- In a nutshell
- I. General
- II. Objective Elements of the Offence
- III. Subjective Elements of the Offence
- IV. Illegality and culpability
- Bibliography
- Materials
In a nutshell
The provision of Art. 61 criminalizes (i) the intentional violation of the specifications during data export, (ii) the intentional violation of the specifications during the transfer of data processing to a commissioned processor, and (iii) the intentional non-compliance with minimum data security requirements. A fine of up to 250,000 Swiss francs may be imposed if one of these offences is committed. In the case of the criminal variant of intentional non-compliance with minimum data security requirements (Art. 61 lit. c), there are justified doubts as to its justiciability.
I. General
1 The provision of Art. 61 is new. The Federal Council justified the introduction of this provision in the dispatch by stating that the totally revised Data Protection Act provides for "new elementary obligations" that are "not covered by the existing penal provisions". This is an abstract endangerment offense; the offense is completed when the act is committed, so criminal liability does not require unauthorized third parties to have knowledge of the personal data concerned.
2 The criminal provision of Art. 61 is an offence prosecuted only on complaint (Antragsdelikt).
3 The purpose of Art. 61 is to enforce the obligations of data controllers and processors laid down by law (Art. 16 para. 1 and 2 in conjunction with Art. 17; Art. 9 para. 1 and 2; Art. 8 para. 3) by making their violation punishable. According to the dispatch, the punishment should ultimately contribute to the effective protection of the personality of the persons concerned. Art. 61 lit. a should also be read in the context of the objective of the revision of the FADP, as mentioned by the Federal Council in its report on the evaluation of the FADP of December 9, 2011: the revision should address the increase in data processing, the increasingly international dimension of data processing, and the growing difficulty of continuing to be able to control data once it has been disclosed.
4 The offense of Art. 61 is a special offense: Only those who are responsible for ensuring compliance with the obligations set forth in Art. 61 are eligible as offenders; in the case of legal entities, these are their managers pursuant to Art. 29 SCC. By its nature, the provision of Art. 61 is thus primarily directed at persons authorized to give instructions, since they must ensure the fulfillment of the duties in question. Anyone who does not prevent infringements by subordinate employees or does not reverse their effects also qualifies as an offender (Art. 6 para. 2 and 3 of the Criminal Code in conjunction with Art. 64 para. 1 of the FADP).
5 As far as the criminal element of Art. 61 lit. c is concerned, this was repeatedly criticized in the legislative process as being too vague. However, the request for deletion was ultimately not granted. Meyle/Morand/Vasella rightly question the justiciability of the "minimum data security requirements" regulated in the DPA (see below, n. 17 ff.).
II. Objective Elements of the Offence
6 Art. 61 FADP sets out three offences, each of which constitutes a breach of due diligence obligations. The consequence of a violation by private persons is a fine of up to 250,000 Swiss francs. The following three acts are subject to criminal prosecution upon complaint: violation of the requirements for data export (Art. 61 lit. a, below n. 7 ff.), violation of the requirements for handing over data processing to a processor (Art. 61 lit. b, below n. 12 ff.) and non-compliance with minimum data security requirements (Art. 61 lit. c, below n. 15 ff.).
A. Violation of data export requirements (Art. 61 lit. a)
1. General
7 Under the previous law, anyone who disregarded the legal requirements when disclosing data to countries without adequate legal data protection remained unpunished. Pursuant to Art. 34 para. 2 lit. a of the previous FADP (aDSG), only those who provided protection in the form of a contract but intentionally failed to report this contract to the FDPIC pursuant to Art. 6 para. 3 aDSG, or intentionally provided false information in doing so, were liable to prosecution.
8 Pursuant to Art. 61 lit. a, anyone who intentionally exports data to a state without adequate data protection and who can neither demonstrate an adequate data protection guarantee nor rely on an exception pursuant to Art. 17 is now liable to prosecution. If the Federal Council has not issued an "adequacy decision" based on Art. 16 para. 1, personal data may only be disclosed to the state in question under the conditions mentioned in Art. 16 para. 2, with the greatest practical relevance being the conclusion of standard contractual clauses ("standard data protection clauses", lit. d).
9 Within the scope of the GDPR, the European Commission repealed the previous standard contractual clauses with effect from September 27, 2021, by Decision (EU) 2021/914 of June 4, 2021, and replaced them with new standard contractual clauses. The FDPIC approved these new standard contractual clauses on August 27, 2021, with the proviso that they be adapted and/or supplemented as necessary in specific cases of application. However, anyone who discloses data to a country without adequate legal data protection cannot be content with merely concluding recognized standard contractual clauses. Rather, the wording of Art. 16 para. 2 lit. d requires that these standard contractual clauses actually ensure "adequate" data protection. The new standard contractual clauses require the parties to (i) additionally ensure that they can comply with the clauses regardless of the national law of the importer and (ii) document their assessment in this regard. A transfer impact assessment (TIA) must therefore be carried out, and data may only be transferred if this TIA is satisfactory.
