-
- Art. 5a FC
- Art. 6 FC
- Art. 10 FC
- Art. 16 FC
- Art. 17 FC
- Art. 20 FC
- Art. 22 FC
- Art. 29a FC
- Art. 30 FC
- Art. 32 FC
- Art. 42 FC
- Art. 43 FC
- Art. 43a FC
- Art. 55 FC
- Art. 56 FC
- Art. 60 FC
- Art. 68 FC
- Art. 75b FC
- Art. 77 FC
- Art. 96 para. 2 lit. a FC
- Art. 110 FC
- Art. 117a FC
- Art. 118 FC
- Art. 123b FC
- Art. 136 FC
- Art. 166 FC
-
- Art. 11 CO
- Art. 12 CO
- Art. 50 CO
- Art. 51 CO
- Art. 84 CO
- Art. 143 CO
- Art. 144 CO
- Art. 145 CO
- Art. 146 CO
- Art. 147 CO
- Art. 148 CO
- Art. 149 CO
- Art. 150 CO
- Art. 701 CO
- Art. 715 CO
- Art. 715a CO
- Art. 734f CO
- Art. 785 CO
- Art. 786 CO
- Art. 787 CO
- Art. 788 CO
- Transitional provisions to the revision of the Stock Corporation Act of June 19, 2020
- Art. 808c CO
-
- Art. 2 PRA
- Art. 3 PRA
- Art. 4 PRA
- Art. 6 PRA
- Art. 10 PRA
- Art. 10a PRA
- Art. 11 PRA
- Art. 12 PRA
- Art. 13 PRA
- Art. 14 PRA
- Art. 15 PRA
- Art. 16 PRA
- Art. 17 PRA
- Art. 19 PRA
- Art. 20 PRA
- Art. 21 PRA
- Art. 22 PRA
- Art. 23 PRA
- Art. 24 PRA
- Art. 25 PRA
- Art. 26 PRA
- Art. 27 PRA
- Art. 29 PRA
- Art. 30 PRA
- Art. 31 PRA
- Art. 32 PRA
- Art. 32a PRA
- Art. 33 PRA
- Art. 34 PRA
- Art. 35 PRA
- Art. 36 PRA
- Art. 37 PRA
- Art. 38 PRA
- Art. 39 PRA
- Art. 40 PRA
- Art. 41 PRA
- Art. 42 PRA
- Art. 43 PRA
- Art. 44 PRA
- Art. 45 PRA
- Art. 46 PRA
- Art. 47 PRA
- Art. 48 PRA
- Art. 49 PRA
- Art. 50 PRA
- Art. 51 PRA
- Art. 52 PRA
- Art. 53 PRA
- Art. 54 PRA
- Art. 55 PRA
- Art. 56 PRA
- Art. 57 PRA
- Art. 58 PRA
- Art. 59a PRA
- Art. 59b PRA
- Art. 59c PRA
- Art. 62 PRA
- Art. 63 PRA
- Art. 67 PRA
- Art. 67a PRA
- Art. 67b PRA
- Art. 75 PRA
- Art. 75a PRA
- Art. 76 PRA
- Art. 76a PRA
- Art. 90 PRA
-
- Vorb. zu Art. 1 FADP
- Art. 1 FADP
- Art. 2 FADP
- Art. 3 FADP
- Art. 5 lit. f und g FADP
- Art. 6 Abs. 6 and 7 FADP
- Art. 7 FADP
- Art. 10 FADP
- Art. 11 FADP
- Art. 12 FADP
- Art. 14 FADP
- Art. 15 FADP
- Art. 19 FADP
- Art. 20 FADP
- Art. 22 FADP
- Art. 23 FADP
- Art. 25 FADP
- Art. 26 FADP
- Art. 27 FADP
- Art. 31 para. 2 lit. e FADP
- Art. 33 FADP
- Art. 34 FADP
- Art. 35 FADP
- Art. 38 FADP
- Art. 39 FADP
- Art. 40 FADP
- Art. 41 FADP
- Art. 42 FADP
- Art. 43 FADP
- Art. 44 FADP
- Art. 44a FADP
- Art. 45 FADP
- Art. 46 FADP
- Art. 47 FADP
- Art. 47a FADP
- Art. 48 FADP
- Art. 49 FADP
- Art. 50 FADP
- Art. 51 FADP
- Art. 54 FADP
- Art. 57 FADP
- Art. 58 FADP
- Art. 60 FADP
- Art. 61 FADP
- Art. 62 FADP
- Art. 63 FADP
- Art. 64 FADP
- Art. 65 FADP
- Art. 66 FADP
- Art. 67 FADP
- Art. 69 FADP
- Art. 72 FADP
- Art. 72a FADP
-
- Art. 2 CCC (Convention on Cybercrime)
- Art. 3 CCC (Convention on Cybercrime)
- Art. 4 CCC (Convention on Cybercrime)
- Art. 5 CCC (Convention on Cybercrime)
- Art. 6 CCC (Convention on Cybercrime)
- Art. 7 CCC (Convention on Cybercrime)
- Art. 8 CCC (Convention on Cybercrime)
- Art. 9 CCC (Convention on Cybercrime)
- Art. 11 CCC (Convention on Cybercrime)
- Art. 12 CCC (Convention on Cybercrime)
- Art. 25 CCC (Convention on Cybercrime)
- Art. 29 CCC (Convention on Cybercrime)
- Art. 32 CCC (Convention on Cybercrime)
- Art. 33 CCC (Convention on Cybercrime)
- Art. 34 CCC (Convention on Cybercrime)
FEDERAL CONSTITUTION
CODE OF OBLIGATIONS
FEDERAL LAW ON PRIVATE INTERNATIONAL LAW
LUGANO CONVENTION
CODE OF CRIMINAL PROCEDURE
CIVIL PROCEDURE CODE
FEDERAL ACT ON POLITICAL RIGHTS
CIVIL CODE
FEDERAL ACT ON CARTELS AND OTHER RESTRAINTS OF COMPETITION
FEDERAL ACT ON INTERNATIONAL MUTUAL ASSISTANCE IN CRIMINAL MATTERS
DEBT ENFORCEMENT AND BANKRUPTCY ACT
