-
- Art. 5a FC
- Art. 6 FC
- Art. 10 FC
- Art. 16 FC
- Art. 17 FC
- Art. 20 FC
- Art. 22 FC
- Art. 29a FC
- Art. 30 FC
- Art. 32 FC
- Art. 42 FC
- Art. 43 FC
- Art. 43a FC
- Art. 55 FC
- Art. 56 FC
- Art. 60 FC
- Art. 68 FC
- Art. 75b FC
- Art. 77 FC
- Art. 96 para. 2 lit. a FC
- Art. 110 FC
- Art. 117a FC
- Art. 118 FC
- Art. 123b FC
- Art. 136 FC
- Art. 166 FC
-
- Art. 11 CO
- Art. 12 CO
- Art. 50 CO
- Art. 51 CO
- Art. 84 CO
- Art. 143 CO
- Art. 144 CO
- Art. 145 CO
- Art. 146 CO
- Art. 147 CO
- Art. 148 CO
- Art. 149 CO
- Art. 150 CO
- Art. 701 CO
- Art. 715 CO
- Art. 715a CO
- Art. 734f CO
- Art. 785 CO
- Art. 786 CO
- Art. 787 CO
- Art. 788 CO
- Transitional provisions to the revision of the Stock Corporation Act of June 19, 2020
- Art. 808c CO
-
- Art. 2 PRA
- Art. 3 PRA
- Art. 4 PRA
- Art. 6 PRA
- Art. 10 PRA
- Art. 10a PRA
- Art. 11 PRA
- Art. 12 PRA
- Art. 13 PRA
- Art. 14 PRA
- Art. 15 PRA
- Art. 16 PRA
- Art. 17 PRA
- Art. 19 PRA
- Art. 20 PRA
- Art. 21 PRA
- Art. 22 PRA
- Art. 23 PRA
- Art. 24 PRA
- Art. 25 PRA
- Art. 26 PRA
- Art. 27 PRA
- Art. 29 PRA
- Art. 30 PRA
- Art. 31 PRA
- Art. 32 PRA
- Art. 32a PRA
- Art. 33 PRA
- Art. 34 PRA
- Art. 35 PRA
- Art. 36 PRA
- Art. 37 PRA
- Art. 38 PRA
- Art. 39 PRA
- Art. 40 PRA
- Art. 41 PRA
- Art. 42 PRA
- Art. 43 PRA
- Art. 44 PRA
- Art. 45 PRA
- Art. 46 PRA
- Art. 47 PRA
- Art. 48 PRA
- Art. 49 PRA
- Art. 50 PRA
- Art. 51 PRA
- Art. 52 PRA
- Art. 53 PRA
- Art. 54 PRA
- Art. 55 PRA
- Art. 56 PRA
- Art. 57 PRA
- Art. 58 PRA
- Art. 59a PRA
- Art. 59b PRA
- Art. 59c PRA
- Art. 62 PRA
- Art. 63 PRA
- Art. 67 PRA
- Art. 67a PRA
- Art. 67b PRA
- Art. 75 PRA
- Art. 75a PRA
- Art. 76 PRA
- Art. 76a PRA
- Art. 90 PRA
-
- Vorb. zu Art. 1 FADP
- Art. 1 FADP
- Art. 2 FADP
- Art. 3 FADP
- Art. 5 lit. f und g FADP
- Art. 6 Abs. 6 and 7 FADP
- Art. 7 FADP
- Art. 10 FADP
- Art. 11 FADP
- Art. 12 FADP
- Art. 14 FADP
- Art. 15 FADP
- Art. 19 FADP
- Art. 20 FADP
- Art. 22 FADP
- Art. 23 FADP
- Art. 25 FADP
- Art. 26 FADP
- Art. 27 FADP
- Art. 31 para. 2 lit. e FADP
- Art. 33 FADP
- Art. 34 FADP
- Art. 35 FADP
- Art. 38 FADP
- Art. 39 FADP
- Art. 40 FADP
- Art. 41 FADP
- Art. 42 FADP
- Art. 43 FADP
- Art. 44 FADP
- Art. 44a FADP
- Art. 45 FADP
- Art. 46 FADP
- Art. 47 FADP
- Art. 47a FADP
- Art. 48 FADP
- Art. 49 FADP
- Art. 50 FADP
- Art. 51 FADP
- Art. 54 FADP
- Art. 57 FADP
- Art. 58 FADP
- Art. 60 FADP
- Art. 61 FADP
- Art. 62 FADP
- Art. 63 FADP
- Art. 64 FADP
- Art. 65 FADP
- Art. 66 FADP
- Art. 67 FADP
- Art. 69 FADP
- Art. 72 FADP
- Art. 72a FADP
-
- Art. 2 CCC (Convention on Cybercrime)
- Art. 3 CCC (Convention on Cybercrime)
- Art. 4 CCC (Convention on Cybercrime)
- Art. 5 CCC (Convention on Cybercrime)
- Art. 6 CCC (Convention on Cybercrime)
- Art. 7 CCC (Convention on Cybercrime)
- Art. 8 CCC (Convention on Cybercrime)
- Art. 9 CCC (Convention on Cybercrime)
- Art. 11 CCC (Convention on Cybercrime)
- Art. 12 CCC (Convention on Cybercrime)
