Switzerland - Data Breach Guide

Switzerland

1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?

    No. The current Swiss Federal Data Protection Act ("FDPA") does not provide an explicit obligation to notify individuals or the Federal Data Protection and Information Commissioner ("FDPIC"). However, an obligation to notify individuals may arise from:

    • The principle that persons processing personal data have to observe the rules of good faith (Art. 4 para. 2 FDPA);
    • The general obligation to mitigate damages (in particular reflected in "force majeure"-clauses in contracts between parties); or
    • The fact that the processing party has to implement measures that are necessary to ensure data security, which might entail instructions to individuals following a data breach; or
    • A contractually stipulated notification duty between the parties (which is frequent in IT-related agreements under best practice standards). In particular, data processors are usually assigned with tasks under the provisions of the mandate contract (Art. 394 et seq. Swiss Code of Obligations [CO]) and have a general diligence duty to act in the best interests of the principal (Art. 398 para. 2 CO) which may imply to notify data breaches that have occurred.

    The above factors must be assessed on a case-by-case basis.

    Please note that the current FDPA is subject to a comprehensive revision and a new FDPA is scheduled to come into force by 2021. The new FDPA ("NFDPA") is an attempt to align Swiss data protection laws with the new standards established by the European General Data Protection Regulation ("GDPR"). Under Art. 22 of the NFDPA, data breach notifications will become mandatory and required if the data breach presumably leads to a high risk for the personality or human rights of a data subject (whereas under the GDPR all cases, which involve a risk are to be notified).

    1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

      There is no general rule detailing under what conditions notification must be given. It is currently more likely that a data processor will have to notify a data controller (based on contractual arrangements) than a data controller to individuals in the event of a data breach (based on current data protection principles).

      As mentioned above, under the future NFDPA, data breach notifications will become mandatory and required if the data breach presumably leads to a high risk for the personality or human rights of a data subject (whereas under the GDPR all cases, which involve a risk, are to be notified). There is no particular type or category of data that has to be breached to trigger a data breach notification, other than it has to be personal data in the sense of the NFDPA. The entity subject to notification duty will be the data processor (to the data controller) and the data controller (to the data subject and to the data protection authority).

      The notifications required under the NFDPA may in the future be omitted if (i) a data controller is entitled to refuse to give information on data processing activities (see Art. 24 para 1.b. and 2.b. NFDPA) due to overweighing interests of third parties, (ii) the information to be provided is impossible to gather or connected with disproportionate efforts and/or (iii) a notification of the data subjects has already occurred through an equivalent public announcement (see Art. 22 para. 5 NFDPA).

      1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?

        No, this depends on the circumstances and is mainly a question of practicality and effectiveness. There are no particular formalities required.

        Under the NFDPA, a notification of a data processor to the data controller will be required "as soon as possible". A notification of a data controller to a data subject will be required if it is "necessary to protect the interests of the data subject or if the data processors demands it". Foreseeably, there will be no particular form of notification prescribed under the NFDPA.

        1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?

          Failing to notify in the event of a data breach may lead to liability for damage caused by such failure and to an administrative investigation (potentially followed by recommendations concerning the processing of data).

          Under the future NFDPA, willfully omitting to notify in the event of a data breach will be sanctioned with criminal fines up to CHF 250,000. However, such criminal sanction will only be triggered upon request (i.e. not "ex officio"). Furthermore, sanctions are of penal nature and not considered public administrative sanctions (as e.g. under the GDPR).

          1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?

            In each case, the processing party has to evaluate whether the individuals can expect a notification in view of the principle of good faith, whether a notification can avoid considerable further damage, and whether data security obligations imply a notification duty.

            Under the NFDPA, data breach notifications will become mandatory and required if the data breach presumably leads to a high risk for the personality or human rights of a data subject involved.

            1.6 What are the applicable (data protection) laws or guidelines within your country?

              The key legislation is the Federal Data Protection Act and the related ordinances. The new Federal Data Protection Act will foreseeable come into force in 2021.

              1.7 Contact information for the local Data Protection Authority:

                Name:

                Federal Data Protection and Information Commissioner

                Address:

                Feldeggweg 1, 3003 Bern, Switzerland

                Telephone:

                +41 31 322 4395

                Fax:

                +41 31 325 99 96

                Website:

                www.edoeb.admin.ch

                For more information, contact:

                Name:

                Dr. Dirk Spacek, LL.M.

                Firm:

                CMS Switzerland

                Address:

                Dreikönigstrasse 7, 8002 Zurich, Switzerland

                Telephone:

                +41 44 285 11 11

                Fax:

                +41 44 285 11 22

                Email:

                dirk.spacek@cms-vep.com

                Website:

                https://cms.law/en/che/