-
- Art. 3 FC
- Art. 5a FC
- Art. 6 FC
- Art. 10 FC
- Art. 13 FC
- Art. 16 FC
- Art. 17 FC
- Art. 20 FC
- Art. 22 FC
- Art. 26 FC
- Art. 29a FC
- Art. 30 FC
- Art. 31 FC
- Art. 32 FC
- Art. 42 FC
- Art. 43 FC
- Art. 43a FC
- Art. 45 FC
- Art. 51 FC
- Art. 52 FC
- Art. 55 FC
- Art. 56 FC
- Art. 60 FC
- Art. 68 FC
- Art. 69 FC
- Art. 74 FC
- Art. 75b FC
- Art. 77 FC
- Art. 81 FC
- Art. 96 para. 1 FC
- Art. 96 para. 2 lit. a FC
- Art. 110 FC
- Art. 117a FC
- Art. 118 FC
- Art. 119a FC
- Art. 122 FC
- Art. 123a FC
- Art. 123b FC
- Art. 130 FC
- Art. 136 FC
- Art. 164 FC
- Art. 166 FC
- Art. 170 FC
- Art. 176 FC
- Art. 178 FC
- Art. 189 FC
- Art. 191 FC
-
- Art. 11 CO
- Art. 12 CO
- Art. 50 CO
- Art. 51 CO
- Art. 84 CO
- Art. 97 CO
- Art. 98 CO
- Art. 99 CO
- Art. 100 CO
- Art. 143 CO
- Art. 144 CO
- Art. 145 CO
- Art. 146 CO
- Art. 147 CO
- Art. 148 CO
- Art. 149 CO
- Art. 150 CO
- Art. 633 CO
- Art. 701 CO
- Art. 713 CO
- Art. 715 CO
- Art. 715a CO
- Art. 734f CO
- Art. 785 CO
- Art. 786 CO
- Art. 787 CO
- Art. 788 CO
- Art. 808c CO
- Transitional provisions to the revision of the Stock Corporation Act of June 19, 2020
-
- Art. 2 PRA
- Art. 3 PRA
- Art. 4 PRA
- Art. 6 PRA
- Art. 10 PRA
- Art. 10a PRA
- Art. 11 PRA
- Art. 12 PRA
- Art. 13 PRA
- Art. 14 PRA
- Art. 15 PRA
- Art. 16 PRA
- Art. 17 PRA
- Art. 19 PRA
- Art. 20 PRA
- Art. 21 PRA
- Art. 22 PRA
- Art. 23 PRA
- Art. 24 PRA
- Art. 25 PRA
- Art. 26 PRA
- Art. 27 PRA
- Art. 29 PRA
- Art. 30 PRA
- Art. 31 PRA
- Art. 32 PRA
- Art. 32a PRA
- Art. 33 PRA
- Art. 34 PRA
- Art. 35 PRA
- Art. 36 PRA
- Art. 37 PRA
- Art. 38 PRA
- Art. 39 PRA
- Art. 40 PRA
- Art. 41 PRA
- Art. 42 PRA
- Art. 43 PRA
- Art. 44 PRA
- Art. 45 PRA
- Art. 46 PRA
- Art. 47 PRA
- Art. 48 PRA
- Art. 49 PRA
- Art. 50 PRA
- Art. 51 PRA
- Art. 52 PRA
- Art. 53 PRA
- Art. 54 PRA
- Art. 55 PRA
- Art. 56 PRA
- Art. 57 PRA
- Art. 58 PRA
- Art. 59a PRA
- Art. 59b PRA
- Art. 59c PRA
- Art. 60 PRA
- Art. 60a PRA
- Art. 62 PRA
- Art. 63 PRA
- Art. 64 PRA
- Art. 67 PRA
- Art. 67a PRA
- Art. 67b PRA
- Art. 73 PRA
- Art. 73a PRA
- Art. 75 PRA
- Art. 75a PRA
- Art. 76 PRA
- Art. 76a PRA
- Art. 90 PRA
-
- Art. 1 IMAC
- Art. 1a IMAC
- Art. 3 para. 1 and 2 IMAC
- Art. 8 IMAC
- Art. 8a IMAC
- Art. 11b IMAC
- Art. 16 IMAC
- Art. 17 IMAC
- Art. 17a IMAC
- Art. 32 IMAC
- Art. 35 IMAC
- Art. 47 IMAC
- Art. 48 IMAC
- Art. 54 IMAC
- Art. 55a IMAC
- Art. 63 IMAC
- Art. 67 IMAC
- Art. 67a IMAC
- Art. 74 IMAC
- Art. 74a IMAC
- Art. 80 IMAC
- Art. 80a IMAC
- Art. 80b IMAC
- Art. 80c IMAC
- Art. 80d IMAC
- Art. 80h IMAC
- Art. 80k IMAC
-
- Vorb. zu Art. 1 FADP
- Art. 1 FADP
- Art. 2 FADP
- Art. 3 FADP
- Art. 4 FADP
- Art. 5 lit. c FADP
- Art. 5 lit. d FADP
- Art. 5 lit. f und g FADP
- Art. 6 para. 3-5 FADP
- Art. 6 Abs. 6 and 7 FADP
- Art. 7 FADP
- Art. 10 FADP
- Art. 11 FADP
- Art. 12 FADP
- Art. 14 FADP
- Art. 15 FADP
- Art. 18 FADP
- Art. 19 FADP
- Art. 20 FADP
- Art. 22 FADP
- Art. 23 FADP
- Art. 25 FADP
- Art. 26 FADP
