Swiss Data Protection

Processing confidential data with due diligence

Technical security combined with certainty of the law is an important factor when storing confidential data. Enterprises including HP, IBM and SWIFT are drawn to Swiss data centers governed by the Swiss Data Protection Act (SDPA).

The purpose of the Swiss Data Protection Act is to protect the privacy, interests and fundamental rights of data subjects. Furthermore, it has as its central goal the maintenance of good data file practice and the facilitation of international data exchange by providing a comparable level of protection. The SDPA is very wide in its scope and applies to personal data file activities carried out by Federal authorities, private organizations and individual private persons (excluding those for normal private purposes).

The SDPA regulates the cross-border transfer of data in cases requiring protection of privacy. Transfers may be prohibited if, for example, the recipient's country cannot provide an adequate level of data protection. Both private individuals and federal bodies that may be involved in cross-border data disclosure are subject to the duty of due care. The transfer of data files abroad has to be notified in the event of a lack of adequate protection. In the absence of such protection, data may only be disclosed abroad if other safeguards, in particular contractual clauses or rules for the same legal person are in place to guarantee protection. The FDPIC must be informed of such clauses and rules. Furthermore, the consent of the person concerned, the impending conclusion or performance of a contract to which the person concerned is party, or the protection of the data subject or any overriding public interests can justify the disclosure of personal data abroad (cf. Art. 6 DPA).

Following an Opinion of the Federal Data Protection and Information Commissioner (2006) regarding the responsibility of financial service providers, Swiss-based providers have to carry out specific due diligence when processing personal data. “When a payment transaction is effected via a financial institution, the payer and the payee must be known. If a financial service provider in Switzerland participates in a payment transaction, it may be assumed that this will involve the processing of personal data within the meaning of the Swiss Data Protection Act (Article 3, letters a and e of the DPA). Thus, the financial service provider is subject to the same duties the Data Protection Act applies to private individuals“ (DPA and the Ordinance relating to the Data Protection Act –VDSG).