicable technical standards and the standard «SN EN ISO/IEC 17065, Conformity assessment, requirements for bodies certifying products, processes and services».
The certification body must have qualified staff for the individual fields. The assessment of products, services and processes by an interdisciplinary team is permitted.