- Art. 27 FADP
- Art. 28 FADP
- Art. 29 FADP
- Art. 31 para. 2 lit. e FADP
- Art. 33 FADP
- Art. 34 FADP
- Art. 35 FADP
- Art. 38 FADP
- Art. 39 FADP
- Art. 40 FADP
- Art. 41 FADP
- Art. 42 FADP
- Art. 43 FADP
- Art. 44 FADP
- Art. 44a FADP
- Art. 45 FADP
- Art. 46 FADP
- Art. 47 FADP
- Art. 47a FADP
- Art. 48 FADP
- Art. 49 FADP
- Art. 50 FADP
- Art. 51 FADP
- Art. 52 FADP
- Art. 54 FADP
- Art. 55 FADP
- Art. 57 FADP
- Art. 58 FADP
- Art. 60 FADP
- Art. 61 FADP
- Art. 62 FADP
- Art. 63 FADP
- Art. 64 FADP
- Art. 65 FADP
- Art. 66 FADP
- Art. 67 FADP
- Art. 69 FADP
- Art. 72 FADP
- Art. 72a FADP
-
- Art. 2 CCC (Convention on Cybercrime)
- Art. 3 CCC (Convention on Cybercrime)
- Art. 4 CCC (Convention on Cybercrime)
- Art. 5 CCC (Convention on Cybercrime)
- Art. 6 CCC (Convention on Cybercrime)
- Art. 7 CCC (Convention on Cybercrime)
- Art. 8 CCC (Convention on Cybercrime)
- Art. 9 CCC (Convention on Cybercrime)
- Art. 11 CCC (Convention on Cybercrime)
- Art. 12 CCC (Convention on Cybercrime)
- Art. 16 CCC (Convention on Cybercrime)
- Art. 18 CCC (Convention on Cybercrime)
- Art. 25 CCC (Convention on Cybercrime)
- Art. 27 CCC (Convention on Cybercrime)
- Art. 28 CCC (Convention on Cybercrime)
- Art. 29 CCC (Convention on Cybercrime)
- Art. 32 CCC (Convention on Cybercrime)
- Art. 33 CCC (Convention on Cybercrime)
- Art. 34 CCC (Convention on Cybercrime)
-
- Art. 2 para. 1 AMLA
- Art. 2a para. 1-2 and 4-5 AMLA
- Art. 2 para. 2 AMLA
- Art. 2 para. 3 AMLA
- Art. 3 AMLA
- Art. 7 AMLA
- Art. 7a AMLA
- Art. 8 AMLA
- Art. 8a AMLA
- Art. 11 AMLA
- Art. 14 AMLA
- Art. 15 AMLA
- Art. 20 AMLA
- Art. 23 AMLA
- Art. 24 AMLA
- Art. 24a AMLA
- Art. 25 AMLA
- Art. 26 AMLA
- Art. 26a AMLA
- Art. 27 AMLA
- Art. 28 AMLA
- Art. 29 AMLA
- Art. 29a AMLA
- Art. 29b AMLA
- Art. 30 AMLA
- Art. 31 AMLA
- Art. 31a AMLA
- Art. 32 AMLA
- Art. 33 AMLA
- Art. 34 AMLA
- Art. 38 AMLA
FEDERAL CONSTITUTION
FEDERAL ACT ON DIRECT FEDERAL TAX
MEDICAL DEVICES ORDINANCE
CODE OF OBLIGATIONS
FEDERAL LAW ON PRIVATE INTERNATIONAL LAW
LUGANO CONVENTION
CODE OF CRIMINAL PROCEDURE
CIVIL PROCEDURE CODE
FEDERAL ACT ON POLITICAL RIGHTS
CIVIL CODE
FEDERAL ACT ON CARTELS AND OTHER RESTRAINTS OF COMPETITION
FEDERAL ACT ON INTERNATIONAL MUTUAL ASSISTANCE IN CRIMINAL MATTERS
DEBT ENFORCEMENT AND BANKRUPTCY ACT
FEDERAL ACT ON DATA PROTECTION
CRIMINAL CODE
CYBERCRIME CONVENTION
COMMERCIAL REGISTER ORDINANCE
FEDERAL ACT ON COMBATING MONEY LAUNDERING AND TERRORIST FINANCING
FREEDOM OF INFORMATION ACT
FEDERAL ACT ON THE INTERNATIONAL TRANSFER OF CULTURAL PROPERTY
FEDERAL ACT ON MEDICINAL PRODUCTS AND MEDICAL DEVICES
TAX HARMONISATION ACT
- In a nutshell
- I. General
- II. Grounds for Restrictions (Para. 1 in conjunction with Article 26)
- III. Legal Consequences
- IV. Duty to Provide Reasons (para. 2)
- Bibliography
- Materials
In a nutshell
