- IN A NUTSHELL
- I. General information
- II. Requirements for consent (Art. 6 para. 6 FADP)
- III. Explicit consent (Art. 6 para. 7 FADP)
- V. Legal consequences of missing, invalid or revoked consent
- VI. Practical tips
- VII. Criticism of the standard
- Bibliography
- MATERIALS
IN A NUTSHELL
Art. 6 para. 6 and 7 FADP stipulate the validity requirements for consent under data protection law. However, the cases in which consent is required are regulated in other provisions. The content of the new provisions on consent is essentially the same as that of Art. 4 para. 5 aDSG. It has merely been specified that consent must be given for one or more specific processing operations, which already applied previously. In the case of explicit consent, the newly introduced profiling has replaced the personality profile of the old law. Otherwise, however, there should be no change to the legal situation. If consent is required, it must therefore still be given voluntarily for one or more specific processing operations after appropriate information has been provided. If consent is required for the processing of particularly sensitive personal data, for high-risk profiling by a private individual or for profiling by a federal body, it must also be explicit. However, even in these cases, there is no general requirement for consent, although some argue otherwise. Within the scope of application of the DSGVO, consent is used more frequently as the legal basis for processing due to the different concept (principle of prohibition with reservation of permission), and the requirements for valid consent are higher overall than under the FADP.
I. General information
A. History of origin
1 The content of Art. 6 para. 6 and para. 7 FADP essentially corresponds to Art. 4 para. 5 aDSG, although some editorial changes were made as part of the total revision. Explicit consent has been separated from "ordinary" consent and regulated in a separate paragraph. It was also clarified that consent must relate to one or more specific processing operations. This clarification was made with a view to aligning with the revised ETS 108 Convention, but does not result in any change to the legal situation. As the term "personality profile" was also replaced by "profiling" as part of the total revision, consent for high-risk profiling by private individuals and profiling by federal bodies must now be given explicitly.
2 The new criterion of unambiguous consent introduced in the draft was dropped during parliamentary deliberations. This had also originally been added with a view to approximating the revised ETS 108 Convention.
B. System and delimitation
3 The Swiss Data Protection Act is based on the principle of permission with reservation of prohibition. Accordingly, processing is generally permitted provided that the processing principles of Art. 6 and data security pursuant to Art. 8 FADP are complied with, personal data is not processed contrary to the express declaration of intent of the data subject, and personal data requiring special protection is not disclosed to third parties (Art. 30 para. 2 FADP). Otherwise, there is a violation of personality rights, which can be justified, among other things, by the consent of the data subject (Art. 31 para. 1 FADP).
4 Art. 6 para. 6 and 7 FADP therefore do not stipulate a general requirement for consent, but only define the conditions under which consent is valid. Whether and for which cases consent is required, however, is regulated elsewhere. Accordingly, consent is not required per se for the cases set out in Art. 6 para. 7 FADP (processing of particularly sensitive personal data, high-risk profiling by a private individual and profiling by a federal body), even if some argue otherwise.
5 Despite the systematic position of the provisions on consent under Art. 6 FADP with the title "Principles", the validity requirements for consent are not a processing principle under data protection law. In particular, there is no violation of personality rights if the requirements for consent are not met, although Art. 30 para. 2 lit. a FADP refers to the "principles" of Art. 6 FADP. For this reason, it would have been better to move the provisions on consent to the definitions in Art. 5 FADP.
C. Scope of application
6 For private individuals, consent may in particular justify a violation of personality rights (Art. 31 para. 1 FADP). In addition, consent may be relevant for private individuals in the following cases: For the disclosure of personal data abroad in derogation of Art. 16 para. 1 and 2 FADP (Art. 17 para. 1 lit. a FADP); for automated individual decisions without having to comply with the requirements of Art. 21 para. 1 and 2 FADP (Art. 21 para. 3 lit. b FADP); in the context of the right to information for the communication of health data by a health professional (Art. 25 para. 3 FADP).
7 For federal bodies, consent may replace the general requirement of a legal basis in individual cases (Art. 34 para. 4 lit. b FADP), including for the disclosure of personal data abroad (Art. 36 para. 2 lit. b FADP).
8 In addition, consent is also mentioned elsewhere in the FADP and may also be provided for in special legislation. Whether and to what extent the requirements of the FADP apply here has not been fully clarified, particularly in the intersection with the ban on spam pursuant to Art. 3 para. 1 lit. o UCA. However, this is at least implicitly assumed.