- Art. 25 CCC (Convention on Cybercrime)
- Art. 29 CCC (Convention on Cybercrime)
- Art. 32 CCC (Convention on Cybercrime)
- Art. 33 CCC (Convention on Cybercrime)
- Art. 34 CCC (Convention on Cybercrime)
FEDERAL CONSTITUTION
CODE OF OBLIGATIONS
FEDERAL LAW ON PRIVATE INTERNATIONAL LAW
LUGANO CONVENTION
CODE OF CRIMINAL PROCEDURE
CIVIL PROCEDURE CODE
FEDERAL ACT ON POLITICAL RIGHTS
CIVIL CODE
FEDERAL ACT ON CARTELS AND OTHER RESTRAINTS OF COMPETITION
FEDERAL ACT ON INTERNATIONAL MUTUAL ASSISTANCE IN CRIMINAL MATTERS
DEBT ENFORCEMENT AND BANKRUPTCY ACT
FEDERAL ACT ON DATA PROTECTION
SWISS CRIMINAL CODE
CYBERCRIME CONVENTION
- I. Purpose of the norm and history of origins
- II. Administrative measures
- III. Procedural law
- Bibliography
- Materials
I. Purpose of the norm and history of origins
1 Art. 51 FADP describes the administrative measures that the FDPIC may issue in the event of a violation of data protection provisions. The authority granted to the FDPIC in Art. 51 FADP is a novelty in the new data protection law. With this expansion of the powers of the FDPIC, the legislator is responding to the suggestions of the 2014 Schengen evaluators, who had criticized the fact that under the old Data Protection Act of 1992 (aDSG), the FDPIC could only issue recommendations. The 2018 Schengen evaluation also recommended strengthening the enforcement powers of the FDPIC so that it can take legally binding decisions directly. Art. 51 FADP largely implements Art. 47(2) of Directive (EU) 2016/680, specified in Art. 58(2) of Regulation (EU) 2016/679 (General Data Protection Regulation, FADP). Likewise, the requirements of Art. 15 para. 2 lit. c of the Protocol of Amendment of 18 May 2018 to Council of Europe Convention ETS 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data are thus largely fulfilled.
2 In contrast, the FADP revision refrained from expanding the sanctioning powers of the FDPIC beyond the injunctive powers, despite a recommendation to this effect by the European Union and despite a corresponding mention in Art. 15 para. 2 lit. c of the Protocol of Amendment of 18 May 2018 to the ETS 108 Convention. In contrast to the data protection authorities of various other countries - such as the supervisory authorities in the territorial scope of the GDPR - the FDPIC thus continues to be unable to impose administrative sanctions on federal bodies in particular. In the case of private persons, the FDPIC also has no direct sanctioning power, but at least various breaches of duty are made punishable here in the 8th chapter of the FADP. Namely, the FDPIC can attach a threat of punishment to its orders of administrative measures under Art. 51 FADP against private persons under Art. 63 FADP. In the opinion of the legislator, this two-tier system is more in line with Swiss legal tradition than a direct sanctioning competence of the FDPIC and is effective enough.
