-
- Art. 5a FC
- Art. 6 FC
- Art. 10 FC
- Art. 16 FC
- Art. 17 FC
- Art. 20 FC
- Art. 22 FC
- Art. 29a FC
- Art. 30 FC
- Art. 32 FC
- Art. 42 FC
- Art. 43 FC
- Art. 43a FC
- Art. 55 FC
- Art. 56 FC
- Art. 60 FC
- Art. 68 FC
- Art. 75b FC
- Art. 77 FC
- Art. 96 para. 2 lit. a FC
- Art. 110 FC
- Art. 117a FC
- Art. 118 FC
- Art. 123b FC
- Art. 136 FC
- Art. 166 FC
-
- Art. 11 CO
- Art. 12 CO
- Art. 50 CO
- Art. 51 CO
- Art. 84 CO
- Art. 143 CO
- Art. 144 CO
- Art. 145 CO
- Art. 146 CO
- Art. 147 CO
- Art. 148 CO
- Art. 149 CO
- Art. 150 CO
- Art. 701 CO
- Art. 715 CO
- Art. 715a CO
- Art. 734f CO
- Art. 785 CO
- Art. 786 CO
- Art. 787 CO
- Art. 788 CO
- Transitional provisions to the revision of the Stock Corporation Act of June 19, 2020
- Art. 808c CO
-
- Art. 2 PRA
- Art. 3 PRA
- Art. 4 PRA
- Art. 6 PRA
- Art. 10 PRA
- Art. 10a PRA
- Art. 11 PRA
- Art. 12 PRA
- Art. 13 PRA
- Art. 14 PRA
- Art. 15 PRA
- Art. 16 PRA
- Art. 17 PRA
- Art. 19 PRA
- Art. 20 PRA
- Art. 21 PRA
- Art. 22 PRA
- Art. 23 PRA
- Art. 24 PRA
- Art. 25 PRA
- Art. 26 PRA
- Art. 27 PRA
- Art. 29 PRA
- Art. 30 PRA
- Art. 31 PRA
- Art. 32 PRA
- Art. 32a PRA
- Art. 33 PRA
- Art. 34 PRA
- Art. 35 PRA
- Art. 36 PRA
- Art. 37 PRA
- Art. 38 PRA
- Art. 39 PRA
- Art. 40 PRA
- Art. 41 PRA
- Art. 42 PRA
- Art. 43 PRA
- Art. 44 PRA
- Art. 45 PRA
- Art. 46 PRA
- Art. 47 PRA
- Art. 48 PRA
- Art. 49 PRA
- Art. 50 PRA
- Art. 51 PRA
- Art. 52 PRA
- Art. 53 PRA
- Art. 54 PRA
- Art. 55 PRA
- Art. 56 PRA
- Art. 57 PRA
- Art. 58 PRA
- Art. 59a PRA
- Art. 59b PRA
- Art. 59c PRA
- Art. 62 PRA
- Art. 63 PRA
- Art. 67 PRA
- Art. 67a PRA
- Art. 67b PRA
- Art. 75 PRA
- Art. 75a PRA
- Art. 76 PRA
- Art. 76a PRA
- Art. 90 PRA
-
- Vorb. zu Art. 1 FADP
- Art. 1 FADP
- Art. 2 FADP
- Art. 3 FADP
- Art. 5 lit. f und g FADP
- Art. 6 Abs. 6 and 7 FADP
- Art. 7 FADP
- Art. 10 FADP
- Art. 11 FADP
- Art. 12 FADP
- Art. 14 FADP
- Art. 15 FADP
- Art. 19 FADP
- Art. 20 FADP
- Art. 22 FADP
- Art. 23 FADP
- Art. 25 FADP
- Art. 26 FADP
- Art. 27 FADP
- Art. 31 para. 2 lit. e FADP
- Art. 33 FADP
- Art. 34 FADP
- Art. 35 FADP
- Art. 38 FADP
- Art. 39 FADP
- Art. 40 FADP
- Art. 41 FADP
- Art. 42 FADP
- Art. 43 FADP
- Art. 44 FADP
- Art. 44a FADP
- Art. 45 FADP
- Art. 46 FADP
- Art. 47 FADP
- Art. 47a FADP
- Art. 48 FADP
- Art. 49 FADP
- Art. 50 FADP
- Art. 51 FADP
- Art. 54 FADP
- Art. 57 FADP
- Art. 58 FADP
- Art. 60 FADP
- Art. 61 FADP
- Art. 62 FADP
- Art. 63 FADP
- Art. 64 FADP
- Art. 65 FADP
- Art. 66 FADP
- Art. 67 FADP
- Art. 69 FADP
- Art. 72 FADP
- Art. 72a FADP
-
- Art. 2 CCC (Convention on Cybercrime)
- Art. 3 CCC (Convention on Cybercrime)
- Art. 4 CCC (Convention on Cybercrime)
- Art. 5 CCC (Convention on Cybercrime)
- Art. 6 CCC (Convention on Cybercrime)
- Art. 7 CCC (Convention on Cybercrime)
- Art. 8 CCC (Convention on Cybercrime)
- Art. 9 CCC (Convention on Cybercrime)
- Art. 11 CCC (Convention on Cybercrime)
- Art. 12 CCC (Convention on Cybercrime)
- Art. 25 CCC (Convention on Cybercrime)
- Art. 29 CCC (Convention on Cybercrime)
- Art. 32 CCC (Convention on Cybercrime)
- Art. 33 CCC (Convention on Cybercrime)
