In a nutshell

1 Art. 52 para. 1 FADP sets out the rules governing the formal proceedings of the Federal Data Protection and Information Commissioner (FDPIC). The provision is a reference provision and stipulates that investigations pursuant to Art. 49 FADP and decisions pursuant to Art. 50 and 51 FADP are governed by the rules of the APA. Conversely, other actions of the FDPIC are not subject to the APA, namely informal preliminary investigations, low-threshold interventions, or advisory and supervisory activities. It is noteworthy that reference is also made to the APA for proceedings against federal bodies and that the FDPIC can “issue decisions” against federal bodies in accordance with the rules of the APA.

2 Paragraph 2 stipulates that only the federal body or private individual against whom an investigation has been initiated has party status. This restricts the circle of possible parties in formal proceedings of the FDPIC compared to the provisions of the APA.

3 Paragraph 3 provides the legal basis for the FDPIC's right of appeal to the Federal Supreme Court against decisions of the Federal Administrative Court.

I. General information on the procedure

4 Based on the aDSG, the FDPIC conducted so-called fact-finding investigations from 1993 to 2023, which it concluded with a final report and recommendations. Due to the FDPIC's lack of decision-making authority, the APA did not apply to these proceedings. If such a recommendation by the Commissioner was not followed or was rejected, the FDPIC could refer the matter to the Federal Administrative Court for a decision.

5 With the total revision of the FADP, which came into force on September 1, 2023, the FDPIC was given new decision-making powers, which is why it has been concluding formal proceedings with a decision since the revised FADP came into force. On International Data Protection Day in January 2025, the FDPIC published its first interim report in figures. According to this report, the FDPIC received a total of 1,406 reports of violations of the FADP between September 1, 2024, and January 21, 2025, of which 479 were pending at the time of publication. The supervisory activities were distributed as follows:

• Low-level interventions: 116

• Of these, voluntarily complied with by the responsible parties: approx. 90%

• Preliminary investigations: 16

• Open investigations / pending before the Federal Administrative Court: 8 / 2

• Campaigns 2

6 The published figures show that supervisory measures taken by the FDPIC only lead to the opening of a formal investigation in isolated cases and that low-level intervention is the main instrument of supervision. In practice, therefore, the FDPIC usually takes action after receiving a complaint without opening a formal investigation.

7 The prerequisite for opening an investigation is laid down in Art. 49 para. 1 FADP. According to this, the FDPIC shall initiate an investigation ex officio or upon complaint if there are sufficient indications that data processing may violate data protection provisions. As soon as the FDPIC initiates an investigation under Art. 49 FADP, the APA applies. This is the case as soon as it has decided internally to initiate proceedings. This may occur before the FDPIC takes any informal action, during or after such action.

8 In practice, the parties are notified of the initiation of proceedings by means of a letter of notification. The initiation of proceedings does not constitute a decision that can be challenged. Finally, the proceedings are concluded or discontinued by means of a decision in accordance with Art. 51 FADP.

9 From the perspective of the controller, it is important to know whether or not proceedings have been initiated. Once proceedings have been initiated, the parties are subject to a duty to cooperate (Art. 60 para. 2 FADP), which is punishable by law. Conversely, cooperation is not mandatory before an investigation is initiated. However, if the controller refuses to cooperate or cooperates insufficiently in the context of a preliminary investigation or low-threshold intervention, the requirements of Art. 49 para. 1 FADP are generally met, so that the facts can be established on the basis of the obligation to cooperate (Art. 49 para. 3 FADP) or with the aid of coercive measures (Art. 50 para. 1 FADP). The FDPIC may charge fees for such actions (Art. 59 para. 1 lit. d FADP), which is why it is generally in the interest of the controller to cooperate voluntarily with the FDPIC before an investigation is opened.

