In a nutshell
Compliance with data protection regulations by the FDPIC is a legal obligation that already arises from the FDPIC's capacity as a federal body. Since no external data protection supervision is provided for the FDPIC, the legislator obliges the FDPIC to self-monitor: according to Art. 48 FADP, the FDPIC must ensure that legally compliant enforcement is guaranteed by means of appropriate control measures. Art. 40 of the Data Protection Ordinance (DPO) specifies that the FDPIC must draw up processing regulations for all of its automated data processing operations - regardless of whether it processes sensitive personal data or carries out profiling. This ensures that compliance with data protection regulations is also monitored within the FDPIC, which strengthens the credibility of the FDPIC as a supervisory authority vis-à-vis third parties.
I. General
1 Article 48 of the FADP is addressed to the FDPIC, not in its capacity as a supervisory authority but as a federal body that processes personal data. It obliges the FDPIC to provide for appropriate control measures, also within its own institution, to guarantee data security in particular and the legally compliant enforcement of federal data protection regulations in general. Since no external data protection supervision is provided for the FDPIC as a supervisory authority, the legislator uses this provision to oblige the FDPIC to self-monitor its processing of personal data.
2 The FDPIC processes personal data, including particularly sensitive personal data, for the following purposes (Art. 39 FADP):
to carry out its supervisory activities (lit. a),
to carry out its advisory activities (lit. b),
for cooperation with other authorities (lit. c),
for the performance of its duties under the penal provisions of the FADP (lit. d),
to fulfill its duties under the Public Information Act (lit. e-g),
to inform parliamentary supervision (lit. h),
to inform the public (lit. i) and
to carry out its training activities (lit. j).
The FDPIC processes personal data both in its function as data protection commissioner and as public information commissioner. In particular, it maintains a business administration system (Art. 57h GAOA), a personnel administration system, a list of data protection advisors (Art. 10 para. 3 lit. d FADP; Art. 10 para. 4 FADP in conjunction with Art. 27 para. 2 FADP), the directory of processing activities of federal bodies (Art. 12 para. 4 FADP), and a data breach notification portal (Art. 24 FADP). Within the scope of its legal duties, the FDPIC may in particular process personal data of its employees, personal data of other federal employees, as well as data of third parties, including data of legal entities (Art. 57r GAOA).
3 The FDPIC itself is not subject to any external data protection supervision, which is why it is required to carry out self-monitoring. The provision in Art. 48 FADP makes it clear that even the FDPIC, as a supervisory authority in the area of data protection, is not above data protection law and must also ensure compliance within its own authority. External control of the FDPIC would disproportionately limit its independence measured against the rather low risk of data misuse.
4 As a federal body, the FDPIC is bound not only by the general provisions in Arts. 5-13 and 16-29, but also by the special provisions on data processing by federal bodies under Arts. 33 ff. FADP. Art. 48 FADP provides that the FDPIC must provide for appropriate control measures to ensure compliance with these obligations. This obligation to self-monitor is due to the fact that there is no corresponding external data protection supervision for the FDPIC. The primary obligations are thus no different from those of other federal bodies; Art. 48 FADP concerns only the FDPIC's obligation to monitor compliance with these primary obligations. In particular, the FDPIC must take all those control measures that it usually carries out in the context of its supervisory activities vis-à-vis other federal bodies, insofar as these also prove to be appropriate in the case of self-monitoring. This strengthens the credibility of the FDPIC in its supervisory activities vis-à-vis federal bodies and private individuals.
5 The provision in Art. 48 FADP on self-monitoring by the FDPIC was incorporated into the Federal Data Protection Act with the total revision of 25 September 2020 (entry into force on 1 September 2023).
II. Control measures
A. Data security in particular
6 Article 48 FADP requires the FDPIC to establish appropriate control measures to guarantee data security within its own institution. According to Art. 5 lit. h FADP, a data security breach is "a breach of security that results in personal data being inadvertently or unlawfully lost, deleted, destroyed or altered, or disclosed or made accessible to unauthorized persons."
7 The FDPIC's obligation to ensure data security already arises in a general way from Art. 8 FADP. In accordance with this provision, data controllers and processors must ensure data security appropriate to the risk by means of suitable technical and organizational measures. The measures put in place must make it possible not only to detect breaches of data security retrospectively, but also to prevent them. Data security is specified in more detail in the DPO. In particular, Art. 3 DPO lists a number of technical and organizational measures to achieve the data security goals set forth in Art. 2 DPO, such as access, user, input and disclosure controls. The processing regulations for federal bodies pursuant to Art. 6 DPO also serve as a means of ensuring data security.
8 Against this background, the Federal Council has specified the FDPIC's self-monitoring obligation in Art. 40 DPO. The FDPIC must draw up processing regulations for all automated processing - irrespective of whether, for example, sensitive personal data are being processed, profiling is being carried out or the purpose of the processing or the manner in which the data are processed may lead to a serious interference with the fundamental rights of the data subject. Indeed, Art. 40 DPO declares Art. 6 para. 1 DPO, and the requirements it sets for the establishment of processing regulations, not applicable in the case of the FDPIC.
9 Apart from the obligation to draw up processing regulations, Art. 40 DPO does not mention any further measures within the framework of self-monitoring by the FDPIC. In the explanatory notes to Art. 40 DPO, the Federal Office of Justice states that the FDPIC, like the other federal bodies, must also provide for appropriate internal processes that implement the processing regulations and verify compliance. The legal provision in Art. 48 FADP, however, speaks in a more general manner of "appropriate control measures, in particular with regard to data security". The creation, implementation, review and regular adaptation of the processing regulations pursuant to Art. 40 DPO consequently do not release the FDPIC from its more general obligation pursuant to Art. 48 FADP to provide for more extensive control measures, provided that these are judged to be appropriate and adequate.
B. Legally compliant enforcement of data protection regulations in general
10 Art. 48 FADP obliges the FDPIC to establish control measures that ensure the legally compliant enforcement of federal data protection regulations. This obligation goes beyond the creation and implementation of processing regulations as defined in Art. 40 DPO. In particular, it requires that the planned data processing operations be regularly checked for their conformity with the federal data protection provisions. It is precisely within the framework of the internal control system (ICS) that the FDPIC should provide for further measures to ensure compliance with the FADP requirements.
11 In contrast to the obligation to draw up processing regulations, however, control measures going beyond this are only required if, on the one hand, they are suitable for ensuring compliance with the data protection provisions and, on the other hand, they are proportionate to the risk of data misuse and the threat to the fundamental rights of the data subject. Specifically, the FDPIC's obligation must not make its statutory supervisory and advisory duties impossible or disproportionately difficult. That said, the FDPIC may take the human resources required for self-regulation into account in its budget request.
The view expressed reflects the personal opinion of the authors and does not bind the Federal Office of Justice.
Bibliography
Baeriswyl Bruno, Kommentierung zu Art. 48 DSG, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Datenschutzgesetz, Stämpflis Handkommentar, 2. Aufl., Bern 2023.
Petermann Büttler Judith, Kommentierung zu Art. 48 DSG, in: Bieri Adrian/Powell Julian (Hrsg.), Datenschutzgesetz, Orell Füssli Kommentar, Zürich 2023.
Materials
Botschaft des Bundesrates vom 15.9.2017 zum Bundesgesetz über die Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz (BBl 2017 S. 6941).
Erläuternder Bericht des BJ zur Datenschutzverordnung DSV vom 31.8.2022.