Data subject rights according to nFADP

Right to information, Art. 25 nFADP

The right to information under Art. 25 nFADP gives the data subject the right to request information about whether the controller is processing personal data about him or her. Art. 25 para. 2 nDSG contains a list of minimum information that must be provided to the data subject when requesting information. This minimum information includes:

• The identity and contact details of the data controller;
• The personal data processed as such;
• The purpose of the processing;
• The retention period of the personal data or, if this is not possible, the criteria for determining this period;
• The available information on the origin of the personal data, insofar as it has not been obtained from the data subject;
• the existence of an automated individual decision, and the logic on which the decision is based;
• the recipients or categories of recipients to whom personal data are disclosed.

The provision of information pursuant to Art. 25 nFADP is generally free of charge. Only in the case of a disproportionately high expense may the person requesting information share in the costs pursuant to Art. 19 para. 1 nFADP. In this context, Art. 19 nFADP provides for both a maximum limit for cost sharing and the obligation to inform the data subject in advance of the cost obligation.

According to Art. 25 para. 7 nFADP, the data controller has 30 days to respond to a request for information. If this deadline cannot be met, the data controller must inform the data subject and notify him or her of a new deadline.

Restrictions on the right to information are found in Art. 26 and Art. 27 nFADP. Art. 26 nFADP imposes general restrictions, while Art. 27 nFADP only applies to the media. In both articles, the person responsible is given the possibility to refuse, limit or postpone information under certain circumstances. An example of such a ground in Art. 26 nFADP is the protection of professional secrecy under Art. 26 para. 1 lit. a nDSG as well as obviously unfounded requests for information under Art. 26 para. 1 lit. c nFADP.

The right to information under the nFADP has strong similarities to the right to information under the European General Data Protection Regulation (GDPR). The GDPR also stipulates minimum information that must be provided. However, Art. 15 GDPR additionally requires that the data subject be informed about the data subject rights to which he or she is entitled and the existence of a right of appeal to a supervisory authority (Art. 15 para. 1 lit. e and f GDPR). The GDPR does not require further information on the export of the data. In contrast to Article 15 (1) of the GDPR, the mandatory information to be provided is not exhaustively regulated in the GDPR.

The modalities for providing information are also similar. The GDPR explicitly stipulates that a copy of all processed data must be provided free of charge. Further copies are subject to a charge. If the request was received electrically, the data must be provided in a common electrical format.

Right to data surrender, Art. 28 para. 1 nFADP

According to Art. 28 para. 1 nFADP, all data subjects have the right to request that personal data disclosed to the data controller be handed over in a common electronic format. However, this does not mean that the data controller may no longer process the data. If there is a justification, the data controller may continue to process the data. The data subject must assert a claim for the deletion of the data separately.

The right to data disclosure exists if two conditions are cumulatively fulfilled: Firstly, according to Art. 28 para. 1 lit. a nFADP, the processing must be automated, and secondly, according to Art. 28 para. 1 lit. b nFADP, it must be carried out on the basis of consent or be directly related to the conclusion or performance of a contract between the data controller and the data subject. If the claim is asserted, the controller has 30 days to comply with the surrender. Similar to the right of access, the data must be released free of charge according to Art. 28 para. 3 nFADP, unless the Federal Council has expressly provided for an exception to this rule.

The right to data surrender is restricted by Art. 29 nFADP. This refers to Art. 26 nFADP and enables the data controller to refuse, restrict or postpone the assertion of the claim for surrender if one of the conditions from Art. 26 para. 1-2 nFADP is relevant.

The common electronic format is not further specified in the nFADP. Art. 21 para. 1 FADP states that the format must guarantee transmission with a proportionate effort and that the data subject must be able to use the data automatically. Image formats, PDFs and other proprietary formats should not be considered common within the meaning of the FADP and the GDPR. Formats such as HTML, JSON, ODT & ODS should therefore be preferred.

The GDPR does not contain an equivalent regulation.

Right to data transmission, Art. 28 (2) nFADP

The right to data transfer is standardised in Art. 28 para. 2 nFADP. This grants the data subject the right to request the data controller to transfer the data to another controller.

The right exists insofar as a claim to the surrender of the data can be assumed and the transfer does not require disproportionate effort. The existence of a disproportionate effort can only be assumed in exceptional cases. Since Art. 28 para. 1 nFADP already stipulates modalities for the release of data, the transfer of this data under the same modalities is not to be regarded as a disproportionate effort. The conversion into a common format will also not constitute such a disproportionate effort. Art. 21 para. 3 DPA concretises the concept of disproportionate effort and designates as disproportionate effort only those circumstances in which a transfer of the data is technically not possible. It is important to note in connection with the assertion of Art. 28 Para. 2 nFADP that the controller to whom the data is to be transferred is not legally obliged to offer the receipt of transferred data. If the recipient does not offer this, an assertion of Art. 28 (2) nFADP runs empty. The same applies to the modalities of assertion as to the right to data disclosure.

