Why do you even need a privacy policy on your website? The aim is to ensure that data subjects, or users whose personal data is collected, are informed about the scope and purpose of the data processing. The obligation to provide this information is based on the applicable data protection laws. The Swiss Federal Act on Data Protection (FADP), the revised version of which comes into force on September 1, 2023, and to some extent the European General Data Protection Regulation (GDPR) are particularly relevant to Swiss companies.
Since every company probably processes personal data in one form or another, i.e., information that allows identification of data subjects either alone or in combination with other information, companies should at least have a general privacy policy and make it available on their website. This should provide general information about which processing activities the company carries out both offline (e.g., when processing customer contracts) and online (especially when using the website).
For transparency reasons, however, it may be necessary to draw up additional privacy policies for individual processing activities. If, for example, a company operates an online application platform on its website, it must regularly provide applicants with further information, such as what data is collected, whether this data is disclosed to third parties (such as external recruitment service providers) and for how long the data is retained after the application process has ended. For this specific example, the privacy policy would be posted in the online application portal. However, in reality, such specific privacy policies are often necessary for “offline” data processing operations. For this reason, they are generally not published on the website, but are provided to the persons concerned in some other way (e.g., by posting on a noticeboard or distributing paper copies).
Regardless of whether the privacy policy is general or specific, you will always have to ask yourself the same or at least similar questions when writing it.
Who needs to prepare the privacy policy?
The answer to this question may seem simple at first: anyone who acts as the data controller and processes personal data. The data controller is the company that determines what purposes are to be achieved by data processing and what means are to be used for these purposes – the data controller is thus in the driver’s seat and determines how things are done. For example, your company may be considered a data controller with respect to the data it collects in connection with the operation of your website, since it collects and processes such data, for example, in order to optimize its internet presence or contact visitors to the website.
"Anyone who processes personal data as a data controller must prepare a privacy policy."
The duty to inform also applies if the data processing is transferred to a third party. If your company has outsourced the hosting of the website to an external service provider and the service provider does so exclusively in accordance with the company’s instructions, your company remains the data controller and must continue to inform your website visitors about the data processing associated with their use of the website. To be more precise, you will also need to inform visitors about the fact that the hosting is carried out by a third party on your behalf.
If you’re part of a group of companies, a joint general privacy policy can be created for the entire group, provided that the processing activities are relatively similar (as is usually the case) and the group companies to which the privacy policy applies are clearly indicated. In the case of complex group structures, it may be necessary, in the interests of transparency, to refer to an external overview or a list of group companies which is published on the website, for example.
What needs to be included in the privacy policy?
Both the revised FADP and the GDPR define a specific minimum content for privacy policies, but the scope of information under the GDPR is more comprehensive. Regardless of whether the FADP or both the FADP and the GDPR apply, information must be provided about the identity of the data controller, the categories of personal data (name, contact data, health data, etc.) and the data subjects (customers, employees, suppliers, etc.), the processing purposes (fulfillment of customer contracts, ensuring the functionality of the website, etc.) and any recipients (subcontractors and service providers, insurance companies, partner companies or similar) to whom personal data is disclosed. If the data is transferred abroad, specific information must also be provided about this.
The privacy policy of a Swiss company generally already includes all of this information. However, due to the influence of the EU and also because Swiss companies are covered by the GDPR under certain circumstances, more comprehensive privacy policies are very common here in Switzerland as well. Of course, providing more information than strictly necessary is not against the law. Nevertheless, think carefully about the minimum scope of your privacy policy and only include additional information if you see any added value in it or if you are legally required to do so (especially if your company is subject to the GDPR). This can also make it less time-consuming.
Examples of what a privacy policy covers on a website
If your company has a website, you’ll need to create a privacy policy for it. Even though every website is built differently, of course, and privacy policies therefore differ accordingly in terms of content, there are quite a few features and data processing operations that typically occur and therefore need to be covered on a regular basis:
- If a contact form or a similar contact feature is integrated, users must be informed about what exactly will be done with the data they provide (presumably processing their request and your company contacting them).