10 The principle of the right to be heard, which is enshrined in Art. 29 para. 2 FC and specified in Art. 29 ff. APA, guarantees the parties a personal right to participate in the proceedings. They must be given the opportunity to comment on the matter before a decision is made, to provide relevant evidence, to participate in the collection of evidence, or at least to comment on the results of the evidence. In other words, the party concerned must be given the opportunity to comment on the essential points before a decision is made. This primarily includes the legally relevant facts of the case. Accordingly, parties may only comment on the facts of the case before a decision is issued; however, the right to be heard does not extend to the intended legal assessment. Only in exceptional cases – for example, if the FDPIC intends to apply unexpected special provisions – may the right to be heard also cover the applicable provisions and the intended legal reasoning. The FDPIC's legal assessment is disclosed to the parties in the reasoned decision. If a party disagrees with the FDPIC's legal reasoning, it may lodge an appeal.

II. Reference to the APA (para. 1)

A. Proceedings under the APA against private individuals

11 The APA is applicable to proceedings of the FDPIC in which it issues a decision in the first instance, based on Art. 1 para. 1 and para. 2 lit. c APA. There is no exception under Art. 2 ff. APA. Art. 52 para. 1 FADP therefore constitutes a declaratory reference provision vis-à-vis private individuals and serves to clarify the situation.

B. Proceedings under the APA against federal bodies

12 Before the total revision of the FADP, supervision of federal bodies and private individuals was regulated in two separate provisions, with the conditions for opening an investigation differing in particular. In the revised FADP, the investigation of violations of data protection provisions is now regulated in a single section (Art. 49 ff.) for federal bodies and private individuals. It is noteworthy that, with a few minor exceptions, no different rules have been legislated for proceedings against federal bodies or private individuals.

13 According to established case law and doctrine, decisions within the meaning of Art. 5 APA are authoritative, unilateral, individually specific orders issued by an authority in application of administrative law, which are intended to have legal effects and are binding and enforceable. The procedure for issuing a decision presupposes a relationship of authority between an authority and a private individual. Orders issued by the FDPIC to other federal bodies therefore do not fulfill all the structural characteristics of the concept of a decision due to the lack of a relationship between the authority and the private individual. Therefore, insofar as the FDPIC conducts proceedings against a federal organ, the proceedings are governed by the APA pursuant to Art. 49 FADP, whereby Art. 52 para. 1 FADP corresponds to a constitutive reference provision in this area and the provisions of the APA apply mutatis mutandis.

14 The authority of the FDPIC to issue orders against federal bodies derives, on the one hand, from the wording of numerous legal provisions, which expressly refer to federal bodies and private individuals and also make a sensible distinction between federal bodies and private individuals. On the other hand, the legislature deliberately harmonized the procedures against private individuals and federal bodies, which were still different under the old law. Finally, the legislature brought the investigative powers and administrative measures into line with European requirements in order to ensure that the European Commission renews or maintains its adequacy decision with regard to Switzerland, which is of central importance for the Swiss economy in particular.

15 Apart from the FDPIC, there is no other administrative unit that can issue orders to other administrative units in accordance with the rules of the APA. The Federal Audit Office, as a comparable supervisory authority, can also request and enforce measures against other federal authorities that are not hierarchically subordinate to it, but not in accordance with the rules of the APA.

16 In our view, an order issued by the FDPIC pursuant to Art. 51 FADP against federal bodies corresponds to a “quasi-decision” because, on the one hand, the substantive requirements for a decision pursuant to Art. 5 APA are not met, but on the other hand, federal bodies are mutatis mutandis subject to the same rights and obligations as private addressees of decisions. With the constitutive reference provision, the legislature has pragmatically regulated the procedural rules under which the FDPIC, as the supervisory authority, can conduct investigations against federal bodiesand issue and enforce binding orders.

