-
- Art. 5a FC
- Art. 6 FC
- Art. 10 FC
- Art. 16 FC
- Art. 17 FC
- Art. 20 FC
- Art. 22 FC
- Art. 29a FC
- Art. 30 FC
- Art. 32 FC
- Art. 42 FC
- Art. 43 FC
- Art. 43a FC
- Art. 55 FC
- Art. 56 FC
- Art. 60 FC
- Art. 68 FC
- Art. 75b FC
- Art. 77 FC
- Art. 96 para. 2 lit. a FC
- Art. 110 FC
- Art. 117a FC
- Art. 118 FC
- Art. 123b FC
- Art. 136 FC
- Art. 166 FC
-
- Art. 11 CO
- Art. 12 CO
- Art. 50 CO
- Art. 51 CO
- Art. 84 CO
- Art. 143 CO
- Art. 144 CO
- Art. 145 CO
- Art. 146 CO
- Art. 147 CO
- Art. 148 CO
- Art. 149 CO
- Art. 150 CO
- Art. 701 CO
- Art. 715 CO
- Art. 715a CO
- Art. 734f CO
- Art. 785 CO
- Art. 786 CO
- Art. 787 CO
- Art. 788 CO
- Transitional provisions to the revision of the Stock Corporation Act of June 19, 2020
- Art. 808c CO
-
- Art. 2 PRA
- Art. 3 PRA
- Art. 4 PRA
- Art. 6 PRA
- Art. 10 PRA
- Art. 10a PRA
- Art. 11 PRA
- Art. 12 PRA
- Art. 13 PRA
- Art. 14 PRA
- Art. 15 PRA
- Art. 16 PRA
- Art. 17 PRA
- Art. 19 PRA
- Art. 20 PRA
- Art. 21 PRA
- Art. 22 PRA
- Art. 23 PRA
- Art. 24 PRA
- Art. 25 PRA
- Art. 26 PRA
- Art. 27 PRA
- Art. 29 PRA
- Art. 30 PRA
- Art. 31 PRA
- Art. 32 PRA
- Art. 32a PRA
- Art. 33 PRA
- Art. 34 PRA
- Art. 35 PRA
- Art. 36 PRA
- Art. 37 PRA
- Art. 38 PRA
- Art. 39 PRA
- Art. 40 PRA
- Art. 41 PRA
- Art. 42 PRA
- Art. 43 PRA
- Art. 44 PRA
- Art. 45 PRA
- Art. 46 PRA
- Art. 47 PRA
- Art. 48 PRA
- Art. 49 PRA
- Art. 50 PRA
- Art. 51 PRA
- Art. 52 PRA
- Art. 53 PRA
- Art. 54 PRA
- Art. 55 PRA
- Art. 56 PRA
- Art. 57 PRA
- Art. 58 PRA
- Art. 59a PRA
- Art. 59b PRA
- Art. 59c PRA
- Art. 62 PRA
- Art. 63 PRA
- Art. 67 PRA
- Art. 67a PRA
- Art. 67b PRA
- Art. 75 PRA
- Art. 75a PRA
- Art. 76 PRA
- Art. 76a PRA
- Art. 90 PRA
-
- Vorb. zu Art. 1 FADP
- Art. 1 FADP
- Art. 2 FADP
- Art. 3 FADP
- Art. 5 lit. f und g FADP
- Art. 6 Abs. 6 and 7 FADP
- Art. 7 FADP
- Art. 10 FADP
- Art. 11 FADP
- Art. 12 FADP
- Art. 14 FADP
- Art. 15 FADP
- Art. 19 FADP
- Art. 20 FADP
- Art. 22 FADP
- Art. 23 FADP
- Art. 25 FADP
- Art. 26 FADP
- Art. 27 FADP
- Art. 31 para. 2 lit. e FADP
- Art. 33 FADP
- Art. 34 FADP
- Art. 35 FADP
- Art. 38 FADP
- Art. 39 FADP
- Art. 40 FADP
- Art. 41 FADP
- Art. 42 FADP
- Art. 43 FADP
- Art. 44 FADP
- Art. 44a FADP
- Art. 45 FADP
- Art. 46 FADP
- Art. 47 FADP
- Art. 47a FADP
- Art. 48 FADP
- Art. 49 FADP
- Art. 50 FADP
- Art. 51 FADP
- Art. 54 FADP
- Art. 57 FADP
- Art. 58 FADP
- Art. 60 FADP
- Art. 61 FADP
- Art. 62 FADP
- Art. 63 FADP
- Art. 64 FADP
- Art. 65 FADP
- Art. 66 FADP
- Art. 67 FADP
- Art. 69 FADP
- Art. 72 FADP
- Art. 72a FADP
-
- Art. 2 CCC (Convention on Cybercrime)
- Art. 3 CCC (Convention on Cybercrime)
- Art. 4 CCC (Convention on Cybercrime)
- Art. 5 CCC (Convention on Cybercrime)
- Art. 6 CCC (Convention on Cybercrime)
- Art. 7 CCC (Convention on Cybercrime)
- Art. 8 CCC (Convention on Cybercrime)
- Art. 9 CCC (Convention on Cybercrime)
- Art. 11 CCC (Convention on Cybercrime)
- Art. 12 CCC (Convention on Cybercrime)
- Art. 25 CCC (Convention on Cybercrime)
- Art. 29 CCC (Convention on Cybercrime)
- Art. 32 CCC (Convention on Cybercrime)
- Art. 33 CCC (Convention on Cybercrime)
- Art. 34 CCC (Convention on Cybercrime)
FEDERAL CONSTITUTION
CODE OF OBLIGATIONS
FEDERAL LAW ON PRIVATE INTERNATIONAL LAW
LUGANO CONVENTION
CODE OF CRIMINAL PROCEDURE
CIVIL PROCEDURE CODE
FEDERAL ACT ON POLITICAL RIGHTS
CIVIL CODE
FEDERAL ACT ON CARTELS AND OTHER RESTRAINTS OF COMPETITION
FEDERAL ACT ON INTERNATIONAL MUTUAL ASSISTANCE IN CRIMINAL MATTERS
DEBT ENFORCEMENT AND BANKRUPTCY ACT
FEDERAL ACT ON DATA PROTECTION
SWISS CRIMINAL CODE
CYBERCRIME CONVENTION
- In a nutshell
