Page 1

Federal Data Protection and Transparency Officer
PFPDT

Treatment guide
personal data
in the private sector

August 2009

Feldeggweg 1, 3003 Bern
Phone. 058 463 74 84, Fax 058 465 99 96
www.edoeb.admin.ch

Page 2

Contents
Guide to the processing of personal data in the private sector ................................... 1
Contents: .............................................. .................................................. ............................... 2
1.

Data protection in the private sector .......................................... ................... 3

2.
2.1
2.2
2.3
2.3.1
2.4
2.5
2.5.1
2.5.2
2.5.3
2.6
2.6.1
2.7
2.8

The master of the file and his responsibility ........................................... ................................. 4
Data processing: general principles ............................................ .............................. 4
Data gathering ............................................... .................................................. .............. 5
Communication of data to third parties ............................................ ...................................... 5
Data processing by third parties ............................................ .......................................... 5
Declaration of files ............................................... .................................................. .......... 5
Communication of data abroad ........................................... ..................................... 6
Conditions to be fulfilled ............................................... .................................................. ............... 6
Contract................................................. .................................................. .................................. 6
Declaration ................................................. .................................................. ........................... 7
Obligation to provide information ............................................. ................................. 7
Free information and exceptions ............................................. ............................... 7
Data security ............................................... .................................................. ............ 8
Criminal provisions ................................................ .................................................. ............. 9

3.

Some useful tips for "getting started" in data protection .............. 10

4.

Annex: Definitions according to the Federal Data Protection Act ..................... 11

2/11

Page 3

1. Data protection in the private sector
The Federal Data Protection Act (LPD) and the Ordinance on the Federal Data Protection Act
tion data (OLPD) came into force on 1 st July 1993. Their revision entered into the strength
1 st January 2008. Since then, all processing of personal data must comply with the requirements of
this law. A particular responsibility lies with the "file masters", a term which designates the personnel.
ring which decides the purpose and content of the file.
This brochure is intended for file managers in the private sector. Another brochure,
on data processing within the federal administration, is available on the website of the PreFederal Commission for Data Protection and Transparency (PFPDT). Data processing by
cantonal and communal administrations is governed by cantonal law.
This brochure presents the data protection principles that a data controller must respect,
as well as the questions that must be asked before collecting, processing or transmitting data.
Certain files, as well as the transfer of certain data, must be declared to the Federal Agent at
data protection. In the following pages you will therefore also find the cases in
which the file master must first declare the files it has decided to open.
For all questions relating to the liability of file masters or to the law on the protection of
data in general, please contact us. You will find our address at the end
of this brochure.

3/11

Page 4

2. The master of the file and his responsibility
By "master of the file", we mean the private person - natural or legal - who decides on the purpose and
contents of the file. From a data protection point of view, the controller of the file and the person who
enter or modify data can be two different people.

2.1 Data processing: general principles
The following principles, and which are set out in arts. 4 and 5 LPD, must imperatively be respected
in any data processing operation.
Personal data can only be collected lawfully . We consider that
were collected illicitly when they were obtained by force, by trickery, by misnace or by deception.
According to the LPD, personal data must be processed in accordance with the principle of good
faith ; this means that the data processing has been carried out in a recognizable manner for the persounds concerned. This principle is not respected when a person has not been informed - or has been
incorrectly informed - of the type and purpose of the treatment. In particular are considered to be misleading
intentional peries covert data collection, unauthorized wiretapping, or
still the data collections without the knowledge of the interested party by the manipulation of programs.
Personal data may only be processed for the purpose that is indicated during collection, which
is prescribed by law or which appears from the circumstances. Thus, the addresses collected for example in
as part of a competition may not be used for other commercial purposes.
If you wish to change the purpose of the processing, you must obtain the express consent of the persons concerned.
identified and inform these people of the scope of their agreement, or else assert a preponderant interest
rant to this modification.
Anyone who has a file should ensure that the data contained in the file is
correct . In other words, it is necessary on the one hand for the data to be up to date and on the other
can be corrected if they are inaccurate.
Any processing of personal data constitutes an attack on the personality and it is therefore necessary to ensure
limit this damage as much as possible. For this reason, the file master only has the right to process
data which he absolutely needs and which are relevant for the performance of his tasks (main
principle of proportionality ).
The collection of personal data and in particular the purpose of their processing must be acknowledged.
sands for the affected person. The requirement of recognizability introduced by the revision of the LPD
embodies the principle of good faith and thus aims to make data processing more transparent.
This principle means that the data subject must be able to recognize, under normal conditions,
that data concerning it has been or could be collected (predictability). This person must
in particular to know the purpose of the data processing or to be able to note that the purpose was indicated during
collection or as the circumstances show.

