-
- Art. 3 FC
- Art. 5a FC
- Art. 6 FC
- Art. 10 FC
- Art. 13 FC
- Art. 16 FC
- Art. 17 FC
- Art. 20 FC
- Art. 22 FC
- Art. 26 FC
- Art. 29a FC
- Art. 30 FC
- Art. 31 FC
- Art. 32 FC
- Art. 42 FC
- Art. 43 FC
- Art. 43a FC
- Art. 45 FC
- Art. 51 FC
- Art. 52 FC
- Art. 55 FC
- Art. 56 FC
- Art. 60 FC
- Art. 68 FC
- Art. 69 FC
- Art. 74 FC
- Art. 75b FC
- Art. 77 FC
- Art. 81 FC
- Art. 96 para. 1 FC
- Art. 96 para. 2 lit. a FC
- Art. 110 FC
- Art. 117a FC
- Art. 118 FC
- Art. 119a FC
- Art. 122 FC
- Art. 123a FC
- Art. 123b FC
- Art. 130 FC
- Art. 136 FC
- Art. 164 FC
- Art. 166 FC
- Art. 170 FC
- Art. 176 FC
- Art. 178 FC
- Art. 189 FC
- Art. 191 FC
-
- Art. 11 CO
- Art. 12 CO
- Art. 50 CO
- Art. 51 CO
- Art. 84 CO
- Art. 97 CO
- Art. 98 CO
- Art. 99 CO
- Art. 100 CO
- Art. 143 CO
- Art. 144 CO
- Art. 145 CO
- Art. 146 CO
- Art. 147 CO
- Art. 148 CO
- Art. 149 CO
- Art. 150 CO
- Art. 633 CO
- Art. 701 CO
- Art. 713 CO
- Art. 715 CO
- Art. 715a CO
- Art. 734f CO
- Art. 785 CO
- Art. 786 CO
- Art. 787 CO
- Art. 788 CO
- Art. 808c CO
- Transitional provisions to the revision of the Stock Corporation Act of June 19, 2020
-
- Art. 2 PRA
- Art. 3 PRA
- Art. 4 PRA
- Art. 6 PRA
- Art. 10 PRA
- Art. 10a PRA
- Art. 11 PRA
- Art. 12 PRA
- Art. 13 PRA
- Art. 14 PRA
- Art. 15 PRA
- Art. 16 PRA
- Art. 17 PRA
- Art. 19 PRA
- Art. 20 PRA
- Art. 21 PRA
- Art. 22 PRA
- Art. 23 PRA
- Art. 24 PRA
- Art. 25 PRA
- Art. 26 PRA
- Art. 27 PRA
- Art. 29 PRA
- Art. 30 PRA
- Art. 31 PRA
- Art. 32 PRA
- Art. 32a PRA
- Art. 33 PRA
- Art. 34 PRA
- Art. 35 PRA
- Art. 36 PRA
- Art. 37 PRA
- Art. 38 PRA
- Art. 39 PRA
- Art. 40 PRA
- Art. 41 PRA
- Art. 42 PRA
- Art. 43 PRA
- Art. 44 PRA
- Art. 45 PRA
- Art. 46 PRA
- Art. 47 PRA
- Art. 48 PRA
- Art. 49 PRA
- Art. 50 PRA
- Art. 51 PRA
- Art. 52 PRA
- Art. 53 PRA
- Art. 54 PRA
- Art. 55 PRA
- Art. 56 PRA
- Art. 57 PRA
- Art. 58 PRA
- Art. 59a PRA
- Art. 59b PRA
- Art. 59c PRA
- Art. 60 PRA
- Art. 60a PRA
- Art. 62 PRA
- Art. 63 PRA
- Art. 64 PRA
- Art. 67 PRA
- Art. 67a PRA
- Art. 67b PRA
- Art. 73 PRA
- Art. 73a PRA
- Art. 75 PRA
- Art. 75a PRA
- Art. 76 PRA
- Art. 76a PRA
- Art. 90 PRA
-
- Art. 1 IMAC
- Art. 1a IMAC
- Art. 3 para. 1 and 2 IMAC
- Art. 8 IMAC
- Art. 8a IMAC
- Art. 11b IMAC
- Art. 16 IMAC
- Art. 17 IMAC
- Art. 17a IMAC
- Art. 32 IMAC
- Art. 35 IMAC
- Art. 47 IMAC
- Art. 48 IMAC
- Art. 54 IMAC
- Art. 55a IMAC
- Art. 63 IMAC
- Art. 67 IMAC
- Art. 67a IMAC
- Art. 74 IMAC
- Art. 74a IMAC
- Art. 80 IMAC
- Art. 80a IMAC
- Art. 80b IMAC
- Art. 80c IMAC
- Art. 80d IMAC
- Art. 80h IMAC
- Art. 80k IMAC
-
- Vorb. zu Art. 1 FADP
- Art. 1 FADP
- Art. 2 FADP
- Art. 3 FADP
- Art. 4 FADP
- Art. 5 lit. c FADP
- Art. 5 lit. d FADP
- Art. 5 lit. f und g FADP
- Art. 6 para. 3-5 FADP
- Art. 6 Abs. 6 and 7 FADP
- Art. 7 FADP
- Art. 10 FADP
- Art. 11 FADP
- Art. 12 FADP
- Art. 14 FADP
- Art. 15 FADP
- Art. 18 FADP
- Art. 19 FADP
- Art. 20 FADP
- Art. 22 FADP
- Art. 23 FADP
- Art. 25 FADP
- Art. 26 FADP
- Art. 27 FADP
- Art. 28 FADP
- Art. 29 FADP
- Art. 31 para. 2 lit. e FADP
- Art. 33 FADP
- Art. 34 FADP
- Art. 35 FADP
- Art. 38 FADP
- Art. 39 FADP
- Art. 40 FADP
- Art. 41 FADP
- Art. 42 FADP
- Art. 43 FADP
- Art. 44 FADP
- Art. 44a FADP
- Art. 45 FADP
- Art. 46 FADP
- Art. 47 FADP
- Art. 47a FADP
- Art. 48 FADP