10 Art. 10 para. 1 DPA specifies or relativizes that the data exporter must take "appropriate measures" in the case of data disclosure by means of standard contractual clauses to ensure that the data importer complies with the clauses in question. It follows that (under the risk-based approach) a residual risk that the local law of the importer undermines the importer's compliance with the standard contractual clauses may be accepted, as long as measures have been taken to adequately reduce this risk. Cf. the commentary on Art. 16 and 17.
2. No criminal liability of the importer
11 Anyone who (as an exporter) discloses personal data abroad despite knowing that the recipient (importer) of the data does not ensure appropriate data protection despite the contract exposes himself to the risk of criminal liability under Art. 61 lit. a. In contrast, the importer who accepts personal data or uses it in violation of the contract or data protection is not subject to the risk of criminal liability - the only criminal offense under Art. 61 lit. a is the disclosure of personal data.
B. Violation of the requirements when transferring data processing to a processor (Art. 61 lit. b)
1. General
12 Pursuant to Art. 61 lit. b, anyone who intentionally hands over data processing to a processor without the requirements of Art. 9 para. 1 and 2 being met is liable to prosecution. According to Art. 9 para. 1, the processing of personal data may be transferred to a processor by contract or by law if (a) the data are processed in the same way as the controller would be permitted to do himself and (b) no legal or contractual obligation of secrecy prohibits the transfer. According to Art. 9 para. 2, the controller must in particular ensure "that the processor is able to guarantee data security". The objective elements of Art. 61 lit. b would be fulfilled, for example, if a company, as the data controller, used a data processor (e.g., a cloud service provider) without having concluded a legally sufficient data processing contract with the data processor.
13 Art. 7 DPA specifies these requirements for commissioned processing: the controller must approve the commissioning of subcontracted processors in advance in a general or specific manner (Art. 7 para. 1 DPA). In the case of a general authorization, the data controller must be informed of any intended change regarding the involvement or substitution of other third parties, and the data controller may object (Art. 7 para. 2 DPA). See the commentary on Art. 9 for more details.
2. No Criminal Liability of the Data Processor (or the Persons Acting on His or Her Behalf)
14 Violation of Art. 9 para. 3, i.e. the processor's obligation to obtain the controller's prior approval for new subcontractors, is not punishable. Even in the case of a violation of Art. 9 para. 1 or 2, according to the wording of Art. 61 lit. b the processor (or the persons acting on his behalf) is not liable to punishment: only the controller (or the persons acting on his behalf) can be punished. The same must also apply where the processor in turn transfers the data processing to a sub-processor: norms establishing criminal liability must be interpreted narrowly.
C. Violation of minimum data security requirements (Art. 61 lit. c)
1. General
15 According to Art. 61 lit. c, anyone who intentionally fails to comply with the minimum data security requirements issued by the Federal Council pursuant to Art. 8 para. 3 is liable to prosecution. Reference is made here to the first section ("Data security", Art. 1 ff.) of the first chapter of the DPA.
16 The provision of Art. 61 lit. c is an abstract endangerment offense designed as a blanket standard (cf. already above, n. 1); a "data breach" need not have occurred. And conversely, not every "data breach" results in criminal liability - if there is a "data breach" but the "minimum data security requirements" have been met, there is no criminal liability.
2. Violation of the principles of Art. 1 DPA
17 The provision of Art. 1 DPA contains principles that the controller and the processor must observe when determining the appropriate level of protection and the measures suitable for it. These are general guidelines, and not concrete (minimum) data security requirements. According to the correct opinion of Meyle/Morand/Vasella, this very general provision regarding the procedure of the controller in determining security measures is not justiciable - it is not apparent which "minimum requirements" for data security within the meaning of Art. 8 para. 3 should result from Art. 1 DPA.
18 If the controller does not adhere to the principles of Art. 1 DPA, for example, if he does not determine the need for protection of personal data according to the criteria provided for in para. 1 or if he does not take relevant criteria into account in the risk assessment as provided for in para. 2 or if he does not review his measures "over the entire processing period" as provided for in para. 5, this does not indicate a violation of "minimum requirements" for data security: on the one hand, Art. 1 DPA does not define such requirements, but only contains guidelines on how to achieve them, and on the other hand, a controller may also implement effective measures to ensure adequate data security without strictly following Art. 1 DPA.