3 Unlike under the new regime, the FDPIC had no competence to issue legally binding measures under the aDSG. If, in the course of an investigation against a federal body or a private person, it found a violation of data protection regulations, it could only issue a recommendation to the person responsible to change or refrain from data processing (Art. 27 para. 4 aDSG [for federal bodies] or Art. 29 para. 3 aDSG [for private persons]). If the person responsible opposed the recommendation of the FDPIC by formally rejecting it or simply not complying with it in fact, the FDPIC had to submit his recommendation to the department or the Federal Chancellery (in the public sector) or directly to the Federal Administrative Court (in the private sector) in order to obtain a legally binding assessment. The decision subsequently issued by the department or the Federal Chancellery could then also be appealed to the Federal Administrative Court by the federal body concerned and - since the introduction of a corresponding right of appeal with the 2006 revision of the FADP - also by the FDPIC. In the final instance, the decisions of the Federal Administrative Court could be appealed to the Federal Supreme Court in public and private matters (Art. 82 lit. a in conjunction with Art. 86 para. 1 lit. a BGG). In addition to this multi-stage formal route via the recommendation and its possible referral, the FDPIC was able to lend de facto weight to its non-binding orders by informing the Federal Assembly and Federal Council and by publication with a corresponding reputational effect (Art. 30 aDSG).
4 In practice under the aDSG, the FDPIC issued only a few recommendations, both in the private and especially in the public sector; enforcement by way of complaint was even rarer. Frequently, the responsible parties already took the necessary measures to remedy the disclosed abuses in the course of the investigation procedure with the help of advice from the FDPIC (Art. 28 and Art. 31 Para. 1 lit. aDSG). If the FDPIC nevertheless made a recommendation once, this was generally followed without further ado.
5 Nevertheless, the lack of authority of the FDPIC to impose effective measures and, if necessary, also sanctions, has been and continues to be criticized in doctrine and data protection practice. In the political and legislative debate on the aDSG, corresponding weaknesses were also identified and a possible strengthening of the position of the FDPIC was discussed. However, opinions differed as to the concrete form this stronger position should take and in particular on the question of whether the FDPIC should have sanctioning powers. For example, in 2014, a parliamentary initiative calling for the introduction of administrative sanctioning powers for the FDPIC was not followed. The moderately restrained expansion of the position of the FDPIC undertaken with the revision of the FADP reflects the opinion in politics, doctrine and practice as well as the pressure due to international requirements (cf. n. 1 f. above).
6 Practice will show whether the newly designed regime, with the FDPIC's powers to issue orders but without direct sanctioning powers, will ensure effective supervisory activity. In addition to the appropriate division of powers, effective supervision also requires that the FDPIC be adequately resourced. In this regard, there has been some criticism in the literature of the resources, which are considered to be too scarce and which, despite an increase that has already taken place, will probably continue to force the FDPIC to proceed according to the principle of opportunity in its supervisory activities in the future. In this regard, the 2018 Schengen Evaluators were also critical and recommended that the FDPIC be allocated sufficient financial and human resources to fulfill all of its tasks in the Schengen context.
II. Administrative measures
7 Article 51 of the FADP gives the FDPIC wide latitude: if there is a breach of data protection rules, it may order measures aimed at remedying the unlawful situation, but it is not obliged to do so. The list of measures is not exhaustive. When deciding whether an order is to be issued and, if so, which, the principle of proportionality applies: those measures are to be ordered which are necessary to (re)ensure the lawfulness of the data processing in the specific individual case. The principle of proportionality is also explicitly anchored in Art. 51 (5) FADP: If the federal body or the private person has already taken the necessary measures during the investigation to restore compliance with data protection regulations, Art. 51 (5) FADP provides that the FDPIC may limit himself to issuing a warning. Furthermore, in view of the design of Art. 51 FADP as an optional provision, it should also be possible, in the interest of a targeted practice appropriate to the individual case, according to the view represented here, for the FDPIC to limit himself in the case of minor deficiencies to giving the responsible parties advice on how to remedy the deficiencies within the scope of his advisory activities (Art. 58 para. 1 lit. a FADP), instead of issuing an order for measures. It is to be expected that the FDPIC, if only for reasons of efficiency, will work towards ensuring that data controllers take the measures necessary to restore the lawfulness of the data processing without being forced to issue an order.
8 The FDPIC's power to issue an injunction pursuant to Art. 51 FADP is very broad in terms of content. It is limited only, but at least, by the fact that it is dependent on the violation of data protection provisions: the FDPIC cannot, of course, order anything different or more extensive than would be required by the legal data protection provisions anyway.
