Personal data: What you should know

MyRight explains which personal data is especially worth protecting and what else you should know on the subject of data.

The answer in detail

What is data?

Data is nothing more than information. Today, we generally mean information that has been saved digitally in binary form so that it can be processed more easily. But data that is available in physical form also falls into this category.
 

What is personal data?

Personal data means information about an identified or identifiable person. Their name, address, or date of birth are examples of such data. A person is identified if their identity can be known directly from the information. For example, a HR file, a data set in a customer file, or a form of ID. A person is identifiable if their identity can be ascertained only by combining the information with other information (without excessive effort). For example, through their name and address. 
 

What applies if a specific person cannot be identified based on the data?

For personal data to fall under the provisions of the Data Protection Act, it must be possible to identify a specific person – with a reasonable amount of effort. If this is not the case or the personal data was anonymized, it is no longer deemed to be personal data within the meaning of the law. This data is thus no longer be protected. 
 

Which types of data are recognized?

A distinction is made between usual personal data and especially sensitive personal data. 
Especially sensitive personal data includes information that allows for conclusions to be drawn about the personal values and views of a person. Statements about their health, their identity within the more narrow sense, or such data that is normally processed by authorities. Examples include data about:

  • Opinions and activities relating to religion, values, politics, or labor unions
  • An individual's health, personal sphere, race or ethnicity 
  • Social assistance measures
  • Data relating to administrative or criminal proceedings or sanctions.

The revised Federal Act on Data Protection, which enters into force on September 1, 2023, will expand the catalog of especially sensitive personal data to include: 

  • Genetic data
  • Biometric data which clearly identifies a natural person
     

Is there anything special to note with regard to especially sensitive personal data?

Yes, such data can only be processed if the person concerned expressly consents to the intended processing.


What does express consent mean in this context and what is meant by processing?

Express consent is presumed if it corresponds to the actual will of the person affected and this person actively carries out the action of granting consent. 

The term “processing” means every type of handling of personal data. However, the law mentions the following terms in particular:

  • Procure 
  • Save
  • Store
  • Use
  • Alter
  • Disclose
  • Archive
  • Delete
  • Destroy
     

What is profiling?

Profiling is the systematic recording of behavioral traits from one or more individuals. These traits are then analyzed and used for targeted advertising measures, for example. However, profiling means only the automated interpretation of data. If this data is interpreted by a person, this is not considered to be profiling within the meaning of the law. 
 

Is there anything else that you should know on the subject of personal data?

Yes, if you process personal data, you must inform the affected person in an appropriate way in advance. This not only applies to the procurement of personal data, but also to the further processing of this data. 
 

What does “inform” mean in this context?

The provision of advance notification by the responsible party serves to ensure that the affected person has been notified of all required information so that they can assert their rights. In other words, it is about transparency. Such “information” must at least include:

  • The identity and contact details of the person responsible
  • The purpose of the processing
  • The recipient of the personal data passed on (if this is the case)


How do you find out whether someone has saved personal data about you and which data they have saved?

If you want to know whether and which data a company has stored on you, you can submit a request for information to the responsible party. By law, each person has the right to find out whether and which of their personal data is saved and/or processed.

To do so, use our template and include a copy of your ID or passport with the request. Many companies now allow for requests to be sent by email or web form. Get information beforehand from the website of the company concerned to find out whether you can submit your request electronically. You can find further information on requests for information in our legal tip.
 

In what form will you receive your data?

The information is generally provided in written form, usually in a standard electronic format or in writing by post. 
 

Do you need to send a copy of your ID or passport if you submit a request for information?

Yes, reliable identification of the person submitting the request must be included. While submitting a copy of your ID is standard, the identification can also be submitted by other means.
 

Does such a request cost anything?

A request for information is generally free of charge. However, there is an exception to the rule. If the provision of information is associated with an excessively high level of effort, the providing party may require the affected person to bear some of the cost. This is the case, for example, if the data has already been converted into an anonymous form, or if research has to be conducted in non-electronic data archives. 
However, in such cases, the cost may not exceed CHF 300. Moreover, you must be informed of the cost in advance.
 

How can you tell if your data has been misused?

There is not a sole moment that indicates data misuse. Rather, this can be noticed in many different ways. For example, a marketing call from abroad may indicate misuse of your data. However, the person calling may legally be in possession of your data. In such cases, you can assert your right to information with the responsible party. The scope of the information provided must include where the data was obtained. 
 

What rights do you have in connection with your personal data?

As the person concerned, you can also request that your data be:

  • Sent to you
  • Transferred to another person
  • Deleted or destroyed completely or partially
  • “Released” for processing only for certain purposes
  • Corrected
  • Not disclosed to other persons    
     

What steps can you take against the misuse of your data.

This depends on what exactly has happened. If someone has come into possession of your data and harasses you with unsolicited calls, you can assert your right to have your data deleted. However, if your data was used to commit a crime, you must absolutely file charges. In such cases, it is a good idea to obtain legal advice. We would be happy to assist you here


If someone has saved your data, is the storage permanent?

No. The law stipulates that the affected person not only has the right to demand information about who has saved their personal data, but also the deletion of all data or parts thereof. 
 

What steps do you need to take if you want to require a company to delete your data?

Deletion can be requested by registered letter. 
 

What if the company you request information from does not respond?

To assert the right to information, a court complaint can be filed against private owners of data collections at the place of residence of the affected person or at the place of residence of the owner of the data collection. The judge will rule in a simplified procedure. We would be happy to assist you here
 

What changes for private individuals with the introduction of the revised Data Protection Act on September 1, 2023?

  • There are no major changes affecting private individuals. Affected persons still have the same rights as before the revision. In addition, transparency on data processing is increased and the rights of affected people strengthened.
  • The new requirements primarily stipulate that companies must increase data security. If you want to know what changes for companies, we recommend reading our legal tip for companies.