Chapter 3 (Art. 19 - 24) — Duties of the Controller and of the Processor

- The controller shall inform the data subject in an appropriate manner when collecting personal data; this duty to provide information also applies if the data is not collected from the data subject.
- It shall provide the data subject on collecting the data with the information required for the data subject to exercise their rights under this Act and to guarantee transparent data processing; it shall provide the following information as a minimum:
  - a. the controller's identity and contact details;
  - b. the purpose of processing;
  - c. if applicable, the recipients or the categories of recipients to which personal data is disclosed.
- If the data is not collected from the data subject, the controller shall also inform the data subject of the categories of processed personal data.
- If the personal data are disclosed abroad, the controller shall also inform the data subject of the State or the international body to which such data are disclosed and if applicable of the guarantees under Article 16 paragraph 2 or the application of an exception under Article 17.
- If the data is not collected from the data subject, the controller shall also inform the data subject of the information specified in paragraphs 2–4 at the latest one month after receiving the data. If the controller discloses the personal data before the expiry of this deadline, it shall inform the data subject at the time of disclosure at the latest.
- The duty to provide information under Article 19 ceases to apply if one of the following requirements is satisfied:
  - a. The data subject already has the information concerned.
  - b. The processing is required by law.
  - c. The controller is a private person who is required by law to preserve confidentiality.
  - d. The requirements of Article 27 are satisfied.
- If the personal data is not collected from the data subject, the duty to provide information also ceases to apply if any one of the following requirements is satisfied:
  - a. It is not possible to provide the information.
  - b. Providing the information requires disproportionate effort.
- The controller may restrict, delay or dispense with the communication of the information in the following cases:
  - a. It is required to do so because of overriding third party interests.
  - b. Providing the information defeats the purpose of the processing.
  - c. The controller is a private person and the following requirements are satisfied:
    - 1. The controller is required to do so because of its own overriding interests.
    - 2. The controller does not intend to disclose the personal data to third parties.
  - d. The controller is a federal body and any one of the following requirements is satisfied:
    - 1. The measure is required to satisfy overriding public interests, in particular to protect Switzerland's internal or external security.
    - 2. The communication of the information may compromise an enquiry, an investigation or administrative or judicial proceedings.
- Legal entities that belong to the same group of companies are not third parties within the meaning of paragraph 3 letter c number 2.
- The controller shall inform the data subject about any decision that is based exclusively on automated processing and that has a legal consequence for or a considerable adverse effect on the data subject (automated individual decision).
- It shall on request allow the data subject to express their point of view. The data subject may request that the automated individual decision be reviewed by a natural person.
- Paragraphs 1 and 2 do not apply if:
  - a. the automated individual decision is directly connected with the conclusion or the processing of a contract between the controller and the data subject and the data subject's request is granted; or
  - b. the data subject has explicitly consented to the decision being automated.
- If the automated individual decision is issued by a federal body, it must designate the decision accordingly. Paragraph 2 does not apply if, in accordance with Article 30 paragraph 2 of the Administrative Procedure Act of 20 December 1968 (APA) or another federal act, the data subject is not entitled to a hearing before the decision is taken.
- If processing is likely to result in a high risk to the data subject's personality or fundamental rights, the controller shall carry out a data protection impact assessment beforehand. If several similar processing procedures are planned, a joint assessment may be carried out.
- The existence of a high risk, in particular when using new technologies, depends on the nature, extent, circumstances and purpose of the processing. A high risk arises in particular:
  - a. in the case of the large-scale processing of sensitive personal data;
  - b. if public areas are systematically monitored on a large scale.
- The data protection impact assessment shall include a description of the planned processing, an evaluation of the risks to the data subject's personality or fundamental rights and a description of the measures to protect personality and fundamental rights.
- Private controllers are exempt from having to carry out a data protection impact assessment if they are required by law to process the data.
- A private controller may dispense with carrying out a data protection impact assessment if it uses a system, product or service that is certified under Article 13 for the intended use, or if it complies with a code of conduct under Article 11 that satisfies the following requirements:
  - a. The code of conduct is based on a data protection impact assessment.
  - b. It provides for measures to protect the personality and the data subject's fundamental rights.
  - c. It has been submitted to the FDPIC.
- If the data protection impact assessment indicates that the planned processing despite the measures planned by the controller will still pose a high risk to the personality or the data subject's fundamental rights, the controller shall seek the FDPIC's opinion beforehand.
- The FDPIC shall inform the controller within two months of any objections to the planned processing. This deadline may be extended by one month if the data processing is complex.
- If the FDPIC objects to the planned processing, he or she shall propose suitable measures to the controller.
- A private controller may dispense with consulting the FDPIC if it has consulted the data protection officer under Article 10.
- The controller shall notify the FDPIC of any breach of data security that is likely to lead to a high risk to the data subject's personality or fundamental rights as quickly as possible.
- In the notification, it shall as a minimum specify the nature of the breach of data security, its consequences and the measures taken or planned.
- The processor shall notify the controller of any breach of data security as quickly as possible.
- The controller shall inform the data subject if this is required for their protection or if the FDPIC so requests.
- It may limit, delay or dispense with the provision of information to the data subject if:
  - a. there is a reason for doing so pursuant to Article 26 paragraph 1 letter b or paragraph 2 letter b or the provision of information is prohibited by a statutory duty of confidentiality;
  - b. the provision of information is impossible or requires disproportionate effort; or
  - c. the provision of information to the data subject is equally guaranteed by making a public announcement.
- A notification made pursuant to this Article may only be used against the person required to notify in criminal proceedings with that person's consent.
* Inserted by No II 2 of the FA of 29 Sept. 2023 (Introduction of a Reporting Obligation for Cyberattacks on Critical Infrastructure), in force since 1 April 2025 (AS 2024 257; 2025 168, 173; BBl 2023 84).