3. Violation of the objectives of Art. 2 DPA
19 The provision of Art. 2 DPA defines data security protection objectives that the controller and the processor must achieve by means of technical and organizational measures: Confidentiality (lit. a), Availability (lit. b), Integrity (lit. c) and Traceability (lit. d).
20 These protection goals are identical to those pursuant to Art. 6 para. 2 of the Federal Act of 18 December 2020 on Information Security at the Confederation (Information Security Act). Like the principles pursuant to Art. 1 DPA, the objectives pursuant to Art. 2 DPA are also very general (which is evident from the heading "Objectives" alone) and no "minimum requirements" for data security within the meaning of Art. 8 para. 3 can be derived from them. What concrete technical and organizational measures would have to be implemented is not clear from this. Meyle/Morand/Vasella rightly question the justiciability of this provision as well.
4. Violation of the provision on technical and organizational measures (Art. 3 DPA)
21 The provision of Art. 3 DPA contains specifications for technical and organizational measures and thus concretizes data security. However, it too does not contain any "minimum requirements" for data security within the meaning of Art. 8 para. 3; instead, Art. 3 DPA merely concretizes the protection goals contained in Art. 2 DPA.
22 In a broad interpretation, Art. DPA could be read as containing "minimum requirements" to the extent that, according to this provision, the protection goals defined in Art. 2 DPA must be "ensured". However, such an interpretation would mean that every violation of a protection goal would be evidence that a suitable measure was lacking. This in turn would not be compatible with the risk-based approach recognized in the area of data security. In this respect, the word "ensure" should be understood as "strive for".
23 Art. 3 DPA, together with Art. 1 and 2 DPA, is to be read as a concretization of the concept of data security, without "minimum requirements" for data security being derived from it. In addition, the controller and the processor do not necessarily have to take into account all the protection objectives pursuant to Art. 3 DPA for their technical and organizational measures. The justiciability of this provision is also rightly questioned by Meyle/Morand/Vasella.
5. Omission of logging in accordance with Art. 4 DPA
24 The provision of Art. 4 DPA takes over the previous Art. 10 DPA. The purpose of logging is to ensure purpose limitation.
25 As a rule, logging is not a "minimum requirement for data security" as mentioned in Art. 61 lit. c (even though Art. 4 DPA is listed under the first section of the DPA, "Data Security"), and failure to log cannot be punishable in this respect. Criminal liability would be conceivable by way of exception if a prosecuting authority could prove in an individual case that logging as a measure of traceability was also indirectly intended to serve data security and that the accused person was aware of this at least in broad outline.
6. Failure to draw up processing regulations in accordance with Art. 5 et seq. DPA
26 The provisions of Art. 5 f. DPA take over the previous Art. 11 and Art. 21 DPA. In the explanatory report on the DPA, the Federal Council itself states that the creation of processing regulations is about accountability, i.e. not about data security. This is not altered by the fact that an obligation to draw up such regulations exists only in the case of increased risk.
27 The creation of "processing regulations" is therefore not a "minimum requirement for data security" as mentioned in Art. 61 lit. c (even though Art. 5 f. DPA are listed under the first section, "Data security", of the DPA), and the failure to draw them up cannot be punishable in this respect either.
7. Consideration of costs in determining appropriate data security and appropriate measures
28 Pursuant to Art. 1 para. 1 DPA, in order to ensure adequate data security, the controller and the processor must determine the need for protection of the personal data and establish "the appropriate technical and organizational measures in view of the risk." Art. 1 para. 2 DPA sets out criteria for assessing the need for protection of the personal data, and Art. 1 para. 3 DPA sets out criteria for assessing the risk to the personality or fundamental rights of the data subject. The higher the need for protection of the personal data and/or the higher the risk mentioned, the stricter the requirements for the measures. According to Art. 1 para. 4 DPA, the "implementation costs" must also be taken into account when determining the technical and organizational measures.
29 According to the Federal Council, implementation costs should be understood broadly and include not only necessary financial resources, but also personnel and time resources. The costs are already to be taken into account when determining which measures are "appropriate" and which are not. Meyle/Morand/Vasella rightly point out that the view taken by the Federal Council, according to which data controllers and processors "cannot exempt themselves from the obligation of adequate data security on the grounds that excessive costs are involved", would render the provision of Art. 1 para. 4 DPA meaningless: "only" "adequate" security is required, and costs must be included as a criterion in determining adequacy.