FEDERAL ACT ON DATA PROTECTION
SWISS CRIMINAL CODE
CYBERCRIME CONVENTION
In brief
This provision is crucial in terms of strengthening the competences of the FDPIC. In particular, the obligations of federal bodies and private persons to cooperate in the investigation are important. What is new and also significant is that the FDPIC can open an investigation against private persons if there are sufficient indications of a breach of data protection regulations. Under the previous FADP, the authority to investigate private persons was more limited.
I. General
A. Normative Purpose and Background
1 While Art. 4 FADP states in general terms that the FDPIC is responsible for supervising the application of federal data protection legislation, Art. 49 FADP regulates one of the most important powers of the FDPIC in connection with this supervision, namely the investigation of possible data protection violations by federal bodies and private persons.
2 One of the most important objectives of the revision of the FADP was to strengthen the supervisory competences of the FDPIC. This was also because the previous FADP was considered toothless with regard to the supervision of data processing by private persons (Art. 29 aFADP).
3 In addition, the previous investigative powers of the FDPIC were below international standards, which is why it was feared that without a strengthening of the investigative powers of the FDPIC, a positive adequacy decision of the EU could be in danger.
B. History of origins
4 In the normative concept for the revision of the Data Protection Act, the strengthening of the competences of the FDPIC was stated as one of the core demands in the revision of the DPA and, among other things, the introduction of a preliminary investigation procedure and the strengthening of the investigative powers were discussed.
5 In Art. 41 FDPA, various measures from the norm concept were implemented: Thus, the investigative powers vis-à-vis federal bodies and private persons, which had previously been contained in Art. 27 and Art. 29 aFADP, were combined in one provision, and the informal preliminary clarification procedure was regulated. While Art. 29 aFADP only permitted the opening of investigations against private persons under limited conditions, these restrictions were to be deleted in the future. This was also justified by the fact that the previous restrictions in Art. 29 aFADP would not meet the requirements of E-SEV 108. The new investigative powers of the FDPIC were also said to be a crucial element with regard to Art. 45 of Regulation (EU) 2016/679 to ensure that the European Commission renews or maintains the adequacy decision vis-à-vis Switzerland. Art. 41 VE-DSG was the subject of lively discussion in the consultation. While certain participants in the consultation welcomed the strengthening of investigative powers, others thought it went much too far.
6 The content of Art. 43 of the Draft Data Protection Act was based on Art. 41 of the Draft Data Protection Act. However, the preliminary investigation procedure was not mentioned. Also, the investigative measures explicitly mentioned in Art. 41 para. 3 VE-DSG were omitted or copied into another provision. In turn, the message on the DPA revision emphasized that the new regulation of the investigative powers of the FDPIC was important because its monitoring powers vis-à-vis the private sector would not currently meet the requirements of the E-SEV 108.