D. Comparison with the DSGVO
9 The Swiss concept differs fundamentally from the reverse concept of the DSGVO. There, the principle of prohibition with reservation of permission applies, according to which any processing of personal data is prohibited unless there is a legal basis for the processing (Art. 6 DSGVO). One of these possible legal bases is consent (Art. 6 para. 1 lit. a DSGVO). Its requirements are described in more detail in Art. 4 No. 11 and Art. 7 DSGVO in general and, with regard to the consent of children, in Art. 8 DSGVO. For the processing of special categories of personal data, consent must be given expressly (Art. 9 para. 2 lit. a DSGVO).
10 The requirements for valid consent under the DSGVO are stricter than those under the FADP. Consent that is valid under the DSGVO therefore generally meets the requirements of the FADP, while consent that is valid under the FADP does not necessarily meet the stricter requirements of the DSGVO.
II. Requirements for consent (Art. 6 para. 6 FADP)
A. General information
11 Consent is subject to the general "limits" of personal rights, which include the provisions of Art. 16 et seq. CC (capacity of judgment) and Art. 27 CC (excessive commitment). Consent is to be qualified as a unilateral legal transaction, which is why the CO applies in particular to the interpretation of consent (principle of trust), the limitations of Art. 19 and 20 CO and defects of will (Art. 23 et seq. CO).
B. Capacity of judgment
12 The granting of consent under data protection law constitutes the exercise of a highly personal right and can therefore be exercised independently by persons who are capable of judgment but lack the capacity to act (Art. 19c para. 1 CC). Persons lacking capacity of judgment, however, are generally represented by their legal representative (Art. 19c para. 2 CC). Parents can give consent for children lacking capacity of judgment within the scope of their legal representation and to the extent of the parental care to which they are entitled (Art. 304 CC).
13 A person is capable of judgment if they do not lack the capacity to act rationally due to certain conditions (infancy, mental disability, mental disorder, intoxication or similar) (Art. 16 CC). As a rule of thumb, the capacity of minors aged 13 and over is to be assumed. Due to the relative nature of the capacity of judgment, the requirements are to be set higher, for example, in the case of complex processing, sensitive personal data and serious interventions in the personality.
C. Timing
14 Consent must generally be given prior to data processing, which may, for example, be prior to data collection or disclosure (see Art. 5 lit. d FADP). If consent is required and has not been given, the corresponding data processing is unlawful.
15 Subsequent consent in the strict sense is excluded. A subsequent authorization can be considered, however, which is to be interpreted as a waiver of the assertion of claims. Data processing nevertheless remains unlawful until the time of the subsequent authorization. In addition, subsequent authorization only extends to data processing about which appropriate information was initially or subsequently provided.
D. One or more specific processing operations
16 The criterion that consent must relate to one or more specific processing operations was added with the total revision. This brings the wording into line with Art. 5 para. 2 of the revised ETS 108, but without changing the legal situation.
17 As under the old law, it is necessary that the processing is sufficiently defined, in particular with regard to scope and purpose. The data subject should be able to understand for which processing they are giving their consent. The specific scope of the consent results from the declaration of consent and the appropriate information. Without further information, general descriptions of purposes such as "improving the user's experience", "advertising purposes", "IT security purposes" or "future research" are inadequate. The processing can be limited or unlimited in time. In some cases, however, consent is required on a case-by-case basis.
18 Consent to several processing operations does not require that they all have the same purpose; consent can also be given for different processing operations. In addition, a processing purpose such as medical treatment by a doctor may require different processing operations, e.g. the exchange of particularly sensitive personal data with other specialists or insurance companies and processing for billing purposes.
19 The extent to which general consent is permissible is controversial. In any case, the limits of consent must be clear and, based on the principle of proportionality, the more sensitive the nature and scope of the processing, the clearer it must be. Unlimited declarations of consent for any purpose, for any processing or for all categories of personal data by unlimited processors are therefore inadmissible. On the other hand, it is permissible, for example, to authorize the previous employer to generally provide information to potential employers, which requires express consent in the case of the disclosure of particularly sensitive personal data (such as information on absences due to illness).
E. Adequate information
20 Consent under data protection law is based on the "informed patient's consent", meaning that all information must be provided in the specific case so that the data subject can make a free decision. In other words, it is important that the data subject is clear about what they are consenting to, i.e. that they know the scope of their consent. The specific information to be provided was already not uniformly assessed under the old law, nor will it be under the new law.
21 According to the view expressed here, the requirements for appropriate information can be based on the duty to provide information pursuant to Art. 19 FADP. This is because the appropriate information required for consent can lead to an exemption from the duty to provide information pursuant to Art. 19 FADP, as the data subject already has the relevant information (Art. 20 para. 1 lit. a FADP).
