
Two recent criminal cases from Geneva and Zurich show that enforcement of the new Data Protection Act in Switzerland is becoming stricter, and that breaches of the Act’s data protection provisions may also result in criminal sanctions. Whilst the Geneva High Court clarified the limits of criminal liability for data security breaches in its judgment ACPR/239/2025 of 26 March, the Zurich City Magistrates’ Court, in penalty order No. 2023-066-252 of 10 June 2024 – as far as can be ascertained, for the first time – imposed a fine for failing to provide sufficient information. These decisions demonstrate that the criminal law provisions of the DSG can indeed be highly relevant in practice.

With the revised Data Protection Act (DSG) coming into force on 1 September 2023, Switzerland has fundamentally reformed its data protection regulations. In addition to aligning the content of the legislation more closely with European standards, enforcement mechanisms have been strengthened in particular, including the penal provisions in Chapter 8 of the DSG: Article 60 of the DSG provides for criminal sanctions in the event of intentional breaches of key data protection obligations. These include, amongst other things, the duty to provide information and the duty to disclose data, as well as the duty to safeguard personal data. Violations may result (upon application) in a fine of up to 250,000 Swiss francs.

Unlike the EU’s General Data Protection Regulation (GDPR), which can also impose heavy fines on companies, the penal provisions of the DSG are primarily directed at natural persons. The law thus focuses on individual responsibility, for example that of data protection officers or members of the executive board. Nevertheless, this focus on individuals also has an impact at company level: internal responsibilities must be clearly defined, compliance structures expanded and documented processes established.

Two recent cases from Geneva and Zurich illustrate how the penal provisions of the DSG can have concrete practical significance.

Legal background: Focus on Article 60 of the DSG

Article 60 of the DSG imposes sanctions for intentional breaches of core data protection obligations. These include, in particular:

  • Duty to inform data subjects (Art. 19 DSG)
  • Duty to provide information in response to access requests (Art. 25 DSG)
  • Data security (Art. 8 DSG)
  • Obligations to report to and cooperate with the authorities (Art. 49(3) DSG)

Only intentional conduct is punishable under Article 60 of the DSG, whereby conditional intent is sufficient. Negligence, on the other hand, is not covered by the offence under Article 60 of the DSG. The decisive factor is therefore whether the infringing act was committed knowingly and intentionally, or was at least considered a possibility and accepted with approval. This subjective limitation contributes to legal certainty but sets the threshold for criminal liability high – particularly in the case of technical measures such as firewalls, access controls or encryption solutions.

By contrast, the threshold for criminal liability in the area of data subjects’ rights, namely the duty to provide information, is significantly lower: even contradictory or incomplete information may be regarded as an intentional breach if it is not based on a comprehensible misunderstanding. Case law therefore imposes high standards of transparency and accuracy of content.

Geneva case: No criminal liability for organisational shortcomings

In its judgment with case number ACPR/239/2025 of 26 March 2025, the Cour de Justice de Genève (High Court) ruled on the admissibility of a decision by the Public Prosecutor’s Office of the Canton of Geneva (Ministère public de la République et canton de Genève). The case arose from the following facts: An employee in the accounts department of a clinic had access to medical data and had unlawfully accessed the patient records of a fellow student who was receiving psychiatric treatment at the clinic in question. This access took place even though she did not have explicit authorisation for the query in question. The complainant’s criminal complaint specifically highlighted the alleged lack of an identity and access management system – a key tool for restricting access.

The Geneva Public Prosecutor’s Office ordered that the criminal investigation be discontinued (despite the fact that it was later established that the employee had accessed her fellow student’s medical records for around 30 seconds). The Geneva High Court upheld this decision on the grounds that, whilst there had indeed been organisational shortcomings in the clinic’s system, these had not crossed the threshold of an ‘obvious breach’ of data security. In view of the strict principle of legality in criminal law (nullum crimen, nulla poena sine lege, Art. 1 of the Swiss Criminal Code), the Geneva High Court held that only clear-cut and serious cases would fall under Art. 61(c) of the Data Protection Act. Ultimately, the Geneva High Court dismissed the appeal lodged against the decision not to proceed. The Geneva High Court’s reasoning makes it clear that technical or organisational shortcomings relating to data security only constitute a criminal offence if they are serious and obvious, and that intent must also be proven. Companies thus benefit from a certain degree of leeway when implementing statutory data protection requirements in a reasonable manner.