- Art. 34 CCC (Convention on Cybercrime)
FEDERAL CONSTITUTION
CODE OF OBLIGATIONS
FEDERAL LAW ON PRIVATE INTERNATIONAL LAW
LUGANO CONVENTION
CODE OF CRIMINAL PROCEDURE
CIVIL PROCEDURE CODE
FEDERAL ACT ON POLITICAL RIGHTS
CIVIL CODE
FEDERAL ACT ON CARTELS AND OTHER RESTRAINTS OF COMPETITION
FEDERAL ACT ON INTERNATIONAL MUTUAL ASSISTANCE IN CRIMINAL MATTERS
DEBT ENFORCEMENT AND BANKRUPTCY ACT
FEDERAL ACT ON DATA PROTECTION
SWISS CRIMINAL CODE
CYBERCRIME CONVENTION
- In a nutshell
- I. General
- II. Right of access (para. 1)
- III. Content of the information (para. 2)
- IV. Special Cases
- V. Modalities
- VI. Enforcement
- Bibliography
In a nutshell
Art. 25 FADP regulates the right of data subjects to information as the "cornerstone of data protection law". Any data subject may request information from data controllers as to whether personal data about him or her is being processed. The right to information is highly personal. Data subjects cannot waive the right to information in advance. The information must include all details that are necessary to enable the data subject to assert his or her rights and to understand the data processing. The minimum content of the information is regulated by law. The information must be provided in a comprehensible form, free of charge and within 30 days. In the case of processing by a processor, the controller remains obliged to provide information. Data subjects have various legal options to enforce their right to information.
I. General
A. Purpose
1 Chapter 4, "Rights of Data Subjects", comprises the right to information (Art. 25 ff. FADP) and the right to data disclosure or data transfer introduced by the FADP (Art. 28 f. FADP; also: right to data portability). The right to information can be derived from Art. 13 FC on the "protection of privacy" and from Art. 8 ECHR on the "right to respect for private and family life" and is a "cornerstone of data protection law". The right of access must therefore also be explicitly included in data protection clauses in a contract (Art. 16 para. 2 lit. b FADP) and in specific guarantees (Art. 16 para. 2 lit. c FADP) when personal data are disclosed abroad.
2 The right of access is a central legal right for data subjects to find out - within certain limits - what data about them is being processed by whom and for what purpose. In particular, data subjects should be able to use the right of access to check whether their data is being processed in accordance with the principles of data protection law (Art. 6 ff. FADP). The right to information should thus have a control function as well as a preventive effect.
3 The right to information enables data subjects to exercise their right to informational self-determination, if and to the extent that such a right has been implemented in the FADP. The right to information and the correspondingly provided information often form the basis for the exercise of further legal claims of data subjects such as correction and deletion (Art. 32 and 41 FADP) or objection (Art. 30 para. 2 lit. b FADP), ultimately for the enforcement of the protection of personality.
