Feb 2025

Switzerland

Law Over Borders Comparative Guide:

Data Protection

Introduction

Swiss data protection law safeguards the personality and fundamental rights of individuals whose personal data is processed. To achieve this, it establishes a finely balanced system of civil, administrative and criminal provisions, addressing both the governance and process rules to be followed by controllers and processors, as well as the rights and remedies available to individuals. These generally applicable provisions are complemented by sector-specific regulations, such as for institutions active in healthcare and human research, telecommunications and financial markets, as well as provisions applicable under certain circumstances (e.g. in the employment context, when deploying cookies or sending mass advertisements, or in case of civil or criminal procedures).

1. What national laws regulate the collection, use and disclosure of personal data?

In Switzerland, the collection, use and disclosure (i.e. processing) of personal data are primarily regulated by the Federal Act on Data Protection (FADP) and the Ordinance on Data Protection (ODP). These two cross-sectoral laws govern all processing of personal data by private actors (i.e. individuals or companies) or federal bodies, insofar as they are not superseded by a special law, with stricter requirements applying to federal bodies. The processing of personal data by Swiss cantonal and municipal bodies is governed by cantonal legislation, which varies significantly (e.g. some cantons still protect the personal data of legal entities to the same extent as the personal data of individuals).

Separately, the use of cookies is governed by the Telecommunications Act, unsolicited mass advertising is restricted by the Unfair Competition Act, and the processing of employee (or applicant) data is limited by the Swiss Code of Obligations (and Ordinance 3 to the Labour Act, in particular as regards limitations on and prerequisites for employee monitoring systems implemented in the workplace).

In addition, there are numerous sector-specific federal laws (and corresponding ordinances) that supersede or supplement the FADP and the ODP, for example:

  • For the processing of human research and health-related data, the Human Research Act, the Federal Act on Human Genetic Testing, the Reproductive Medicine Act, the Federal Act on Electronic Patient Records, the Therapeutic Products Act, the Epidemics Act and the Cancer Registration Act. 
  • For data processing in the financial markets industry, the Banking Act, the Financial Institutions Act, the Financial Services Act, the Financial Market Infrastructure Act (noting that respectively regulated entities are each subject to statutory secrecy obligations) and the Anti-Money Laundering Act. 
  • The Federal Act on the Surveillance of Post and Telecommunications for data recording, retention and disclosure obligations applicable to post and telecom-related services providers.

2. To whom do the laws apply?

The FADP and ODP generally apply to all private actors and federal bodies, insofar as they process personal data (see below, Questions 4 and 5).

The addressees of the additional laws mentioned in Question 1, above, vary with respect to the specific conduct and regulatory qualification and are indicated therein.

3. What is the territorial scope of the law?

The territorial scope of the FADP (and consequently the ODP) depends on the nature of the specific provision. 

For public law provisions (e.g. the obligation to appoint a representative in Switzerland, information and notification obligations, or the obligation to conduct a data protection impact assessment (DPIA)), the territorial scope is determined by the principle of territoriality and the principle of effects. Accordingly, they apply if data processing takes place in Switzerland or has an effect in Switzerland.

For civil law provisions (e.g., individuals’ rights or claims arising from data processing infringing personality rights), the applicable law is determined by the Federal Act on Private International Law (PILA). Accordingly, they may apply under certain circumstances, even if the data processing took place outside of Switzerland. The data subject may choose Swiss (data protection) law to apply if:

  • the data subject has their habitual residence in Switzerland, provided it was to be expected that the violation of privacy would occur in Switzerland;
  • the party processing the data (whether controller or processor) has its establishment or habitual residence in Switzerland; or
  • the violation of privacy occurs in Switzerland, provided this was to be expected.

The criminal provisions (i.e. conduct subject to fines) apply if an offence is committed in Switzerland or if the result of the offence occurs in Switzerland.

4. What acts and operations relating to personal data are regulated?

The FADP and the ODP govern the “processing” of personal data. The notion of processing is extremely broad and encompasses any handling of personal data, irrespective of the means and procedures applied, in particular, the collection, storage, keeping, use, modification, disclosure, archiving, deletion or destruction of personal data.

