Global Investigations Review - The law and practice of international investigations

Data Privacy & Transfer in Investigations

Last verified on Wednesday 21st August 2019

Switzerland

Claudio Bazzani and Katrin Ivell
Homburger
  1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data?

    In Switzerland, the Federal Data Protection Act (FDPA) is the main piece of legislation that governs the collection, storage, transfer and other processing of personal data. Further details are stipulated in the Ordinance on the FDPA. The processing of personal data by cantonal authorities is governed by cantonal laws.

    The FDPA and its Ordinance are currently under revision, with the aim of aligning Swiss data protection laws with the EU General Data Protection Regulation (GDPR). The revised FDPA is expected to come into force in 2020 at the earliest.

    Given that Switzerland is not an EU member, the GDPR is in principle not applicable in Switzerland. However, where the GDPR provides for extraterritorial reach, it may on a case-by-case basis be relevant also for processing activities in Switzerland.

  2. What other laws and regulations may prevent data sharing in the context of an investigation?

    There are a number of additional statutory provisions that may prohibit or restrict the sharing of relevant data. The most important provisions are the following:

    Banking secrecy and other professional secrecy laws: The Swiss bank customer secrecy law is set out in the Federal Banking Act (FBA) and makes it a crime to disclose information relating to current or former customers of a Swiss bank. Disclosure of such protected information is not allowed except with the relevant customers' consent or in situations provided for in Swiss federal and cantonal legislation (including in the context of international judicial or administrative assistance). A Swiss bank's employees, agents and representatives, including outside counsel, are subject to this provision. Even negligent violation of the banking secrecy provision is a criminal offense. Similar criminal law provisions exist for other professions, such as lawyers, doctors, pharmacists, etc.

    Blocking statute: The Swiss Penal Code (SPC) prohibits and sanctions (i) unlawful activities on behalf of a foreign state if no authorisation has been granted by the responsible administrative body and (ii) the disclosure of Swiss manufacturing and business secrets. The prohibition of such unlawful activities protects Switzerland's territorial sovereignty and aims at preventing foreign states or parties from circumventing international conventions on mutual assistance. 

    Employment law: In Switzerland, employers have a contractual duty of care towards their employees and a statutory duty to protect data involving or relating to the employee. Both duties survive the termination of the employment relationship and may restrict the disclosure of employee data to foreign authorities.

  3. What can constitute personal data for the purposes of data protection laws?

    The FDPA defines personal data as information which relates to identified or identifiable individuals and legal entities. A person is considered identified when it is possible to conclude that the data relates to a specific person. A person is considered identifiable if it can be identified by combining several pieces of information (each of which, on its own, may not be sufficient to identify the person).

  4. Does personal data protection relate only to natural persons or also legal persons?

    The personal data protection provided for by the FDPA relates to both natural as well as legal persons. The draft of the revised FDPA proposes to no longer qualify data relating to legal entities as personal data.

  5. To whom do data protection laws apply?

    The FDPA applies to anybody involved in the data processing, including in particular the data controller and the data processor.

  6. What acts or operations on personal data are regulated by data protection laws?

    The FDPA defines processing of data as any operation with personal data, irrespective of the means and the procedure applied. Processing includes, without limitation, the collection, storage, use, revision, disclosure, archiving and destruction of data. The definition is broad and includes both the collection and analysis of data in an internal investigation and the disclosure of personal information and other data to a foreign authority.

  7. What are the principal obligations on data controllers to ensure the proper processing of personal data?

    The FDPA requires, inter alia, that personal data only be processed lawfully, in good faith and in a proportionate manner. The principle of proportionality requires that personal data be processed only insofar as the processing is suitable and necessary to achieve the purpose for which the data is processed. The principle of purpose limitation stipulated in the FDPA requires that personal data is only processed in accordance with the purpose that (i) was indicated when the data was originally obtained or provided, (ii) is obvious from the circumstances or (iii) is provided by law. The principle of transparency requires that the collection of personal data and the purpose of its processing is evident to the data subject.