Zurich case: Fine for providing incorrect information on data origin

In the second case from Zurich, in October 2024 the City Magistrates’ Court of Zurich ordered the data controller of an email marketing company to pay a total of CHF 450.00 for an intentional breach of the Data Protection Act (failure to comply with disclosure obligations) (a fine of CHF 200.00 and CHF 250.00 to cover the costs and fees for issuing the penalty order). In connection with unsolicited advertising emails, the data subject had requested information from the sender as to where her data had come from and why she had received advertising messages. The response stated that the data came from an external provider – which, however, turned out to be incorrect.

The Zurich authorities regarded this false statement as deliberate misrepresentation and thus as a criminal breach of the duty to provide information under Article 60 of the DSG. Particularly noteworthy: the offence was deemed to have been committed not only in the event of a complete refusal to provide information, but also in the case of a response that was factually incorrect.

In practice, this means that companies must respond to requests for information not only formally within the prescribed time limit, but also correctly in substance. Conjecture or mere standard phrases without a verifiable basis also entail criminal law risks – as the decision of the City Magistrates’ Court of Zurich makes very clear. The penalty order issued by the City Magistrates’ Court of Zurich thus sends a clear signal and is likely to prompt many companies to tighten up their internal processes when dealing with requests for information.

Conclusion and recommendations for action

The two decisions from Geneva and Zurich provide important building blocks for the practical interpretation of the revised Data Protection Act (in particular the penal provisions of the DPA). They make it clear that, whilst the new Article 60 of the Data Protection Act (in the chapter on penal provisions) is applied in a targeted and restrained manner, it nevertheless has a significant impact on companies’ organisational obligations. The Zurich case in particular emphasises that even seemingly minor errors – such as incorrect or inaccurate information – can be relevant under criminal law, provided that intent in this regard is proven.

These two rulings establish a nuanced enforcement framework: Whilst criminal liability in relation to data security measures only arises in the event of clear and serious breaches of duty, a significantly stricter line is taken in the area of data subjects’ rights. Anyone providing information must ensure that their response is factually correct, comprehensible and timely. At the same time, the requirement of intent serves as an important safeguard against overreactions and the over-extension of criminal liability – particularly in complex or ambiguous technical situations.

For companies, however, this is by no means a green light; rather, it is a clear call to action: Data protection must be understood as an integral part of corporate governance, taking into account potential criminal law consequences, and managed accordingly. The days of purely formal or piecemeal data protection efforts are over – what is required is a comprehensive, risk-based data protection management system (DPMS).

Overview of recommended measures:

  • Define clear internal responsibilities: Who within the company is responsible for providing information? Who checks whether the information provided is accurate and complete? These questions must be clearly answered within the company’s organisational structure – ideally documented in writing.
  • Establish reliable processes: Standardised yet substantively robust procedures are needed for handling data subjects’ requests, particularly with regard to deadlines, verification steps and documentation. Tools or templates must not be ‘black boxes’.
  • Train and raise awareness amongst staff: Data protection must not be left solely to legal specialists. Staff in marketing, customer service or HR, in particular, must know how to handle requests for information or data erasure – and where their limits lie.
  • Regularly review technical and organisational measures: Existing security measures should be regularly reviewed to ensure they are appropriate and up to date. External audits or penetration tests can provide valuable insights in this regard.
  • Communicate on the basis of facts: Information provided to data subjects must never be speculative. Companies should only disclose information that can be substantiated and verified internally. Unclear circumstances must be openly acknowledged – not glossed over.
  • Monitor interfaces with external service providers: Anyone working with data processors or technical subcontractors must ensure that these parties document their activities correctly and communicate transparently. Here, too, the reputational and criminal liability risks should not be underestimated.

In the long term, it is likely that the criminal liability of legal persons – for example under Art. 102 of the Swiss Criminal Code – will also gain in significance in data protection practice. With the rulings discussed, the judiciary has sent a clear signal: data protection breaches are not trivial matters, but may, under certain circumstances, also entail (criminal) legal risks. Companies are therefore well advised to further develop not only their policies but also their culture regarding the handling of personal data – ensuring it is transparent, verifiable and legally sound.