5. What personal data does the law regulate?

The FADP defines personal data as any information relating to an identified or identifiable natural person (i.e. individual). A natural person is identified if it is evident from the information itself that it pertains precisely to that person. A natural person is identifiable if their identity can be inferred without disproportionate efforts based on additional information. 

If identifying the individual is no longer possible or only possible with disproportionate effort (e.g. in the case of anonymised data), the data does not constitute personal data. To qualify as anonymised data, the de-identification process must be irreversible.

If the identifying characteristics of personal data are (temporarily) replaced with a code (i.e. pseudonymised data) or encrypted, the data still qualifies as personal data for anyone who has the means to re-identify individuals through matching the code or using the decryption key. However, it does not constitute personal data for any recipient of sufficiently pseudonymised or encrypted data who does not have such means to re-identify the individuals concerned. 

6. Are any types of personal data subject to a higher level of protection under the law?

Swiss data protection law provides for stronger protection of so-called “sensitive personal data”, which is defined as: 

  • data relating to religious, philosophical, political or trade union-related views or activities;
  • data relating to health, the private sphere or affiliation to a race or ethnicity;
  • genetic data;
  • biometric data that uniquely identifies a natural person;
  • data relating to administrative and criminal proceedings or sanctions; and
  • data relating to social assistance measures.

Large-scale processing of sensitive personal data, for example, requires a DPIA to be conducted. Further, disclosure of sensitive personal data to third parties constitutes a breach of personality rights requiring a justification (cf. below, Question 7). Consent, if required, must be given explicitly (cf. below, Question 7). Also, in cases of large-scale processing of sensitive personal data by automated means, logs must be kept and regulations must be drawn up pursuant to the ODP. Additional restrictions apply to the processing of sensitive personal data by federal bodies. 

7. What requirements must be fulfilled in order to process personal data?

In contrast to the GDPR, private actors do not need to rely on specific legal grounds, such as consent or legitimate interest, to process personal data. Data processing is generally permissible if it complies with the general data processing principles (DPP) (cf. below, Question 8). Federal bodies, on the other hand, require a statutory basis for the processing of personal data.

Justification is only required if processing activities do not comply with the DPP or otherwise violate the personality rights of the data subject. A breach of personality rights is unlawful, unless it is justified by the consent of the data subject, by an overriding private or public interest, or by the law.

If the consent of the data subject is required, such consent is only valid if given voluntarily, for one or more specific instances of processing, and on the basis of appropriate information. For certain types of data processing, the consent, if required, must be explicit (i.e. for the processing of sensitive personal data, cf. above, Question 6, or for high-risk profiling by private actors and any profiling by federal bodies). In contrast to the GDPR, the FADP does not explicitly prohibit coupling consent with other agreements, so consent to various processing activities may be obtained together. These requirements on consent, however, only apply if consent is relied upon as a justification. Swiss data protection law does not prescribe when exactly consent must be relied upon, only that it is a possible means of justification whenever a justification is required.

8. What obligations apply when processing personal data?

The FADP contains numerous obligations that apply to both controllers and processors, including: 

  • Adherence to DPP, i.e.: 
    • personal data must be processed lawfully; 
    • processing must be carried out in good faith and be proportionate; 
    • personal data may only be collected for a specific purpose recognisable for the data subject. Further processing must be compatible with that purpose; 
    • personal data shall be destroyed or anonymised as soon as it is no longer required for the purpose of processing;
    • accuracy of processed data must be ensured (and all appropriate measures to correct, delete or destroy incorrect or incomplete data must be taken); 
    • a level of data security appropriate to the risk must be ensured by taking suitable technical and organisational measures;
    • personal data shall not be processed contrary to the express wishes of the data subject; and
    • sensitive personal data shall not be disclosed to third parties.
  • Maintenance of record of processing activities, including at least the minimum content prescribed by the FADP; federal bodies are required to file their records of processing activities with the Federal Data Protection and Information Commissioner (FDPIC). 
  • Cross-border disclosure of personal data only in accordance with respective provisions (cf. below, Question 11).