9 The measures listed in Art. 51 FADP can be divided into two categories: Paragraphs 1, 2 and 4 provide for measures against data processing that violates data protection regulations. Para. 3 contains accompanying measures in the event of violations of regulatory provisions or obligations towards the data subject. The FDPIC may, if necessary, impose a penalty on administrative measures ordered against private individuals in accordance with Art. 63 FADP (cf. n. 2 above).
A. Measures against data processing in violation of data protection regulations (Art. 51 para. 1, 2 and 4 FADP)
10 The first category of measures covers data processing operations that violate data protection regulations and is aimed at restoring compliance with the violated regulations. Depending on the constellation, the FDPIC may issue the necessary orders pursuant to Art. 51 para. 1, 2 or 4 FADP.
11In the sense of a general clause, Art. 51 para. 1 FADP grants the FDPIC the power, with regard to data processing that violates data protection regulations, to order a partial or complete adjustment, interruption or termination as well as the partial or complete deletion or destruction of the personal data concerned.
12In addition, Art. 51 para. 2 and para. 4 FADP separately regulate two specific cases of data processing in breach of data protection regulations, namely the unlawful disclosure of data abroad and the failure to designate a Swiss representation for foreign data processors in accordance with Art. 14 FADP.
13In the event of data being disclosed abroad in violation of the regulations, the FDPIC may order its suspension or prohibition (Art. 51 para. 2 FADP). This covers violations of Art. 16 and Art. 17 FADP, which regulate the export of data from Switzerland, and violations of provisions concerning the disclosure of personal data abroad in other federal laws. The inclusion of violations of other federal laws was left unchanged despite corresponding criticism in the consultation. In practice, however, it is likely to have little independent significance, since such data exports regularly violate the principle of the lawfulness of data processing (Art. 6 para. 1 FADP) and could thus also be subsumed under the general clause of Art. 51 para. 1 FADP.
14In the event of a violation of Art. 14 FADP, the FDPIC may order the designation of a Swiss representation by private data controllers domiciled or headquartered abroad (Art. 51 para. 4 FADP).
B. Accompanying measures in the event of violations of regulatory provisions or obligations towards data subjects (Art. 51 para. 3 FADP)
15The second category of measures is directed against cases in which regulatory provisions or obligations towards data subjects are not observed. It is not necessary that a data protection breach has occurred. Art. 51 para. 3 FADP contains a non-exhaustive list of possible orders. These should be read in conjunction with the obligations imposed on federal bodies and private persons by the second and third chapters of the FADP.
16The majority of the measures listed in Art. 51 para. 3 FADP are information and consultation orders requiring the controller to inform or consult the FDPIC and/or the data subjects regarding specific operations (Art. 51 para. 3 lit. a, c, e, f and g FADP). Specifically, the FDPIC may request data controllers to do so by means of an order,
to inform him in advance of the relevant clauses or guarantees, if data disclosure abroad is planned without adequate protection within the meaning of Art. 16 para. 1 FADP and data protection is to be ensured by means of contractual data protection clauses pursuant to Art. 16 para. 2 lit. b FADP or by means of specific guarantees drawn up by the competent federal body (Art. 16 para. 2 lit. c FADP) (Art. 51 para. 3 lit. a FADP);
to inform him in accordance with Art. 17 para. 2 FADP about cases of data disclosure abroad that fall under the exemption rules of Art. 17 para. 1 lit. b no. 2, lit. c and lit. d FADP (Art. 51 para. 3 lit. a FADP);
comply with its obligations to inform the data subjects when obtaining personal data (Art. 19 FADP) and when making automated individual decisions (Art. 21 FADP) (Art. 51 para. 3 lit. c FADP);
to consult him pursuant to Art. 23 FADP in cases where a data protection impact assessment carried out still reveals a high risk to the personality or fundamental rights of the data subjects despite the protective measures provided (Art. 51 para. 3 lit. e FADP);
to report data security breaches to it in accordance with Art. 24 FADP and, under the conditions of Art. 24 para. 4 and 5 FADP, to inform the data subjects thereof (Art. 51 para. 3 lit. f FADP);
to comply with its duty to provide information to the data subjects in accordance with Art. 25 FADP (Art. 51 para. 3 lit. g FADP).