- Art. 49 FADP
- Art. 50 FADP
- Art. 51 FADP
- Art. 52 FADP
- Art. 54 FADP
- Art. 55 FADP
- Art. 57 FADP
- Art. 58 FADP
- Art. 60 FADP
- Art. 61 FADP
- Art. 62 FADP
- Art. 63 FADP
- Art. 64 FADP
- Art. 65 FADP
- Art. 66 FADP
- Art. 67 FADP
- Art. 69 FADP
- Art. 72 FADP
- Art. 72a FADP
-
- Art. 2 CCC (Convention on Cybercrime)
- Art. 3 CCC (Convention on Cybercrime)
- Art. 4 CCC (Convention on Cybercrime)
- Art. 5 CCC (Convention on Cybercrime)
- Art. 6 CCC (Convention on Cybercrime)
- Art. 7 CCC (Convention on Cybercrime)
- Art. 8 CCC (Convention on Cybercrime)
- Art. 9 CCC (Convention on Cybercrime)
- Art. 11 CCC (Convention on Cybercrime)
- Art. 12 CCC (Convention on Cybercrime)
- Art. 16 CCC (Convention on Cybercrime)
- Art. 18 CCC (Convention on Cybercrime)
- Art. 25 CCC (Convention on Cybercrime)
- Art. 27 CCC (Convention on Cybercrime)
- Art. 28 CCC (Convention on Cybercrime)
- Art. 29 CCC (Convention on Cybercrime)
- Art. 32 CCC (Convention on Cybercrime)
- Art. 33 CCC (Convention on Cybercrime)
- Art. 34 CCC (Convention on Cybercrime)
-
- Art. 2 para. 1 AMLA
- Art. 2a para. 1-2 and 4-5 AMLA
- Art. 2 para. 2 AMLA
- Art. 2 para. 3 AMLA
- Art. 3 AMLA
- Art. 7 AMLA
- Art. 7a AMLA
- Art. 8 AMLA
- Art. 8a AMLA
- Art. 11 AMLA
- Art. 14 AMLA
- Art. 15 AMLA
- Art. 20 AMLA
- Art. 23 AMLA
- Art. 24 AMLA
- Art. 24a AMLA
- Art. 25 AMLA
- Art. 26 AMLA
- Art. 26a AMLA
- Art. 27 AMLA
- Art. 28 AMLA
- Art. 29 AMLA
- Art. 29a AMLA
- Art. 29b AMLA
- Art. 30 AMLA
- Art. 31 AMLA
- Art. 31a AMLA
- Art. 32 AMLA
- Art. 33 AMLA
- Art. 34 AMLA
- Art. 38 AMLA
FEDERAL CONSTITUTION
FEDERAL ACT ON DIRECT FEDERAL TAX
MEDICAL DEVICES ORDINANCE
CODE OF OBLIGATIONS
FEDERAL LAW ON PRIVATE INTERNATIONAL LAW
LUGANO CONVENTION
CODE OF CRIMINAL PROCEDURE
CIVIL PROCEDURE CODE
FEDERAL ACT ON POLITICAL RIGHTS
CIVIL CODE
FEDERAL ACT ON CARTELS AND OTHER RESTRAINTS OF COMPETITION
FEDERAL ACT ON INTERNATIONAL MUTUAL ASSISTANCE IN CRIMINAL MATTERS
DEBT ENFORCEMENT AND BANKRUPTCY ACT
FEDERAL ACT ON DATA PROTECTION
CRIMINAL CODE
CYBERCRIME CONVENTION
COMMERCIAL REGISTER ORDINANCE
FEDERAL ACT ON COMBATING MONEY LAUNDERING AND TERRORIST FINANCING
FREEDOM OF INFORMATION ACT
FEDERAL ACT ON THE INTERNATIONAL TRANSFER OF CULTURAL PROPERTY
FEDERAL ACT ON MEDICINAL PRODUCTS AND MEDICAL DEVICES
TAX HARMONISATION ACT
- In Brief
- I. Preliminary Remarks
- II. General Remarks
- III. Conditions
- IV. Legal Consequence: Portability
- V. Modalities (para. 3 and DSV)
- Bibliography
- Materials
In Brief
The right to data disclosure or transfer is, alongside the right of access, the second data protection right of the data subject. It is often referred to as the right to data portability. This right allows a data subject to request certain data that has been actively provided to the controller or collected by the controller, or to have that data transferred directly to a third party. The data must be transferred in a commonly used electronic format. This is intended to enable direct reuse by the data subject or another provider. The new right to data portability was adopted from the GDPR and falls within the scope of both data protection and competition law. It is intended to give data subjects in the data economy the ability to exercise self-determination over “their” data.