4 The right to information pursuant to Art. 25 et seq. FADP supplements the duty to inform pursuant to Art. 19 ff. and goes further in terms of content. Data subjects may receive information that goes beyond what the controller is required to provide, thereby increasing transparency.
5 The three articles on the right to information are structured as follows: Art. 25 FADP determines who can request information and what information data controllers must provide and to what extent. Art. 26 FADP clarifies the conditions under which the right to information can be restricted. Art. 27 FADP regulates the conditions under which the right to information can be further restricted in connection with the media. In the Data Protection Ordinance, Art. 16-19 DPA specify the right to information.
B. History of origins
6 Art. 25 is based on the previous Art. 8 aDSG. Compared to Art. 8 aDSG, individuals may request information from all data controllers (Art. 5 lit. j FADP) and no longer only from the "controller of a data collection" (Art. 3 lit. i i.V.m. Art. 8 para. 1 aDSG). By and large, the previous provisions on the right to information pursuant to Art. 8 aDSG et seq. have been retained and supplemented in places.
7 The duty to provide information - from the point of view of the data controller the counterpart to the right to information of the data subjects - is no longer limited to specific information (as was still the case, in particular, in Art. 8 para. 2 aDSG), but information must be provided that is necessary to enable the data subject to assert his or her rights under the FADP and to ensure transparent data processing (Art. 25 para. 2 FADP). At the same time, an attempt is made to limit the "usual misuse of the right to information to obtain evidence" under the aDSG. In the parliamentary debate, it was also added in particular that information must be provided about "the processed personal data as such" (Art. 25 para. 2 lit. b FADP).
II. Right of access (para. 1)
8 Art. 25 para. 1 FADP sets out the right to information in general terms. Any natural person may request that a controller or person in charge provide information as to whether personal data (Art. 5 lit. a FADP) about him or her are being processed. Responsible private persons and responsible federal bodies are obliged to provide information (Art. 5 lit. j FADP). A justification for or a legal interest in the requested information are generally not required. In the case of federal bodies, the provision of information is an order pursuant to Art. 5 APA, which means that a statement of reasons and instructions on how to appeal pursuant to Art. 35 APA are required.
9 The right to information is of a highly personal nature and is limited to access to personal data. The right to information is non-transferable and non-inheritable. For persons incapable of judgement, the legal representative acts (Art. 19c para. 2 CC).
10 The data subject requesting information must have the data controller take reasonable measures to identify him/herself and cooperate in proving his/her identity (Art. 16 para. 5 DPA). Whether identification with a copy of an official ID is appropriate must be assessed on a case-by-case basis. The obligation under Art. 1 para. 1 aVDSG, according to which the data subject must prove his or her identity, no longer exists. Depending on the data available about a person, the information in an official ID card may not be suitable for identification. In the case of Internet platforms, for example, the persons responsible often only know the e-mail address or a mobile phone number. In this case, identification can be carried out in this way. The general request for a copy of an ID, if necessary even certified, would violate the data protection principles of necessity, proportionality and purpose (Art. 6 para. 2, 3 and 4 FADP).
11 A data subject's request for information as to whether data about him or her is being processed must always be made in writing (Art. 16 para. 1 sentence 1 FADP). The controller may also allow oral requests for information (Art. 16 para. 1 sentence 2 DPA). The right to information is thus potentially made somewhat more low-threshold. The electronic way is equal to the written way (Art. 16 para. 3 DPA). Written form includes any form that enables proof by text.
12 Information about the processed data is provided in writing or in the form in which the data are available (Art. 16 para. 2 sentence 1 DPA). The electronic way is equal to the written way (Art. 16 para. 3 DPA). The data controller may offer on-site access, which the data subject does not have to agree to (Art. 16 para. 2 sentence 2 GDPR). The data controller may also provide the information orally with the consent of the data subject (Art. 16 para. 2 sentence 3 DPA). In the case of on-site inspection, there is a right to copies. The personal data of the data subject must be protected from access by unauthorized third parties when information is provided (Art. 8 FADP). The data controller may respond in the same form in which the data subject requested information, for example by means of an e-mail that is not end-to-end encrypted. The encryption of e-mail is often impractical and not appropriate. An alternative to e-mail can be instant messaging with standard end-to-end encryption, for example with Signal, Threema or WhatsApp, provided that the data subject requesting information uses such an instant messaging service.
