Data Protection Enforcement in Switzerland

Administrative Remedies

The Federal Data Protection and Information Commissioner has the power to conduct investigations, as well as to issue recommendations, (i) if the data processing concerned violates the privacy rights of a large number of persons; (ii) if data collections must be registered; or (iii) if there is an information obligation in accordance with the Data Protection Act.

Civil Remedies

Violating data protection obligations may result in civil liability. The violated person may sue the violating person for correction, cease and desist, deletion and damages covering financial losses or lost profits incurred by the violated person. The damages depend on the actual losses and lost profits proved by the plaintiff. In exceptional cases, the violating party may have the obligation to pay a satisfaction amount to the data subject to compensate for immaterial damages.

Criminal Remedies

The sanctions are fines of up to CHF 10’000, and imprisonment for up to three years for violations of professional secrecy. However, not every violation of a data protection obligation automatically results in a sanction provided for in the Data Protection Act. Only the following violations by private persons are subject to penal sanctions and a fine:

  • Failing intentionally to comply with access rights or information obligations;
  • Failing intentionally to register accurately their data collections or to notify the Federal Data Protection and Information Commissioner of the safeguards implemented for the cross-border transfer of personal data to countries that do not provide an adequate level of protection;
  • Failing intentionally to cooperate in investigations by the Federal Data Protection and Information Commissioner or providing inaccurate information;
  • Disclosing intentionally and without authorization confidential and particularly sensitive information or personality profiles obtained in a professional function that requires the knowledge of such data or while working for a third party subject to confidentiality obligations.

Other Remedies

The individual committing the breach will be subject to the sanctions. However, the directors and board members of a legal entity may also be subject to sanctions.

Selected Enforcement Actions / General Comments

Previously, the Federal Data Protection and Information Commissioner emphasized its consultative and administrative role. Following recent privacy developments, it appears that the Federal Data Protection and Information Commissioner is taking a more proactive approach in pursuing data processing that may potentially violate the privacy rights of a wider population. It is expected that the number of court cases will rise in the future as a result of this approach.

To date, no fines have been imposed in published case law. Please note that first instance case law is usually not published and second instance case law is only published occasionally. Third instance case law is published on a regular basis. While no fines were imposed, there have been some notable decisions enforcing data privacy rules:

Judgment of the Swiss Federal Supreme Court on Logistep (BGE 136 II 508, September 8, 2010)

Acting on behalf of rights holders, Logistep had been collecting the IP addresses of users who were using peer-to-peer networks to exchange what were purported to be illegal uploads of copyrighted material, such as video and music files. Once they were in possession of the IP addresses, rights holders filed criminal charges which allowed them to identify the persons involved and to claim damages from them. The Swiss Federal Supreme Court ordered Logistep to halt all copyright-related data processing activities and banned it from forwarding any data already collected to copyright holders. The key arguments of the Swiss Federal Supreme Court can be summarized as follows:

  • In the case of a data transfer, if the recipient is able to identify the person concerned, the data shall be considered personal. If personal data is involved, the Data Protection Act must apply to all processing activities involving this data.
  • In the abstract, it is impossible to determine whether IP addresses, in particular dynamic ones, involve personal data or not. However, IP addresses are considered to be personal data if, based on common experience, third parties who are interested in identifying the individual user can be expected to undertake the effort to make such identification. This was true in the case of Logistep, since its entire business model was premised on the identification of the individual user.
  • In processing the data it had collected, Logistep had violated the principles of purpose limitation and transparency. The issue to be decided was whether the company had provided any legal justification for its actions. In the court’s opinion, a strictly systematic interpretation according to which a legal justification can only be invoked for the cases covered by paragraphs b) and c), but not a) of Article 12.2 of the Data Protection Act is not admissible, for even though the current version of sub-paragraph a) no longer refers to justificatory grounds, it does not explicitly exclude them either. The provision must therefore be interpreted in such a way that a justification for the processing of personal data in violation of the principles set out in Article 4, Article 5 paragraph 1 and Article 7 paragraph 1 of the FADP cannot as a general rule be excluded; however in this specific case, justificatory grounds may only be accepted with the greatest restraint.
  • The Supreme Court made it clear that it did not consider that data protection must always take precedence over copyright protection. In its opinion, it is the task of the legislator, and not the judge, to ensure that the appropriate steps are taken to guarantee copyright protection when works are distributed via the new technologies.

Moneyhouse Case

The operator of moneyhouse.ch, itonex AG in Rotkreuz, offers a contact search service, which involves the publication of address data on the Internet regardless of the consent of the relevant persons. Numerous individuals thereupon approached the Federal Data Protection and Information Commissioner (FDPIC), who then initiated a clarification of facts and demanded that itonex AG take the people search function off the Internet. The company did not react to that request, whereupon the FDPIC took legal action before the Federal Administrative Court and requested that the people search service be enjoined by way of an immediately enforceable injunction, i.e. without any prior hearing of the opposing party. The Federal Administrative Court complied with the request. In accordance with the Federal Data Protection and Information Commissioner’s demands, it additionally obliged itonex AG to instruct the operators of Internet search engines to delete saved address data immediately. After the hearing of itonex AG, the Federal Administrative Court annulled the immediately enforceable injunction, leading to the personal data being accessible again on the website of moneyhouse.ch.

In February 2013, itonex AG came to an arrangement with the Federal Data Protection and Information Commissioner regarding the handling of personal data and observes the negotiated recommendations, such as the following: Addresses which itonex AG obtained from an individual will only be published on moneyhouse.ch if a justification exists. Only if the person concerned consents to his or her current address being accessible over the Internet without any particular proof of interest is that consent considered a sufficient justification. In case of a justification other than the person’s consent, itonex AG needs to ensure for the other processing of the address data that the address exclusively serves authorized persons for the verification of the identity of the person concerned. Furthermore, the persons concerned have a right to address a personal information request as well as the possibility to request deletion. With regard to company information, such information is based on the commercial register, a summary of which can be found on zefix.ch. All data published on moneyhouse.ch is public and may be published with no time limit. The consent of the person or company concerned is not required.

The FDPIC has now again sued moneyhouse.ch before the Federal Administrative Court because he believes that moneyhouse.ch has only partially implemented his recommendations. A decision is pending.

BGE 138 II 346, May 31, 2012