22 However, this does not mean that all information under Art. 19 FADP must be provided in every case as the basis for the appropriate information under Art. 6 para. 6 FADP, even if such an integrative approach may be required in practice. According to the view expressed here, at least the following information is required for appropriate information in the context of consent:
- Identity of the controller;
- Purpose of processing;
- (Categories of) personal data processed.
23 Which of this information is required and to what level of detail, and whether additional information is required, depends on the circumstances of the individual case. In application of the principle of proportionality, the more sensitive the personal data concerned, the clearer the appropriate information must be. For example, Art. 16 para. 2 HRA specifies for consent to research projects, among other things, that information must also be provided on the foreseeable risks and burdens as well as measures to protect the personal data collected. According to Art. 8 para. 1 HRA, information must also be provided on the right of refusal or withdrawal and the consequences of withdrawal, as well as in general on other content required for the decision.
24 Unlike Art. 7 para. 3 DSGVO, however, the FADP does not generally require information about the right of withdrawal and the fact that the withdrawal does not affect the lawfulness of the processing based on the consent until the withdrawal. A lack of information in this regard therefore does not invalidate any consent given.
25 The DSGVO also requires that consent can be withdrawn as easily as it was given. Based on the principle of good faith, the FDPIC has also demanded this for the aDSG. However, there is no support for this in the law and this view should therefore be rejected. On the other hand, the voluntary nature of consent may be questionable if it cannot be revoked in a reasonable manner.
26 In line with the explanations in the 2003 Dispatch, some take the view that information must be provided about the negative consequences or disadvantages of refusing consent. According to the view expressed here, this is not a necessary part of appropriate information, but depending on the adverse consequences, it may call into question the validity of consent due to the lack of voluntariness. On the other hand, information must be provided about any existing risks of data processing.
27 Appropriate information must always be provided by the controller. However, it is possible to obtain consent for processing by a third party. This regularly requires the third party to be named, unless this information is sufficiently clear from the circumstances, as may be the case, for example, in the case of group companies.
28 The information provided must be interpreted in accordance with the principle of trust, i.e. as the person concerned could and should have understood it. The benchmark is a person of average understanding within the group of addressees concerned. The doctrine that would instead focus on the abilities of the individual person concerned must therefore be rejected.
29 The appropriate information must be precise, transparent and comprehensible. It should be written in the language in which the controller provides the services on which the processing is based. The information may be provided orally or in writing; however, for reasons of proof, it is advisable to provide evidence in text form. If the information about the processing to which consent is given has to be fragmented and compiled from several places in one document, this may be an argument against the provision of adequate information.
30 It must be possible to take note of the information before consent is given. A reflection period may be appropriate depending on the sensitivity of the processing. For example, Art. 16 para. 3 HRA requires that a reasonable period of reflection be granted before the data subject consents to a research project.
31 Whether the information is actually taken note of is irrelevant. The only decisive factor is whether there was a reasonable opportunity to take note of the information. In the case of a global acceptance, i.e. the granting of consent without taking note of the information (e.g. because it can only be found in linked general terms and conditions or a privacy policy), unusual clauses do not apply (unusualness rule). It may therefore be appropriate to highlight unusual aspects separately.
F. Voluntariness
32 Consent must be given voluntarily, i.e. it must be an expression of the data subject's free will. There is an interaction with the need for appropriate information. If the appropriate information is not provided, consent cannot be assumed to be voluntary. Consent is also not voluntary if it was obtained through deception, threats or coercion.
33 The FADP does not have a prohibition of linking based on Art. 7 para. 4 DSGVO, although its existence and scope under the DSGVO is disputed. Nevertheless, there are also forms of inadmissible tying of consent under Swiss law, but the hurdles are higher than under the DSGVO. In particular, consent should not be voluntary if a refusal of consent results in a disadvantage that is unrelated to the purpose of processing or is disproportionate to it. However, any other disadvantage resulting from the refusal of consent does not affect the validity of the consent.
34 Examples: Consent to a credit check for the purpose of obtaining a credit card is given voluntarily and is permissible, as without consent the disadvantage of not receiving the credit card is proportionate. The impossibility of participating in an insurance program is directly related to the data processing for which consent is obtained; and the fact that monetary benefits and cash bonuses in the maximum amount of CHF 75.00 per year are advertised for persons with basic insurance only does not call into question the voluntary nature of the consent. However, consent given under the threat of dismissal in the event of non-consent to data processing not provided for in the employment contract is deemed to be involuntary because the threatened disadvantage is disproportionate.
