Basic knowledge

In view of the dynamics of digitalisation, the public debate has become somewhat fixated on technological phenomena, for whose assessment under data protection law technological knowledge may be useful, but without a basic understanding of the peculiarities of data protection, it usually proves to be insufficient. Against this backdrop it seems helpful to us to answer seven frequently asked questions about data protection:

In order to increase the effectiveness of the obligations it imposes, the FADP contains several criminal law provisions to sanction infringements.

Article 11 FADP allows professional, industry and trade associations, not to mention federal bodies, to draw up their own codes of conduct and submit it to the FDPIC for an opinion.

The cross-border transfer of personal data is subject to special rules.

Manufacturers of data processing systems and programmes, data controllers and processors can have their systems, products and services assessed by a recognised independent certification body (Art. 13 para. 1 FADP).

Private- and public-sector data controllers must carry out a data protection impact assessment (DPIA) if data processing is likely to result in a high risk to the personality or fundamental rights of the data subjects.

Notification of data protection officers (DPO) to the FDPIC pursuant to Art. 10 para. 3 FADP for private persons and Art. 10 para. 4 FADP for federal bodies.

The duty to provide information ensures that data processing is transparent and that the data subject’s rights are respected. Without information, the data subject is not necessarily aware that their personal data is being processed and cannot therefore exercise their rights under the FADP. The FADP therefore requires the data controller to inform the data subject that their data is being gathered, no matter the type of data concerned.

In future, the FDPIC will charge private data processors for a number of his services.

On this page you will find important information and instructions relating to IT and information security.

The FDPIC supervises the application of federal data protection regulations. To this end, it has drawn up a factsheet designed to provide a brief overview of the investigation. It summarises the in-depth interpretations of the FDPIC on Articles 49-53 FADP.

Article 14 of the Federal Act on Data Protection (FADP) regulates the obligation of private controllers who are registered or domiciled abroad and who process personal data in Switzerland to appoint a representative here.

You remain responsible for data protection even if you entrust their processing to a sub-contractor.

In accordance with the Federal Act on Data Protection (FADP), any person may request information from the controller of a data file as to whether their personal data is being processed and may, if necessary, have the data corrected or destroyed. This right to information allows everyone to maintain control over the data collected about them. It is key to enabling those affected to assert their rights under the law and ensures transparency regarding what use is made of the data. Nevertheless, each person must take action themselves to exercise this right.