The new Federal Act on Data Protection (FADP; AS 2022 491) will enter into force on 1 September 2023. One of the aims of the total revision of the DPA is to strengthen the rights of data subjects. The planned revision is intended to give individuals more control over their data and ensure that companies handle the data they obtain in a transparent and responsible manner.
The fourth chapter of the new DPA is dedicated to the rights of data subjects. According to the nDSG, the data subject is granted the right to information in Art. 25 nDSG and the right to data disclosure and transfer in Art. 28 nDSG. In the fifth chapter of the nDSG, the data subject is granted further legal rights in Art. 32 nDSG. In this article, we will take a closer look at the rights of data subjects and highlight the differences from the GDPR.
Right to information, Art. 25 nDSG
The right to information pursuant to Art. 25 nDSG gives the data subject the right to request information as to whether the controller is processing personal data relating to them. Art. 25 para. 2 nDSG contains a list of minimum information that must be provided to the data subject when requesting information. This minimum information includes:
- The identity and contact details of the controller;
- The processed personal data as such;
- The purpose of the processing;
- The retention period of the personal data or, if this is not possible, the criteria for determining this period;
- The available information on the origin of the personal data, unless it was obtained from the data subject;
- The existence of automated individual decision-making and the logic on which the decision is based;
- The recipients or categories of recipients to whom the personal data is disclosed.
The provision of information in accordance with Art. 25 nDSG is generally free of charge. The person requesting information may only be required to share in the costs in accordance with Art. 19 para. 1 nDSG if the costs are disproportionately high. Art. 19 nDSG provides for both a maximum limit for cost sharing and the obligation to inform the data subject in advance of the cost obligation.
According to Art. 25 para. 7 nDSG, the controller has 30 days to respond to a request for information. If this deadline cannot be met, the controller must inform the data subject of this and give them a new deadline.
Restrictions on the right to information can be found in Art. 26 and Art. 27 nDSG. Art. 26 nDSG sets out general restrictions, while Art. 27 nDSG only applies to the media. In both articles, the controller is given the option of refusing, restricting or postponing information under certain circumstances. Examples of such reasons in Art. 26 nDSG are the protection of professional secrecy pursuant to Art. 26 para. 1 lit. a nDSG and obviously unfounded requests for information pursuant to Art. 26 para. 1 lit. c nDSG.
The right to information under the nDPA is very similar to the right to information under the European General Data Protection Regulation (GDPR). The GDPR also specifies minimum information that must be provided. However, Art. 15 GDPR also requires that the data subject be informed about their rights as a data subject and the existence of a right to lodge a complaint with a supervisory authority (Art. 15 para. 1 lit. e and f GDPR). The GDPR does not require further information on the export of the data. However, in contrast to Art. 15 para. 1 GDPR, the mandatory information to be provided is not exhaustively regulated in the nDSG.
The modalities for providing information are also similar. The GDPR explicitly stipulates that a copy of all processed data should be provided free of charge. Further copies are subject to a fee. If the request was received electronically, the data must be provided in a commonly used electronic format.
Right to data disclosure, Art. 28 para. 1 nDSG
According to Art. 28 para. 1 nDSG, all data subjects have the right to request the disclosure of personal data that has been disclosed to the controller in a commonly used electronic format. However, this does not mean that the controller may no longer process this data. If there is a justification, the controller may continue to process the data. The data subject must assert a claim for erasure of the data separately.
The right to data disclosure exists if two conditions are cumulatively fulfilled: Firstly, in accordance with Art. 28 para. 1 lit. a nDSG, the processing must be automated, and secondly, in accordance with Art. 28 para. 1 lit. b nDSG, it must be based on consent or be directly related to the conclusion or performance of a contract between the controller and the data subject. If the claim is asserted, the controller has 30 days to comply with the disclosure. Similar to the right of access, the data must be released free of charge in accordance with Art. 28 para. 3 nDSG, unless the Federal Council has expressly provided for an exception to this rule.
The right to data disclosure is restricted by Art. 29 nDSG. This refers to Art. 26 nDSG and enables the controller to refuse, restrict or postpone the assertion of the right to disclosure if one of the conditions in Art. 26 para. 1-2 nDSG applies.
The common electronic format is not further specified in the nDSG. Art. 21 para. 1 GDPR states that the format must guarantee transmission with reasonable effort and that the data subject must be able to use the data automatically. Image formats, PDFs and other proprietary formats should therefore not be considered common within the meaning of the nDSG and the DSV. Formats such as HTML, JSON, ODT & ODS should therefore be favoured.
The GDPR does not contain an equivalent regulation.
Right to data portability, Art. 28 para. 2 nDSG
The right to data portability is standardised in Art. 28 para. 2 nDSG. This gives the data subject the right to obtain from the controller the transfer of data to another controller.
The right exists insofar as a right to the release of the data can be assumed and the transfer does not require a disproportionate effort. The existence of a disproportionate effort should only be assumed in exceptional cases. Since Art. 28 para. 1 nDSG already specifies modalities for the disclosure of data, the transfer of this data under the same modalities is not to be regarded as a disproportionate effort. Conversion into a common format will also not constitute such a disproportionate effort. Art. 21 para. 3 GDPR specifies the concept of disproportionate effort and only refers to circumstances in which the transfer of data is not technically possible as disproportionate effort. It is important to note in connection with the assertion of Art. 28 para. 2 nDSG that the controller to whom the data is to be transferred is not legally obliged to offer to receive the transferred data. If the recipient does not offer to do so, the assertion of Art. 28 para. 2 nDSG is void. The same applies to the modalities of assertion as to the right to data disclosure.