7 Art. 43 E-DSG was the subject of parliamentary deliberations. In the National Council, the discussion focused primarily on the requirements for opening an investigation. The "Romano" minority wanted to raise the minimum requirements for opening an investigation. The reason given for this was that mere indications of a violation of data protection regulations would not satisfy the requirements of a procedure based on the rule of law. It was also feared that the FDPIC could be overburdened if the requirements were too low. The majority, on the other hand, did not want to "handcuff" the FDPIC. The responsible Federal Councillor Keller-Sutter pointed out that the proposal of the majority - there must be sufficient indications and not merely signs of a data protection breach - would not represent a material change compared to Art. 43 E-DSG. However, it is critical of a further increase in the requirements. The "Romano" minority amendment would lead to a certain degree of legal uncertainty in the procedures of the FDPIC. In addition, the increased requirements for the opening of proceedings would jeopardize the adequacy of the Swiss level of data protection in an area of particular importance to the EU. Neither Convention 108+ nor the EU legal acts would provide for such a limitation of the investigative powers of data protection supervisory authorities. The National Council followed the majority opinion.
8 The Council of States concurred with the decision of the National Council regarding Art. 43(1) E-DSG. The Council of States primarily discussed Art. 43 (3) E-DSG. The debate was about the protection of professional secrecy. Although Art. 43 (3) E-DSG would already protect the professional secrecy of lawyers and doctors, for example, the Council of States committee requested that the reservation of professional secrecy be explicitly mentioned again. BR Keller-Sutter defended the proposal of the Federal Council. She emphasized that professional secrecy was already sufficiently protected in the applicable procedural laws. In the view of the Federal Council, the renewed emphasis on professional secrecy would rather lead to legal uncertainties. The question would arise why other important grounds for refusal under general procedural law were not also expressly mentioned again. However, the Council of States followed its commission. The National Council followed this decision of the Council of States.
II. Investigation
A. Difference from previous law
9 Until now, investigations against federal bodies as well as private persons were governed by different provisions (Arts. 27 and 29 aFADP). The requirements for opening an investigation were also different. Art. 27 para. 2 aFADP did not provide for a specific threshold for opening investigations against federal bodies. According to Art. 29 para. 1 aFADP, on the other hand, the FDPIC was only allowed to open investigations against private persons if the processing methods were likely to infringe the personality of a larger number of persons (system error), data collections had to be registered or there was a duty to inform according to Art. 6 para. 3 aFADP. However, these requirements in Art. 29 para. 1 aFADP did not meet the international standards.
10 Now, the former requirements for opening an investigation against private persons are deleted. In addition, uniform rules apply to the opening of investigations against federal bodies and private persons. This leads to a strengthening of the FDPIC.
B. Opening of the investigation (para. 1)
11 Pursuant to Art. 49 para. 1 FADP, the FDPIC shall open an investigation ex officio or upon notification if there are sufficient indications that a data processing operation may violate data protection provisions.
12 The report may be made by a third party or by the data subject, i.e. in principle by anyone. However, the person making the report does not have party status in the proceedings (Art. 52 para. 2 FADP e contrario). The report can also be made anonymously. Since the FDPIC now only has to initiate an investigation if there are sufficient indications of a data protection violation, an anonymous report may have a negative impact on this decision. Whether or not a report is made, for example, by a person with a close connection to the reported data processing, is thus certainly relevant in this assessment.
13 The FDPIC can also become active if press releases report on possible data protection violations, which already corresponds to current practice.
14 Data protection regulations within the meaning of Art. 4 para. 1 FADP do not only refer to the regulations of the FADP, but also to the sector-specific data protection regulations of the Confederation. This includes data protection-related provisions in other federal decrees as well as international treaties specific to data protection law. This extension beyond the DPA is primarily relevant for federal bodies.