I. Preliminary Remarks
1 Art. 28 of the FADP establishes the data subject’s right to have certain data concerning them disclosed (para. 1) or transferred (para. 2). This is also referred to as the right to data portability and—alongside the right of access—constitutes the second data subject right within the framework of the FADP. The subsequent Art. 29 of the FADP must be read in conjunction with Art. 28 of the FADP and sets forth possible grounds for restriction.
2 The natural person making the request, whose data is being processed by a controller, has active standing to exercise Article 28 of the FADP. The controller who processes the data covered by the right to data portability—or who has such data processed by a processor—has passive standing. This may include private individuals and, in rare cases, federal agencies.
II. General Remarks
A. Legislative Purpose
3 The legislative purpose of Art. 28 of the FADP remains controversial to this day. While the Federal Council, for example, views the right to data portability as serving competition law objectives (see N. 10), other voices in the literature emphasize consumer protection or data protection objectives. A further complication in determining the purpose of the provision is that, although the Chambers focused on social networks during the drafting of the regulation, they did not include a corresponding restriction to social networks in the right to data portability. Art. 28 FADP can therefore apply in numerous contexts and industries—such as the mobility sector, the healthcare sector, internet platforms, cloud services, or human resources. The only commonality among all these use cases is that they stem from fundamental changes in modern data processing (see also N. 23 ff.). It is only the recently emerged data economy that has made the right to data portability necessary. This must be taken into account in determining the purpose of the provision.
4 From a data protection perspective, the data subject’s right to portability is intended to enable self-determined control over data. It is intended to break through the de facto power of exclusion that the controller would otherwise have without a right to portability and to elevate the individual—who has hitherto been reduced to the status of a data object—to that of a data subject by allowing them to have a say in how their data is used. This addresses the imbalances between stakeholders created by the data economy. For the first time, the data subject is given a legal means to independently intervene in the data economy and participate in the potential of the data.
5 Closely intertwined with this, however, are competition law considerations. In this regard, the right to data portability aims to promote competition in general and foster the free flow of data. Other objectives frequently cited in the literature—such as reducing switching costs or barriers to market entry and preventing lock-in effects—can, in the view expressed here, play only a secondary role: Art. 28 of the FADP is not limited to cases in which a lock-in-effect exists or could potentially exist, and there is no need to prove that barriers to market entry exist or are being reduced. Furthermore, the data controller need not hold a specific market position or even operate in a market at all.
6 Thus, the competition law objectives diverge from a classical antitrust understanding and align more closely with “regulatory law,” which operates ex ante. These objectives are also underpinned by the idealism of the so-called Open Web. This movement, which emerged in the late 2000s, is rooted in the American IT scene and is based on the idea that it is only the free interlinking of content on the Internet (and especially on the World Wide Web), as well as access to it, that has enabled innovation and made today’s offerings possible. However, this Open Web is threatened by monopolies and data silos (so-called “walled gardens”), as large internet platforms, in particular, are increasingly isolating themselves from one another. Consequently, the right to data portability can also be seen, on a much more fundamental level, as a response to an internet consisting of walled gardens. The data economy—as it predominantly manifests on the World Wide Web—should be freed from proprietary data silos, and data subjects should be able to switch providers without facing barriers that distort competition.
7 Given the breadth of possible use cases, the aforementioned objectives—which are sometimes very different—are not always easy to reconcile. That said, the right to data portability pursues both data protection and competition law objectives. However, it should primarily be regarded as a data protection instrument that also pursues competition law objectives. This follows systematically from the fact that the right to portability applies only to personal data and can be exercised solely by data subjects (under data protection law). Accordingly, there is a clear connection to the data subject’s personality and their right to informational self-determination. Conversely, no competition law requirements need to be met for the right to be exercised. It is not even necessary for the controller to operate in a market or in a manner relevant to competition.
8 Consequently, the right to data portability in data protection law is not (as some argue) foreign to the system, but rather “system-creating”. It is an expression of a fundamental legislative decision, according to which the data subject should have the opportunity to have a say in the data concerning them. By enshrining it in the FADP, the legislature made it clear that the focus in the future should be on the data subject.
9 Particularly in light of its somewhat non-linear development in Switzerland (more on this shortly), the right to data portability must also be understood in a broader context: it is an instrument of Swiss data policy par excellence and not “merely” an instrument of data protection law. The right to data portability stems from fundamental data policy considerations and is intended to enable the free flow of data in the age of the data economy. In this sense, while it may—as is now the case—be structured under data protection law, it does not necessarily have to be closely linked to the FADP. Indeed, at the very beginning of the deliberations on the FADP revision, the spokesperson for the relevant committee aptly noted: “It is not simply a matter of data protection, but also of other data policy issues such as portability, etc., which we […] must address.”
B. Legislative History
10 Art. 28 of the FADP has no counterpart in the aDSG. It is a genuine innovation of the revision, adopted from the DSGVO (see N. 12) . However, its introduction remained uncertain until the very end: The Federal Council considered such a provision “problematic” and refrained from including a right to data portability in the (preliminary) draft. It justified this by arguing that such a right was aimed more at enabling data subjects to reuse their data to foster competition than at protecting their privacy. Furthermore, it feared high costs and doubted the successful implementation, as it would require an agreement on data carriers and IT standards among the data controllers. Instead, the Federal Council wanted to examine the introduction of sector-specific portability rights.
11 During the parliamentary deliberations, however, the SPK-N nevertheless included a general right to data portability in the bill. This was intended to open up new economic opportunities and shift the balance of power between small and large platforms. A minority also called for the right to be defined even more broadly, so that all data relating to an individual would be subject to the right to data portability. However, the majority of the National Council and the Federal Council were of the view that such a right would go too far in light of potential issues regarding trade secrets. Ultimately, the Chambers decided to enshrine the right to data portability in its current form, “always with the underlying consideration of what will and will not compromise its appropriateness.”