- It’s often possible to sign up for a newsletter or similar marketing communication via a submission form on the website, with subscribers providing at least their name and e-mail address. It should be noted here that subscribers must also still be informed of an unsubscribe option. (This is not a requirement of data protection, but of Art. 3 para. 1 letter o of the Swiss Federal Act on Unfair Competition.)
- Even if your website is only informative in nature, in most cases cookies or similar tracking technologies are used in practice, through which, as a minimum, IP addresses or similar “identifiers” are collected, which could contain personal data.
- If third-party services are integrated, such as tracking tools like Google Analytics or social media pixels, information must be provided about which personal data is transmitted to third parties and for what purposes. If data is transferred abroad (which is likely to always be the case), this must also be disclosed. In Switzerland, this will even be explicitly required in the future via the recipient country. For common third-party service providers such as Google, Facebook, Twitter, etc., standard wording can be found on the internet. This wording can be used, but still check it critically and make any necessary adjustments.
What is the best approach?
In principle, there’s no magic formula for writing a privacy policy, regardless of the type of data processing it’s intended to cover. However, for efficiency and cost reasons, it can be quite helpful to rely on existing privacy policies and templates – there’s no need to reinvent the wheel every time. But this doesn’t mean that a company should copy random privacy policies without reading them and use them for its own purposes. Not all published privacy policies comply with the legal requirements, and there’s a risk of not, or not fully, complying with the information obligations under data protection law. This can lead to fines, which are already in effect in the EU and will be coming into effect in Switzerland at the latest with the revised FADP, which comes into force on September 1, 2023.
Complete revision of the FADP
The currently valid Swiss Federal Act on Data Protection (FADP) was completely revised in a legislative and consultation process lasting several years. The new FADP will come into force on September 1, 2023. The aim of the revision was to optimize the FADP in terms of transparency and self-determination (see explanations by the Swiss Federal Office of Justice), as well as to align it to a certain extent with the requirements of the European General Data Protection Regulation (GDPR).
Therefore, make sure that you rely on reputable sources. For example, you could adopt the privacy policy of a company that is affiliated with you and that you know has already undergone a legal review. Or you can use trusted, publicly available templates. A well-known example is the publicly available privacy policy template on the website of the “DSAT Data Privacy Self-Assessment Tool”. The template was prepared by the law firm VISCHER, where the writer of this article works, in cooperation with another renowned Zurich-based law firm and is available in German, English and French. This is a general privacy policy that includes comprehensive wording for standard processing activities, as well as for processing activities related to the operation of a website, covering the information requirements of both the Swiss FADP and the GDPR. The template can be downloaded free of charge by companies and adapted to their specific situation, and is already in use in Switzerland. Hostpoint’s privacy policy is actually based on this template, among others.
However, even if such templates or existing privacy policies are used, adjustments will be unavoidable, as each company has its own organization, as well as its own structures and processes, products and services. In order to find out how your own company’s processing activities are structured, it’s advisable to involve the relevant people from the business; for example, the HR department knows the employee data processing procedures best and knows which data is used for which purposes. It’s up to you whether you ask for the necessary information on processing activities through workshops, questionnaires or individual discussions. Remember that a good privacy policy is always a collaborative effort and never a product of one individual.
Checklist: What do we recommend?
The following tips can reduce the time and effort required to create a privacy policy:
- Consider the processing activities for which your company is responsible under data protection law, which means determining the purpose and means. Only these need to be covered in the privacy policy.
- Check whether your company is (also) covered by the GDPR. If not, your privacy policy can be significantly shorter and more concise.
- Consider carefully in which individual cases a special privacy policy is necessary and cover the majority of your processing activities with your general privacy policy.
- Create a joint general privacy policy for your group company. This allows synergies to be exploited and costs to be shared.
- Involve the relevant people from the respective business units, who can provide you with the necessary information on the processing activities.
- Use templates and examples from reputable sources. A frequently used template can be found on the DSAT website.