    Any processing of data that does not comply with the processing rules stipulated in the FDPA is considered a breach of the data subject's personality rights. Such breach is unlawful unless it is justified by the consent of the data subject, by an overriding private or public interest, or by a provision of Swiss law:

    • Consent may be given explicitly or implicitly, but it is valid only if given voluntarily on an "informed consent" basis. To provide "informed consent", the person concerned needs to know which data is processed, the purpose of the data processing and its scope (see also question 12). 
    • Justification based on overriding private interests requires a case-by-case balancing of the relevant interests at stake (ie, of the interests of the person processing the data in the processing on the one hand and of the interests of the data subject on the other). The Swiss Federal Supreme Court has consistently held that overriding private interests must not easily be assumed; only considerable interests in data processing can outweigh the data subject's data protection interests.
    • The justification of an overriding public interest refers to the public interest from a Swiss point of view. Although as a matter of principle, public interests of foreign states or authorities do not as such constitute a valid overriding public interest, on a case-by-case basis, the support of a foreign state may be considered an overriding public interest from a Swiss point of view. The existence of an overriding public interest has to be reviewed for each individual case by weighing the public interest against the private interests of the concerned persons.
    • In addition, a breach of privacy and integrity may be justified where the breach is required to comply with – or is otherwise authorised by – Swiss law. A breach cannot, however, be justified by reference to an obligation under a foreign law.

    Finally, certain restrictions apply for data disclosure into jurisdictions that are deemed not to have an adequate level of data protection (see question 16).

    DATA EXTRACTION BY THIRD PARTIES FOR DATA COLLECTION PURPOSES

  8. Before data extraction by third parties commences, should steps be taken to ascertain whether non-locally generated data was lawfully transferred to, or within, your jurisdiction in the first instance?

    Swiss data protection law does not generally require such steps. However, non-locally generated data that was transferred into Switzerland is subject to the same FDPA regime as locally generated data.

  9. Are there additional requirements where third parties process the data on behalf of the entity to which data protection laws primarily apply?

    Typically, the data controller and the data processor have to enter into a data processing agreement. The data controller must ensure that any third party who processes data on behalf of the data controller processes the data only for the purposes of and as instructed by the data controller, and only in a manner in which the data controller itself would be allowed to process the data. Further, the data controller must ensure that the data processor guarantees data security. Additionally, the transfer of the data to third parties for processing purposes is subject to the restrictions set out in question 2.

  10. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation? And how can consent be given by a data subject?

    Consent is not mandatory for the processing of personal data. However, consent provides one possible justification for a breach of the processing rules of the FDPA (see question 7 above). There are no specific formalities to be observed to obtain consent, but see question 12 for the notion of "informed consent" and its requirements. Typically, it is advisable to obtain consent in a form that can be documented (eg, in writing).

  11. If not mandatory, should consent still be considered when planning and carrying out an investigation?

    Whether or not the consent of the data subject is sought will depend on, among other things, the circumstances and the subject matter of the investigation, the type of information anticipated to be provided to domestic and foreign authorities, and the identity and exposure of the data subject.

  12. Is it possible for data subjects to give their consent to such processing in advance?

    Consent is only valid if given voluntarily on an "informed consent" basis. For consent to be given "voluntarily", the data subject needs to have an actual choice, which may, depending on the circumstances, not be the case for employees required to give consent to their employer. For consent to be considered "informed", the data subject needs to know which data is processed, the purpose of the data processing and its scope. Thus, while it is not per se impossible to obtain consent in advance by way of standard terms and conditions, particular attention must be paid to the requirement of specificity.

  13. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

    Any data subject may request information from the data controller as to whether data concerning the data subject is being processed. The data controller is required, upon request, to notify the data subject of (i) the available data concerning the subject in the data file, including the available information on the source of the data, (ii) the purpose of and the legal basis for the processing, (iii) the categories of the personal data processed, (iv) the other parties involved with the data file, and (v) the third-party data recipient.