C. Comparative Legal Notes
12 The right to data portability was adopted virtually unchanged from the DSGVO, which is why the provision in Art. 20 DSGVO can be used as a basis for Swiss interpretation. However, there are specific differences in the wording, which—where relevant—will be addressed in the discussion of the individual requirements.
III. Conditions
A. Personal Data of the Data Subject
13 Art. 28(1) of the FADP first provides that the data subject may request the controller to provide “their personal data.” It follows that only data relating to a natural person is portable (Art. 2(1) and Art. 5(a) FADP). Thus, data not related to the data subject is not covered, unless the controller can link the data to the data subject. Examples include anonymous performance metrics in software, such as information on CPU utilization or memory usage on a user’s device. The requirement, therefore, is that the data be closely linked to the data subject’s identity.
14 Consequently, data relating to legal entities is not subject to the right to data portability. Data that a data controller subsequently anonymizes is also not covered. If the data is pseudonymized, it must be regarded as personal data if the data controller can link it to the data subject.
15 As the Latin language versions make clear, the data must relate to the person making the request. However, nothing can be inferred from the ambiguous wording in the German language version (“ihrer Personendaten”), which would also allow for a different, broader interpretation. It follows that purely third-party data—that is, data relating exclusively to third parties—is not subject to the right to data portability.
16 However, there is debate regarding data that relates also to third parties, such as photos in which multiple people are depicted.
Since the grounds for restricting the right to data portability in Art. 29(1) in conjunction with para. 26(1)(b) of the FADP refer to the overriding interests of third parties, it can be assumed that personal data that also relates to third parties may be subject to the right to data portability. This therefore also covers data with a “dual reference” that has a certain connection to the data subject, even if the data does not (solely) relate to that person. This applies, for example, to entire chat or email histories or archived bank transactions (including information on payers or payees). Only if there are overriding interests of third parties (or if the data pertains exclusively to third parties) is the data not subject to the right to data portability. If this were not the case, Art. 28 of the FADP would be rendered ineffective in many of the very cases intended by its legislative purpose.
17 Therefore, the following procedure must be followed to determine whether certain data is subject to the right to data portability: As a first step, the controller must clarify whether the requirements of Art. 28 of the FADP are generally met, in particular whether the personal data in question was provided by the data subject. If the data also concerns third parties (but not only third parties) and exhibits a dual relationship, a second step must be taken—in the sense of a “restrictive corrective measure”—to weigh whether overriding interests of third parties necessitate a restriction. If there are no overriding interests of third parties, the data may be ported.
B. Disclosed Data
18 The right to data portability is limited to data that the data subject has “disclosed” to the controller. The concept of disclosure isnot to be understood within the meaning of the legal definition in Art. 5(e) of the FADP. However, this is not necessary for its interpretation: It was already established in the legislative materials during the legislative process which data are meant. The Federal Council subsequently defined the scope of this characteristic in the DSV. In addition, the Federal Office of Justice (BJ) commented on its scope in its explanatory notes. For this reason, the requirement of disclosure in Switzerland (unlike under the DSGVO) is, at least in theory, largely undisputed. In practice, however, difficult questions of demarcation may still arise.
19 According to Art. 20 para. 1(a) of the DSV, data is considered disclosed primarily when a data subject knowingly and voluntarily provides it to the controller (so-called master data; also “provided data”). This includes all data disclosed directly and intentionally, such as address information entered as part of an online order or data that must be provided when registering on a platform or filling out a medical history form at a hospital. Passwords or private keys are not included in this category, provided they are encrypted—which should generally be the case—and cannot be linked by the controller to the data subject.
20 Furthermore, data is considered to have been provided if a controller has collected it about the data subject and their behavior in the context of using a service or device (para. 20(1)(b) of the GDPR) . Such observed data is generated—knowingly or unknowingly—by the data subject indirectly while using a service or device. This includes, for example, metrics from a fitness app on a smartwatch generated based on athletic performance, the songs listened to on a streaming service, or consumption and location data from a smart vehicle.
21 Not included are derived data, i.e., data that the controller generates through its own analysis of data (Art. 20 para. 2 of the Data Protection Act). Since this constitutes an independent activity on the part of the controller, such data is excluded from portability. In this case, the legislature has given greater weight to the protection of the controller’s own work and investments than to the data subject’s right to enable the further use of “their” personal data.
22 The distinction between observed and derived data must be made on a case-by-case basis and may not always be straightforward. For example, in the healthcare sector, “observing” usually also means “measuring,” and a simple measurement is often underpinned by complex technology that operates according to scientific methods. In such cases, the transition from pure observation to derivation can be fluid and difficult to determine.
C. Automated Processing
23 Another limitation is that only data processed automatically by the controller is subject to the right to data portability (para. 28(1)(a) FADP). This is primarily intended to exclude data that isstored in paper form. Examples include physical medical history forms in a doctor’s office, as long as these are not subsequently transferred to electronic patient records.
24 Only electronically processed data is covered. This is because, despite the FADP’s inherent technology neutrality, the right to data portability is aimed at digital data traffic and is intended to apply specifically to data traffic on the Internet. However, this requirement hardly constitutes a restriction today, as most data processing is likely to be automated.
