THE DATA PROTECTION BLOG
Data protection information obligations under the Federal Data Protection Act (FADP)
Under the previous version of the FADP, which was in force before 1 September 2023, controllers were only required to provide information to data subjects when collecting sensitive personal data or when creating personality profiles. The revised FADP, which came into force on 1 September 2023, imposes further information obligations on controllers. In the future, data subjects must be informed about the collection of personal data, regardless of whether the personal data is sensitive or not.
Scope of information obligations under the FADP:
Mandatory information
Under Art. 19 (1) FADP, controllers must inform the data subjects in an appropriate manner about the collection of personal data; this obligation to provide information also applies if the personal data have not been collected directly from the data subject. Under Art. 19 (2) FADP, the mandatory information includes at least the following:
- the identity and contact details of the controller;
- the purposes of the processing;
- the recipients or categories of recipients to whom the personal data is disclosed;
- the categories of personal data processed, unless they have been obtained directly from the data subject;
- if personal data are disclosed abroad, the recipient countries or international organisations and, where applicable, the guarantees for the protection of personal data under Art. 16 or the exceptions under Art. 17 FADP.
In addition, under Art. 21 FADP, data subjects must be informed if a decision is based solely on automated decision-making and is associated with legal consequences for the data subject or is significantly detrimental to the data subject.
Optional information
Privacy notices should contain all the information necessary for data subjects to exercise their rights under the FADP. To reflect this nature, the following additional optional information could be provided with the notice to the data subject:
- Information on data subjects’ rights under the FADP;
- The contact details of the controller where data subjects can exercise their data subject rights (for example, data subject access requests, requests for rectification or erasure of personal data);
- The contact details where the data subject can request a manual review of automated individual decisions;
- Where the processing of personal data is based on the data subject’s consent, all information necessary for the data subject to make an informed decision;
- Information on how the data subject can revoke consent once given or refuse to receive direct marketing communications in the context of an existing customer relationship.
Specification of individual data or categories
Art. 6 (1) and (2) FADP establish the principle of transparency in data protection. Under Art. 13 of the Data Protection Ordinance of 31 August 2022 (DPO), this information must be easily accessible and comprehensible. In its ruling C-154/21 on information on the recipients or categories of recipients of requests for information, the European Court of Justice (ECJ) stated that Art. 15 para. 1(c) GDPR must be interpreted as meaning that, in the case of requests for information, “the data subject must be informed of the identity of the recipients, unless it is not possible to identify the recipients […], in which case the controller may inform the data subject only of the categories of recipients concerned”. The ECJ also pointed out that any processing of personal data must comply with the principles laid down. The rulings of the ECJ are not applicable in Switzerland. Nevertheless, the Swiss Federal Courts have in the past followed the interpretation of the ECJ on data protection issues (see for example Federal Tribunal decision 136 II 508 – 08.09.2010 on IP addresses as personal data). Therefore, in the interest of transparent information in accordance with the FADP, it may make sense for Swiss controllers not to limit themselves to naming categories of recipients, but to name the recipients in detail, analogous to the above-mentioned ECJ ruling.
Modalities of Information Obligation:
The information under Article 19 FADP must be provided at the time of the collection of personal data, meaning at the beginning of data processing when personal data is gathered. Providing the information once is sufficient: under Article 20(1)(a) FADP, there is no need to inform again if the data subject already has the relevant information. Article 13 DPO emphasizes that the controller must communicate the information to the data subject “in a precise, transparent, understandable, and easily accessible manner.”
Exceptions to the Information Obligation:
In certain cases, the obligation to provide information is waived. Under Article 20 FADP, this is the case, for example, if data processing is legally mandated, if the controller is legally bound to confidentiality, or if media privilege under Article 27 FADP can be invoked, provided that personal data is processed solely for publication in the editorial section of a periodically published medium or is used exclusively as a personal working tool in this context.
There is also no obligation to provide information if personal data is collected about third parties and informing the data subjects is impossible or would require a disproportionate effort. In addition, the provision of information may be waived if it would thwart the purposes of the data processing or if overriding interests of the controller or a third party argue against the provision of information.
Information Obligation and Access Requests under Article 25 FADP:
The information provided to data subjects under Article 19 FADP must be provided proactively whenever personal data is collected. In contrast, the right of access under Article 25 FADP is granted only upon request of the data subject and is more extensive than the information initially provided under Article 19 FADP. In addition to the information specified in Article 19 FADP, the following additional information must be provided when responding to a request for access:
- the retention period of the personal data or, if that is not possible, the criteria for determining that period;
- any available information about the source of the personal data, insofar as it was not obtained from the data subject;
- if applicable, the existence of automated individual decision-making and the logic on which the decision is based.
Consequences of violating Information Obligations:
The intentional violation of the information and access obligations under the revised FADP is a criminal offense that will be prosecuted upon request. Accordingly, persons who violate the obligations under Article 19 (information obligation), Article 21 (information obligation regarding automated individual decisions) and Articles 25-27 (access obligations) by intentionally providing false or incomplete information may be fined up to 250,000 Swiss francs. In addition, those who intentionally fail to inform the data subject in accordance with Articles 19(1) and 21(1) FADP or who fail to provide the information specified in Article 19(2) FADP may also be fined.