Legal Bases for Processing of Personal Data
Is an identified legal basis required in order to collect or process non-sensitive personal data?

Last review date: 11 December 2024

No. A legal basis is required only if any principles of data processing are violated and the violation therefore needs to be justified.

The following are potential justifications for processing personal data in violation of personal rights:

☒  the data subject has provided consent to the processing for the identified purposes

☒  the personal data is necessary to perform a contract with the data subject

☒  the personal data is necessary to comply with a legal obligation

☒  the personal data is necessary to protect the vital interests of a natural person

☒  the personal data is necessary for a public interest

☒  the personal data is necessary to fulfil a legitimate interest of the controller or third party (provided that the interest is not overridden by the data subject's privacy interests and the data subject has not made use of his/her right to object)

☒  other

The controller may have an overriding interest in the following cases in particular:

a. The controller processes personal data relating to a contracting party in direct connection with the conclusion or the performance of a contract.

b. The controller is or intends to be in commercial competition with another person and for this purpose processes personal data that are not disclosed to third parties; legal entities that belong to the same group of companies as the controller are not regarded as third parties for the purposes of this provision.

c. The controller processes personal data to verify the creditworthiness of the data subject, provided the following requirements are satisfied:

  1. The matter involves neither sensitive personal data nor high-risk profiling.
  2. The data are only disclosed to third parties if the third parties require the data for the conclusion or the performance of a contract with the data subject.
  3. The data are no more than ten years old.
  4. The data subject has attained the age of majority.

d. The controller processes the personal data professionally and exclusively for publication in the editorial section of a periodically published medium or the controller uses the data, if they are not published, as an aid to their own personal work.

e. The controller processes the personal data for purposes not related to specific persons, in particular for research, planning or statistics, provided the following requirements are satisfied:

  1. The controller anonymizes the data as soon as the purpose of processing permits; if anonymity is impossible or if it requires disproportionate effort, the controller shall take appropriate measures to prevent the identification of the data subject.
  2. If the matter involves sensitive personal data, the controller shall disclose such data to third parties in such a manner that the data subject is not identifiable; if this is not possible, it must be guaranteed that the third parties only process the data for purposes unrelated to the data subject's person.
  3. The results are published in such a manner that data subjects are not identifiable.

f. The controller collects personal data relating to a public figure that relate to that person's public activities.

Is an identified legal basis required in order to collect or process sensitive personal data?

Last review date: 11 December 2024

No

No, but under certain circumstances a legal basis is required (e.g., if sensitive personal data is disclosed to third parties).

Moreover, as with the processing of non-sensitive personal data, justifications are required if the data is processed in violation of personality rights (this is the case, e.g., if sensitive personal data is disclosed to third parties). The justifications are the ones listed above in the "Legal Bases for Processing of Personal Data" section (the only difference is that if the basis is consent, the consent has to be explicit). Moreover, note that certain legislation may require consent for the processing of personal data. This is mainly the case with regard to specific health data (e.g., connected to human research).

☒  the data subject has given consent to the processing, where consent is measured to a higher standard than for non-sensitive personal data (for example, additional requirement for consent to be "explicit") (note that for the processing of non-sensitive personal data the consent does not have to be explicit; this differs from the processing of sensitive personal data based on consent, where the consent always has to be explicit)

☒  other

See introductory section.

Are there special requirements that apply to the collection or processing of personal data from minors?

Last review date: 11 December 2024

No explicit requirements in the FADP.

In what circumstances do these special requirements apply?

Last review date: 11 December 2024

N/A

What are the special requirements that apply to collecting or processing personal data from minors?

Last review date: 11 December 2024

N/A