The FADP further contains numerous obligations that only apply to controllers, including: 

  • Arranging data processing in such a way, both technically and organisationally, that the data protection regulations, in particular the DPP, are respected (“privacy by design”).
  • Ensuring by means of suitable default settings that the processing of personal data is limited to the minimum required for the purpose intended, unless the data subject specifies otherwise (“privacy by default”).
  • Appropriate information of data subjects when collecting personal data, ensuring that the information provided includes at least the minimum content prescribed by the FADP; separately, data subjects must be informed about any decision that is based exclusively on automated processing and that has legal consequences for or a considerable adverse effect on the data subject (so-called “automated individual decisions”).
  • Carrying out a DPIA beforehand, if processing is likely to result in a high risk to the data subject’s personality or fundamental rights. If the DPIA indicates that the planned processing will still pose a high risk despite the measures planned, the FDPIC’s opinion must be sought beforehand, unless an appropriately appointed data protection officer (DPO) has been consulted (unlike under the GDPR, appointing a DPO is always voluntary in Switzerland).
  • Notification of data security breaches to the FDPIC and/or data subjects under certain circumstances.
  • Appointment of a representative in Switzerland in case of a registered office or domicile abroad, if personal data of persons in Switzerland is processed and the data processing meets certain requirements.
  • Assignment of processing to a processor only by contract or by law, only for processing that the controller itself would be permitted to carry out, and only if no statutory or contractual duty of confidentiality prohibits such assignment. Additionally, the controller must ensure that the processor is able to guarantee data security. Finally, the processor may only assign processing to a third party (i.e. sub-process) with the controller’s prior (general or specific) approval.

9. What rights does the data subject have in relation to personal data?

The FADP grants data subjects the following rights, each subject to relevant prerequisites, limitations and exceptions foreseen under the FADP and ODP: 

  • Right of access. To request information from the controller on whether personal data relating to them is being processed and, if this is the case, the data subject shall be provided with the necessary information to exercise their rights. 
  • Right to data portability. To request the controller to deliver the personal data they have disclosed in a conventional electronic format (either to themselves or directly to another controller, provided this does not require disproportionate effort), if the controller is carrying out the automated processing of the data and the data is processed with the consent of the data subject or in direct connection with the conclusion or performance of a contract between the controller and the data subject.
  • Right of correction. To request that incorrect personal data be corrected. If neither the accuracy nor inaccuracy of the relevant personal data can be established, the data subject may request that the data be marked as disputed. 
  • Right to prohibit. To request that a specific data processing activity be prohibited or a specific disclosure of personal data to third parties be prohibited (towards federal bodies, data subjects must credibly demonstrate a legitimate interest for the latter). 
  • Right to be forgotten. To request that personal data be deleted or destroyed.
  • Right of publication. To request that any of the following should be communicated to third parties or be published: correction, deletion or destruction of personal data; prohibition of processing or disclosure to third parties; marking personal data as disputed; or the judgment. 

Again, these rights are not absolute and may be restricted, in particular, by statutory provisions, the protection of third-party rights, overriding public interests, or, in certain cases, overriding private interests of the controller. 

10. What rules regulate the sending of commercial or direct marketing communications?

Under the Unfair Competition Act, the sender (or anyone who procures the sending) of unsolicited mass advertisements (i.e. advertisements with no direct connection to any content requested by the recipient) by telecommunications means (such as email, text or instant messages, automated phone calls, etc.) must obtain the intended recipient’s prior consent (opt-in). Further, each individual mass advertisement must indicate the correct sender and provide a simple, free-of-charge option to refuse further advertisements (opt-out).

An exception to this consent regime applies if the contact details of customers are obtained in the course of the sale of goods, works or services. In such cases, those contact details may be used for mass advertising of the sender’s own similar goods, works or services to those customers. However, such recipients (i.e. existing customers) must be informed of their option to refuse such mass advertisements. Also, this exception does not apply to the mass advertisement of third-party goods, works or services (affiliates are not considered third parties in this sense).

11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?

Personal data may be disclosed abroad if the Federal Council has decided that the legislation of the jurisdiction (or international body) concerned guarantees an adequate level of protection. The countries which the Federal Council regards as adequate include all European Economic Area countries and a few further selected countries (including the United Kingdom). The full list of adequate countries is annexed to the ODP. Since September 15, 2024, the U.S. has been deemed to provide an adequate level of protection for cross-border transfers of personal data to US companies self-certified under the Swiss–U.S. Data Privacy Framework (and is included in the list accordingly).