17 It is noteworthy that the draft bill on the revision of the Data Protection Act of 2014 still differentiated between investigations against private individuals and federal bodies. It proposed a model whereby the FDPIC would first issue a recommendation to federal bodies and only issue an order if this was rejected or not complied with. This option delays the procedure through unnecessary intermediate steps. The explanatory report on the preliminary draft for the total revision of the FADP of 2016 no longer distinguishes between proceedings against private individuals and federal bodies.

18 Proceedings by the FDPIC against federal bodies under Art. 49 FADP must be distinguished from administrative assistance. Federal authorities that cooperate within the framework of administrative assistance are organizationally equal, which is why there is no relationship of subordination between them and cooperation is based on partnership. If the FDPIC initiates proceedings against a federal body on the basis of Art. 49 FADP and requests documents from the federal body under investigation, this does not fall under administrative assistance, which is why Art. 36a VGG is not applicable. In proceedings, federal authorities under investigation are subject to a duty to cooperate, which creates a relationship of subordination in such cases, as this is the only way in which the FDPIC can effectively monitor and enforce compliance with data protection regulations by federal authorities.

19 The analogous application of the provisions of the APA to proceedings against federal bodies leads in particular to the following differences in comparison with proceedings against private individuals:

20 According to the wording of Art. 60 para. 2 FADP, which is expressly directed only at private individuals, violation of the obligation to cooperate is not punishable for federal bodies. This exclusion makes sense, as application to federal bodies would be completely contrary to the system.

21 The FDPIC cannot levy fees on federal bodies, in particular for ordering precautionary measures and measures under Art. 51 FADP. According to the wording of Art. 59 para. 1 FADP, fees may only be levied on private individuals. This exclusion is also consistent, as levying fees on federal bodies would again be contrary to the system.

22 According to the wording of the law, the FDPIC may also call on other federal authorities and cantonal or municipal police authorities to enforce orders under Art. 50 para. 1 FADP. Because federal authorities are entitled to the rights under the FADP and APA and the FDPIC can inform the public about the finding of non-compliance by a federal organ under Art. 57 para. 2 FADP, this option will probably only be used in exceptional situations. With regard to the use of coercive measures under Art. 50 para. 3 FADP, there is therefore no difference between private individuals and federal authorities, which means that, in our view, the FDPIC can also use coercive measures against federal authorities.

23 For the party status of federal authorities, see the comments on paragraph 2.

C. Delimitations

1. On “informal preliminary investigations”

24 Before the FDPIC opens an investigation under Art. 49 FADP and the provisions of the APA apply, it often takes informal action in a first step. The starting point is usually a complaint or media reports, which, however, regularly contain insufficient evidence for the direct opening of an investigation. The FDPIC can therefore first examine whether there are sufficient grounds for opening an investigation. In doing so, it can use all possible sources of information and, for example, examine public sources or question the controller, data subjects or third parties about the facts of the case. The preliminary investigation stage is classified as “informal administrative action,” whereby the FDPIC must adhere to the principles of the rule of law (see Art. 5 FC) and may not act arbitrarily or in violation of the principle of equality before the law. During the informal preliminary investigation, the controller is not subject to any mandatory obligations to cooperate and the penal provision of Art. 60 para. 2 FADP does not apply – these provisions only become applicable after a formal investigation has been opened in accordance with Art. 49 FADP.

25 The informal preliminary investigation may lead to the refutation of the indications of a suspected data protection violation, so that no further action by the FDPIC is necessary. This is regularly the case because, for example, the facts of the case were inaccurately reported in a complaint. Alternatively, a low-threshold intervention may be initiated or an investigation opened.