15 An investigation may only be opened if there are sufficient indications of a breach of data protection regulations. This requirement was introduced by Parliament (see n. 7 above). Based on the parliamentary deliberations, it is not possible to find any overly clear guidelines as to what is to be considered a sufficient indication. A minority of the National Council wanted Art. 43 E-DSG to be worded as follows: "In the event of well-founded suspicion, the Commissioner shall open an investigation ex officio or upon well-founded complaint against a federal body or a private person if there are clear indications that a data processing operation could violate data protection regulations." However, these stricter requirements - in particular the requirement that there must be clear indications - were rejected. Sufficient indications do not have to be clear indications or reasonable suspicion in the sense of criminal procedure law. According to BR Keller-Sutter, sufficient indications should not be a material change compared to the Federal Council's proposal, which simply spoke of indications. In the end, the Federal Council also did not want the FDPIC to exhaust its resources with blanket investigations. It must be a matter of indications that justify the use of the FDPIC's resources. The parliamentary deliberations and in particular the votes of the majority show that one wanted to grant the FDPIC discretionary powers in this regard.
C. Waiver of investigation (para. 2)
16 According to Art. 49 para. 2 DPA, the FDPIC may waive a formal investigation if the violation of data protection rules is of minor importance. According to the dispatch, this would be the case, for example, if a sports or cultural association sends an e-mail message to all its members without concealing the identity of the recipients. Paragraph 2 can also be applied, according to the message, if the FDPIC is of the opinion that the advice given to the person responsible is sufficient to eliminate a situation that is hardly problematic in itself.
17 According to Rosenthal, a waiver should also be possible if, in the case of data breach notifications, it is clear that the breach is not serious or that the responsible party has the matter under control.
18 On the other hand, there are arguments against a waiver if the data processing in question affects a large number of individuals and there is therefore a general interest on the part of the public.
19 The FDPIC should act if in his view there is sufficient public interest for an investigation. On the other hand, it should refrain from an investigation if only the privacy of an individual is affected. In the latter case, the person concerned has the option of bringing an action against the private individual before a civil court or of challenging the decision of the federal body before the competent complaints body.
20 Art. 49 para. 1 in conjunction with. para. 2 FADP is an "optional" provision, which leaves the FDPIC some room for maneuver in deciding whether to open or refrain from an investigation. Parliament has left this leeway to the FDPIC (see n. 7 above). It is up to the FDPIC to decide on the appropriateness of such an investigation. Thus, there is still no entitlement of the whistleblower to conduct a formal investigation.
21 The FDPIC has already made it clear that he will continue to carry out informal contacts, i.e. preliminary investigations. If these informal contacts show that the person responsible acknowledges deficiencies that have been brought to his attention and remedies them within a reasonable period of time, the FDPIC will refrain from opening a formal investigation. Due to the limited resources of the FDPIC, it can generally be assumed that he will continue to prioritize the handling of complaints in accordance with the principle of opportunity even after the new FADP enters into force.
D. Obligation to cooperate (para. 3)
22 Art. 49 para. 3 FADP regulates the duties of cooperation of the private person and the federal body in the event of a formal investigation by the FDPIC, with the majority of the provisions under Arts. 27 para. 3 and 29 para. 2 aFADP having been adopted.
23 The party to the proceedings must provide the FDPIC with all the information and documents that the FDPIC requires for the investigation. According to Art. 49 Para. 3 FADP, a party is not obliged to do more than provide information and hand over documents. Cooperation may be requested informally. Further measures in the investigation are regulated in Art. 50 and 52 FADP.
24 According to Art. 49 para. 3 FADP, the federal bodies and the private person must cooperate. As under the previous law, the FDPIC may also require the data processors with primary responsibility at the federal body concerned or the private person concerned, as well as other employees, contract processors, auxiliary persons and third parties who are involved in the data processing to be investigated or who can provide relevant information about it, to cooperate.
25 The obligations to cooperate under Art. 49 para. 3 FADP may relate to information on a specific case, but may also be of a fundamental nature. They relate to all documents that may be relevant for the evaluation by the FDPIC.
26 So that the persons obliged to cooperate do not have to incriminate themselves, there are also rights to refuse information in the investigation by the FDPIC. The rights to refuse information are based on Art. 16 and 17 APA.
27 Art. 16 para. 1 APA refers to Art. 42 paras. 1 and 3 of the Federal Act of 4 December 1947 on Federal Civil Procedure with regard to the right to refuse to give evidence. According to Art. 42 paras. 1 and 3 of the Federal Act on Civil Procedure, persons questioned may refuse to testify if answering the question may expose them to the risk of criminal prosecution. This concerns persons who are subject to a legal obligation of secrecy according to Art. 321, 321bis and 321ter StGB. This means that doctors can refuse to provide the FDPIC with personal data about their patients if the patients do not consent to this disclosure. The same applies to lawyers and their clients. Art. 90 GDPR also provides for the possibility of establishing such rights of refusal in national law.