    The data controller may refuse, restrict or defer the provision of information to the data subject if this is required (i) to protect the overriding interests of third parties or (ii) to protect its own overriding interests, provided that the data is not shared with third parties. In addition, the data controller may in principle refuse access to information that is legally privileged.

    The information must generally be provided in writing (ie, in the form of a printout or a photocopy) and free of charge.

    TRANSFER FOR LEGAL REVIEW AND ANALYSIS

  14. How are law firms, and legal process outsourcing firms, generally characterised in your jurisdiction?

    Legal process outsourcing firms are normally characterised as data processors that process data on behalf of their clients (ie, the data controllers). Law firms may, depending upon the specific work they perform, act as controller or processor.

  15. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

    The disclosure of the data to third parties within the jurisdiction for review purposes must be in line with the principal obligations on data controllers to ensure the proper processing of personal data (see question 7).

  16. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

    In addition to the general data protection principles set out above, the FDPA provides that personal data may not be disclosed to recipients outside of Switzerland if this seriously endangers the privacy of the data subject. Such risk is presumed as a matter of statutory law if the country of destination is lacking adequate data protection regulation. In this regard, "data protection regulation" means mandatory and enforceable law, whether codified or not. In the absence of legislation that guarantees adequate protection, the FDPA stipulates that personal data may only be disclosed abroad if, among others, (i) sufficient safeguards, in particular contractual clauses, ensure an adequate level of protection abroad or (ii) the data subject has consented to the export. The FDPA further requires that the Swiss Data Protection Commissioner is informed if contractual safeguards serve as the basis for a data export.

    In practice, cross-border data transfer agreements are regularly used to comply with the FDPA requirements regarding the export of data to a jurisdiction without adequate data protection regulation in place. The Swiss Data Protection Commissioner published a model agreement that may be used for this purpose, but it has also acknowledged the use of the standard EU model clauses for cross-border data transfers. 

    The Swiss Data Protection Commissioner maintains a list of countries that are deemed to have adequate data protection. It is noteworthy that, according to the list, the US is not among those countries. Switzerland and the USA, however, agreed on a framework for the transfer of personal data from Switzerland to the USA, the Swiss-US Privacy Shield. US companies, which are self-certified under the Swiss-US Privacy Shield, are deemed to provide an adequate level of data protection from a Swiss point of view. As a result, data transfers to those companies are permissible even absent consent of the data subject or further contractual safeguards.

    Depending on the specific circumstances, disclosure to recipients outside of Switzerland may further be restricted due to applicable professional secrecy obligations.

    TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

  17. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

    The transfer of personal data to Swiss regulators and enforcement authorities outside of formal legal proceedings (eg, by way of voluntary cooperation) must be in line with the general data processing principles set out in the FDPA. In practice, however, these principles do not usually restrict the ability to share personal data with Swiss regulators and enforcement authorities.

  18. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

    Disclosure of personal data to foreign regulators or enforcement authorities is restricted by the same set of rules that govern the disclosure of personal data to a non-government third party. Therefore, the disclosure must be in line with the general data protection principles set out above and, if the country of destination lacks adequate data protection regulation, with the special provisions governing cross-border disclosure set out in question 16.

    In practice, data transfer clauses or data transfer agreements are usually not available options when it comes to information sharing with authorities, as they are reluctant to or not empowered to enter into data transfer agreements in connection with investigations.

    In addition, Swiss courts take a very narrow view on when an overriding public interest in cross-border data disclosure to foreign regulators or enforcement authorities can be made out. As a result, seeking consent from the data subject may in some circumstances be the only viable solution. If such consent is withheld and if none of the other justifications can be shown, the FDPA prohibits the disclosure of personal data to foreign law enforcement entities. In that case, redactions or codes may have to be used to protect the privacy of the affected data subjects.