2. On “low-threshold intervention”

26 The informal preliminary investigation must be distinguished from the instrument of “low-threshold intervention.” The term “low-threshold intervention” is not found in the law but was developed by the FDPIC. While the informal clarification aims to establish the facts in order to assess whether there are sufficient grounds for opening an investigation in accordance with Art. 49 FADP, low-threshold intervention pursues a different purpose. Low-threshold intervention attempts to restore the legal situation by means of administrative measures such as a simple letter, whereby the controller voluntarily takes the necessary measures. However, as with informal preliminary clarifications, no investigation is opened in accordance with Art. 49 FADP, which means that low-threshold intervention also qualifies as informal administrative action and the provisions of the APA do not apply. In the FDPIC's experience, this means that the necessary adjustments are implemented in a timely manner in many cases. The aim is to pursue a solution-oriented and resource-efficient approach.

27 For example, the FDPIC may be notified that a controller has not responded to a request for information made by the person making the notification. Based on one or more such reports, the FDPIC can contact the controller and request that it process the specific request for information made by the person who filed the report and provide a statement on the general procedure for processing requests for information. If the response from the controller indicates that requests for information will be handled correctly and within the statutory time limit in future, there is no need to open an investigation in such cases.

28 If the low-level intervention does not result in compliance with data protection requirements, there are usually sufficient grounds to open a formal investigation. This is the case, for example, if the FDPIC receives further complaints about the same matter after a low-level intervention has been carried out. Irrespective of any action taken outside the scope of an investigation, the FDPIC may open an investigation as soon as there are sufficient indications that this is necessary.

3. About the campaign

29 In addition to conducting investigations in accordance with Art. 49 FADP, the FDPIC also exercises supervisory activities based on Art. 4 para. 1 in conjunction with Art. 57 para. 1 lit. a, c and g FADP. The FDPIC refers to such activities as campaigns. From the perspective of controllers, investigations are conducted on a case-by-case basis, while the data protection authority may initiate contact as part of campaigns without specific cause. In other words, the FDPIC does not take action as part of campaigns on the basis of information concerning a specific data protection violation by a specific controller, but because the same or similar data protection problems have been identified repeatedly in a particular area of data protection law. In order to achieve effective control and enforcement of data protection regulations, the FDPIC can address several controllers at the same time, draw attention to general data protection problems identified in a specific area, and remind them of the relevant requirements. It is also possible to announce future supervisory activities in a specific area.

30 The FDPIC is not yet aware of any campaigns. A look at Germany shows what such a campaign could look like: As part of its supervisory activities, the Bavarian State Office for Data Protection Supervision (BayLDA) carries out various so-called focused data protection audits, i.e., audits without specific cause that have a particular focus. For example, the data protection requirements for advertising to prospective tenants were audited in this way. To this end, responsible parties were selected at random and specifically checked with regard to data protection requirements when searching for tenants by requiring them to complete a checklist within a statutory period. This action is based in particular on Art. 58 para. 1 lit. a GDPR, according to which all information necessary for the fulfillment of legal tasks must be provided.

31 The supervisory activity of the BayLDA described in the previous no. can, depending on its specific form, be classified as an informal preliminary clarification or low-threshold intervention, but which is simultaneously directed at several controllers in a specific area.

32 Unlike European data protection authorities, which, based on Art. 58 para. 1 lit. a GDPR, can request all information necessary for the performance of their statutory tasks, the FDPIC can, based on Art. Although Art. 50 FADP is intended to meet European requirements, the aforementioned provision in the FADP has been restricted compared to the European provisions. Controllers are not subject to the obligation to cooperate under penalty of law pursuant to Art. 60 para. 2 in conjunction with Art. 49 para. 2 FADP within the scope of the EDÖB's supervisory activities. Within the scope of the FDPIC's supervisory activities, controllers are not subject to the obligation to cooperate under penalty of law pursuant to Art. 60 para. 2 in conjunction with Art. 49 para. 3 FADP, and no fees are payable (Art. 59 para. 1 FADP e contrario).