35 In some cases, voluntariness is only assumed if there is a reasonable alternative course of action. According to the view expressed here, apart from exceptional situations (in particular dominant market position, social or de facto dependencies), no alternative is required for the affirmation of voluntariness. Therefore, if consent is not given, the person concerned can generally be denied the use of a service.
36 The question of whether consent is voluntary is particularly controversial in the employment relationship. Some argue that the necessary voluntariness is lacking in this context or that any data processing that goes beyond Art. 328b CO is inadmissible. Other authors merely see the scope of voluntariness as being narrower, for example in that a reasonable alternative course of action must be available to employees. The prevailing doctrine and the FDPIC consider data processing that goes beyond Art. 328b para. 1 CO to be permissible only if it is advantageous for the employees or in their interest (Art. 362 CO). Other authors also consider consent that deviates from Art. 328b CO to the detriment of employees to be valid under certain circumstances. According to the Federal Supreme Court, although data processing contrary to Art. 328b CO is unlawful, it can be based on a justification pursuant to Art. 13 aDSG. According to this view, Art. 328b CO is therefore a processing principle and not a prohibition provision. However, the brief explanations on this are criticized in the doctrine. The Federal Supreme Court has subsequently confirmed its view, but without referring to its earlier decision.
37 According to the view expressed here, consent in the employment relationship is not excluded per se and consent can also be given to processing that goes beyond Art. 328b para. 1 CO. The decisive factor here is whether or not appropriate information was provided and whether or not it can be assumed that consent is actually voluntary in the form of an option to refuse without adverse consequences. For example, consent can be given to the publication of photos of employees without customer contact on the Internet or even for advertising purposes, provided that information has been provided about the corresponding processing and the employee has effective freedom of choice. The position of the employee and the employee's life cycle (application, current employment relationship, termination) may be decisive for this assessment. On the other hand, a lack of voluntariness would have to be assumed in the last example mentioned in n. 34.
38 In the European context, the issue of so-called dark patterns or nudging must be considered for the question of voluntariness, especially in the area of cookie banners. According to case law and the opinion of supervisory authorities, enticing users to give their consent, e.g. through unequal color design and size of the "Accept" and "Decline" buttons or additional effort for declining (e.g. by only offering a "Decline all" button on the second display level, after clicking on "Continue"), calls voluntariness into question. Whether this development will also gain significance in Switzerland is questionable. This is because Swiss law does not generally require consent for cookies. The relevant Art. 45c lit. b TCA only requires that users "are informed about the processing and its purpose and that they can refuse the processing." However, further developments in this regard will have to be monitored, as the FDPIC and others generally assume that tracking constitutes a justifiable violation of privacy.
39 The DSGVO requires that granular consent can be given for various processing operations. This is one reason why cookie banners that comply with European law often offer the option of consenting to each individual cookie separately. Of course, the usefulness of such granularity for cookies is debatable. After all, it is rather unlikely that a person would want to give their consent to certain individual cookies and not to others. Since such a requirement of granularity cannot be inferred from the FADP, this can only be demanded in exceptional cases.
G. Unambiguousness
40 The draft FADP still stipulated that consent must be given "unambiguously". In this regard, the dispatch states that the data subject's declaration must unequivocally indicate their will, which depends on the circumstances of the individual case, and that the more sensitive the personal data in question, the clearer the consent must be, based on the principle of proportionality.
41 However, the requirement of unambiguousness was dropped by Parliament and was therefore not included in the wording of Art. 6 para. 6 FADP. However, the fact that the dispatch refers to this criterion has apparently caused confusion among scholars.
42 The 2003 dispatch had already stated that, based on the principle of proportionality, the more sensitive the personal data in question, the clearer the consent must be. This affects the clarity of the declaration of intent, which means that there are parallels with the criterion of the "unambiguous affirmative act" found in the DSGVO. As an alternative to the "declaration", this represents the second application case of the "unequivocal expression of will" pursuant to Art. 4 No. 11 DSGVO. However, in the absence of a corresponding criterion in the FADP, unlike the DSGVO, it cannot be inferred from this that consent is inadmissible, for example by means of pre-ticked boxes. This also does not necessarily contradict the requirement of "privacy by default" pursuant to Art. 7 para. 3 FADP.
