Switzerland - Right of access: a key element of data protection

The New Federal Act on Data Protection (nFADP) has introduced a whole series of obligations for data controllers aimed at improving the transparency of processing and increasing the sense of accountability. At the same time, it has strengthened the self-determination of data subjects, and more precisely their informational self-determination, by giving individuals greater control over the data concerning them and, if necessary, allowing them to request that measures be taken in the event of a breach. In other words, data subjects have the right to be informed about any activity involving the collection of their personal data and, above all, the right to access this data. The right of access to personal data is the key element of data protection, as it allows data subjects to effectively exercise the other rights enshrined in the Federal Act on Data Protection, both in its current and revised versions, and in particular:

  • The right to know whom to contact (Art. 10 para. 3 lit. d nFADP concerning the Data Protection Advisor (or Data Protection Officer) and Art. 14 para. 3 nFADP concerning the Data Protection Representative in Switzerland) and the right to know whether a decision taken was based solely on automated processing (Art. 21 para. 1);
  • The right to object to processing (opt out). Although it is not a right expressly provided for in the regulations (FADP and nFADP), the latter derives from informational self-determination;
  • The right to rectify inaccurate data (Art. 5 para. 2 FADP, Art. 32 para. 1 nFADP);
  • The right of cancellation (Art. 12 para. 2 FADP, Art. 32 para. 2 (c) nFADP);
  • The right not to be subject to automated decision-making, a right introduced by the nFADP (Art. 21 para. 2 nFADP);
  • The right to have data delivered or to require their transmission to third parties, the so-called right of portability, introduced by the nFADP (Art. 28 nFADP).
None of these rights is absolute: for each right granted, the legislator has provided for cases of restriction, both in the current version of the Data Protection Act and in the new one.


The right of access between extension and limitation

The right of access is first and foremost a right that entitles the data subject to know whether their data is being processed (Art. 8 para. 1 FADP - Art. 25 para. 1 nFADP), how the processing is being carried out, and secondly, to have a copy of the information that the data controller has on them. 

This right is a strictly personal right that cannot be waived in advance (Art. 8 para. 6 FADP - Art. 25 para. 5 nFADP). Therefore, any person capable of discernment (e.g. a minor) can and must exercise this right themselves, without having to seek the consent of their legal representative.

In both versions, FADP and nFADP, the information must be provided in writing and in principle free of charge. There is a 30-day time limit for the provision of information, which may be extended if the collection of the information and related data requires more time; the information can also possibly be provided in a staggered manner.
The list of information to be provided in the event of a data subject's request for access is laid down in both the current (Art. 8(2)(a) and (b) FADP) and the revised (Art. 25(2)(a) to (g) nFADP) legislation. With the new text, the list of minimum information to be disclosed has been considerably extended and broadly corresponds to that provided for in European law (Art. 15 para. of the GDPR).

Although the right of access is the key element for data protection, like the other rights, it is not absolute. Restrictions have been provided for by the legislator in both the FADP and the nFADP (Art. 9 FADP and Art. 26 nFADP respectively), and have been extended especially in the text of the nFADP to limit the abusive use observed over the years [1].

Indeed, in its case-law, the Federal Supreme Court (FSC) has emphasised that a request for access (Art. 8 FADP) should be considered abusive when it is intended exclusively to gather evidence in view of a civil action (see two decisions of the FSC: ATF 138 III 425 and ATF 141 III 119) [2]. In these two judgments, the FSC had denied the abusive character of the request for access. It was only with the judgment 4A_277/2020 of 18.11.2020 [3] that the FSC for the first time considered the abusive nature of a particular request in connection with a commercial dispute by also referring to the wording of the nFADP, and in particular to the fact that the data subject must be provided with the information necessary to enable him to assert his rights under the FADP and that transparent data processing is guaranteed (Art. 25 para. 2 nFADP).

The exercise of the right of access has also been discussed at European level. In this respect, reference is made to the recent judgment of the Court of Justice of the European Union (CJEU) of 12 January 2023 [4], which held that the right of access allows data subjects to request from the controller information concerning the identity of the recipients to whom the data is or has been disclosed. In this judgment, the CJEU recalled that the right of access is a necessary right to enable data subjects to assert their other rights under the FADP, as it allows them to verify not only that the personal data concerning them is correct but also that it is being processed lawfully.

Even if this ruling is not binding on Switzerland, with the exception of the extraterritorial application of the GDPR (theory of effects), the Federal Data Protection and Information Commissioner (FDPIC) could adopt the same interpretation since the objective of the nFADP is to improve the transparency of the processing of personal data and the self-determination of the data subjects. In this regard, it will be interesting to see whether the criminal sanction provided for in Section 60(1)(a) of the nFADP will be applied to a data controller who does not provide the identity of the data recipients at the request of the data subject, as this could be regarded as intentional provision of incomplete information.

Conclusion

As far as the rights of data subjects are concerned, the provisions of both the current and the revised legislation are comparable. The decisive element of the text of the nFADP is the self-determination of the persons concerned and in particular informational self-determination.

Every processing activity must be preceded by an information notice, which must contain a minimum amount of information predefined by law and from which no exceptions may be made. Whoever processes personal data must do so in a transparent manner and must be able, at the request of the data subject, to provide him/her with all the information necessary to check that the processing is carried out in accordance with the processing principles laid down in the Federal Act on Data Protection. In the event of an infringement, the data subject may request that the measures provided for in the Federal Act on Data Protection be taken, which provide for both criminal sanctions (Art. 34 para. 1 lit. a) and b) FADP - Art. 60 para. 1 lit. a) and b) nFADP) and administrative sanctions (Art. 51 nFADP) as well as the possibility of civil action under Art. 28 ff CC (Art. 15 FADP - Art. 32 para. 2 nFADP).

 
 


This article is edited by Isabel Costa, Vice Director and Privacy Manager of Fidinam & Partners.
 
 
 

  1. The controller may refuse to provide information, or restrict or delay the provision of information, if the request for information is obviously unjustified, in particular if it does not serve the purpose of data protection or is clearly frivolous (Art. 26 para. 1 lit. c).
  2. The text of the judgment ATF 138 III 425 can be found at the following link:
    https://www.bger.ch/ext/eurospider/live/fr/php/aza/http/index.php?lang=fr&type=show_document&page=1&from_date=&to_date=&sort=relevance&insertion_date=&top_subcollection_aza=all&query_words=&rank=0&highlight_docid=atf%3A%2F%2F138-III-425%3Afr&number_of_ranks=0&azaclir=clir
  3. The text of the judgment can be consulted at the following link:
    https://www.bger.ch/ext/eurospider/live/it/php/aza/http/index.php?highlight_docid=aza%3A%2F%2F18-11-2020-4A_277-2020&lang=it&type=show_document&zoom=YES&
  4. The text of the CJEU judgment can be found at the following link:
    https://curia.europa.eu/juris/document/document.jsf?text=&docid=269146&pageIndex=0&doclang=FR&mode=lst&dir=&occ=first&part=1&cid=1986127

 