25 The data controller is under no obligation to digitize data stored in paper form or in any other analog format. However, if data is processed only partially automatically, the data controller may be obligated in individual cases to transfer this data, because the restriction does not specify exclusively automated processing. Since the data controller must, in this case, provide or transfer the data in a commonly used electronic format, additional obligations may then apply.
D. Consent or Direct Connection to a Contract
26 As a further requirement, Art. 28 of the FADP provides for a restriction on data processed with the consent of the data subject or in direct connection with the conclusion or performance of a contract between the controller and the data subject (para. 1(b)). This requirement refers to the grounds for justifying data processing set forth in Art. 31 of the FADP and was adopted tel quel from the DSGVO.
27 However, the DSGVO is based on the principle of a prohibition subject to exceptions. In Switzerland, by contrast, data processing by private individuals is generally permitted as long as the data subject’s privacy is not unlawfully infringed (permission subject to exceptions). Accordingly, under the FADP, a justification within the meaning of Art. 31 FADP is not required in every case for data processing by private individuals. Rather, data processing cannot unlawfully infringe upon the data subject’s personality in the first place, for example because it is carried out in accordance with the data protection principles (Art. 30, para. 1 and para. 2, subparagraph a, FADP a contrario). However, this misinterprets the requirement under para. 28(1)(b) of the FADP.
28 A literal interpretation would thus mean that only data processing operations are subject to the right to data portability if they can be based on the justifying grounds of consent (para. 31(1), Option 1, FADP) or an overriding interest due to a direct connection to a contract (para. 31(2)(a) FADP). While this would ensure that data processing based on a legal obligation is not covered by the right to data portability, there is no apparent reason why data processing that does not require a legal basis should be excluded from portability.
29 The legal literature therefore assumes legislative oversight and, in light of the purpose of the provision, advocates for a broader interpretation. The focus should therefore be on thevoluntary nature of the data processing. Consequently, the initiative for the specific data processing must at least (also) have originated from the data subject. The data processing must not take place completely detached from the will of the data subject. If this is the case, the requirement in Art. 28(1)(b) of the FADP is met, regardless of whether a justification within the meaning of Art. 31 of the FADP is invoked.
30 Conversely, this means that data processing based on another justification is not subject to the right to data portability. This is particularly relevant when a legal basis for data processing exists (Art. 31(1), para. 3, FADP). While the DSGVO provides for an explicit exclusion of processing carried out in the performance of public tasks (Art. 20(3), second sentence, DSGVO), this is not the case under the FADP. Nevertheless, the restriction in Art. 28(1)(b) FADP already makes it clear that data processing based on a legal basis is generally excluded. Accordingly, data processing by federal bodies, which are bound by the principle of legality, is generally not covered by the right to data portability.
IV. Legal Consequence: Portability
31 If the conditions set forth in Section III are cumulatively met, the data subject may request that the data be provided to them (para. 1) or transferred to another controller (para. 2). Both the provision and the transfer of the data must be made in a commonly used electronic format (see N. 38 et seq.).
32 Exercising the right to data portability does not alter the legal relationship between the data subject and the controller. Consent that has been granted is not deemed revoked, nor is any contractual relationship between the parties affected. The controller may continue to assert grounds for justification. Consequently, the controller is not required to delete the ported data.
A. To the data subject (disclosure of data; para. 1)
33 Under the basic provision of Art. 28(1) FADP, the controller discloses the data to the data subject. The data subject may then use the data for purely personal purposes (such as storing a photo collection locally on their computer) or independently transfer it to a third party of their choice. The latter, however, is not a process based on Art. 28 FADP.
B. To a Data Controller (Data Transfer; para. 2)
34 According to Art. 28 para. 2 FADP, a direct transfer to third parties (referred to in Art. 28 as “another data controller”) is also possible upon request by the data subject. To this end, all the requirements under para. 1 must first be met. In addition, however, the transfer must not entail a disproportionate effort. Para. 2 is satisfied if the third party can obtain the data directly from the controller with passive legal standing, for example because the controller grants the third party access via an application programming interface (API). However, there is no legal entitlement to this.
35 Art. 21 para. 3 of the DSV specifies that a disproportionate burden exists if the transfer is technically impossible. Such an impossibility, however, is unlikely to ever arise, since the disclosure of data to the data subject is, from a technical standpoint, neither simpler nor more complex than the transfer of data to another controller. Since the controller is legally obligated to disclose the data under para. 1, a data transfer under para. 2 should also generally be possible (without disproportionate effort). This is all the more true given that the controller must design its systems from the outset in such a way that it can fulfill its legal obligations (Art. 7 FADP).
36 Of course, a third party is not obligated to accept the data or to ensure the technical feasibility of the transfer. It has no role under data protection law as long as it has not received any personal data and is therefore not processing it. In this respect, the term “other controller” in the law is misleading, especially since Art. 28 FADP—unlike Art. 20 DSGVO—does not include a prohibition on obstruction that would impose obligations on the “other controller” regarding the right to data portability. Under EU regulations, it is therefore posited that technical feasibility must relate to the relationship between the controller and the third party. A transfer is always considered disproportionate if the data processing systems of the controller and the third party are incompatible. The requirement thus relates to a characteristic of the third party without imposing any obligations on it.
37 No disproportionate burden can be inferred from the costs incurred by the controller. The right to data portability is a right of the data subject that must be granted regardless of any implementation costs. The costs incurred for the transfer to a third party therefore cannot be invoked, especially since it is difficult to see how such a transfer would entail higher costs than the disclosure of the data to the data subject.