- I. General
- II. para. 1, consent, overriding interest, legal grounds for justification
- III. para. 2
- Bibliography
- Materials
In a nutshell
[In the introduction to Article 31, by other author(s)]
I. General
[General on Art. 31; Preamble and background, by other author(s)]
II. para. 1, consent, overriding interest, legal grounds for justification
[on Art. 31 para. 1; by other author(s)]
III. para. 2
A. General information / test steps
[General to para. 2; by other author(s)]
B. List of legal cases
1. Lit. a - d
[By other authors(s)]
2. Lit. e, Processing for non-personal purposes
1 Processing for non-personal purposes is the provision on overriding interests that has been expanded the most compared to its predecessor provision in Art. 13 para. 2 lit. e aDSG. In addition to the previous regulation on the publication of results (new in no. 3 of the provision, below n. 15), there is an obligation to anonymize or pseudonymize at the earliest possible time (no. 1) and, as a qualified offence, a requirement for the disclosure of particularly sensitive personal data to third parties (no. 2). The regulator thus no longer starts with the publication of the results, but intervenes directly in internal process management during processing. On the one hand, the higher density of regulation is the result of a legal concretization of existing principles; on the other hand, it means a tightening of the requirements for controllers when processing for non-personal purposes.
a) Non-personal purpose as a basic offense
2 The central element of the provision is processing for non-personal purposes. Non-personal purposes are defined as purposes for which the identity of the data subject is irrelevant. In other words, the purpose of the activity is also fulfilled if anonymized or encrypted data is processed. There is a wide range of possible processing purposes that can fall under this justification. Not only large numbers of people are covered, but the processing of the data of an individual person or a group can also serve non-personal purposes, as long as it is only about the characteristics and not the identity. The identity of the data subject may, however, be of practical importance to the data controllers themselves, for example in the area of longitudinal studies in which information is collected from data subjects at regular intervals.
3 The law itself does not define the term "non-personal purpose", but mentions private research, statistics and planning as examples. The regulation is therefore also referred to as a "research privilege" under data law. Population, spatial and transport planning are mentioned in the doctrine as examples of planning. The privileged status of these areas is justified by the fact that they not only provide an important basis for economic decision-making, but also meet a variety of social and public needs. The list of areas is not exhaustive. In particular, the evaluation of internet and app usage data or the use of AI models in the context of big data analysis, where any interest in the individual is eliminated in advance, should be considered. On the other hand, the explicit mention in the law does not mean that data processing in the areas of research, statistics and planning always serves non-personal purposes. An example of personal purposes is precision medicine, where positive study results should also benefit the persons concerned. Other activities for other purposes include historical and genealogical research, which are not covered by the privilege if they relate to specific persons or groups.