13 In the case of electronic means, such as the use of e-mail in particular, it should be noted that a request for information or information provided electronically without confirmation of receipt may not be deemed to have been delivered. The burden of proof lies with the sender. In the case of Internet platforms, it may be offered to process requests for information and the provision of information via the platform. However, the data subjects are free to request information in writing.
14 The information must be provided in a form that is comprehensible to the data subject (Art. 16 para. 4 DPA). Comprehensibility, for example in the case of an unusual or not easily readable format of the data, can be ensured by appropriate explanations. According to the wording, comprehensibility concerns the form and not the content of the information.
III. Content of the information (para. 2)
15 In the sense of a general clause pursuant to Art. 25 para. 2 FADP, the information must include the information required to enable the data subject to assert his or her rights under the FADP and to ensure transparent data processing. If no personal data is available, negative information must be provided.
16 Independently of this, Art. 25 para. 2 FADP defines a minimum list of information that must be provided to data subjects: Identity and contact details of the data controller (lit. a, analogous to Art. 19 para. 2 lit. a FADP), processed personal data as such (lit. b), purpose of processing (lit. c, analogous to Art. 19 para. 2 lit. b FADP), retention period or, if not possible, criteria for determining the retention period (lit. d), available information on the origin of the personal data (source), if not obtained from the data subject, since in this case the data subject already had to be informed pursuant to Art. 19 f. FADP (lit. e), existence and logic of any automated individual decision pursuant to Art. 21 FADP (lit. f) and any recipients (lit. f, analogous to Art. 19 para. 2 lit. c FADP). The extent to which information that is not listed must be disclosed by the controller only upon request or whether such information must be indicated from the outset is disputed.
17 In the case of the person responsible pursuant to Art. 25 para. 2 lit. a, it may be unclear who is responsible at all, possibly together with others (Art. 5 lit. j FADP). The identity and contact details must be stated or, if already known, confirmed. Whoever receives a request for information will have to inform the data subject - also in view of the general clause - if there is no exclusive responsibility or if no information can be provided due to lack of responsibility. In the case of joint responsibility, the provision of information among the data controllers must be coordinated, whereby data subjects should always be able to request information from one or more data controllers in Switzerland, which is particularly important in the case of additional data controllers abroad. If there are several data controllers, each individual data controller is obliged to provide information (Art. 17 para. 1 DPA). If there is no data controller, in particular in the case of processing by data processors (Art. 8 FADP), the request for information must be forwarded to the data controller or, at the very least, reference must be made to the data controller. The burden of proof that information designated as complete is in fact complete rests with the person responsible. Responsible parties will not normally want to give the impression that the information provided is complete, nor are they obliged to confirm this.
18 According to Art. 25 para. 2 lit. b, only the processed personal data as such must be supplied, i.e. not, for example, individual documents, e-mails, notes or contracts as a whole, but only personal data contained therein. Documents as a whole may be supplied voluntarily, which in practice may be easier for the person responsible or the person in charge, depending on the data. The right of access may only cover processed personal data covered by the FADP (Art. 2 para. 2 FADP), for example, not personal data processed by individuals exclusively for personal use (Art. 2 para. 2 lit. a FADP e contrario). In the case of large amounts of data being processed, the data controller may request the data subject to provide more details.
19 Only "data that exists in writing or 'physically' and can therefore be objectively viewed in the long term [...], but not data that can merely be retrieved from memory" may be disclosed. "Irrelevant is the type of storage or the designation" of the data.
20 The right of access to data of deceased persons pursuant to Art. 1 para. 7 aVDSG has not been incorporated into the FADP or the DPA. The provision was most recently qualified in case law as contrary to federal law.
21 What constitutes personal data in the sense of the right to information must be assessed on a case-by-case basis, especially with regard to the criterion of identifiability (Art. 5 lit. a FADP). The standard and at the same time the restriction is the general clause: "Data protection law is only about helping a data subject to be able to assert his or her data protection rights (at least the enforceable claims) and to ensure transparency of data processing (motivated by data protection law)". In particular, the right of access is not intended to be a means of obtaining evidence (cf. n. 7 above).
22 The purpose of processing (Art. 25 para. 2 lit. c) corresponds to that under the duty to inform (Art. 18 para. 2 lit. b FADP).