43 However, an interpretation of the criterion of unambiguousness in accordance with the revised ETS 108 would require consent to be "unambiguous". This requirement can relate to both the form and the content of the declaration. The dispatch suggests that the element relates to the form. If this is the case, the legislator has taken this formal requirement into account by stating that consent by silence is generally not sufficient. Insofar as the content is to be affected, the principle that the requirements vary based on the principle of proportionality applies in any case. Thus, under Swiss law, the criterion of unambiguousness would have no independent significance.
H. Form
44 Consent can be given without form. Apart from statutory exceptions, verbal consent is therefore also possible. However, since the data processor bears the burden of proof for consent, documentable consent is the obvious choice. This relativizes, at least de facto, the fundamental freedom of form.
45 In principle, consent can also be obtained within the framework of general terms and conditions. However, if the terms are accepted globally in this case, the unusualness rule applies, according to which unusual consents are ineffective to the detriment of the data subject. In addition, the ambiguity rule comes into play, according to which unclear formulations are at the expense of the author in case of doubt.
46 Except where explicit consent is required under Art. 6 para. 7 FADP, consent can also be given implicitly. In this case, the declaration of intent does not result from the declaration itself, but from behavior that can be understood as a clear expression of intent based on the circumstances. This is the case, for example, if the data subject makes their data accessible themselves.
47 Implied consent is often used as a synonym for tacit consent, but this should be avoided. Silence or inactivity does not generally lead to valid consent (see Art. 6 CO), unless the parties have agreed to silence as consent.
48 In exceptional cases of urgency, presumed consent is conceivable, e.g. in the case of unconscious patients. However, the significance of such consent is negligible, as in these cases a justification based on the overriding interest of the person concerned would probably apply anyway. In some cases, a distinction is made between presumed consent and hypothetical consent. According to this, consent should be valid despite the lack of adequate information, as the data subject would have consented even if they had been fully informed. However, there is hardly any room for this unless the data subject subsequently consents to this in the form of a waiver of the assertion of claims.
III. Explicit consent (Art. 6 para. 7 FADP)
49 If consent is required for the processing of particularly sensitive personal data, high-risk profiling by a private individual or profiling by a federal body, this must be given expressly. This means that consent is not generally required for these processing operations either. This results from the clarification in the parliamentary consultation and the fact that no change to the legal situation should be made, even though statements in the parliamentary debate sometimes suggested the opposite, the wording of Art. 6 para. 7 FADP, unlike that of Art. 6 para. 6 FADP, does not state this at the outset, and the FDPIC and the doctrine sometimes argue the opposite.
50 The criterion of expressness must be observed in addition to the requirements of Art. 6 para. 6 FADP. This was better expressed in Art. 4 para. 5 aDSG and in the preliminary draft of the FADP, as "normal" and explicit consent were regulated in the same paragraph and the addition "in addition" made this clear.
51 It is disputed whether the more stringent element of expressness relates only to the form or also to the content of the consent. With regard to form, express is understood to be the opposite of implied. However, written consent is not required. Based on Art. 1 CO, the question of expressness is determined by whether the expressed will is directly evident from the declaration of intent in the form of written or spoken words or a sign. In other words, the manner in which the will is expressed must already provide clarity about the will. Examples of explicit signs include actively ticking a box, actively selecting certain technical parameters for IT services, nodding one's head in agreement during medical treatment or opening one's mouth to remove mucous membrane from the cheek after being informed accordingly. For reasons of the burden of proof, however, documentable consent is again required.
52 According to some scholars and the FDPIC, expressness also refers to the content. In the case of express consent, the affirmative behavior should refer to the data processing in question and not merely to the action that only results in this data processing. Consent to receive personalized advertising would therefore not include explicit consent to the high-risk profiling on which the advertising is based.
53 According to the view expressed here, the requirement of expressness refers to the form of consent and not its content. The 2003 Dispatch states: "Consent is not bound to a specific form and can be given tacitly or by implication, unless it concerns the processing of particularly sensitive data or personality profiles. In accordance with the principle of proportionality, it is already assumed that the more sensitive the personal data in question, the clearer the consent must be." For the second sentence, the dispatch refers to a literature reference that expressly understands express consent as the opposite of implied consent. The historical interpretation element confirms this finding, especially as the 2017 dispatch states that there should be no deviation from the current legal situation.
IV. Revocation
54 Consent can be withdrawn at any time and without justification. However, revocation at an inopportune time may trigger liability for damages. Revocation takes effect only for the future, which means that the legality of processing that has already taken place is not affected by the revocation. However, previous data processing can be contested on the basis of a lack of consent. Data processed on the basis of consent may have to be deleted if there is no other justification for further processing in the form of continued storage.