17The other measures listed in lit. b and d of Art. 51 para. 3 FADP are orders for action. Consequently, the FDPIC may request data controllers by means of an order to,
to take the necessary technical and organizational measures (TOM) for data processing, in compliance with data protection regulations (Art. 7 para. 1 and 2 FADP), and to ensure adequate data security in accordance with Art. 8 FADP and Art. 1 et seq. FADP (Art. 51 para. 3 lit. b FADP);
to use data protection-friendly default settings in accordance with Art. 7 para. 3 FADP (Art. 51 para. 3 lit. b FADP);
to carry out a data protection impact assessment in accordance with Art. 22 FADP (Art. 51 para. 3 lit. d FADP).
III. Procedural law
A. General
18The measures are issued by the FDPIC as an order: In procedural terms, the provisions of the FADP apply in principle to administrative measures under Art. 51 FADP (Art. 52 para. 1 FADP). Pursuant to Art. 52 para. 2 FADP, only the federal body or the private person against whom an investigation has been opened has party status. The persons affected by a data processing operation are therefore not parties, even if the investigation was initiated by their notification under Art. 49 para. 1 FADP. In principle, the FDPIC issues his rulings exclusively to the addressees. Only in cases of general interest does he inform the public (Art. 57 para. 2 FADP). The FDPIC must give sufficient reasons for his rulings so that the persons responsible are in a position to evaluate and implement the measures ordered or to lodge an appeal against them. In other words, the content of the order must in each case be a concrete instruction for action, which can be enforced as such. Blanket orders stating that the addressee of the order must adapt its data processing in such a way that it complies with the data protection requirements of the FADP would therefore not be precise enough. If no measures are ordered after an investigation or if only a warning is issued in accordance with Art. 51 para. 5 FADP, the investigation procedure must nevertheless be formally concluded by the FDPIC.
19Decisions on measures by the FDPIC pursuant to Art. 51 FADP may be contested by the federal body or the private person against whom they are directed by means of an appeal to the Federal Administrative Court in accordance with the general rules of the administration of federal justice (cf. Art. 52 para. 1 FADP in conjunction with Art. 44 ff. APA). Appeal decisions of the Federal Administrative Court are subject to appeal in public law matters to the Federal Supreme Court (Art. 82 lit. a in conjunction with Art. 86 para. 1 lit. a BGG). In addition to the addressee of the order, the FDPIC also has the right of appeal (Art. 52 para. 3 FADP). In the absence of party status (cf. Art. 52 para. 2 FADP and n. 18 above), however, the data subjects are not entitled to lodge appeals against decisions of the FDPIC and against appeal decisions.
20With regard to the enforcement of the administrative measures ordered, Articles 39-43 of the FADP apply in addition pursuant to the reference in Article 52 para. 1 of the FADP.
21Unlike under the aDSG, under which no fees could be imposed on the person responsible for issuing a recommendation (cf. Art. 33 aVDSG), Art. 59 para. 1 lit. d FADP now provides that a fee may be charged to private persons for ordering measures under Art. 51 FADP (cf. also Art. 44 FADP). No fee continues to be charged for orders against federal bodies in the absence of a corresponding legal basis (Art. 59 para. 1 lit. d FADP e contrario; cf. 2017 Dispatch, p. 7098).
B. Precautionary measures
22In the FADP of 2017, it was envisaged that a paragraph in the article concerning the investigation procedure would explicitly empower the FDPIC to order precautionary measures for the duration of the investigation and to have them enforced by a federal authority or the cantonal or municipal police bodies (Art. 44 para. 2 FADP [2017]). However, after Parliament deleted this paragraph from Art. 50 FADP, the final version of Art. 44 E-FADP, the FADP no longer directly grants the FDPIC the authority to issue precautionary orders for the duration of its investigations. Now the competence of the FDPIC to issue precautionary measures arises only indirectly from the article on fees, which in Art. 59 para. 1 lit. d FADP declares the issuance of precautionary measures by the FDPIC against private persons to be subject to a fee. As was already the case under the aDSG, however, the ordering of provisional or even superprovisional measures in the context of investigations under data protection law must be possible in any case; the deletion of the provision in question must be interpreted as a legislative oversight and not as a qualified silence.