C. Data Format
38 Art. 28 of the FADP provides for the disclosure or transfer in a common electronic format. These should be data formats that enable the data to be transferred with reasonable effort and reused by the data subject or another controller (see Art. 21 para. 1 of the FADP).
39 Since this clarification is of little help, the provision in Art. 20 of the DSGVO must be consulted, even though the Swiss wording was modeled more closely on that of the right of access in Art. 15 para. 3 of the DSGVO. Art. 20 of the DSGVO refers to a “structured, commonly used, and machine-readable format.”
1. Common
40 A format is considered common if it is widely used in the relevant industry for the type of data in question and within the relevant geographic area. However, too much emphasis should not be placed on the geographic area. In the globalized data economy, Switzerland is not a technological island, and the requirement for commonality would thus be set unnecessarily high. Nor does commonality correspond to the state of the art. What matters is not which format appears to be the “best,” but rather what is most widely used and has thus proven itself in practice. Consequently, a format is considered common when it has established itself as a standard. The focus should therefore primarily be on industry standards and common practice.
41 Excluded from this, however, are proprietary formats, which may be widespread but can only be licensed at high cost. They are not to be considered common, nor are formats used solely for internal purposes. Conversely, open formats are not common per se, but must be generally used and widespread. If no common formats exist (yet) in a particular sector, the responsible party should resort to such generally used open formats, such as XML, JSON, or CSV.
42 Common use must be assessed from the perspective of the data controller with passive legal standing: A DICOM file (for Digital Imaging and Communications in Medicine, with the file extension .dcm) may be unfamiliar to a patient but is commonly used in radiology. This also applies if the controller operates in a different industry than the third party to whom the data is to be transferred. However, this can pose a practical obstacle to cross-sector transfers.
2. Electronic
43 An electronic format essentially corresponds to machine readability under the DSGVO. There, machine-readability is regarded as a fundamental “form requirement” for the digital society, since only this enables the automated processing of information by computers. Since the right to data portability is aimed at the data economy, the format must ensure that the data can be automatically imported into a computer system in a structured form. The data must therefore be electronically processable and capable of being further processed automatically.
44 In certain cases, however, Swiss regulations may be more restrictive than the machine-readability requirement. While there is sometimes debate under the DSGVO as to whether computer printouts should be considered machine-readable due to the technical possibility of automated text recognition (so-called optical character recognition; OCR), these are clearly not classified as an electronic format under the FADP.
3. No Interoperability Requirement
45 The requirements regarding data format do not imply a requirement for interoperability. Interoperability does not refer to data (formats) anyway, but rather to systems that engage in bidirectional exchange. This would therefore require not only the exchange of data, but also interaction across different systems. For example, a social network could allow a user to transfer her photos to another provider. Interoperability between two social networks, by contrast, would only be achieved if, for example, a comment posted under a photo on one social network could be displayed on another social network and interacted with there (such as through a new comment). The different systems must therefore not only be capable of exchanging data but must also agree on the conditions that apply to that data.
46 Art. 21 para. 2 of the GDPR clarifies in this regard that the right to data portability imposes no obligation on the controller to adopt or maintain technically compatible data processing systems. Needless to say, this obligation does not apply to third parties either, who are not required to accept the ported data in the first place. Nor do the provisions of the FADP and the DSV impose an obligation to ensure interoperability between systems.
47 In its explanatory notes, the Federal Office of Justice (BJ) further suggests that the transferred information should be precisely described in interoperable formats with appropriate and comprehensible metadata so that it can be meaningfully transferred to a new system. The metadata should be comprehensive enough to enable the use and reuse of the data without disclosing trade secrets. This suggests an obligation to prepare (new) metadata, which should not be followed. Art. 28 of the FADP merely establishes—and particularly in light of Art. 21 para. 2 of the FADP—aright to the data “as is”. This also covers any metadata that, for example, enables the structuring of a larger dataset. However, no obligation to supplement the metadata (including, in some cases, data that the controller may not even need in its system) can be inferred from this. This is particularly true since the Swiss regulation, unlike Article 20 of the DSGVO, does not explicitly require the data to be structured. Furthermore, the specific metadata that can technically be included in a format may vary depending on the (common) format in question. Therefore, only those metadata pertaining to the data subjects that are contained in a commonly used electronic format within the meaning of Art. 28 of the FADP must be disclosed.
V. Modalities (para. 3 and DSV)
48 Art. 28 para. 3 of the FADP provides that the controller must, in principle, transfer personal data free of charge. In addition, Art. 22 of the FADP specifies the time limit, jurisdiction, and other modalities. Art. 22 of the FADP, however, limits itself to referring, mutatis mutandis, to the modalities of the right of access, without addressing the substance of the right to data portability. In principle, therefore, reference can be made to the comments on the right of access.
A. Form and Time Limit
49 Article 22 in conjunction with Article 16(1) of the DSV requires the data subject to submit a written request. In this request, the data subject must identify themselves (Article 22 in conjunction with Article 16(5) of the DSV). This can be done, for example, by enclosing a copy of their identification document with the request. More commonly, however, identification is likely to occur when the data subject submits the request directly from their (logged-in) account with the controller. In such cases, however, the controller should take special precautions in light of data security requirements (for example, by implementing mechanisms to detect unusual login attempts from external IP addresses). With the controller’s consent, the request may also be made verbally; however, this is likely to occur rarely.
