Skip to content

The Federal Data Protection and Information Commissioner (FDPIC) has published its 33rd annual report, thereby setting an important course for future data protection practice in Switzerland. The report highlights the issues currently occupying the supervisory authority and the areas in which companies can expect to face increased scrutiny under data protection law in future. Particular focus is placed on artificial intelligence, international data processing and the practical implementation of the revised Data Protection Act. Companies should therefore view the annual report not merely as a retrospective, but as a guide to their data protection compliance.

The FDPIC is taking an increasingly firm stance as a supervisory authority

The FDPIC’s 33rd Annual Report clearly shows that data protection supervision in Switzerland is continuing to evolve. Whilst the focus in recent years has often been on the introduction of the revised Data Protection Act (DPA), the emphasis is now shifting to its practical enforcement. The report documents numerous investigations, preliminary enquiries and interventions, thereby providing a clear picture of the FDPIC’s current priorities.

For businesses, the annual report is therefore far more than just a review of the past year. It provides insight into which issues are likely to come under increased scrutiny by the supervisory authority in future and how the FDPIC intends to apply the new instruments of the revised DPA.

A more consistent approach to investigations

One of the most striking developments concerns the EDÖB’s supervisory practice. The report shows that the authority is increasingly making active use of its investigative powers. Particularly noteworthy is a case against a Swiss company operating in the field of marketing and address trading, which failed to respond to repeated requests from the EDÖB. The Commissioner did not confine himself to issuing further reminders, but formally ordered the company to cooperate in accordance with Article 50 of the Data Protection Act (DSG) and, in addition, filed a criminal complaint under Article 65 of the DSG for breach of the duty to cooperate.

In doing so, the FDPIC makes it clear that companies must take their statutory duty to cooperate with the authorities seriously. The revised Data Protection Act provides the supervisory authority with effective tools, the use of which is clearly evident for the first time in the annual report.

Biometric surveillance remains under close scrutiny

Another key focus concerns biometric systems. Several examples illustrate that the EDÖB imposes high standards on the use of facial recognition and body cameras. The reason for this is that such systems regularly process biometric data, which, under Article 5(c)(4) of the Data Protection Act, is classified as personal data requiring special protection.

For instance, following the EDÖB’s intervention, Flughafen Zürich AG temporarily abandoned a pilot project on facial recognition during boarding pass checks because there was no adequate legal basis for it. At the same time, the FDPIC launched an investigation into BLT Baselland Transport AG regarding the use of bodycams by train crew.

Both cases demonstrate that, where technologies involving a particularly high level of intrusion are concerned, technical security measures alone are not sufficient. The decisive factor remains whether there is a sufficient legal basis and whether the processing is proportionate.

Data protection advisers should be involved at an earlier stage

The annual report also contains a clear message regarding the role of data protection officers (DPOs). The FDPIC notes that, in practice, data protection officers are often only involved at a late stage in projects. In its view, this contravenes the principle of ‘privacy by design’.

Data protection should not be assessed only once a project has already been implemented. Rather, the FDPIC expects data protection officers to be involved at an early stage in development and decision-making processes. This expectation is likely to become increasingly important in future, particularly in the context of digital transformation projects or the use of artificial intelligence.

International companies are increasingly coming under scrutiny

The international enforcement of data protection law also remains a priority. The FDPIC once again checked whether foreign companies were complying with their obligation under Article 14 of the Data Protection Act (DPA) to appoint a data protection representative in Switzerland. During the reporting year, TikTok and Tinder, amongst others, fulfilled this obligation.

In doing so, the FDPIC makes it clear that the requirements of Swiss data protection law are to be consistently enforced against foreign companies as well, provided they process personal data relating to individuals in Switzerland.

Data protection impact assessments continue to gain in importance

Another key focus concerns data protection impact assessments (DPIAs). The EDÖB emphasises that, even at the stage of new legislative proposals, a systematic assessment must be carried out to determine whether a DPIA is required. In this regard, it stresses that risks should be identified as early as possible so that data protection can be taken into account right from the planning phase of new data processing activities.

Although these comments are directed specifically at federal bodies, important conclusions can be drawn from them for businesses. Particularly in the case of AI applications or large-scale data processing, expectations are likely to rise regarding the need to document data protection risks at an early stage and to demonstrate that appropriate safeguards are in place.

Conclusion

The 33rd Annual Report demonstrates one thing above all: the FDPIC is increasingly evolving from an advisory body into an actively intervening supervisory authority. The focus is less on new legal requirements and more on their consistent enforcement. In particular, the issues of biometric data, international data processing, data protection organisation and obligations to cooperate are likely to remain relevant for businesses in the coming years.

In practice, it is therefore advisable not to read the Annual Report merely as a review of the past year. Rather, it offers valuable insights into which data protection issues the FDPIC will monitor particularly closely and address through its supervisory activities in the future.

 

Sources