The answer to this question may seem simple at first: anyone who acts as the data controller and processes personal data. The data controller is the company that determines what purposes are to be achieved by data processing and what means are to be used for these purposes – the data controller is thus in the driver’s seat and determines how things are done. For example, your company may be considered a data controller with respect to the data it collects in connection with the operation of your website, since it collects and processes such data, for example, in order to optimize its internet presence or contact visitors to the website.
The duty to inform also applies if the data processing is transferred to a third party. If your company has outsourced the hosting of the website to an external service provider and the service provider does so exclusively in accordance with the company’s instructions, your company remains the data controller and must continue to inform your website visitors about the data processing associated with their use of the website. To be more precise, you will also need to inform visitors about the fact that the hosting is carried out by a third party on your behalf.
Both the revised FADP and the GDPR define a specific minimum content for privacy policies, but the scope of information under the GDPR is more comprehensive. Regardless of whether the FADP or both the FADP and the GDPR apply, information must be provided about the identity of the data controller, the categories of personal data (name, contact data, health data, etc.) and the data subjects (customers, employees, suppliers, etc.), the processing purposes (fulfillment of customer contracts, ensuring the functionality of the website, etc.) and any recipients (subcontractors and service providers, insurance companies, partner companies or similar) to whom personal data is disclosed. If the data is transferred abroad, specific information must also be provided about this.
- If a contact form or a similar contact feature is integrated, users must be informed about what exactly will be done with the data they provide (presumably processing their request and your company contacting them).
- It’s often possible to sign up for a newsletter or similar marketing communication via a submission form on the website, with subscribers providing at least their name and e-mail address. Note that subscribers must also be informed of an unsubscribe option. (This is not a requirement of data protection, but of Art. 3 para. 1 letter o of the Swiss Federal Act on Unfair Competition.)
- Even if your website is purely informative in nature, cookies or similar tracking technologies are used in most cases in practice. These collect, as a minimum, IP addresses or similar “identifiers”, which could contain personal data.
- If third-party services are integrated, such as tracking tools like Google Analytics or social media pixels, information must be provided about which personal data is transmitted to third parties and for what purposes. If data is transferred abroad (which is likely to always be the case), this must also be disclosed. In Switzerland, disclosure of the recipient country will even be explicitly required in the future. For common third-party service providers such as Google, Facebook, Twitter, etc., standard wording can be found on the internet. This wording can be used, but check it critically and make any necessary adjustments.
What is the best approach?
Complete revision of the FADP
The currently valid Swiss Federal Act on Data Protection (FADP) was completely revised in a legislative and consultation process lasting several years. The new FADP will come into force on September 1, 2023. The aim of the revision was to optimize the FADP in terms of transparency and self-determination (see explanations by the Swiss Federal Office of Justice), as well as to align it to a certain extent with the requirements of the European General Data Protection Regulation (GDPR).
Checklist: What do we recommend?
- Involve the relevant people from the respective business units, who can provide you with the necessary information on the processing activities.
- Use templates and examples from reputable sources. A frequently used template can be found on the DSAT website.