4. Informing the public about findings and decisions

33 Pursuant to Art. 57 para. 2 FADP, the FDPIC shall inform the public of its findings and decisions in cases of general interest. Since the administrative procedure is concluded with the delivery of the decision, the provisions of the APA are no longer applicable on the basis of Art. 52 para. 1 FADP. The official publication of a decision is considered an actual administrative act and is therefore not contestable as such, as it is a so-called real act. If the FDPIC and the party disagree on the form or type of publication and if the party's legitimate interests are affected, a contestable decision must be issued in accordance with Art. 25a APA. This publication order then constitutes a decision within the meaning of Art. 5 para. 1 lit. c APA, which obliges the party to tolerate the publication to the extent ordered.

34 A party's legitimate interests are affected if it asserts business secrets or official secrets which, in the opinion of the FDPIC, do not constitute such secrets and therefore, in its view, do not need to be anonymized or published. The definition in Art. 7 para. 1 lit. g LTras must be used as a basis for this.

35 The relevant legal requirements must be met for the disclosure of personal data or data relating to legal entities.

5. For consultation

36 In practice, the distinction between fee-based consultation in accordance with Art. 59 para. 1 lit. e FADP and informal preliminary clarification or low-threshold intervention can lead to uncertainty. If, for example, the FDPIC informs the controller in an informal preliminary investigation or as part of a low-threshold intervention what measures must be taken to ensure that a data protection violation can be ruled out or that an investigation can be refrained from being opened, such information can be classified as free advisory services. From a legal policy perspective, such an approach becomes questionable at the latest when controllers are contacted by the FDPIC after data protection violations have become known and are advised on how to correct the situation in accordance with data protection requirements; and the situation is then voluntarily corrected in a timely manner so that the FDPIC refrains from opening an investigation. Instead of a sanction – such as a fine – those responsible would receive free legal advice after a data protection violation had become known. On the other hand, this is precisely the purpose of low-threshold intervention, which is why this approach should be limited to violations of minor importance in accordance with Art. 49 para. 2 FADP.

D. Special provisions in relation to the APA

37 The FADP contains special provisions that take precedence over the APA as lex specialis. The most important provisions are:

• Restriction of parties (Art. 52 para. 2 FADP)

• Information to the person who made the complaint (Art. 49 para. 4 FADP)

• Obligation to cooperate (Art. 49 para. 3 FADP)

• Taking of evidence (Art. 50 para. 1 FADP)

• Compulsory taking of evidence (Art. 50 para. 3 FADP)

• Information to the public (Art. 57 para. 2 FADP)

The special provisions in the FADP take into account the special position of the FDPIC as a supervisory authority, which is why, for example, the obligations to cooperate and the possibilities for taking evidence go further than in the APA. These must be distinguished from the rights to participate, which are governed by the general provisions of the APA.

III. Parties to the proceedings (para. 2)

A. Overview

38 According to Art. 52 para. 2 FADP, only the federal body or private individual against whom an investigation has been opened is a party. This means that the status of parties is regulated differently in Art. 52 para. 2 FADP than in Art. 6 APA.

While, under the provisions of the APA, private organizations, associations, and authorities or third parties affected by the administrative act may also be parties, the party status in the FDPIC's investigation proceedings is limited to the federal body or private individual against whom the investigation has been initiated.

39 Proceedings may be conducted against several parties, in particular if the facts to be investigated concern several parties. If several parties are involved in processing, information provided to one party in the course of the proceedings may adversely affect the other party. In order to ensure that the right to be heard is upheld in such situations, it is necessary to combine the proceedings. Such situations arise, for example, when processing is carried out on behalf of a controller by a processor.

B. Private individuals as parties

40 Only the private individual against whom an investigation has been opened is a party. This means that party status is restricted to the person to whom the decision is addressed. The data subject, even if the FDPIC has opened the investigation on the basis of a complaint made by the data subject, is not a party to the proceedings. Private individuals are both natural persons and legal entities under private law.