28 A deviating provision in Art. 50 para. 2 FADP remains reserved. This only states that professional secrecy is reserved. This reservation was inserted during the parliamentary deliberations (see n. 8 above). This is an emphasis which in itself would not have been necessary, since legal professional secrets are already taken into account via the APA. The reservation of professional secrets already applied under previous law. However, professional secrecy can only be held against the FDPIC if the person protected by professional secrecy does not release the person obliged to cooperate from the obligation of secrecy.
29 Official secrets may not be held against the FDPIC.
30 The persons obliged to cooperate may also not invoke business and trade secrets or contractual secrecy obligations.
31 In the case of informal preliminary investigations prior to the opening of a formal investigation, private persons do not have to provide the FDPIC with any information. Art. 49 para. 3 FADP applies only after formal proceedings have been opened. However, it may make sense for data controllers to cooperate with the FDPIC voluntarily if there is a possibility that the matter can thereby be clarified without the need for formal proceedings.
32 It should be noted that documents provided to the FDPIC in connection with an informal preliminary investigation are subject to the Public Information Act. The informal preliminary investigation does not fall under Art. 3 FoIA. According to its own statement, the FDPIC also cannot guarantee any restriction or refusal of access by third parties under Art. 7 FoIA. Particularly confidential information as well as, for example, personal data of third parties must therefore be processed prior to release. In addition, in the case of particularly confidential information, e.g. information on data security measures, it may be advisable not to provide the information to the FDPIC in writing, but to present the information to him orally on site during a visual inspection or to show it to him, e.g. on the occasion of a video conference with a split screen.
E. Information of the person concerned (para. 4)
33 The data subject is not a party to the proceedings (Art. 52 para. 2 FADP e contrario). This also applies if the data subject has filed a complaint. The data subject is therefore not entitled to inspect the files.
34 According to Art. 49 para. 4 FADP, if the data subject has filed a complaint, the FDPIC must at least inform the data subject of his or her further course of action and the outcome of any investigation.
35 The data subject may then assert his or her rights through the applicable legal remedies, i.e., he or she may file a complaint with a civil court if the responsible party is a private person, or he or she may file a complaint against the decision of the responsible federal body.
Bibliography
Rudin Beat, Kommentierung zu Art. 2 DSG, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Datenschutzgesetz, Stämpflis Handkommentar, 2. Aufl., Bern 2022.
Baeriswyl Bruno, Kommentierung zu Art. 27 und Art. 29 DSG, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Datenschutzgesetz, Stämpflis Handkommentar, 2. Aufl., Bern 2022.
Waldmann Bernhard/Oeschger Magnus, in: Belser Eva Maria/Epiney Astrid/Waldmann Bernhard, Datenschutzrecht – Grundlagen und öffentliches Recht, Bern 2011.
Bieri Adrian/Powell Julian, Die Totalrevision des Bundesgesetzes über den Datenschutz - Übersicht der wichtigsten Neuerungen für Unternehmen, Jusletter vom 16.11.2020.
Huber René, Kommentierung zu Art. 27 und Art. 29 DSG, in: Maurer-Lambrou Urs/Blechta Gabor-Paul (Hrsg.), Datenschutzgesetz/Öffentlichkeitsgesetz, Basler Kommentar, 3. Aufl., Basel 2014.
Reudt-Demont Janine/Gordon Clara-Ann/Egli Luisa, Das revidierte Datenschutzgesetz, LSR 2021, S. 264–269.
Jöhri Yvonne, Kommentierung zu Art. 27 DSG, in: Rosenthal David/Jöhri Yvonne (Hrsg.), Handkommentar zum Datenschutzgesetz sowie weiteren, ausgewählten Bestimmungen, Zürich 2008.
Rosenthal David, Kommentierung zu Art. 29 DSG, in: Rosenthal David/Jöhri Yvonne (Hrsg.), Handkommentar zum Datenschutzgesetz sowie weiteren, ausgewählten Bestimmungen, Zürich 2008.
Rosenthal David, Das neue Datenschutzgesetz, Jusletter vom 16.11.2020.
Materials
Botschaft zum Bundesgesetz über die Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz vom 15.9.2017, BBI 2017 S. 6941 ff., abrufbar unter https://fedlex.data.admin.ch/filestore/fedlex.data.admin.ch/eli/fga/2017/2057/de/pdf-x/fedlex-data-admin-ch-eli-fga-2017-2057-de-pdf-x.pdf, besucht am 30.3.2023.