23 The retention period or, if the communication of a period is not possible, the criteria for determining this period (Art. 25 para. 2 lit. d FADP) can be taken by data controllers from any existing list of processing activities (Art. 12 para. 2 lit. e FADP). As a criterion, reference will have to be made at least to the principle of necessity (Art. 6 para. 4 FADP).
24 In the case of the origin pursuant to Art. 25 para. 2 lit. e FADP, the controller cannot be required to clarify the origin of data.
25 In the case of an automated individual decision, information must be provided in accordance with Art. 25 para. 1 lit. f FADP about this fact on the one hand and about the logic on which the decision is based on the other. The existence in itself should in principle already be known to the data subject due to the obligation to provide information in the case of an automated individual decision (Art. 21 para. 1 FADP; exceptions pursuant to Art. 21 para. 3 FADP). The logic, i.e. the criteria and the underlying data, must be requested by the data subject with reference to his or her right to information. Algorithms may be protected as trade secrets, but the basic assumptions of the algorithm logic must be stated. In the case of "artificial intelligence", the right to information has its limits in this respect, since the person responsible often does not know (and cannot know) which personal data led to the visible result and why.
26 In the case of any recipients pursuant to Art. 25 para. 2 lit. g, it is sufficient to disclose the categories. Categories are, for example, authorities or group companies, whereas names do not have to be disclosed. In addition, information on disclosure abroad must be provided in accordance with Art. 19 para. 4 FADP.
IV. Special Cases
A. Information by health professionals (para. 3)
27 For personal data relating to health, Art. 25 para. 3 FADP provides that such data may be disclosed with the consent of the data subject by a health professional designated by the data subject. Health data are personal data requiring special protection pursuant to Art. 5 lit. c no. 2 FADP.
28 The provision largely corresponds to Art. 8 para. 3 aDSG. The required consent has been added to enable the data subject to make a free choice. The information can no longer be provided only by physicians, but by all healthcare professionals who are qualified for the case in question. In particular, medical professionals with an entry in the Medical Professional Register (MedReg) must be considered as health professionals.
B. Processing by order processors (para. 4)
29 In the case of processing of personal data by order processors (Art. 9 FADP), the controller remains obliged to provide information. The provision corresponds to the first sentence of the previous Art. 8 para. 4 aDSG, the second sentence of which has been deleted without replacement.
30 A processor who is requested to provide information without being responsible must forward the request for information to the controller(s) or at least refer to the controller(s). Pursuant to Art. 17 para. 2 FADP, commissioned processors must assist the controller(s) in providing information if they have not been commissioned to provide the information. The controller will have to regulate the provision of information in the contract with the order processor (order processing contract) (Art. 9 para. 1 lit. a FADP).
V. Modalities
A. No waiver of the right to information (para. 5)
31 According to Art. 25 para. 5 FADP, the right to information may not be waived in advance. The provision corresponds to Art. 8 para. 6 aDSG.
B. Free provision of information (para. 6)
32 According to Art. 25 para. 6 FADP, information must in principle be provided free of charge. The corresponding partial provision of Art. 8 para. 5 aDSG ("as a rule [...] free of charge") has thus been taken over. The right to information is based on the assumption that the provision of information is generally possible without great effort if the data is processed in accordance with the law and the ordinance.
33 The Federal Council is given the authority to provide for exceptions to the right to information free of charge, "namely if the effort involved is disproportionate". The Federal Council has made use of this competence with Art. 19 DPA.
34 In the case of disproportionate effort, the provision of information may exceptionally be made dependent on a reasonable contribution to costs of up to 300 Swiss francs (Art. 19 para. 1 and 2 FADP).
35 There is no disproportionate effort if information must be provided about a large amount of personal data because the controller collects (as much as possible) data in his or her own interest. The same applies if the disproportionate effort results from a deficient organization of the data controller. In the case of requests for information to the meineimpfungen foundation following the discontinuation of the meineimpfungen.ch internet platform, the FDPIC recommended that the data subjects who had requested information be reimbursed the fees for certified copies of identity documents that the foundation had demanded.