41 Any private individual may be a party to proceedings if there are sufficient indications of a violation of data protection provisions. As soon as the FDPIC opens proceedings, it may order administrative measures based on Art. 51 FADP, thereby affecting the rights and obligations of the party and fulfilling the requirements of Art. 49 FADP and Art. 6 APA. In order to initiate proceedings against a private individual, no data processing is necessary on their part. This follows from the examples of administrative measures in Art. 51 FADP, according to which, for example, the measures under Art. 7 FADP or a data protection impact assessment may be ordered before data processing takes place. This is possible, for example, on the basis of reports or in the context of legislative projects, or if the FDPIC learns of large projects from media reports.

42 In addition to the controller pursuant to Art. 5 lit. j FADP, processors pursuant to Art. 5 lit. k FADP, a data protection advisor pursuant to Art. 10 FADP and the representative pursuant to Art. 14 FADP as parties to proceedings, provided that the content of the investigation involves a violation of data protection regulations by the private individual under investigation.

43 The question of a party's passive legal standing arises in particular in the case of international corporations,because the controller is regularly listed as a legal entity based in Ireland. For example, the data protection guidelines of Instagram, Facebook, and Threads name Meta Platforms Ireland Ltd (MPIL) as the controller. MPIL has also designated a representative in Switzerland and has a branch in Switzerland (Facebook Switzerland GmbH). In principle, all three entities mentioned above are eligible as parties. In our opinion, all three entities mentioned above can be parties to proceedings, provided that the subject matter of the investigation falls within the scope of their respective responsibilities.

44 For example, proceedings against Meta's branch in Switzerland are possible. Even if it is argued that the Swiss branch has nothing to do with the processing in question because it merely acts as a research laboratory for the entire group, that the owner of the intellectual property rights is another entity and that requests for deletion are also answered by that entity, proceedings against the branch in Switzerland are possible. In our opinion, a location in Switzerland always constitutes a link to the rest of the international group and is therefore responsible for compliance with Swiss regulations, including the FADP. Even if the Swiss location is not organizationally entitled to adapt the data processing in question, the FDPIC can at least establish the violation and order the branch to have the processing in question adapted for data subjects in Switzerland in accordance with data protection requirements via the competent body within the group. International groups should not be able to evade Swiss data protection obligations through internal organization.

C. Federal bodies as parties

45 A federal body may also be a party in data protection proceedings. According to Art. 5 lit. i DSG, a federal body is an authority or agency of the federal government or persons entrusted with public tasks. The term “federal body” corresponds to the definition in Art. 3 lit. h aDSG. Federal departments and federal offices, as well as their divisions and sections, are considered federal bodies. This also includes federal institutions and enterprises, as well as military commands. However, all natural and legal persons who process data for the federal government in the performance of public law tasks are also considered federal bodies. Cantonal and municipal bodies are not considered federal bodies, even if they perform federal tasks.

46 In proceedings not conducted under Art. 49 FADP, authorities or federal organs in proceedings against private individuals do not have party status within the meaning of Art. 6 APA due to the sovereign relationship with private individuals, but they have similar powers and are referred to as the “lower instance” in appeal proceedings. If the FDPIC initiates proceedings against a federal organ on the basis of Art. 49 FADP, the federal organ has the same status and powers as private individuals as the addressee of the substantive decision due to the constitutive reference provision. Consequently, the federal organ against which proceedings have been initiated is a party in the appeal proceedings and the FDPIC is the lower court.

IV. Right of appeal of the FDPIC (para. 3)

47 Decisions of the FDPIC are subject to appeal in accordance with Art. 44 APA. The appeal authority is the Federal Administrative Court (Art. 47 para. 1 lit. b APA in conjunction with Art. 31 and 33 lit. d VGG). Based on Art. 52 para. 3 FADP, the FDPIC has the right to appeal against decisions of the Federal Administrative Court. This provides a special legal basis in accordance with Art. 89 para. 2 lit. d BGG. For further information, please refer to the relevant provisions.

The opinion expressed reflects the personal opinion of the author and is not binding on the FDPIC.

