Codes of Conduct

Article 11 of the Data Protection Act (FADP) allows professional, industry and trade associations, as well as federal bodies, to draw up their own codes of conduct and submit them to the FDPIC for an opinion. These opinions are published. They may contain objections or suggest modifications or clarifications. A positive opinion from the FDPIC justifies the legal presumption that the conduct defined in a code complies with data protection law. It also allows private data controllers, under certain conditions, to dispense with an impact assessment, or provides a guarantee of an adequate level of protection that allows data to be disclosed abroad.

What is a code of conduct?

An instrument of self-regulation, a code of conduct enables professionals in a given sector to comply with the FADP; a code facilitates the interpretation and implementation of the law by developing specific common rules, thereby standardising practices. It gives a practical dimension to the abstract principles laid down in the law and helps to ensure that the law is properly applied, taking into account the specific processing needs of different sectors.

Codes make it possible to clarify certain concepts, such as high risk (Art. 22 FADP), and the terms of certain duties, such as the duty to provide information (Arts. 19 to 21 FADP) or the duty to carry out a data protection impact assessment (Art. 22 FADP), and to provide for measures to ensure the protection of the data subject's personality and fundamental rights. The idea is also to come up with more precise solutions for certain specific issues that are currently raising a lot of questions, such as video surveillance, cloud computing and social networks.

Who can draw up a code of conduct and for whom is it intended?

In the private sector, a code of conduct is issued by professional, industry and trade associations that are authorised by their constitutions to defend the economic interests of their members, and in the public sector, by federal bodies. An individual controller or processor cannot draw up or adopt its own code of conduct. 

In this way, the groups concerned have the opportunity to play an active role in regulating a sector and to facilitate the development of industry-wide, concerted and widely accepted solutions. Professionals in the sector are free to join or not: a code of conduct is not automatically binding on all the members of the association or body that drew it up.

Is it compulsory to have a code of conduct?

No. The persons referred to in Article 11 FADP may submit their code of conduct to the FDPIC, but are not obliged to do so. 

What are the benefits of a code?

A code of conduct increases the confidence of data subjects and minimises the risk of breaches of data protection law. In legal terms, a code creates the legal presumption that the conduct defined in the code complies with data protection law. Furthermore, if they are subject to a code of conduct, data controllers may not only be exempted from drawing up their own aids and guidelines for applying the new FADP, but in the case of private controllers, they may also, subject to certain conditions, dispense with carrying out a data protection impact assessment (Art. 22 para. 5 FADP).

If certain additional conditions are met, the code of conduct is also recognised as a valid guarantee that the transfer of data from Switzerland to third countries will be lawful. The code must ensure an adequate level of protection, be submitted to the FDPIC for prior approval and be accompanied by a binding and enforceable undertaking by which the controller or processor in the third country guarantees that it will apply the required measures (Art. 16 para. 3 FADP and Art. 12 DPO).

Neither the Act nor the Ordinance sets out requirements as to the form and content of a code of conduct; however, the guidelines adopted by the European Data Protection Board (EDPB) offer useful information as an aid to drawing up codes of conduct used as a mechanism for transfers to third countries (EDPB, Guidelines 04/2021 on codes of conduct as tools for transfers).

What does the code of conduct cover?

The FADP does not lay down any requirements regarding the content of a code of conduct; the DPO lays down certain requirements only for the disclosure of data abroad. A code of conduct is intended to contribute to the correct application of the FADP, while taking account of the specific processing needs of the different sectors. It generally contains a description of the conduct adopted by its members, which is also presented as good practice to be implemented in the sector concerned. The content of a code may be detailed, or it may be relatively flexible and limited to certain specific aspects of the FADP, thus leaving the companies to which it applies some room for manoeuvre. It may target a particular type of processing or be more extensive. It must nevertheless help to ensure that the legal provisions are complied with in the sector concerned, and must not simply restate the content of the legislation.

Given these objectives, a code should aim to give practical form to the FADP and to focus on the areas and problems of data protection specific to the sector concerned by proposing concrete solutions, ideally through examples of best practice to be followed. For example, the concept of 'high risk' (Art. 22 FADP) could be defined in more detail, as could the details of certain duties, such as the duty to provide information (Arts. 19 to 21 FADP) or the duty to carry out a data protection impact assessment (Art. 22 FADP). A code may also specify the procedures for applying the FADP, such as how to pseudonymise or sufficiently anonymise data in a given sector, and may define specific security measures, provide for appropriate retention periods, establish mechanisms that enable data subjects to exercise their rights, define the criteria that ensure compliance with the principle of data minimisation, or introduce safeguards that apply to data collected from third parties or to the transfer of personal data to a country that does not offer adequate protection.

Neither the Act nor the Ordinance sets out requirements as to the form and content of a code of conduct; however, as an aid to drafting codes of conduct, Article 40 of the GDPR lists a series of elements that may be included, and the guidelines adopted by the European Data Protection Board (EDPB) also offer useful information on the subject (EDPB, Guidelines 1/2019 on codes of conduct and monitoring bodies under Regulation (EU) 2016/679).

Does a code of conduct have to be approved by the FDPIC?

The FADP does not require codes of conduct to be approved. However, codes can be submitted to the FDPIC, which will then issue its opinion; private sector bodies must pay a fee. The time that the FDPIC takes to issue its opinion depends on the circumstances of the case. The FDPIC examines the compatibility of the code with the FADP. Its position does not constitute a ruling with legal consequences; as a result, a party concerned cannot derive any rights from a positive opinion or from the absence of an opinion. Nevertheless, if the FDPIC's opinion is favourable, companies that comply with the code of conduct can assume that their behaviour will not subsequently be made subject to administrative measures. The opinions given, whether favourable to the code of conduct or not, are published by the FDPIC. The code of conduct may be resubmitted to the FDPIC each time it is updated.

Where a code of conduct is used as a guarantee for the disclosure of personal data abroad, it must be approved in advance by the FDPIC, in the same way as standard data protection clauses and binding corporate rules that ensure an adequate level of protection (Art. 16 para. 3 FADP and Art. 12 DPO).

Last modification 24.04.2024