    Depending on the specific circumstances, the disclosure of personal data to foreign regulators or enforcement authorities may be further restricted by secrecy rules and blocking statutes (see question 2).

  19. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

    A useful analysis upon receipt of a request from a regulator for disclosure of personal data might focus on the following key questions, which help determine the strategy of how to proceed:

    • Who is the regulator, and what are the content and subject matter of the request?
    • Is the regulator focusing on the entity or on individuals?
    • If the focus is on individuals, are they employees of the entity or third parties? What type and level of confidentiality obligation (if any) is owed to them?
    • What are the legal provisions at stake in the request? What are the legal provisions on which the request is based?
    • What is the likely use of the data sought by the regulator?
    • What are the likely consequences to the affected data subjects?

    The answers to these questions will drive the overall assessment, and will, in particular, allow the determination of whether restrictions other than based on the data protection framework will apply.

  20. What are the sanctions and penalties for non-compliance with data protection laws?

    Data subjects can seek injunctive relief preventing an unlawful processing of personal data, or a declaratory judgment that the infringement is unlawful if it continues to have an offensive effect. In case a data subject suffered a financial loss, he or she could additionally file a civil lawsuit against the disclosing entity and claim damages as well as moral restitution.

    CONTINUING OBLIGATIONS ON ORIGINAL AND INTERVENING DATA CONTROLLERS

  21. What are the continuing obligations on the original data controller that apply in an investigation?

    As a general rule, the original data controller has a continuing obligation to ensure that any processing of data, including by third parties, is in line with applicable laws. This is primarily achieved by providing suitable instruction to the data processor and by seeking the data processor's written confirmation that those instructions have been understood and will be adhered to.

    As far as data extraction is concerned, the data controller must ensure that any third party who processes data on behalf of the data controller processes the data in a manner in which the data controller itself would be allowed to process the data. Also, the data controller is under a continuing obligation to provide the data subject with the following information, if requested:

    • the available data concerning the subject in the data file, including the available information on the source of the data;
    • the purpose of and the legal basis for the processing;
    • the categories of the personal data processed;
    • the other parties involved with the data file; and
    • the third-party data recipient (see question 13).

    Upon transfer of data to a third-party processor, the data controller must ensure that the disclosure of the data to third parties for review purposes is in line with the rules on proper processing of personal data (see question 7). In addition, if data were transferred to a third party in another country for the purpose of reviewing the data, the provisions set out in FDPA governing cross-border processing apply in addition to the general provisions (see question 16).

    Finally, when transferring data to regulators and authorities, it should be borne in mind that such transfer must be in line with the general data protection principles set out above and, if applicable, with the provision that data must not be disclosed abroad if the privacy of the data subjects would be seriously endangered by the disclosure (see question 18).

  22. What are the continuing obligations on any intervening data controller that apply in an investigation?

    Swiss law does not distinguish between an original data controller and an intervening data controller. As such, intervening data controllers would be subject to the same obligations as original data controllers.

    RELEVANT MATERIALS

  23. Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.

    Federal Data Protection Act, available at www.admin.ch/opc/en/classified-compilation/19920153/index.html.

    Federal Banking Act, available at www.admin.ch/opc/de/classified-compilation/19340083/index.html (German, French and Italian language versions only).

    Swiss Penal Code, available at www.admin.ch/opc/en/classified-compilation/19370083/index.html.

    Additional information regarding data protection is available from the website of the Federal Data Protection and Information Commissioner (FDPIC) under https://www.edoeb.admin.ch/edoeb/en/home.html. See specifically the guidance provided to certain Swiss banks in relation to the provision of employee data to US authorities under https://www.edoeb.admin.ch/edoeb/en/home/documentation/annual-reports/20th-annual-report-2012-2013/transfer-of-employee-data-to-the-us-authorities.html (German, French and Italian language versions only).