50 The porting must take place within 30 days of receipt of the request (Art. 22 in conjunction with Art. 18(1) of the Data Protection Ordinance). If the porting cannot be completed within this period, the data controller must inform the data subject of this and specify the timeframe within which the porting can be completed (Art. 22 in conjunction with Art. 18 para. 2 of the Data Protection Act). Any potential restriction must also be communicated within the same timeframe (Art. 22 in conjunction with Art. 18(3) of the Data Protection Act).
51 A continuous or periodic data flow is not required. Nor is the controller required to grant the data subject or the other controller unrestricted access to the data (for example, through access to an interface). The right to data portability is conceived as a static transfer mechanism and thus provides merely a “snapshot.”
52 Like the right of access, the right to data portability can therefore, in principle, be granted in any form. For example, a USB drive could be sent by mail, or the data could be sent electronically via email. Furthermore, particularly in the case of larger data sets, the controller may offer access via an API or the option to download the data directly from its servers (e.g., from an SFTP server, a secure web interface, or a web portal).
B. Jurisdiction
53 The right to data portability is directed against the controller, even if the data is stored by a processor. If there are multiple controllers, the data subject may assert their right against each one individually (Art. 22 in conjunction with para. 1 of the Data Protection Act). In each case, the controllers are obligated to process the request themselves and not merely to forward it. Processors must assist the controller in responding to the request or, on behalf of the controller, respond to it themselves (Art. 22 in conjunction with Art. 17 para. 2 of the GDPR). The processor must therefore provide the controller with data relevant to portability if the controller does not have it at its disposal.
C. No Cost
54 The controller must provide or transfer the data free of charge (para. 28(3) FADP). In exceptional cases, a fee of up to CHF 300 is permissible if the porting involves a disproportionate effort (Art. 22 in conjunction with Art. 19(1) and (2) of the Data Protection Ordinance). This may be the (rare) case, for example, when a complex process of separating third-party data from that of the data subject is necessary. The controller must inform the data subject of the amount of the fee in advance (Art. 22 in conjunction with Art. 19(3) of the Data Protection Ordinance).
Note:
The structure and content of this commentary are based on the author’s dissertation on the right to data portability. The footnotes refer specifically to the dissertation only when they contain more detailed explanations.
Bibliography
Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Datenschutzgesetz (DSG), 2. Aufl., Bern 2023 (zit.: SHK-Autor/in, Art. … DSG N. ...).
Benhamou Yaniv/Cottier Bertil (Hrsg.), Petit commentaire LPD, Loi sur la protection des données, Basel 2023 (zit.: PC-Autor/in, Art. … DSG N. ...).
Berners-Lee Tim, Long Live the Web, Scientific American 2010, 80–85.
Bieri Adrian/Powell Julian (Hrsg.), Orell Füssli Kommentar zum Schweizerischen Datenschutzgesetz mit weiteren Erlassen, Zürich 2023 (zit.: OFK-Autor/in, Art. … DSG N. ...).
Bieri Adrian/Powell Julian, Die Totalrevision des Bundesgesetzes über den Datenschutz, Jusletter 16.11.2020.
Brorsen Hans/Falk Richard, Die «Maschinenlesbarkeit» von Informationen, Unter der Haube der EU-Digitalregulierung, MMR 2025, 7–12.
Cattaneo Gianni, Legge federale sulla protezione dei dati (nLPD) e Ordinanza sulla protezione dei dati (nOPDa): struttura, principi e obblighi nel settore privato, in: Bernasconi Giorgio A./Pasucci Paola (Hrsg.), Protezione dei dati personali: orizzonte 2023, Introduzione alle nuove norme di livello federale e cantonale, Basel 2024, 3–67.
Drepper Johannes/Schlünder Irene/Buckow Karoline, Praktische Umsetzbarkeit der Datenportabilität im Bereich der medizinischen Forschung, in: Stiftung Datenschutz, Praktische Umsetzung des Rechts auf Datenübertragbarkeit, Rechtliche, technische und verbraucherbezogene Implikationen, 3. Aufl., Leipzig 2018, 178–196.
Ehmann Eugen/Selmayr Martin (Hrsg.), Beck’scher Kurz-Kommentar zur Datenschutz-Grundverordnung, 3. Aufl., München 2024 (zit.: KUKO-Autor/in, Art. … DSGVO N. ...).
Ehrenzeller Bernhard/Schindler Benjamin/Schweizer Rainer J. (Hrsg.), St. Galler Kommentar zur schweizerischen Bundesverfassung, 4. Aufl., Zürich et al. 2023 (zit.: SGK-Autor/in, Art. 13 BV N. ...).
Engels Barbara, Data portability among online platforms, Internet Policy Review 2/2016, 1–17.
Expertengruppe zur Zukunft der Datenbearbeitung und Datensicherheit, Bericht vom 17.8.2018, <https://perma.cc/YB65-ECG9> (zit.: Expertengruppe Zukunft).
Fix Alexander Daniel, Das Recht auf Datenportabilität, Art. 20 DSGVO als Schnittstelle zwischen Wettbewerbsförderung und Datenschutz, Berlin 2022.
Götzinger Lena/Vasella David, Datenportabilität und ihre Umsetzung, SZW 2021, 40–51.
Kratz Alexander, Datenportabilität und «Walled Gardens», InTeR 2019, 26–31.
Krause Peter, Datenportabilität, Pflichten für Verantwortliche im Rahmen des Rechts auf Datenübertragbarkeit (Teil 2), PinG 2019, 13–20.