The cross-border disclosure of personal data to jurisdictions not included in said list is only permissible if an appropriate level of data protection is guaranteed by:

  • a treaty under international law;
  • data protection clauses in an agreement between the controller or the processor and its contractual partner, notice of which has been given to the FDPIC beforehand;
  • specific guarantees drawn up by the competent federal body, notice of which has been given to the FDPIC beforehand;
  • standard data protection clauses that the FDPIC has approved, issued or recognised beforehand (better known as SCC); or
  • binding corporate rules (BCR) that have been approved in advance by the FDPIC or by the authority responsible for data protection in a jurisdiction that guarantees an adequate level of protection (i.e. unlike SCC, BCR approved by an EU data protection supervisory authority can be relied on by Swiss companies without further requirements).

In the absence of both an adequacy decision by the Federal Council and specific guarantees, cross-border disclosure is only permissible in the following cases:

  • the data subject has explicitly consented;
  • disclosure is: 
    • directly connected with the conclusion or performance of a contract between the controller and the data subject or between the controller and its counterpart in the interests of the data subject;
    • necessary in order to safeguard an overriding public interest or to establish, exercise or enforce legal rights before a court or another competent foreign authority; or
    • necessary to protect the life or the physical integrity of the data subject or a third party, and it is not possible to obtain the consent of the data subject within a reasonable time;
  • the data subject has made the data generally accessible and has not explicitly prohibited processing; or
  • the data originates from a statutory register that is public or accessible to persons with a legitimate interest, provided the statutory requirements for access are met in the case concerned. 

12. What are the investigatory and enforcement powers of the regulator?

The FDPIC is the regulator responsible for supervising the application of federal data protection regulations (note: cantonal supervisory authorities oversee the application of cantonal data protection regulations). The FDPIC has the authority, and indeed the duty, to initiate an investigation into a federal body or private actor, either ex officio or in response to a report, if there are sufficient indications that a data processing activity could violate data protection regulations. However, the FDPIC may refrain from opening an investigation if the violation is of minor importance.

The FDPIC must be provided with all the information and documents needed for the investigation (unless a statutory exception applies). If the federal body or private actor under investigation fails to fulfil its duty to co-operate, the FDPIC may, as part of the investigation, order in particular the following:

  • access to:
    • all information, documents, records of processing activities and personal data required for the investigation; and
    • premises and installations;
  • questioning of witnesses; and
  • appraisals by experts.

In order to enforce those measures, the FDPIC may request support from other federal authorities and the police.

If data protection regulations have been violated, the FDPIC may order that the processing be modified, suspended or terminated, wholly or in part, and the personal data be deleted or destroyed, wholly or in part. The FDPIC may further: 

  • delay or prohibit disclosure abroad if it violates statutory requirements; and
  • order certain information (including on data security breaches) to be provided, specific measures (regarding privacy by design and default, and data security) to be taken, data subjects to be informed or notified, a DPIA to be conducted, the FDPIC to be consulted, or a Swiss representative to be appointed.

If the required measures to restore compliance are taken during the investigation, the FDPIC may simply issue an official warning.

Unlike its counterparts abroad, the FDPIC has no competence to issue sanctions of any kind.

13. What are the sanctions and remedies for non-compliance with data protection laws?

Civil law consequences. If processing of personal data breaches the data subject’s personality rights, the data subject can bring a lawsuit before the competent cantonal civil courts and in particular request that a specific data processing activity be prohibited, a specific disclosure of personal data to third parties be prohibited, or that personal data be deleted or destroyed. Furthermore, the data subject may also claim compensation of actual damages caused (which must be demonstrated) and/or for a sum of money by way of satisfaction (Genugtuung).

Administrative consequences. See above, Question 12.

Criminal consequences. Certain specified violations can incur fines of up to CHF 250,000 if they are committed wilfully. The fine is primarily imposed on the individual responsible for the data processing in question (rather than on the company, which may be the controller or processor). Fines are prosecuted by the competent public prosecutor’s office.