30 The "minimum requirements for data security" are thus not violated (and it is not punishable) if the controller or the processor also take the costs, among other things, into account when determining the appropriate data security and the appropriate measures.
III. Subjective Elements of the Offence
31 From a subjective point of view, the elements of the offense under Art. 61 require intent, with contingent intent (dolus eventualis) being sufficient. The offender acts with contingent intent if, although he does not know with certainty that his conduct violates the requirements for data export (Art. 16 para. 1 and 2; Art. 17) or for the transfer of data processing to a processor (Art. 9 para. 1 and 2), or that it fails to comply with the minimum requirements for data security (Art. 8 para. 3 in conjunction with Art. 1 et seq. DPA), he considers such a violation possible and accepts it.
32 In the case of the criminal offense under Art. 61 lit. b, there is contingent intent if, when transferring data processing to a processor, the perpetrator at least accepts that the processor will (i) process the data in violation of the law or (ii) fail to ensure data security. Decisive for whether such acceptance exists are the circumstances under which the processor in question was "examined" and ultimately selected. The provisions of Art. 9 are very open and vaguely formulated (especially in comparison to the parallel provision of Art. 28 GDPR), which in practice is likely to make it more difficult for the criminal authorities to prove criminal conduct in individual cases (apart from the fact that there are in any case well-founded doubts as to the justiciability of the criminal variant of intentional non-compliance with minimum data security requirements, see above n. 17 ff.). In contrast, merely (unpunished) negligent conduct would be assumed, for example, if the perpetrator assumed, based on external legal advice obtained (about which no doubts had to arise), that a certain data processing contract was legally sufficient, but this turned out to be insufficient.
IV. Illegality and culpability
Cf. OC-Gassmann on Art. 60, n. 26 f.
Bibliography
EDÖB, Die Übermittlung von Personendaten in ein Land ohne angemessenes Datenschutzniveau gestützt auf anerkannte Standardvertragsklauseln und Musterverträge vom 27. August 2021, https://www.edoeb.admin.ch/dam/edoeb/de/Dokumente/datenschutz/Paper%20SCC_DE.pdf.download.pdf/Paper%20SCC_DE.pdf, accessed on 8.8.2023.
Meyle Hannes/Morand Anne-Sophie/Vasella David, DSV: keine Mindestanforderungen an die Datensicherheit, keine entsprechende Strafbarkeit, weitere Anmerkungen, https://datenrecht.ch/dsv-keine-mindestanforderungen-an-die-datensicherheit-keine-entsprechende-strafbarkeit-weitere-anmerkungen/, accessed on 8.8.2023.
Popp Peter/Berkemeier Anne, Commentary on Art. 1 StGB, in: Niggli Marcel Alexander/Wiprächtiger Hans (eds.), Basler Kommentar, Strafrecht (StGB/JStGB), 4th ed., Basel 2018.
Rosenthal David, Neue EU Standardvertragsklauseln für Datentransfers in unsichere Drittländer, https://www.rosenthal.ch/downloads/VISCHER-faq-scc.pdf, accessed on 8.8.2023.
Rosenthal David/Gubler Seraina, Die Strafbestimmungen des neuen DSG, SZW 1/2021, pp. 52 et seq.
Wohlers Wolfgang, Commentary on Art. 61 DSG, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (eds.), Stämpflis Handkommentar, Datenschutzgesetz, 2nd ed., Bern 2023.
Materials
Botschaft zum Bundesgesetz über die Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz vom 15.9.2017, BBl 2017 pp. 6941 et seq. (cited as Botschaft 2017), available at https://www.admin.ch/opc/de/federal-gazette/2017/6941.pdf, accessed on 8.8.2023.
Erläuternder Bericht des Bundesamts für Justiz BJ zur Verordnung über den Datenschutz vom 31.8.2022, available at https://www.bj.admin.ch/dam/bj/de/data/staat/gesetzgebung/datenschutzstaerkung/vdsg/erlaeuterungen-vo.pdf.download.pdf/erlaeuterungen-vo-d.pdf (cited as Erläuternder Bericht DSV), accessed on 8.8.2023.
Kommentar des Bundesamts für Justiz BJ zur Vollzugsverordnung zum Bundesgesetz über den Datenschutz vom 1.1.2008 (cited as Kommentar BJ zur VDSG), available at https://www.edoeb.admin.ch/dam/edoeb/de/Dokumente/deredoeb/kommentar_des_bundesamtsfuerjustizzurvollzugsverordnungvom14juni.pdf.download.pdf/kommentar_des_bundesamtsfuerjustizzurvollzugsverordnungvom14juni.pdf, accessed on 8.8.2023.