In a nutshell
Art. 14 FADP regulates the obligation of private controllers based abroad to designate a representative in Switzerland. The obligation exists only under certain cumulative conditions and is likely to apply in practice to only a few controllers. The representation is intended to serve as a point of contact for data subjects and the FDPIC to facilitate enforcement of the FADP against certain controllers abroad. Controllers must publish the name and address of their representation, for example as part of the privacy statement on their website.
I. General
A. Purpose
1 Controllers without a registered office in Switzerland must designate a representation in Switzerland under certain conditions, which are rarely met. The formulation of these conditions leads to legal uncertainty as to when they are fulfilled at all.
2 The obligation can be justified by the broad territorial scope of the FADP, since the FADP applies to all matters that have an impact in Switzerland, even if they are initiated abroad (Art. 3 para. 1 FADP). The obligation to designate a representative is intended to improve the practical enforceability of the FADP, analogous to the EU data protection representation under Art. 27 DSGVO.
B. History of origins
3 During the parliamentary debate, the FADP was amended to include data protection representation pursuant to Art. 14 and 15 FADP. Within the 2nd chapter ("General Provisions"), the two articles form the 2nd section, "Data Processing by Private Holders with Seat or Residence Abroad". The structure is based on the EU data protection representation according to Art. 27 DSGVO. Accordingly, the data protection representative can be a legal entity or a natural person. The Data Protection Regulation (DSGVO) does not mention representation.
4 The data protection representation touches on political demands for a mandatory jurisdiction for large foreign Internet platforms, social media platforms in particular, in criminal and civil law matters, but does not implement them. These demands for a mandatory domicile of service could be implemented by a consultation draft of the Federal Council on the regulation of large communication platforms, announced for 2024, according to which such platforms should designate a contact point and a legal representative in Switzerland.
II. Obligation to designate a representative (para. 1)
5 Article 14 para. 1 FADP sets out the conditions under which data controllers must exceptionally designate a representative in Switzerland. Unlike the EU data protection representation under Art. 27 para. 1 and 2 DSGVO, there is no general obligation with exceptions. Accordingly, the number of data controllers concerned is likely to be small.
6 The FDPIC may order or decree the designation of a representative as an administrative measure (Art. 51 para. 4 FADP).
7 Violation of the obligation to designate a representative is not covered by the penal provisions under Art. 60 et seq. FADP. Failure to comply with an order of the FDPIC to designate a representative may be punished by a fine (Art. 63 FADP).
A. Personal scope
8 The obligation to designate a representative applies to private data controllers (Art. 5 lit. j FADP) with their registered office or place of residence abroad if they process data of individuals in Switzerland (Art. 5 lit. a and b FADP) and the processing meets the cumulative requirements under Art. 14 para. 1 lit. a-d FADP. In contrast to the EU data protection representation, the obligation in Switzerland applies only to data controllers and not also to data processors.
B. Material scope of application
1. In connection with the offer of goods or services or with the observation of the behavior of persons in Switzerland (lit. a)
9 Art. 14 para. 1 lit. a FADP is based on the alternative requirements for the territorial scope of the FADP by offering or observing conduct (Art. 3 para. 2 FADP), rather than on the active principle under Art. 3 para. 1 FADP. Accordingly, the requirement only applies if an offer or observation of behavior has an effect on a factual situation in Switzerland. A mere connection with an offer or a behavioral observation is not sufficient.
10 The first cumulative requirement under Art. 14 para. 1 lit. a FADP is met, on the one hand, if the processing of personal data is related to the offer of goods and services to persons in Switzerland. According to recital 80 to Art. 27 para. 3 DSGVO, an offer that is free of charge is sufficient.
11 The accessibility of offers alone, e.g. in an app on a social media platform or via a website, is not sufficient. Concrete indications are required that an offer is actually directed at persons in Switzerland. Possible indications are, for example, content in Swiss national languages, delivery options to Switzerland, price information in Swiss francs, prices with indication of Swiss VAT, publication of a Swiss telephone number or the use of a Swiss top-level domain (.ch or .swiss).
12 On the other hand, the first cumulative requirement under Art. 14 para. 1 lit. a FADP is also met if the processing is carried out in connection with the observation of the behavior of persons in Switzerland, either as an alternative to the offer or simultaneously with it. The term "behavioral observation" is defined in terms of Art. 3 para. 2 DSGVO. The mere recording of access to an online service or website is therefore not sufficient. There must be actual targeting of individuals in Switzerland or the observation must lead to profiling with respect to the data subjects in Switzerland. Thus, the provision is likely to apply to providers of internet platforms such as ByteDance, Google and Meta, but not, for example, to operators of online stores, as long as their business model is not data-centric and profiling of users is only carried out to the usual extent for their own marketing purposes.