55 According to the Federal Supreme Court, consent concerning personal data that does not form part of the core area of human existence, such as name, voice or image, can be made irrevocable if the contractual obligation is based on economic interests. However, the extent to which these considerations on the right to one's own image can be generalized is not entirely clear. In the case under review, one of the decisive factors was that revocation was possible against payment of a moderate compensation for rescission in the form of a contractual penalty.
V. Legal consequences of missing, invalid or revoked consent
56 If a certain processing requires consent and this is not given (in good time) or does not meet the validity requirements, the corresponding processing is unlawful or constitutes a violation of personality rights. If processing is continued despite the withdrawal of consent, this also constitutes a violation of personality rights (Art. 30 para. 2 lit. b FADP).
57 In these cases, a controller may invoke other justifications (Art. 31 FADP) as a subsidiary basis. If, on the other hand, no other justification applies, there are claims against private controllers (Art. 32 para. 2 FADP) or federal bodies (Art. 41 FADP) and, if necessary, investigative and administrative measures are taken by the FDPIC (Art. 49 et seq. FADP).
58 A violation of Art. 6 para. 6 and 7 FADP is not directly punishable. However, indirect punishment is possible, particularly in the case of the disclosure of personal data abroad based on invalid or revoked consent, provided that the disclosure was continued based on this consent (Art. 61 lit. a in conjunction with Art. 17 para. 1 lit. a FADP). In addition, in the area of electronic mass advertising in particular, a lack of consent pursuant to Art. 3 para. 1 lit. o UCA may result in a penalty pursuant to Art. 23 UCA.
VI. Practical tips
59 In practice, consent is sometimes obtained for processing that does not require it. It is occasionally argued that the transparency requirement or the principle of good faith speaks against obtaining consent that is not necessary. As a rule, such strictness is not appropriate because the question of the necessity of consent is often associated with legal uncertainty. However, since consent can be withdrawn at any time, alternative justifications should be examined first.
60 Formulations such as "I agree to the privacy policy", "I accept the privacy policy" or similar are often found on the internet. However, a privacy policy should only provide information unilaterally and not constitute a bilateral contract. Where the policy is accepted wholesale without being read (global acceptance), the unusualness rule also has a restrictive effect. The privacy policy should therefore only be linked and consent should be obtained separately and cautiously.
VII. Criticism of the standard
61 According to the dispatch on the new Data Protection Act, one of the guiding principles of the revision was to strengthen the rights of data subjects, which was also to be achieved by more precisely defining the requirements for valid consent from the data subject. It cannot be assumed that this goal will be achieved by the clarification of the requirements for consent. On the one hand, there has been no change to the legal situation. On the other hand, declarations of consent, just like privacy policies, are hardly ever read. This can result in "information overload" and click fatigue, especially if, in addition to a declaration of consent under data protection law, consent to general terms and conditions is obtained and the privacy policy is brought to the user's attention.
Bibliography
Aebi-Müller Regina E., Personenbezogene Informationen im System des zivilrechtlichen Persönlichkeitsschutzes, Bern 2005.
Aebi-Müller Regina E., Grenzen des Bildnisschutzes – überwiegendes Interesse des Versicherers an der Observation eines Geschädigten und Rückzug einer Einwilligung zur Publikation erotischer Bilder im Internet, ZBJV 147 (2011), S. 330-354 (zit. ZBJV).
Baeriswyl Bruno, Kommentierung zu Art. 6, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Stämpflis Handkommentar zum DSG, 2. Aufl., Bern 2023.
Bühlmann Lukas/Schüepp Michael, Information, Einwilligung und weitere Brennpunkte im (neuen) Schweizer Datenschutzrecht, Jusletter 15.3.2021.
Dal Molin Luca, in: Dal Molin Luca/Wesiak-Schmidt Kirsten (Hrsg.), Datenschutz im Unternehmen, Zürich et al. 2023.
Domenig Benjamin/Mitscherlich Christian/Lutz Chantal, Datenschutzrecht für Schweizer Unternehmen, Stiftungen und Vereine, Bern 2022.
Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB), Datenbearbeitung durch den Arbeitgeber, 24.4.2023, abrufbar unter https://www.edoeb.admin.ch/edoeb/de/home/datenschutz/arbeit_wirtschaft/datenbearbeitung-arbeitgeber.html, besucht am 14.10.2023 (zit. Arbeitgeber).
Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB), Schlussbericht und Empfehlungen vom 3.3.2023 mit Ergänzungen vom 17.5.2023 in Sachen Once Dating AG (zit. Schlussbericht Once Dating).
Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB), Schlussbericht vom 11.4.2006 sowie Anhang vom 6.11.2006 in Sachen Erhebung biometrischer Daten beim Erwerb einer Dauerkarte in den Sport- und Freizeitanlagen KSS Schaffhausen (zit. Schlussbericht KSS Schaffhausen).
Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB), Tracking, 12.4.2023, abrufbar unter https://www.edoeb.admin.ch/edoeb/de/home/datenschutz/internet_technologie/tracking.html, besucht am 14.10.2023 (zit. Tracking).
European Data Protection Board (EDPB), Leitlinien 05/2020 zur Einwilligung gemäss Verordnung 2016/679, Version 1.1, angenommen am 4.5.2020, abrufbar unter https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_de.pdf, besucht am 14.10.2023.
Fasnacht Tobias, Die Einwilligung im Datenschutzrecht, Zürich 2017.
Ferrari-Visca Reto/Reichlin Jeremy, in: Dal Molin Luca/Wesiak-Schmidt Kirsten (Hrsg.), Datenschutz im Unternehmen, Zürich et al. 2023.
George Damian, Prinzipien und Rechtmässigkeitsbedingungen im privaten Datenschutzrecht, Zürich 2021.
Glatthaar Matthias/Schröder Annika, Kommentierung zu Art. 19 DSG, in: Steiner Thomas/Morand Anne-Sophie/Hürlimann Daniel (Hrsg.), Onlinekommentar zum Bundesgesetz über den Datenschutz, 20.8.2023, abrufbar unter https://onlinekommentar.ch/de/kommentare/dsg19, besucht am 14.10.2023, DOI: https://doi.org/10.17176/20230820-133017-0.
Haas Raphaël, Die Einwilligung in eine Persönlichkeitsverletzung nach Art. 28 Abs. 2 ZGB, Zürich 2007.
Kasper Gabriel, People Analytics in privatrechtlichen Arbeitsverhältnissen, Zürich et al. 2021.
Klaus Samuel/Thomann Kenzo, Kommentierung zu Art. 6 Abs 6 und 7 DSG, in: Bieri Adrian/Powell Julian (Hrsg.), Orell Füssli Kommentar zum Schweizerischen Datenschutzgesetz mit weiteren Erlassen, Zürich 2023.
Kurt Pärli, Kommentierung zu Art. 328b OR, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Stämpflis Handkommentar zum DSG, 2. Aufl., Bern 2023.
Kurt Pärli, BGer 4A_518/2020: Rechtswidrige Beschaffung von Arbeitnehmerpersonendaten, Jusletter 14.2.2022 (zit. Arbeitnehmerpersonendaten).
Kunz Christian, Kommentierung zu Art. 16 DSG, in: Bieri Adrian/Powell Julian (Hrsg.), Orell Füssli Kommentar zum Schweizerischen Datenschutzgesetz mit weiteren Erlassen, Zürich 2023.
Maurer-Lambrou Urs/Steiner Andrea, Kommentierung zu Art. 4 aDSG, in: Maurer-Lambrou Urs/Blechta Gabor P. (Hrsg.), Basler Kommentar zum Datenschutzgesetz/Öffentlichkeitsgesetz, 3. Aufl., Basel 2014.
Meier Philippe/Tschumy Nicolas, Kommentierung zu Art. 6 DSG, in: Métille Sylvain/Meier Philippe (Hrsg.), Commentaire Romand, Loi sur la protection des données, Basel 2023.
Pellascio Michael, Kommentierung zu Art. 328b OR, in: Kren Kostkiewicz Jolanta/Wolf Stephan/Amstutz Marc/Fankhauser Roland, Orell Füssli Kommentar zum Schweizerischen Obligationenrecht, 3. Aufl., Zürich 2016.
Pfaffinger Monika, Kommentierung zu Art. 31 DSG, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Stämpflis Handkommentar zum DSG, 2. Aufl., Bern 2023.
Pietruszak Thomas, Kommentierung zu Art. 328b OR, in: Honsell Heinrich (Hrsg.), Kurzkommentar Obligationenrecht, Basel 2014.
Portmann Wolfgang/Rudolph Roger, Kommentierung zu Art. 328b OR, in: Widmer Lüchinger Corinne/Oser David (Hrsg.), Basler Kommentar Obligationenrecht I, 7. Aufl., Basel 2020.
Rampini Corrado, Kommentierung zu Art. 13 DSG, in: Maurer-Lambrou Urs/Blechta Gabor P. (Hrsg.), Basler Kommentar zum Datenschutzgesetz/Öffentlichkeitsgesetz, 3. Aufl., Basel 2014.