Landolt Robin, Datenkooperationen, Der unternehmensübergreifende Zugang zu Daten im Spannungsfeld zwischen Datenschutz und Wettbewerbsförderung, Zürich 2024.
Laux Christian, Das Recht auf Datenportabilität, digma 2019, 166–170.
Mahon Pascal, Le droit à l’intégrité numérique : réelle innovation ou simple évolution du droit ? Le point de vue du droit constitutionnel, in: Guillaume Florence/Mahon Pascal (Hrsg.), Le droit à l’intégrité numérique, Basel 2021, 43–63.
Mätzler Samuel, Das Recht auf Datenportabilität, Eine rechtsvergleichende Untersuchung von Art. 28 DSG anhand dreier Datenökosysteme, Zürich 2026.
Meier Philippe/Métille Sylvain (Hrsg.), Loi fédérale sur la protection des données, Commentaire Romand, Basel 2023 (zit.: CR-Autor/in, Art. … DSG N. ...).
Métille Sylvain, Loi fédérale sur la protection des données révisée : principes généraux et nouveautés, in: Défago Valérie/Dunand Jean-Philippe/Mahon Pascal/Posse-Ousmane Samah/Raedler David (Hrsg.), La protection des données dans les relations de travail à la lumière de la nouvelle loi fédérale sur la protection des données, Genf et al. 2024, 3–47.
Rosenthal David, Das neue Datenschutzgesetz, Jusletter 16.11.2020.
Schweitzer Heike, Datenzugang in der Datenökonomie: Eckpfeiler einer neuen Informationsordnung, GRUR 2019, 569–579.
Sperlich Tim, Informationelle Selbstbestimmung zwischen Wettbewerbs- und Datenschutzrecht, Eine Analyse und Beurteilung der Wechselwirkungen zwischen dem Wettbewerbs- und Datenschutzrecht, Berlin 2021.
Steiner Thomas, Zwischen Autonomie und Angleichung, Eine Analyse zur Anwendung des neuen DSG im Lichte der DSGVO, in: Widmer Michael (Hrsg.), Datenschutz, Rechtliche Schnittstellen, Zürich 2023, 51–138.
Steiner Thomas/Morand Anne-Sophie/Hürlimann Daniel (Hrsg.), Onlinekommentar zum Bundesgesetz über den Datenschutz, Version vom 31.7.2023 (zit.: OK-Autor/in, Art. … DSG N. ...).
Swire Peter P./Lagos Yianni, Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique, Maryland Law Review 2013, 335–380.
Swiss Data Alliance, Leitlinie zur Umsetzung der Datenübertragbarkeit in der Schweiz, Version 1.0 vom 20.8.2020.
Thouvenin Florent, Informationelle Selbstbestimmung: Intuition, Illusion, Implosion, ZSR Beiheft 2023.
Thouvenin Florent/Weber Rolf H./Früh Alfred, Elemente einer Datenpolitik, Zürich et al. 2019.
Vasella David/Blechta Gabor-Paul (Hrsg.), Basler Kommentar zum Datenschutzgesetz und Öffentlichkeitsgesetz, 4. Aufl., Basel 2024 (zit.: BSK-Autor/in, Art. … DSG N. ...).
Weber Rolf H./Thouvenin Florent, Gutachten zur Möglichkeit der Einführung eines Datenportabilitätsrechts im schweizerischen Recht und zur Rechtslage bei Personal Information Management Systems (PIMS) vom 22.12.2017.
Wolff Heinrich Amadeus/Brink Stefan/von Ungern-Sternberg Antje (Hrsg.), BeckOK Datenschutzrecht, 53. Aufl., München 2025 (zit.: BeckOK DSR-Autor/in, Art. … DSGVO N. ...).
Ziegler Noémi/Vasella David, Informationelle Selbstbestimmung, Was leistet das Datenschutzrecht für die Selbstbestimmung der Betroffenen?, digma 2019, 158–164.
Materials
Artikel 29-Datenschutzgruppe, Leitlinien zum Recht auf Datenübertragbarkeit, WP 242 rev.01, zuletzt überarbeitet und angenommen am 5.4.2017.
Botschaft zum Bundesgesetz über die Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz vom 15.9.2017, BBl 2017 6941 ff. (zit.: Botschaft DSG 2017).
Bundesamt für Justiz, Erläuternder Bericht zum Vorentwurf für das Bundesgesetz über die Totalrevision des Datenschutzgesetzes und die Änderung weiterer Erlasse zum Datenschutz vom 21.12.2016 (zit.: BJ, Erläuternder Bericht VE-DSG).
Bundesamt für Justiz, Erläuternder Bericht Verordnung über den Datenschutz (Datenschutzverordnung, DSV) vom 31.8.2022 (zit.: BJ, Erläuternder Bericht DSV).
Bundesamt für Kommunikation, «Massnahmen für eine zukunftsorientierte Datenpolitik der Schweiz», Medienmitteilung vom 9.5.2018, <https://perma.cc/VJE24KLZ> (zit.: BAKOM, Medienmitteilung vom 9.5.2018).
Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter, Das neue Datenschutzgesetz aus Sicht des EDÖB vom 9.2.2021 (zit.: EDÖB).
Fahne 17.059, Datenschutzgesetz, Teilrevision und Änderung weiterer Erlasse zum Datenschutz, Entwurf 3 Herbstsession 2019, Beschluss Nationalrat, <https://perma.cc/JQL2-XP5J> (zit.: Fahne 17.059, Beschluss Nationalrat).