The GDPR also provides for a right to data transfer in Art. 20 GDPR. However, unlike the right flowing from the nFADP, this right cannot be restricted by the controller in its assertion.

Right to rectification, Art. 32 para. 1 nFADP as well as notice of dispute, Art. 32 para. 3 nFADP

The right to rectification pursuant to Art. 32 para. 1 nFADP grants data subjects the right to demand the rectification of inaccurate personal data. This right to rectification does not exist insofar as a legal provision prohibits the modification of personal data or the personal data is processed for archiving purposes in the public interest. The right to rectification supplements the processing principle and the associated duties of the data processors, in particular the proactive duty of the data processors to ensure that the personal data are accurate and up to date, as standardised in Art. 6 para. 6 nFADP. In order to determine the inaccuracy of the data, the processing purpose mentioned in Art. 6 para. 5 nFADP must be taken into account and a comprehensive weighing of the individual case must take place. It must be taken into account that the incompleteness of the data may also lead to inaccuracy.

If neither the inaccuracy nor the accuracy of the processed data is proven, the data subject may request a note of denial pursuant to Art. 32 para. 3 nFADP. Even if, according to the wording of the provision, the notice of denial can be demanded by the “claimant”, this does not mean a restriction to a judicial assertion. Only the notification of the notice of dispute to third parties and the publication of the judgment must be obtained by means of an action. In practice, this note probably has no consequences, neither legal nor factual. At most, it has a certain symbolic value.

Article 16 of the GDPR stipulates the equivalent right to rectification. The GDPR further states that the rectification must be made without undue delay (“without undue delay”). In contrast to Art. 32 (1) nFADP, Art. 16 GDPR does not provide for explicit exceptions to the right of rectification. However, the GDPR goes further than the GDPR with regard to the notice of objection. According to Art. 19 DPA, the controller shall notify all recipients to whom personal data have been disclosed of any rectification or restriction of processing, unless this proves impossible or involves a disproportionate effort. The controller shall also inform the data subject of those recipients if the data subject so requests.

No independent right to erasure (“being forgotten”) – possibility of civil law claims under Art. 28 CC, Art. 28a CC and Art. Art. 28 g-l CC

There is no right to deletion standardised in the nFADP. Instead, general civil law is used and action can only be taken against (allegedly) unlawful personal data processing on the basis of personal rights. For this purpose, the NDSL refers, within the framework of the right of rectification in Art. 32 para. 2, to the civil law actions for the protection of personality rights pursuant to Art. 28 CC, Art. 28a CC and Art. 28 g-l CC. Art. 28 g-l CC. The person affected by the processing of personal data thus has the possibility to take civil action against the “person involved in the infringement” – i.e. the person responsible, but also the processor or other auxiliary persons. From Art. 32 para. 2 nFADP in conjunction with Art. 28 ff. Art. 28 ff. CC, the following claims can be derived:

• Negatory claims
  • Injunctive relief (prohibition of future, threatened, possibly repeated processing that violates personality rights)
  • Action for removal (removal of current and ongoing/existing processing that violates personality rights)
  • Declaratory action (establishment of an [completed] infringement which continues or repeats to have a disturbing effect)
• Reparatory claims
  • Damages (monetary compensation for the pecuniary loss caused)
  • Satisfaction (compensation for immaterial harm suffered)
• Disgorgement of profits
• Right of reply

In particular, the court can prohibit certain data processing or order corrective measures such as the deletion or destruction of personal data. It must be taken into account that the burden of proof in civil proceedings is based on Art. 8 of the Civil Code, i.e. the person concerned must prove a violation.

In contrast, the right to erasure is explicitly regulated in the GDPR. Article 17 of the GDPR grants data subjects the right to demand the immediate deletion of their data if one of the grounds set out in Article 17(1)(a-f) of the GDPR applies.

Right of objection, Art. 30 Para. 2 lit. b nFADP

Data subjects have the right to object to the processing of personal data. If personal data is nevertheless processed, the legislator considers this to be of sufficient intensity to constitute a violation of personality rights. However, according to Art. 30 para. 2 lit. b nFADP, an “explicit declaration of intent” by the person concerned is required. In addition, the processing of data concerning them can be prohibited to the processor without further requirements and without proof of interest (opt-out principle). However, this violation of personality may be justified under certain circumstances according to Art. 31 nFADP. In such cases, the objection does not prevent processing.

A right of objection is also provided for in Art. 21 DPA. This gives data subjects the right to object to the processing of their personal data on grounds relating to their particular situation, unless there are compelling legitimate grounds which take precedence. Processing by the controller must then cease, unless the controller, for its part, can show compelling legitimate grounds which require the data to be further processed.

Sources

• Federal Act of 25 September 2020 on Data Protection (Data Protection Act, DPA; AS 2022 491; comes into force on 1 September 2023)
• Regulation (EU) 2016/679 (General Data Protection Regulation; GDPR)
• Bruno Baeriswyl/Kurt Pärli/Dominika Blonski, Stämpflis Handkommentar (SHK) zum Datenschutzgesetz, 2023, 2nd ed.