The GDPR also provides for a right to data portability in Art. 20 GDPR. However, unlike the right arising from the nDSG, this right cannot be restricted by the controller in its assertion.
Right to rectification, Art. 32 para. 1 nDSG and right to object, Art. 32 para. 3 nDSG
The right to rectification pursuant to Art. 32 para. 1 nDSG grants data subjects the right to demand the rectification of inaccurate personal data. This right to rectification does not apply if a statutory provision prohibits the alteration of personal data or if the personal data is processed for archiving purposes in the public interest. The right to rectification supplements the processing principle and the associated obligations of the processor, in particular the proactive obligation of the processor to ensure that the personal data is accurate and up to date, as standardised in Art. 6 para. 6 nDSG. To determine the inaccuracy of the data, the processing purpose mentioned in Art. 6 para. 5 nDSG must be taken into account and a comprehensive assessment must be made in each individual case. It should be noted that incomplete data can also lead to inaccuracy.
If neither the inaccuracy nor the accuracy of the processed data is proven, the data subject may request that a note of dispute be added in accordance with Art. 32 para. 3 nDPA. Even if, according to the wording of the provision, the “person bringing the action” can request a note of dispute, this does not imply any restriction to a judicial assertion. Only the notification of the note of dispute to third parties and the publication of the judgement must be obtained by means of a lawsuit. In practice, this note is unlikely to have any consequences, either in law or in fact. At most, it has a certain symbolic value.
Art. 16 GDPR sets out the equivalent right to rectification. The GDPR also states that rectification must be carried out without undue delay. In contrast to Art. 32 para. 1 nDSG, Art. 16 GDPR does not provide for any explicit exceptions to the right to rectification. However, the GDPR goes further than the nDSG with regard to the right to object. According to Art. 19 GDPR, the controller must notify all recipients to whom personal data has been disclosed of any rectification or restriction of processing, unless this proves impossible or involves disproportionate effort. The controller shall also inform the data subject about these recipients if the data subject so requests.
No independent right to erasure (“being forgotten”) – possibility of civil law claims pursuant to Art. 28 ZGB, Art. 28a ZGB and Art. 28 g-l ZGB
There is no standardised right to erasure in the nDSG. Instead, recourse is made to general civil law and action can only be taken on the basis of personality rights against (allegedly) unlawful personal data processing that violates personality rights. To this end, the nDPA refers to the civil law actions for the protection of personality rights pursuant to Art. 28 ZGB, Art. 28a ZGB and Art. 28 g-l ZGB. The person affected by the processing of personal data thus has the option of taking civil action against the “person involved in the violation” – i.e. the controller, but also the processor or other auxiliary persons. From Art. 32 para. 2 nDSG in conjunction with Art. 28 ff. ZGB, the following claims can be derived:
- Negative claims
  - Injunctive relief (prohibition of future, imminent, possibly repetitive processing that violates personality rights)
  - Action for removal (removal of current and ongoing/existing processing that violates personality rights)
  - Action for a declaratory judgement (determination of a [completed] infringement that continues or again has a disruptive effect)
- Reparatory claims
  - Damages (monetary compensation for the financial loss caused)
  - Satisfaction (compensation for non-material damage suffered)
  - Disgorgement of profits
- Right of reply
In particular, the court can therefore prohibit certain data processing or order corrective measures such as the deletion or destruction of personal data. It should be noted that the burden of proof in civil proceedings is based on Art. 8 of the Swiss Civil Code, i.e. the person concerned must prove an infringement.
The GDPR, on the other hand, explicitly regulates the right to erasure. Art. 17 GDPR grants data subjects the right to request the immediate erasure of their data if one of the reasons standardised in Art. 17 para. 1 lit. a-f GDPR applies.
Right to object, Art. 30 para. 2 lit. b nDSG
Data subjects have the right to object to the processing of personal data. If personal data is nevertheless processed, the legislator considers the processing to be of sufficient intensity to constitute a violation of personality rights. However, according to Art. 30 para. 2 lit. b nDSG, an “express declaration of intent” by the data subject is required. In addition, the processing of data concerning them can be prohibited without further requirements and without proof of interest on the part of the processor (opt-out principle). However, this violation of personality rights may be justified under certain circumstances in accordance with Art. 31 nDSG. In such cases, the objection does not prevent processing.
A right to object is also provided for in Art. 21 GDPR. This gives data subjects the right to object to the processing of their personal data on grounds relating to their particular situation, unless there are compelling legitimate grounds that take precedence. Processing by the controller must then cease unless the controller can provide compelling legitimate grounds for further processing of the data.
Sources
- Federal Act of 25 September 2020 on Data Protection (Data Protection Act, DPA; AS 2022 491; enters into force on 1 September 2023)
- Regulation (EU) 2016/679 (General Data Protection Regulation; GDPR)
- Bruno Baeriswyl/Kurt Pärli/Dominika Blonski, Stämpflis Handkommentar (SHK) zum Datenschutzgesetz, 2023, 2nd ed.