Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


I. Legal framework

Constitutional privacy and data protection framework

Article 36(4) of the 1874 Constitution guaranteed, "[t]he inviolability of the secrecy of letters and telegrams." This constitution was repealed and replaced by public referendum in April 1999. The new Constitution, which entered into force on 1 January 2000, greatly expanded the older privacy protection provision. Article 13 of the new Constitution states: "All persons have the right to the respect of their private and family life, home, mail and telecommunications. All persons have the right to be protected against abuse of their personal data."1

Privacy and data protection laws and regulations

Comprehensive law

The Federal Data Protection Act of 1992 (Loi fédérale sur la protection des données or LPD) regulates personal information held by federal government and private bodies.2 The Act requires that information be legally and fairly collected and places limits on its use and disclosure to third parties. Federal agencies must register their databases. Private companies must register if they regularly process sensitive data or transfer the data to third parties. Transfers to other nations must be registered and the recipient nation must have adequate data protection laws. Individuals have a right of access to correct inaccurate information. There are criminal penalties for violations. In March 2006, the Federal Parliament adopted major revisions to the LPD;3 the revisions came in force on 1 January 2008.4

Revisions to the LPD included: elimination of the possibility of justifying a violation of the principles on the basis of an overriding private or public interest; requirement that processors of sensitive data actively notify data subjects; further requirements for controllers to ensure that third party processors have adequate security in place; and restriction on the methods of ensuring adequate data protection in transfers to third countries.5

Almost all of the 26 Swiss "cantons" (states) have a separate data protection law and their own data protection commissioner. However, as some cantons are small, some data protection commissioners are employed to allocate only 10 percent of their working time for this purpose. In order to exchange opinions and collaborate, the cantonal data protection officers founded the association "PRIVATIM" (formerly DSB+CPD.CH) in March 2000. PRIVATIM created a working group to address questions regarding health privacy, and in June 2007, published a brochure on the rights of individuals concerning their medical data privacy.6

In June 1999, the European Union Article 29 Data Protection Working Party determined that Swiss law was adequate under the EU Data Protection Directive.7 In July 2000, the European Commission formally adopted this position, thereby approving all future personal data transfers to Switzerland. On 20 October 2004, the Commission confirmed this approval.8

In 2008, amendments to the Federal Data Protection Act came into force on 1 January. The new law incorporates the obligation to inform data subjects about the collection and purpose of the information, as well as information about data transfers to third parties.9 The new statute also makes a provision for a certification procedure to obtain a data protection quality label, once applicable legal and technical requirements have been met.10 The new Act modifies the rules applicable to the transfer of personal data abroad and makes it an obligation for data controller transferring personal data to inform the Data Protection Commissioner about contracts and internal data protection regulations in place. The new rules are very similar to the rules of the EU Data Protection Directive and their adoption allowed Switzerland to ratify, on 20 December 2007, the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding Supervisory Authorities and Transborder Data Flows of 8 November 2001.11

Sector-based laws

Besides the Data Protection Act,12 there are also legal protections for privacy in the Civil Code13 and the Penal Code.14 There are also special rules relating to workers' privacy from surveillance,15 telecommunications information,16 health care statistics,17 professional confidentiality, including medical, and legal data,18 medical research,19 and identity cards.20

Data protection authority

The LPD created the office of a Federal Data Protection and Information Commissioner (the Commissioner, or FDPIC).21 The Commissioner maintains and publishes the Register for Data Files, supervises federal government and private bodies, provides advice, issues recommendations and reports, and conducts investigations. The Commissioner has assumed a new role as mediator relating to transparency and public information.22 The Commissioner also consults with the private sector. The office publishes a detailed annual report, as well as leaflets, summaries of press articles and critical statements, and advice to government agencies on issues of data protection.23 However, the Commissioner has only limited possibilities for interventions: he can only submit "suggestions" (Empfehlungen) or ask the Data Protection Commission to review a case. Decisions of this commission can then be submitted to the Federal Court (Bundesgericht). In the FDPIC's 14th Annual Report (2006/2007), the Commissioner addresses issues that range "from military information systems, such as reconnaissance drones, to the planned introduction of the health insurance card, to video surveillance in stores, and to biometric access control in sports stadiums and leisure facilities."24 In the FDPIC's 17th report main topics are "Privacy on Internet" (Goldgräberstimmung im Internet - das Ende der Privatsphäre?) dealing with Google, Facebook, Twitter and other online services providers; "Certification of Data Management Systems: Accreditations" (Zertifizierung von Datenschutzmanagementsystemen: Akkreditierungen) dealing with the first accreditations of private companies with the Swiss Accreditation Agency (SAS); and "2010 Swiss population Census" (Volkszählung 2010).

Annually, the FDPIC deals with 1,500 to 2,000 complaints, investigations, and requests. Among these, there are questions of individuals, media inquiries, long-term supervision of operational proceedings in private enterprises, as much as, in the federal administration, and comments on legislation at the hearing stage. According to the FDPIC, between 1 April 2005 and 31 March 2006 it conducted 63 official investigations, 50 of which concerned access to homeland security files. From 2006 to date there has been any significant change in the number of complaints (page 110 of report). However, the staff of 25 employees seems not to be sufficient to deal with all complaints in a reasonable time.25

In September 2005, the FDPIC hosted the 27th International Conference of Data Protection and Privacy Commissioners in Montreux. More than 350 participants from all over the world took part, and the Conference adopted two important resolutions: one on the use of biometric data in passports, ID cards, and travel documents, and a second on the use of personal data for political communication.26

The Federal Data Protection and Information Commissioner has been appointed by the Bundesrat (the Government), as well as cantonal commissioners have been appointed by their cantonal governments. In order to implement Article 25 of the EU Council Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters -- that states "These authorities [data protection authorities] shall act with complete independence in exercising the functions entrusted to them"27 -- adaptations in the concerning Swiss regulations are currently under way. All commissioners must be elected by the Parliament, or at least approved by this institution.

Major privacy and data protection case law

The relevant case law concerning privacy and data protection is discussed infra in the text and categorised under the corresponding section.28