Article 29 of the FADP addresses the possible grounds for restricting the right to data disclosure or transfer under Article 28 of the FADP. It refers to the grounds for restricting the right of access. This is intended to prevent the data subject from using the right to data portability to obtain data that is not subject to the right of access. However, the blanket reference to the right of access does not sufficiently take into account the specific nature of the right to data portability, which can lead to inconsistencies in various cases.
I. General
A. Purpose and Background of the Provision
1 Article 29 of the FADP specifies the grounds on which a controller may restrict the disclosure or transfer of data pursuant to Article 28 of the FADP (also known as the right to data portability). However, the provision does not list these grounds independently but refers to the grounds for restricting the right of access in Art. 26 para. 1 and 2 of the FADP. For this reason, the explanations provided there can largely be applied to the right to data portability.
2 The blanket reference to the grounds for restricting the right of access is not without controversy, as the two data subject rights pursue different objectives and the grounds for restriction do not always apply to the various use cases. Nevertheless, this reference does prevent the restrictions on the right of access from being circumvented through the right to data portability.
3 Along with the right to data portability, Art. 29 FADP was only inserted during the parliamentary deliberations as part of the FADP revision. The provision was not debated separately and was uncontroversial.
B. Comparative Law Notes
4 Art. 29 FADP was adopted by analogy from the DSGVO. However, the DSGVO does not contain a separate provision. Rather, the DSGVO restricts the right to data portability in various places. Under Article 12(5)(1) of the DSGVO, the controller may charge a reasonable fee for data portability in the case of manifestly unfounded or excessive requests (lit. a) or refuse the request entirely (lit. b). In doing so, the controller must provide evidence that the request is abusive (Art. 12(5), para. 2, DSGVO).
5 According to Art. 20(4) DSGVO, the right to data portability must not infringe upon the rights and freedoms of others. According to the prevailing view, this also applies to the controller. Consequently, the right to data portability under the DSGVO may be restricted by trade and business secrets or intellectual property rights, such as copyrights.
6 Furthermore, the DSGVO contains in para. 20, second sentence, an explicit exclusion for processing carried out in the public interest or in the exercise of official authority. Furthermore, under the conditions set forth in Article 23 of the DSGVO, additional restrictions may be provided for in Union law or in the law of a Member State. In accordance with Article 85(2) and Article 89(3) of the DSGVO, further derogations are also possible, which may limit the right to data portability in certain circumstances.