4 The provision regulates data processing by private individuals. This includes, for example, private pharmaceutical research, private clinical studies or studies carried out by private organizations, market research and planning in companies. As a result of Art. 40 FADP, the provision also covers activities of federal bodies under private law. For government activities, Art. 39 FADP applies, which contains an analogous provision on data processing for non-personal purposes by federal bodies.
5 There will also be processing purposes that have both personal and non-personal components, namely in research. For such activities, the question arises to what extent the justification ground can be invoked. For federal bodies, Art. 35 DPO states that the exceptions under Art. 39 para. 2 FADP only apply to processing for non-personal purposes. An analogous regulation for private controllers is therefore understandable; it leads to a separate data law consideration for different aspects of a specific activity.
6 With regard to the three areas mentioned in the Act and other areas, special legislation must then be taken into account, which, depending on the enactment, ranges from a general reference standard to detailed regulations. Of particular importance is human research law (currently under revision) with the HRA and related enactments such as the Cancer Registration Act, which contain their own provisions on pseudonymization and triage provisions regarding the application of the HRA and FADP (e.g. Art. 28 KRG). In the electricity supply sector, Art. 17c para. 1 StromVG refers to the FADP with regard to smart metering. In statistics, the special legislation under the Federal Statistics Act (BStatG) applies insofar as it covers private institutions (Art. 2 para. 3 BStatG, cf. also principles pursuant to Art. 4 BStatG).
7 If processing is carried out for non-personal purposes, the various provisions of no. 1 to 3 apply. The provisions in detail:
b) No. 1, anonymization or pseudonymization (encryption)
8 Data controllers must anonymize the data as soon as the purpose of the processing permits. The provision thus takes up the principle of Art. 6 para. 4 FADP and at the same time qualifies it with an exception. According to this provision, data controllers can take other appropriate measures to prevent the person from being identifiable if anonymization is technically impossible or involves disproportionate effort. Due to the development of biometric recognition software, the anonymization of personal portraits, for example, is de facto impossible today, whereas a black bar across the eye area used to be sufficient. In view of the purpose of the standard, the exception must be applied with a sense of proportion despite the technical and financial consequences and requires a balancing of interests in individual cases, which balances the interests of those affected against the intended privileging of the activities in question.
9 Appropriate measures include, in particular, pseudonymization, encryption or coding. Pseudonymization plays an important role in practice and at the same time represents a technical challenge. Especially with regard to data obtained from biological material (biosamples), i.e. from parts of the human body such as tissue or blood samples, the technical requirements for pseudonymization have increased. Laboratory technology, above all DNA analysis, facilitates identification, possibly in combination with characteristics of other samples. Human research law makes corresponding provisions for the handling of biological material and genetic data (Art. 32 ff. HRA).
10 In connection with measures to prevent identifiability, reference should be made to the extensive catalog of technical and organizational measures in Art. 3 DPA, in particular the rules on confidentiality and integrity. There are also various guidelines on encryption, such as the binding scientific linking guidelines of the Federal Statistical Office or the cross-industry guidelines of the European Cybersecurity Agency (Enisa). The guidelines contain, among other things, requirements for handling the codes and for de-pseudonymization.
c) No. 2, Disclosure to third parties
11 The second requirement concerns the processing of particularly sensitive data (for the term, see commentary on Art. 5 lit. c FADP). The provision refers to Art. 30 para. 2 lit. c FADP, according to which the disclosure of such data to third parties constitutes a violation of personality rights. As in no. 1, a principle is established and this is mitigated with an exception. The exception was not yet included in the draft bill and was introduced in the National Council.
12 If the additional criterion of particularly sensitive data is fulfilled, the principle applies that this data may only be passed on to third parties in such a way that the data subject cannot be identified. Data may therefore also only be transferred in anonymized or encrypted form. The transfer of data to third parties is thus initially treated no differently to publication (no. 3). No. 2 aims to prevent the disclosure of non-anonymized, particularly sensitive personal data from being justified on the grounds that it is being processed for research, planning or statistical purposes.
13 The exception applies if measures to prevent identifiability are not possible, which may be the case with a person's extensive genetic data, for example. According to the wording, disproportionality of the measure is not a justification (see no. 1). In the event of impossibility, it must be ensured that third parties only process the data for non-personal purposes. The provision does not require that the processing purpose of the third party must be the same as that of the controller, which is understandable in view of the different areas of responsibility in research, statistics and planning. The duty of guarantee primarily applies to the controller, whereby no. 2 does not contain any methodological requirements for (contractually) ensuring the non-personal purpose limitation vis-à-vis third parties.