2. Extensive processing (lit. b)
13 The second cumulative requirement under Art. 14 para. 1 lit. b FADP is met if the processing of personal data is extensive. What is meant by "extensive processing" is not explained in the law.
14 Art. 22 para. 2 lit. a FADP cites the extensive processing of personal data requiring special protection as an example of high-risk data processing, but also does not explain what constitutes "extensive". Possible criteria would be a large number of data subjects in Switzerland or a large amount of data about individuals in Switzerland.
3. Regular processing (lit. c)
15 The third cumulative requirement under Art. 14 para. 1 lit. c FADP is met if there is regular processing of personal data. What is meant by "regular processing" is not explained in the law.
16 It is obvious that there is no regularity if the controllers process personal data only occasionally or for a limited period of time. On the other hand, regularity is likely to exist if a controller regularly processes personal data in order to carry out its activities (example: offering through an online store) or pursues a data-centric business model (example: monitoring through a social media platform).
4. High risk for the personality of the data subjects (lit. d)
17 The fourth cumulative requirement under Art. 14 para. 1 lit. d FADP is met if the processing involves a high risk to the personality of the data subjects. This requirement corresponds to the risk-based approach in the FADP, but without mention of the fundamental rights of data subjects (see also, for example, Art. 5 lit. g FADP: high-risk profiling; Art. 22 para. 1 and para. 2 FADP: data protection impact assessment; Art. 24 para. 1 FADP: notification of data security breaches). The lack of mention of the fundamental rights of data subjects is likely a legislative oversight given the other mentions in the FADP.
18 Processing of data that poses a high risk to the privacy of data subjects is likely to be rare in practice. Data protection impact assessments therefore rarely reveal a high risk or such a risk is eliminated by appropriate measures.
III. Function of the representative (para. 2)
19 The representative serves as a point of contact for data subjects and the FDPIC. Data subjects and the FDPIC may contact the representative, but are not required to do so. The representation is legally considered to be authorized to serve notifications.
20 The representation is thus an alternative point of contact for data subjects and the FDPIC as a special authority in addition to the controller. If the controller has appointed a data protection officer, there are a total of three different alternative points of contact (Art. 10 para. 1 and 2 FADP).
21 The data protection advisor of a data controller cannot simultaneously act as the representative of the same data controller. Such representation would be incompatible with the independence of the data protection advisor (Art. 10 para. 3 lit. a and b FADP).
22 For data subjects, representation as a point of contact has the particular advantage that they can address data protection concerns directly to the data controller in Switzerland, especially within the framework of their rights under Art. 25 et seq. FADP. In the case of data file owners without representation in Switzerland, data subjects must, for example, address requests for information to the respective data file owners or their data protection officers at their registered office or place of residence abroad.
23 For the FDPIC, representation as a point of contact has the particular advantage that it does not have to reach data controllers abroad by way of international mutual legal assistance.
24 The law does not specify the languages in which data subjects can contact the representation. In the case of an offer-related representation, data subjects should be able to contact the representation at least in the language of the offer or in one of the languages of the offer. The restriction to national languages does not seem appropriate. The FDPIC should be able to contact the representation in one of the four official Swiss languages (Art. 33a APG by analogy).
IV. Voluntary designation of a representative
25 The data controller may designate a representative in Switzerland even without an obligation under Article 14 para. 1 FADP. The data controller may also entrust the voluntary and the mandatory representative with tasks that go beyond the obligations under Art. 14 f. FADP.
V. Disclosure of name and address (para. 3)
26 The data controller must disclose the name and address of its representative. In the case of a legal entity as data controller, the company name corresponds to the name. The publication of an e-mail address or telephone number is not explicitly required. However, in the case of publication in the digital space, it would be natural to offer a digital contact option such as, in particular, an e-mail address. In comparison, Art. 13 para. 1 lit. a DSGVO provides for not only the "address" but the "contact details".
27 In order to fulfill its function as a contact point (Art. 14 para. 2 FADP), the name and address of the representative must be published in an easily findable and accessible form. An obvious option is to publish the information as part of the general privacy statement on the website of the controller or, if necessary, also in the imprint.
28 In contrast to the information requirements under Art. 13 f. DSGVO, the name and address of the representation in Switzerland are not covered by the information obligation under Art. 19 f. FADP.
29 In contrast to the data protection officer (Art. 10 para. 3 lit. d FADP), there is no obligation to notify the FDPIC of the representation. The FDPIC must find out from the published information whether a data controller has designated a representative or inquire directly with the representative.