II. Grounds for Restrictions (Para. 1 in conjunction with Article 26)
A. Legal Basis, Specifically Professional Secrets (Article 26(1)(a))
7 A restriction on the right to data portability is permissible if provided for by a law in the formal sense (Art. 29(1) in conjunction with Art. 26(1)(a) of the FADP). Such a legal basis must relate to the right to data portability and would have to be assessed on a case-by-case basis. To date, however, no such legal bases exist.
8 The provision relating to the right of access cites the protection of professional secrecy as an example. This makes it clear that the reference to the right of accessis not very convincing, since the right to data portability covers only data that relates to the data subject and has also been disclosed by the data subject to the controller. Professional secrecy, on the other hand, is primarily intended to protect the data subject. Since the data subject always exercises their right to data portability on their own initiative—and thus consent has been given—professional secrecy is not violated (see Art. 321 no. 2 of the SCC).
B. Overriding Interests of Third Parties (Art. 26 para. 1(b))
9 The data controller may restrict the right to data portability if this is necessary due to overriding interests of third parties (Art. 29(1) in conjunction with para. 26(1)(b) of the FADP). In this context, the dual or third-party use of data is the primary concern, but trade secrets or intellectual property rights of third parties are also conceivable. Restrictions based on the controller’s interests, by contrast, must be considered under para. 2 of Art. 26 of the FADP.
10 With regard to the interests of third parties, a balancing of interests must take place. It should not be readily assumed that the interests of third parties prevail: The data in question always relates (at least in part) to the data subject and consists of information that the data subject has already disclosed to the controller. In light of the legislature’s decision to grant the data subject the right to data portability so that they may dispose of “their” data, the grounds for restriction must therefore not be interpreted too broadly. However, it is also true that, in cases of doubt, the controller is more likely to accept a potential violation of the right to data portability—which is not subject to sanctions under the FADP—than a violation of third-party rights.
C. Manifestly Unfounded (Art. 26(1)(c))
11 If a request is manifestly unfounded, the controller may also restrict the right to data portability (Art. 29(1) in conjunction with Art. 26(1)(c) of the FADP). By way of example, Art. 26 of the FADP—which is tailored to the right of access—lists cases in which a request pursues a purpose contrary to data protection or is manifestly vexatious. However, the possibility of restricting portability in the event of a purpose contrary to data protection is difficult to reconcile with the right to portability in light of the objectives of data protection and competition law. The right to data portability aims, among other things, to ensure the free flow of data; therefore, a request should not be readily deemed manifestly unfounded. This reference to the right of access is thus also unsatisfactory. The right to data portability is intended to enable the transfer of data between different parties in as standardized a manner as possible, free from case-by-case considerations. Accordingly, it is unclear in which cases the controller may refuse a request under this provision.
12 However, a request may be presumed to be unfounded, for example, if the right to data portability is exercised in abuse of the law. The text also mentions the case of evidence gathering against the data controller in civil proceedings.
D. Further Grounds for Restriction (Art. 26 para. 2)
13 Art. 29(1) FADP also refers to Art. 26(2) FADP. That provision sets forth additional grounds for restriction for private individuals (lit. a) and for federal bodies (lit. b). Since the latter are rarely parties to proceedings regarding the right to data portability, the grounds for restriction for federal bodies can hardly be considered relevant from the outset.
14 It is conceivable, however, that a private data controller might wish to restrict data portability because its overriding interests so require (lit. a, no. 1). A data controller may thus invoke its own trade secrets and intellectual property rights as grounds for restriction under Art. 29(1) in conjunction with para. 2(a) of the FADP. Overall, however, this is likely to be rare, since only data disclosed by the data subject is covered by the right to data portability, while derived data—i.e., data based on a service provided by the controller—is excluded from the scope of application. In principle, the legislature has already subordinated the controller’s interests to those of the data subject and competition by introducing the right to data portability; therefore, the controller is unlikely to be able to invoke trade secrets very often.
15 If the controller wishes to restrict portability on the basis of its overriding interests, para. 2 of Art. 26 of the FADP lists an additional requirement that must be met. The controller must not be permitted to disclose personal data to third parties (no. 2). However, this condition is incompatible with the right to data portability under Art. 28(2) of the FADP and is therefore, in our view, irrelevant as a condition for restriction. It is also possible to conclude that the controller cannot rely on Art. 26(2)(a) of the FADP at all if the data subject requests data portability.