14 The dispatch on the aDSG then refers to statutory confidentiality provisions. Where these prohibit the disclosure of data to third parties, they take precedence as special regulations, such as professional secrecy protected under criminal law (e.g. medical confidentiality). Statistics departments or researchers can therefore not justify the disclosure of secret data on the basis of no. 2. The same applies to contractual or otherwise stipulated confidentiality obligations.
d) No. 3, Publication of results
15 no. 3 incorporates the previous provision according to which data subjects must not be identifiable when the results are published (Art. 13 para. 2 lit. e aDSG). In other words, there is still no requirement for anonymization in the publication. In the doctrine, it is noted that the publication of studies with a small number of affected persons may give rise to a risk of conclusions being drawn about the individual, for example in the case of studies on rare diseases or planning for small geographical areas. However, when publishing results based on data from a large number of affected persons, this appears to be less of a problem insofar as the identification of the person by a human being is more difficult. The machine recognition systems mentioned above, on the other hand, function independently of geographical or numerical restrictions, meaning that it is ultimately technical progress that is constantly increasing the requirements for the publication of results.
Bibliography
Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Datenschutzgesetz, Stämpflis Handkommentar, 2. Aufl., Bern 2022 (zit. SHK DSG-Bearbeiter/-in).
Baeriswyl Bruno, Die Einwilligung hilft (nicht) weiter, digma 2020 S. 62 ff. (zit. Baeriswyl).
Baeriswyl Bruno, "Big Data" ohne Datenschutz-Leitplanken, digma 2013 S. 14 ff. (zit. Baeriswyl, Big Data).
Baeriswyl Bruno/Pärli Kurt (Hrsg.), Datenschutzgesetz (DSG), Stämpflis Handkommentar, Bern 2015 (zit. SHK aDSG-Bearbeiter/-in).
Kasper Gabriel, People Analytics in privatrechtlichen Arbeitsverhältnissen, Vorschläge zur wirksameren Durchsetzung des Datenschutzrechts, Zürich/St. Gallen 2021 (zit. Kasper).
Bieri Adrian/Powell Julian (Hrsg.), Orell Füssli Kommentar zum Schweizerischen Datenschutzgesetz mit weiteren Erlassen, Zürich 2023 (zit. OFK-Bearbeiter/-in).
Blechta, Gabor-Paul/Vasella, David (Hrsg.), Datenschutzgesetz /Öffentlichkeitsgesetz, DSG/BGÖ. Basler Kommentar, 4. Aufl., Basel 2024 (zit. BSK nDSG-Bearbeiter/-in).
Laux, Christian, Introduction into the legal aspects of big data (part #3: privacy aspects – basics), Swiss Data Analytics Magazine 2015/01, S. 13 ff. (zit. Laux).
Maurer-Lambrou, Urs/Blechta, Gabor-Paul (Hrsg.), Datenschutzgesetz/Öffentlichkeitsgesetz, Basler Kommentar, 3. Aufl., Basel 2014 (zit. BSK-Bearbeiter/-in).
Meier Philippe, Protection des données, Fondements, principes généraux et droit privé, Bern 2010 (zit. Meier).
Reudt-Demont Janine, Digitalisierung des Gesundheitswesens 2023, LSR 2023 S. 39 ff. (zit. Reudt-Demont).
Rosenthal David/Jöhri Yvonne, Handkommentar zum Datenschutzgesetz sowie weiteren, ausgewählten Bestimmungen, Zürich 2008 (zit. Rosenthal/Jöhri (2008)).
Volz Stephanie, KI Sandboxen für die Schweiz?, SZW 2022 S. 51 ff., 56 (zit. Volz).
Materials
Botschaft zum Bundesgesetz über die Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz vom 15.9.2017, BBl 2017 6941 ff., abrufbar https://www.fedlex.admin.ch/eli/fga/2017/2057/de (zit. Botschaft 2017).
Botschaft zum Bundesgesetz über den Datenschutz (DSG) vom 23.3.1988, BBl 1988 II 413 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/1988/2_413_421_353/ de, (zit. Botschaft 1988).
Erläuterungsbericht Totalrevision der Verordnung zum Bundesgesetz über den Datenschutz, BJ, 23.6.2021 (zit. Erläuterungsbericht).