4/11

Page 5

You should therefore delete the data when you no longer need it. Anyone who does not
failure to comply with these principles undermines the personality of the person concerned. Such an attack
is only justified when the controller of the file can assert a justifying reason such as the agreement of the
data subject, an overriding public or private interest, or a law (art. 13 LPD).

2.2 data collection
In accordance with the principles just mentioned, you can only collect data
that you absolutely need to achieve your goal.
One of the conditions necessary to ensure that the processing or use of personal data
is in accordance with the law is a collection of data carried out in strict compliance with the law (art. 13
LPD). The checklist below will help you with this.
When you collect data, you should inform the people about whom the data is collected.
data is collected, if this is not clear from the circumstances.
We advise you to check the accuracy of the data. You will thus save yourself from requests
unnecessary information.

2.3 Communication of data to third parties
The communication of data to third parties is only permitted in well-defined cases and in certain circumstances.
conditions (art. 13 LPD). Please ensure that you follow the principles governing processing
Datas.
The communication of data is in particular authorized when a predominant private or public interest
or a law provides for it.

2.3.1 Data processing by third parties
As a company, you can entrust the processing of personal data to a third party in the same way.
sure where no legal or contractual obligation requires you to keep the secret. But in your
quality of principal you must ensure that the data is treated in the same way as you
you would be allowed to do this yourself. As the master of the file, you therefore remain responsible for
data processing.

2.4 File declaration
Private individuals must declare their files to the PFPDT when they regularly process
sensitive data or personality profiles or when they regularly communicate
personal data to third parties (art. 11a, para. 3, LPD).
The obligation to declare a file falls if the conditions appearing in art. 11a, al. 5, LPD and art. 4
OLPD are met, in particular if the data controller has appointed a data protection adviser.
born independent responsible for ensuring the internal application of the provisions relating to the protection of
data and keep an inventory of files (art. 11a, para. 5, letter e, LPD).

5/11

Page 6

You can declare your files either by filling out the appropriate form to download on the site
www.leprepose.ch or by doing so online at www.datareg.admin.ch.

2.5 Data communication abroad
The communication abroad of personal data the processing of which does not pose any problem in
Switzerland may ultimately prove to be problematic for the data subject, who is likely to
in some cases, losing control of the data concerning it. The risk of personal injury
his personality is therefore increased. For this reason, the data controller is obliged to guarantee the protection of
data even in the event of data communication abroad.
Problems can arise, for example, when an association supporting sick people
AIDS service communicates the list of its members to a partner organization based in a country that does not provide
not an adequate level of data protection. In such a case, if these data were to be
communicated to third parties, it is possible, in certain circumstances, that one or the other
concerned have problems on the day they wish to travel to the country in question.

2.5.1 Conditions to be fulfilled
It is often difficult for data processors to assess the risks of a transfer. We
therefore considers that the personalities of the persons concerned are seriously threatened when the country
in which the data is transferred does not ensure an adequate level of data protection
(art. 6, al. 1, LPD).
In principle, it can be assumed that the states which have ratified the Council of Europe Convention of
January 28, 1981 for the protection of individuals with regard to automatic processing of data at
personal character and who have signed the corresponding additional protocol ensure a level of protection
adequate tion. This is particularly the case for EU countries.
To facilitate the assessment of the situation in the event of data communication abroad (and as
information for the persons concerned), the PFPDT has drawn up a list of States with
tion ensuring an adequate level of data protection. This list can be viewed at
www.leprepose.ch.
The transfer of personal data to countries which do not ensure a level of protection of
adequate data should only intervene if the conditions provided for in art. 6, al. 2, LPD are met.

2.5.2 Contract
However, an equivalent data protection system alone does not guarantee that any breach
to personality can be avoided. It is therefore advisable in all cases to establish a contract between the
master of the file and the recipient of the data, a contract which will regulate the protection and security of
born.
When a file is transferred to a State which does not have a data protection system
equivalent, it is mandatory to conclude such a contract. In addition, the transfer must be declared to the Agent
federal data protection and transparency (see next chapter).

6/11

Page 7

2.5.3 Declaration
The communication of data abroad referred to in art. 6, al. 2, let. a and g, LPD must be announced at
PFPDT (art. 6, al. 3, LPD).

2.6 Obligation to provide information
Anyone whose data you process in a file has the right to request free of charge
information on the data in question to require, if necessary, that they be rectified or
deleted.
You must provide the requested information within 30 days. If you restrict the right of access,
you also have 30 days to inform the person concerned, in the form of a decision
written reasoned. There can be no restriction except when a law in the formal sense so provides or when the interests
preponderant decisions of the file master or a third party justify it and that the data is not shared
notified to third parties (art. 9 LPD).
The person concerned can assert his right of access to the civil judge who decides according to a pro
quick and easy procedure.