23Whereas under the old law the FDPIC had to appeal to the Federal Administrative Court (Art. 33 para. 2 aDSG) for the issuance of provisional measures due to the lack of its own competence to issue such orders, it can now issue them itself.
24However, Article 32 para. 2 aDSG, which is no longer applicable under the new law, not only assigned jurisdiction to the Federal Administrative Court to issue precautionary measures in the context of data protection investigations, but also regulated the requirements and procedure. In the former context, Art. 33 para. 2 aDSG required that the data subjects be threatened with damage that cannot be easily remedied. Procedurally, the provision declared Art. 79-84 BZP to be applicable mutatis mutandis.
25After the omission of Art. 33 para. 2 aDSG, there are now no explicit prerequisite and procedural rules for interim legal protection. As a result, however, there should be little change in the substantive assessment of provisional measures in data protection investigations. The FADP, which is applicable to the investigation procedure pursuant to Art. 52 para. 1 FADP, only contains provisions on the issuance of precautionary measures in the appeal procedure (cf. in particular Art. 55 and Art. 56 FADP), but not in the upstream administrative procedure. However, the admissibility of precautionary measures in administrative proceedings is recognized, since it results directly from the requirement to enforce substantive law. For the adoption of precautionary measures by the FDPIC in the investigation procedure, it is a prerequisite that a disadvantage that cannot be easily remedied is to be expected. Unlike under the aDSG, according to the view expressed here, this disadvantage does not necessarily have to threaten the persons affected by the data processing, even if in practice it will probably regularly be located with them. Furthermore, there must be a corresponding urgency for the immediate order and it must appear suitable, necessary and proportionate based on the overall circumstances in order to protect overriding public or private interests. As provisional orders, provisional measures may neither prejudice nor render impossible the state of affairs that is ultimately to be regulated. At the time when provisional orders are under discussion, the outcome of the data protection investigation is usually still uncertain and only a summary examination of the factual and legal situation can take place. Accordingly, although a prognosis of the main case must be made in the course of the examination of precautionary measures, this only stands in the way of a provisional order if it is clearly negative.
26In terms of content, the orders are likely to be based on the catalog of administrative measures under Art. 51 FADP. It will often be a question of using provisional orders to prohibit potentially data-protection-infringing data processing for the duration of the proceedings, in order to avoid additional damage that could result from the unchanged continuation of the processing in question during a sometimes complex and lengthy investigation.
Bibliography
Baeriswyl Bruno, Kommentierung zu Art. 51 DSG, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Datenschutzgesetz, Stämpflis Handkommentar, 2. Aufl., Bern 2023.
Baeriswyl Bruno, Der «grosse Bruder» DSGVO und das revDSG: Ein vergleichender Überblick, SZW 2021, S. 8–15 (zit. Baeriswyl DSGVO-Vergleich).
Baeriswyl Bruno, Souveräner Rechtsschutz ist notwendig, digma 2017, S. 38–42 (zit. Baeriswyl Souveräner Datenschutz).
Baeriswyl Bruno, Kommentierung zu Art. 27 aDSG, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Datenschutzgesetz, Stämpflis Handkommentar, Bern 2015.
Baeriswyl Bruno, Kommentierung zu Art. 29 aDSG, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Datenschutzgesetz, Stämpflis Handkommentar, Bern 2015.
Brunner Stephan C., Mit rostiger Flinte unterwegs in virtuellen Welten? Leitgedanken zur künftigen Entwicklung des schweizerischen Datenschutzrechts, Jusletter 4.4.2011.
Huber René, Kommentierung zu Art. 27 aDSG, in: Maurer-Lambrou Urs/Blechta Gabor-Paul (Hrsg.), Datenschutzgesetz/Öffentlichkeitsgesetz, Basler Kommentar, 3. Aufl., Basel 2014.
Huber René, Kommentierung zu Art. 29 aDSG, in: Maurer-Lambrou Urs/Blechta Gabor-Paul (Hrsg.), Datenschutzgesetz/Öffentlichkeitsgesetz, Basler Kommentar, 3. Aufl., Basel 2014.
Huber René, Die Teilrevision des Eidg. Datenschutzgesetzes – ungenügende Pinselrenovation, recht 2006, S. 205–221.