Rehbinder Manfred/Stöckli Jean-Fritz, Kommentierung zu Art. 328b OR, in: Hausheer Heinz/Walter Hans Peter (Hrsg.), Berner Kommentar, Einleitung und Kommentar zu den Art. 319-330b OR, Zürich 2010.
Rosenthal David, Das neue Datenschutzgesetz, Jusletter 16.11.2020 (zit. nDSG).
Rosenthal David, Der Entwurf für ein neues Datenschutzgesetz, Jusletter 27.11.2017 (zit. Entwurf).
Rosenthal David, Der Vorentwurf für ein neues Datenschutzgesetz: Was er bedeutet, Jusletter 20.2.2017 (zit. Vorentwurf).
Rosenthal David/Jöhri Yvonne, Kommentierung zu Art. 4 und 13 DSG, Art. 328b OR, Art. 45c FMG, Handkommentar zum Datenschutzgesetz sowie weiteren, ausgewählten Bestimmungen, Zürich 2008.
Schulz Sebastian, Kommentierung zu Art. 7 DSGVO, in: Gola Peter/Heckmann Dirk, Datenschutz-Grundverordnung – Bundesdatenschutzgesetz, 3. Aufl., München 2022.
Spacek Dirk, Kommentierung zu Art. 7 DSG, in: Bieri Adrian/Powell Julian (Hrsg.), Orell Füssli Kommentar zum Schweizerischen Datenschutzgesetz mit weiteren Erlassen, Zürich 2023.
Steiner Thomas, Zwischen Autonomie und Angleichung: Eine Analyse zur Anwendung des neuen DSG im Lichte der DSGVO, in: Widmer Michael (Hrsg.), Datenschutz: Rechtliche Schnittstellen, Zürich 2023, S. 51-138.
Steiner Thomas/Laux Christian, Kommentierung zu Art. 30 und 31 DSG, in: Bieri Adrian/Powell Julian (Hrsg.), Orell Füssli Kommentar zum Schweizerischen Datenschutzgesetz mit weiteren Erlassen, Zürich 2023.
Streiff Ullin/von Kaenel Adrian/Rudolph Roger, Arbeitsvertrag, Praxiskommentar zu Art. 319-362 OR, 7. Aufl., Zürich 2012.
Uttinger Ursula/Geiser Thomas, Das neue Datenschutzrecht, Basel 2023.
Vasella David, Kommentierung zu Art. 3 Abs. 1 lit. o UWG, in: Heizmann Reto/Loacker Leander D., UWG Kommentar, Zürich et al. 2018.
Vasella David, Zur Freiwilligkeit und zur Ausdrücklichkeit der Einwilligung im Datenschutzrecht, Jusletter 16.11.2015 (zit. Einwilligung).
Vasella David, EDÖB: Schlussbericht und Empfehlungen iS Once Dating, datenrecht.ch, 19.6.2023, abrufbar unter https://datenrecht.ch/edoeb-schlussbericht-und-empfehlungen-is-once-dating, besucht am 14.10.2023 (zit. Once Dating).
Materials
Botschaft zum Bundesgesetz über die Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz vom 15.7.2017, BBl 2017 S. 6941 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/2017/2057/de, besucht am 14.10.2023 (zit. Botschaft 2017).
Botschaft zur Änderung des Bundesgesetzes über den Datenschutz (DSG) und zum Bundesbeschluss betreffend den Beitritt der Schweiz zum Zusatzprotokoll vom 8.11.2001 zum Übereinkommen zum Schutz des Menschen bei der automatischen Verarbeitung personenbezogener Daten bezüglich Aufsichtsbehörden und grenzüberschreitende Datenübermittlung vom 19.2.2003, BBl 2003 S. 2101 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/2003/267/de, besucht am 14.10.2023 (zit. Botschaft 2003).
Botschaft zum Bundesgesetz über den Datenschutz (DSG) vom 23.3.1988, BBl 1988 II S. 413 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/1988/2_413_421_353/de, besucht am 14.10.2023 (zit. Botschaft 1988).
Bundesgesetz über die Umsetzung der Richtlinie (EU) 2016/680 zum Schutz natürlicher Personen bei der Verarbeitung personenbezogener Daten zum Zwecke der Verhütung, Ermittlung, Aufdeckung oder Verfolgung von Straftaten oder der Strafvollstreckung (Weiterentwicklung des Schengen-Besitzstands), BBl 2017 S. 7193 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/2017/2058/de, besucht am 14.10.2023 (zit. Entwurf DSG).