36 The controller must inform the data subject who requested information about the amount of the cost sharing before providing the information (Art. 19 para. 3 sentence 1 FADP). If the data subject does not adhere to the requested information within ten days, the request for information shall be deemed to have been withdrawn without incurring any costs (Art. 19 para. 2 FADP). The first deadline for providing the information pursuant to Art. 18 para. 1 DPO is thereby extended by this cooling-off period of ten days (Art. 19 para. 3 sentence 2 DPO).
37 In practice, cost sharing by the data subject is of little significance. In the case of full cost accounting, the effort of the person responsible in connection with cost sharing often reaches the maximum possible 300 Swiss francs. This effort increases further if the data subject adjusts his or her request for information due to the required cost sharing, so that the person responsible can no longer claim disproportionate effort. It is usually easier for the responsible person to request a specification of the requested information (cf. n. 18 above).
C. Time limit for providing information (para. 7)
38 An initial time limit of 30 days from receipt by the data controller applies to the provision of information (Art. 18 para. 1 FADP). The controller may extend the time limit if the information cannot be provided within 30 days, and in this case must inform the data subject of the new time limit (Art. 18 para. 2 FADP). The information must be provided prior to the expiry of the first 30-day period, as must the information on the postponement, restriction or refusal of the information (Art. 18 para. 3 FADP; cf. Art. 26 et seq. FADP on restrictions to the right of access).
VI. Enforcement
39 The right to information must be enforced by civil action against responsible private individuals, whereby failure to comply does not in principle constitute a direct violation of privacy. The non-fulfillment cannot be justified according to Art. 31 FADP. The place of jurisdiction for civil actions is at the registered office or domicile of one of the parties (Art. 20 lit. d CPC), whereby no advance on costs must be paid (Art. 99 para. 3 lit. d CPC) and no court costs are awarded (Art. 113 para. 2 lit. g and 114 lit. g CPC). The simplified procedure applies to actions to enforce the right to information (Art. 243 para. 2 lit. d CPC).
40 The right to information against responsible federal bodies must be enforced by means of a complaint. The data subject who requests information is entitled to a contestable ruling.
41 The FDPIC may, in administrative proceedings pursuant to Art. 49 ff. FADP, the FDPIC may order the provision of information and attach a penalty to the order (Art. 51 para. 3 lit. g and 63 FADP). The data subject has no party status in these proceedings (Art. 52 para. 2 FADP e contrario).
42 The intentional provision of false or incomplete information is punishable by a fine of up to 250,000 Swiss francs at the request of the data subject (Art. 60 para. 1 lit. a FADP). The data subject is entitled to file an application (Art. 30 SCC, in particular Art. 30 para. 1 SCC). In contrast to the DSGVO, the FADP does not recognize administrative fines (Art. 83 DSGVO), although a fine for companies is possible by way of exception (cf. n. 44).
43 Anyone who, as a data controller or responsible party, does not respond to a request for information or falsely claims not to be obliged to provide information is not liable to prosecution. This criminal liability loophole already existed under Art. 34 para. 1 lit. aDSG, with a maximum possible fine of 10,000 Swiss francs (Art. 106 para. 1 SCC).
44 The penalty provision is basically limited to natural persons in the case of responsible private individuals. The risk of a fine is essentially borne by those individual natural persons who provide information, which can also be a subordinate person. Companies can only be punished as an exception; the maximum possible fine in this case is 50,000 Swiss francs (Art. 64 FADP). The criminal liability for the intentional provision of incomplete information does not apply if the impression is not created that the information is complete. There is no obligation to issue a declaration of completeness. For employees of the federal administration and other federal bodies, only disciplinary means are available.
Bibliography
Baeriswyl Bruno, Vorbemerkung zu Art. 25-29 DSG, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Stämpflis Handkommentar, Datenschutzgesetz, 2. Aufl., Bern 2023 (zit. SHK-Baeriswyl, Vorb. zu Art. 25-29 DSG).
Botschaft zum Bundesgesetz über die Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz vom 15.9.2017, BBI 2017 S. 6941 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/2017/2057/de, besucht am 30.3.2023.
Bundesamt für Justiz: Verordnung über den Datenschutz (Datenschutzverordnung, DSV), Erläuternder Bericht vom 31.8.2022 (zit. BJ, Bericht).