Kugelmann Dieter/Buchmann Antonia, Kommentierung zu Art. 58 DSGVO, in: Schwartmann Rolf/Jaspers Andreas/Thüsing Gregor/Kugelmann Dieter (Hrsg.), Heidelberger Kommentar DS-GVO/BDSG, Heidelberg 2018.
Reudt-Demont Janine/Gordon Clara-Ann/Egli Luisa, Das revidierte Datenschutzgesetz: Wichtigste Neuigkeiten mit Fokus auf Gesundheitsdaten, LSR 2021, S. 264–269.
Rosenthal David, Das neue Datenschutzgesetz, Jusletter 16.11.2020 (zit. Rosenthal nDSG).
Rosenthal David, Der Entwurf für ein neues Datenschutzgesetz: Was uns erwartet und was noch zu korrigieren ist, Jusletter 27.11.2017 (zit. Rosenthal E-DSG).
Rosenthal David, Kommentierung zu Art. 29 aDSG, in: Rosenthal David/Jöhri Yvonne (Hrsg.), Handkommentar zum Datenschutzgesetz sowie weiteren, ausgewählten Bestimmungen, Zürich 2008.
Rudin Beat, Verpasste Chance und Handlungsbedarf: Ein Blick auf die Datenschutzrechts-Reform(en) und die Wirksamkeit der Datenschutzaufsicht, digma 2020, S. 180–187.
Selmayr Martin, Kommentierung zu Art. 58 DSGVO, in: Ehmann Eugen/Selmayr Martin (Hrsg.), Datenschutz-Grundverordnung, München 2017.
Thür Hanspeter, Rolle der Datenschutzbeauftragten: Aufgabe und Instrumente der Datenschutzbehörde im Wandel, digma 2003, S. 80–82.
Walter Jean-Philippe, «Vingt ans de législation sur la protection des données, rétrospectives et perspectives» – L’évolution du droit de la protection des données: perspectives, Jusletter 25.6.2012.
Materials
Bericht des Bundesrates über die Evaluation des Bundesgesetzes über den Datenschutz vom 9.12.2011, BBl 2012 S. 335 ff., abrufbar unter https://www.fedlex.admin.ch/filestore/fedlex.data.admin.ch/eli/fga/2012/86/de/pdf-a/fedlex-data-admin-ch-eli-fga-2012-86-de-pdf-a.pdf, besucht am 28.6.2023.
Botschaft zur Genehmigung des Protokolls vom 10.10.2018 zur Änderung des Übereinkommens zum Schutz des Menschen bei der automatischen Verarbeitung personenbezogener Daten vom 6.12.2019, BBl 2020 S. 565 ff., abrufbar unter https://www.fedlex.admin.ch/filestore/fedlex.data.admin.ch/eli/fga/2020/60/de/pdf-a/fedlex-data-admin-ch-eli-fga-2020-60-de-pdf-a.pdf, besucht am 28.6.2023.
Botschaft zum Bundesgesetz über die Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz vom 15.9.2017, BBl 2017 S. 641 ff., abrufbar unter https://www.fedlex.admin.ch/filestore/fedlex.data.admin.ch/eli/fga/2017/2057/de/pdf-a/fedlex-data-admin-ch-eli-fga-2017-2057-de-pdf-a.pdf, besucht am 28.6.2023.
Bundesgesetz über den Datenschutz, Änderung vom 24.3.2006, BBl 2006 S. 3547 ff., abrufbar unter https://www.fedlex.admin.ch/filestore/fedlex.data.admin.ch/eli/fga/2006/373/de/pdf-a/fedlex-data-admin-ch-eli-fga-2006-373-de-pdf-a.pdf, besucht am 28.6.2023.
Durchführungsbeschluss 7281/19 des Rates der Europäischen Union zur Festlegung einer Empfehlung zur Beseitigung der 2018 bei der Evaluierung der Anwendung des Schengen-Besitzstands im Bereich des Datenschutzes durch die Schweiz festgestellten Mängel vom 8.3.2019, abrufbar unter https://data.consilium.europa.eu/doc/document/ST-7281-2019-INIT/de/pdf, besucht am 28.6.2023.
Normkonzept zur Revision des Datenschutzgesetzes – Bericht der Begleitgruppe Revision DSG vom 29.10.2014, abrufbar unter https://www.newsd.admin.ch/newsd/message/attachments/75506.pdf, besucht am 28.6.2023.