III. Legal Consequences
16 If there is a valid ground for restriction, the controller may refuse, restrict, or postpone the porting. In doing so, the controller must ensure proportionality and enable the right to data portability as fully as possible. Thus, before refusing a request, the controller must always first consider whether to postpone or restrict it.
IV. Duty to Provide Reasons (para. 2)
17 Pursuant to Art. 29(2) of the FADP, the controller must state why it is refusing, restricting, or postponing the porting. This corresponds to the obligation that a controller must also fulfill under the right of access (see Art. 26(4) of the FADP). The controller must inform the data subject that the porting is being refused, restricted, or deferred and provide reasons for this. A 30-day deadline from receipt of the request also applies here (Art. 22 in conjunction with Art. 18 para. 3 of the Data Protection Ordinance). For further details, please refer to the commentary on Art. 25 of the FADP.
Note:
The structure and content of this commentary are based on the author’s dissertation on the right to data portability. The footnotes refer specifically to the dissertation only when they contain more detailed explanations.
Bibliography
Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Datenschutzgesetz (DSG), 2. Aufl., Bern 2023 (zit.: SHK-Autor/in, Art. … DSG N. ...).
Bieri Adrian/Powell Julian (Hrsg.), Orell Füssli Kommentar zum Schweizerischen Datenschutzgesetz mit weiteren Erlassen, Zürich 2023 (zit.: OFK-Autor/in, Art. … DSG N. ...).
Erard Frédéric/di Tria Livio, Consentement aux traitements de données en cabinet médical, Ni libre, ni éclairé, ni nécessaire ?, Jusletter 23.9.2024.
Gola Peter/Heckmann Dirk (Hrsg.), Datenschutz-Grundverordnung, Bundesdatenschutzgesetz: DS-GVO / BDSG, Kommentar, 3. Aufl., München 2022 (zit.: GK-Autor/in, Art. ... DSGVO N. ...).
Landolt Robin, Datenkooperationen, Der unternehmensübergreifende Zugang zu Daten im Spannungsfeld zwischen Datenschutz und Wettbewerbsförderung, Zürich 2024.
Mätzler Samuel, Das Recht auf Datenportabilität, Eine rechtsvergleichende Untersuchung von Art. 28 DSG anhand dreier Datenökosysteme, Zürich 2026.
Meier Philippe/Métille Sylvain (Hrsg.), Loi fédérale sur la protection des données, Commentaire Romand, Basel 2023 (zit.: CR-Autor/in, Art. … DSG N ...).
Rosenthal David, Das neue Datenschutzgesetz, Jusletter 16.11.2020.
Steiner Thomas/Morand Anne-Sophie/Hürlimann Daniel (Hrsg.), Onlinekommentar zum Bundesgesetz über den Datenschutz, Version vom 31.7.2023 (zit.: OK-Autor/in, Art. … DSG N. ...).
Taeger Jürgen/Gabel Detlev (Hrsg.), Kommunikation & Recht Kommentar zu DSGVO/BDSG/TDDDG, 4. Aufl., Frankfurt am Main 2022 (zit.: KRKomm-Autor/in, Art. ... DSGVO N. ...).
Vasella David/Blechta Gabor-Paul (Hrsg.), Basler Kommentar zum Datenschutzgesetz und Öffentlichkeitsgesetz, 4. Aufl., Basel 2024 (zit.: BSK-Autor/in, Art. … DSG N. ...).
Materials
Artikel 29-Datenschutzgruppe, Leitlinien zum Recht auf Datenübertragbarkeit, WP 242 rev.01, zuletzt überarbeitet und angenommen am 5.4.2017.
Botschaft zum Bundesgesetz über die Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz vom 15.9.2017, BBl 2017 6941 ff. (zit.: Botschaft DSG 2017).
Fahne 17.059, Datenschutzgesetz, Teilrevision und Änderung weiterer Erlasse zum Datenschutz, Entwurf 3 Herbstsession 2019, Beschluss Nationalrat, <https://perma.cc/JQL2-XP5J> (zit.: Fahne 17.059, Beschluss Nationalrat).