2.6.1 Free information and exceptions
Information is generally provided free of charge, as the request for information is
a fundamental right which guarantees the protection of personality; the exercise of this right cannot therefore be
subject to the collection of a fee (art. 8, al. 5, LPD).
However, there are two exceptions to this rule:
• a contribution to the costs can be requested when the desired information has already been
communicated to the applicant within twelve months of the request; the master of the file cannot
however, not request a contribution to the costs if the applicant can claim a legitimate interest.
time (eg if the data has changed in the meantime); the purpose of this provision is to limit the
number of quarrelsome inquiries;
• a fee may also be levied when the communication of the requested information
involves a significant amount of work (e.g. because the data has already been rendered anonymes) or that it is necessary to carry out extensive searches (in manual files); you
however, cannot invoke a heavy workload if the importance of this workload
is due to poor organization or poor management of your file.
The cost contribution may not exceed 300 francs. The applicant must first be informed
formed by the amount he will have to pay, so that he can possibly withdraw his request.

7/11

Page 8

Summary table:

A request for information is sent to the master of the file or to the competent person.
Are the requested data processed in a file whose structure allows for
searches by person concerned?
no

Yes

You must communicate to the applicant in
the 30 days that no personal data
concerning him is not processed.

You must either inform the applicant
within 30 days or notify him that the delay will be
extended, or inform him of the limitation of
his right of access (reasoned decision).

Has the applicant already obtained the information
ment during the last twelve months?

no

Yes
Does the applicant have a legitimate interest in obtaining
deny the information again?

Yes

Communication of information
does it cause a volume of work
important?

Yes

no

The applicant is informed that he must participate
at the expense. Does he maintain his request?

no

Yes

No contribution to costs

Participation in
fees (max. 300 fr.)

no

Withdrawal of theorder

2.7 Data security
While data protection aims to protect privacy, data security aims
to protect information, in other words to guarantee its confidentiality, availability and integrity. The
data security includes all measures that must be taken by file masters
to meet the requirements of data protection law.
8/11

Page 9

Art. 7 LPD provides that personal data must be protected against any unauthorized processing.
torised by appropriate organizational and technical measures. These measures include between
others the control of data access, transport, communication, storage, use and
data entry. The master of the file is required to log the data processing carried out and
to establish a regulation governing the processing.
The details of the prescribed measures can be consulted in art. 8 to 12 OLPD.

2.8 Criminal provisions
The master of a file is punishable if he does not comply with one of the following three obligations: obligation
to provide information to the persons concerned, obligation to declare the files and
file transfers abroad, obligation to cooperate with the Federal Officer for the Protection of
data and transparency when establishing the facts (art. 34 LPD).
So keep in mind that the rules of data protection must be respected every time
that an individual stores and / or processes data in a file whose structure allows
searches by person concerned.

9/11

Page 10

3. Some useful tips for "getting started" in the
Data protection
If you are processing data, start by making a list of all your files whose structure allows
puts to search data by person. This measurement will allow you to determine who collects
data, what data is collected and for what purpose. This list will help you put in
implement more effectively the measures necessary for correct data processing.
We recommend that you appoint an internal body that will ensure that the rules of protection
data are respected. The experiences made in Germany over the last thirty years in
the field of data protection have shown that it is absolutely essential, in
large companies at least, to designate a responsible body.
We also advise you to inform your employees of the provisions provided for in the LPD.
concerning the processing of personal data. For example, pass around a note presenting the
provisions of the law, and draw the attention of your employees to the principles governing the processing
personal data (purpose of processing, transmission of personal data, etc.). Furthermore,
you can, in writing, submit your employees to the obligation to respect professional secrecy (art.
35 LPD).
It is essential to provide for planning and coordination in the field of human protection.
data. Otherwise, it will be difficult for you to meet all the requirements that
are asked in this complex area.
Think about it: data processing that does not respect data protection principles may
harm your image as well as that of your business.

10/11

Page 11

4. Annex: Definitions according to the Federal Law on
Data protection
Data
personal:

All information relating to an identified person or
identifiable.

Nobody
concerned:

The natural or legal person (natural person, companies,
sociation) about which data is processed.

Data
sensitive:

Personal data on religious opinions or activities, phiphilosophy, political or union, health, the private sphere or
race, social assistance, prosecution
or criminal or administrative sanctions.

Profile of the
personality:

An assembly of data which allows to appreciate the characteristics
essentials of the personality of a natural person.

Treatment:

Any transaction relating to personal data - regardless of
the means and processes used - in particular the collection, conservation,
operation, modification, communication, archiving or desdata construction.

Communication:

Making personal data accessible, for example
by authorizing their consultation, transmitting or disseminating them.

File:

Any set of personal data whose structure makes it possible to
search the data by data subject.

Federal body:

The federal authority or service as well as the person as such
responsible for a task of the Confederation (eg sickness funds).

File master:

The private person or the federal body that decides on the purpose and content
of the file.

11/11