Bauer Stefan, Beweisführung der Zustellung im E-Mail-Verkehr, 1.5.2022, https://www.cubewerk.de/wp-content/uploads/2022/06/Stefan_Bauer_Beweisfuehrung_E-Mail_Fiktion_Zugangsfiktion_Zustellnachweise_E-Mail.pdf, besucht am 30.3.2023 (zit. Bauer, E-Mail-Zustellung).
Pärli Kurt/Flück Nathalie, Kommentierung zu Art. 25 DSG, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Stämpflis Handkommentar, Datenschutzgesetz, 2. Aufl., Bern 2023 (zit. SHK-Pärli/Flück, Art. 25 DSG).
Rosenthal David, Das neue Datenschutzgesetz, Jusletter vom 16.11.2020 (zit. Rosenthal, Jusletter).
Rosenthal David/Jöhri Yvonne, Handkommentar zum Datenschutzgesetz und weiteren, ausgewählten Bestimmungen, Zürich 2008 (zit. Rosenthal/Jöhri Art. 8 aDSG).
Schlussbericht und Empfehlungen des Eidgenössischen Datenschutz- und Öffentlichkeitsbeauftragten (EBÖB) betreffend die Plattform «meineimpfungen.ch», 31.8.21 (zit. Schlussbericht EDÖB).
Suter-Sieber Irène/Stutz Christoph/Wirz Chiara, Datenschutzzweckwidrige Auskunftsbegehren im Arbeitsverhältnis, AJP 5 (2021), S. 593-605 (zit. Suter-Sieber/Stutz/Wirz, Auskunftsbegehren).
Thouvenin Florent, Recht auf informationelle Selbstbestimmung?!, Vortrag am Datenschutz-Festival der Digitalen Gesellschaft am 2.12.2022 in Zürich, https://www.digitale-gesellschaft.ch/2022/12/15/erstes-datenschutz-festival-der-schweiz-zusammenfassung-rueck-und-ausblick/ und https://www.digitale-gesellschaft.ch/uploads/2022/12/Datenschutz-Festival-Informationelle-Selbstbestimmung.pdf, besucht am 30.3.2023.
Vasella David, 4A_125/2020 (amtl. Publ.): Gegenstand des Auskunftsrechts, insb. betr. Herkunftsangaben; keine Auskunft über Daten im Gedächtnis, in: datenrecht.ch, 12.1.2021, https://datenrecht.ch/4a_125-2020-amtl-publ-gegenstand-des-auskunftsrechts-insb-betr-herkunftsangaben-keine-auskunft-auf-daten-im-gedaechtnis/, besucht am 30.3.2023 (zit. Vasella, Gedächtnis).
Vasella David, 4A_277/2020: Rechtsmissbrauch eines Auskunftsbegehrens bejaht (Fishing Expedition), in: datenrecht.ch, 8.12.2020, https://datenrecht.ch/4a_277-2020-rechtsmissbrauch-eines-auskunftsbegehrens-bejaht-fishing-expedition/, besucht am 30.3.2023 (zit. Vasella, Fishing Expedition).
Vasella David, EuGH (Österreichische Post): Auskunftsrecht umfasst wenn möglich die einzelnen Empfänger (nicht nur Kategorien), in: datenrecht.ch, 14.1.2023, https://datenrecht.ch/eugh-oesterreichische-post-auskunftsrecht-umfasst-die-einzelnen-empfaenger-nicht-nur-kategorien/, besucht am 30.3.2023 (zit. Vasella, Österreichische Post).
Vasella David, OGer ZH: kein Auskunftsrecht betr. Daten einer verstorbenen Person, Art. 1 Abs. 7 VDSG bundesrechtswidrig; Dispositionsmaxime bei Klagen auf Auskunftserteilung, in: datenrecht.ch, 4.4.2017, https://datenrecht.ch/oger-zh-kein-auskunftsrecht-betr-daten-einer-verstorbenen-person-art-7-abs-1-vdsg-bundesrechtswidrig-dispositionsmaxime-bei-klagen-auf-auskunftserteilung/, besucht am 30.3.2023 (zit. Vasella, Tod).
Waldvogel Marcel, Machine Learning: Künstliche Faultier-Intelligenz, in: dnip.ch, 16.8.2022, https://dnip.ch/2022/08/16/machine-learning-kuenstliche-faultier-intelligenz/, besucht am 30.3.2023 (zit. Waldvogel, Machine Learning).