Bibliography

Auer Christoph/Müller Markus/Schindler Benjamin (Hrsg.), VwVG Kommentar, 2. Aufl., Zürich 2019 (zit.: VwVG-Kommentar, Bearbeiter/-in).

Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Datenschutzgesetz, Stämpflis Handkommentar, 2. Aufl., Bern 2022 (zit. SHK-DSG, Bearbeiter/-in).

Bieri Adrian/Powell Julian (Hrsg.), Orell Füssli Kommentar zum Schweizerischen Datenschutzgesetz mit weiteren Erlassen, Zürich 2023 (zit. OFK-DSG, Bearbeiter/-in).

Blechta Gabor-Paul/Vasella David (Hrsg.), Datenschutzgesetz/Öffentlichkeitsgesetz, DSG/BGÖ. Basler Kommentar, 4. Aufl., Basel 2024 (zit. BSK-DSG, Bearbeiter/-in).

Da Molin Luca/Wesiak-Schmidt Kirsten (Hrsg.), Datenschutz im Unternehmen, Praxishandbuch mit Beispielen und Checklisten, Zürich 2023 (zit.: Datenschutz im Unternehmen, Bearbeiter/-in).

Lobsiger Adrian, Hohes Risiko – kein Killerargument gegen Vorhaben der digitalen Transformation, SJZ, 2023, S. 311-319 (zit. Lobsiger, hohes Risiko – kein Killerargument).

Métille Sylvain/Meier Philippe (Hrsg.), Commentaire Romand Loi sur la protection des données (LPD), Basel 2023 (zit. CR-LPD, Bearbeiter/-in).

Rosenthal David, Das neue Datenschutzgesetz, Jusletter, 16.11.2020 (zit. Rosenthal, nDSG).

Waldmann Bernhard/Krauskopf Patrick (Hrsg.), Praxiskommentar Verwaltungsverfahrensgesetz (VwVG), 3. Aufl., Freiburg und Zürich 2022 (zit. PK VwVG, Bearbeiter/-in).

Materials

Botschaft zum Bundesgesetz über die Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz vom 15.9.2017, BBl 2017 6941 ff., abrufbar https://www.fedlex.admin.ch/eli/fga/2017/2057/de (zit.: Botschaft DSG 2017).

Botschaft zum Bundesgesetz über den Datenschutz (DSG) vom 23.3.1988, BBl 1988 II 413 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/1988/2_413_421_353/de,
(zit.: Botschaft DSG 1988).

Bundesamt für Justiz BJ, Erläuternder Bericht zum Vorentwurf für das Bundesgesetz über die Totalrevision des Datenschutzgesetzes und die Änderungen weiterer Erlasse zum Datenschutzgesetz, 21.12.2016, abrufbar unter https://www.bj.admin.ch/bj/de/home/staat/gesetzgebung/archiv/datenschutzstaerkung.html, (zit.: Erläuternder Bericht Totalrevision DSG).

Bundesamt für Justiz BJ, Normkonzept zur Revision des Datenschutzgesetztes, Bericht der Begleitgruppe Revision DSG, 29.10.2014, abrufbar unter https://www.bj.admin.ch/bj/de/home/staat/gesetzgebung/archiv/datenschutzstaerkung/berichte.html, (zit.: Normkonzept DSG).

Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB), 31. Tätigkeitsbericht 2023/2024, abrufbar unter https://www.edoeb.admin.ch/de/taetigkeitsbericht-des-edob, (zit.: EDÖB, 31. Tätigkeitsbericht 2023/2024).

Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB), Untersuchungen von Verstössen gegen Datenschutzvorschriften durch den EDÖB, Anwendung von Art. 49-53 des revidierten Datenschutzgesetztes, Stand: Oktober 2024, https://www.edoeb.admin.ch/edoeb/de/home/datenschutz/grundlagen/verstoesse.html,
(zit.: EDÖB Untersuchungen).