5054/99/final

WP 22

Adopted 7 June 1999

The Working Party[1] was informed that the European Commission is drafting a proposal for a Decision based on Article 25(6) of Directive 95/46/EC, stating that, by reason of its domestic law, Switzerland ensures an adequate level of protection within the meaning of Article 25(2) of the aforementioned Directive.

With a view to drawing up an opinion for the European Commission, assisted by the Committee set up under Article 31 of Directive 95/46/EC, the Working Party has carried out an analysis of the data protection rules applied in Switzerland[2].

In this regard, a distinction must be made between the legislative situation at federal level (which is governed by the Law on Data Protection of 19 June 1992, as subsequently amended and supplemented by the ruling of the Swiss Federal Council of 14 June 1993) and the existing situation in each of the cantons.

Given the division of powers between the Confederation and the cantons, the Federal Law applies to the processing of personal data by the entire Swiss private sector and by the federal public authorities. The cantonal provisions, on the other hand, govern the processing of personal data by public sector bodies at canton or commune level. The cantons are responsible, for instance, for processing in the following sectors: policing, education, health and in particular public hospitals. In the interests of completeness, it should be pointed out that the cantons are also responsible for processing certain types of personal data in accordance with federal law, for example for the purposes of federal tax collection.

Before examining the federal and cantonal legislation, it should be pointed out that such legislation should be in line with:

1.- the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention No 108), which was ratified by Switzerland on 2 October 1997 and which, while not directly applicable, establishes international commitments for both the Federation and the cantons;

2. - the Federal Constitution (amended by referendum on 18 April last), as interpreted in the case law of the Federal Supreme Court. It should be pointed out that the amended Constitution gives every person the right to privacy and, in particular, the right to be protected against the misuse of data concerning them (Article 13 on the protection of the private sphere).

1. The Working Party is of the opinion that the Federal Data Protection Law ensures an adequate level of protection.

On 24 July 1998, the Working Party adopted a working document on transfers of personal data to third countries[3] which explains the requirements of Directive 95/46/EC and lists the concrete factors which should be taken into account when assessing whether or not there is an adequate level of protection. Examination of the table of comparison between the requirements of the Directive and the provisions of the Federal Law[4] shows that the Federal Law, which covers both automatic and manual data processing, contains all of the principles listed in the working document, including the principles on the protection of individuals and the mechanisms intended to ensure that the basic principles are applied effectively.

However, further explanation of the principle of transparency and the protection of sensitive data is required.

The principle of transparency is explicitly provided for in the specific case of systematic data collection by federal bodies. In a general sense, however, this principle is covered by the rule of good faith contained in the second paragraph of Article 4 of the Law [5]

The Law does not of course provide for a ban on the processing of sensitive data, but lays down specific provisions regarding the processing of such data and on personality profiles, which are subject to the same protection rules. Article 17 lays down that federal bodies can only process such data if there is a law specifically providing for such processing, or if, by way of exception, a task specified in a law makes it an absolute requirement, if the Federal Council has authorised it, or if the individual has consented to it or has made the data public. With regard to the private sector, Article 13(1) makes the processing of all data subject to the person's consent, to the overriding public or private interest or to official authorisation, while Article 12 prohibits the transfer of sensitive data to third parties, unless there are sound reasons to justify such action. Finally, Article 35 of the Law consolidates the protection of sensitive data by providing for criminal penalties against any person who violates the requirement of discretion by illegally disclosing such data.

2. The situation at cantonal level is more difficult to assess.[6]

However, following a study carried out at the Commission's request[7], which focuses on the legislation in several cantons in particular and draws on information provided by the Federal Commissioner, the following factors have emerged:

- some types of data processing are subject to specific confidentiality rules: the processing of medical data in public hospitals, for example, is governed by medical confidentiality.

In conclusion, the Working Party recommends that the Commission and the Committee set up under Article 31 of Directive 95/46/EC should conclude that Switzerland ensures an adequate level of protection within the meaning of Article 25(6) of the Directive.

Done at Brussels, 7 June 1999.

For the Working Party

Peter Hustinx

Chairman

[1] Set up in accordance with Article 29 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23 November 1995, p. 31 Available on the following website: http://www.europa.eu.int/comm/dg15/en/media/dataprot/index.htm.

[2] In order to obtain more specific information on certain points, the Chairman of the Working Party sent a letter to the Federal Data Protection Commissioner on 15 March 1999, who replied on 24 March 1999. There have also been informal contacts between the secretariat of the Working Party and the Federal Commissioner.

[3] Available on the website given in footnote 1.

[4] Document 5007/99, available from the European Commission: Directorate-General XV "Internal Market and financial services", Unit E1 "Free movement of information and data protection", Rue de la Loi 200, B-1049 Brussels.

[5] This interpretation was confirmed by the Federal Commissioner in informal contacts with the Working Party's secretariat.

[6] It emerges that, of the 26 cantons in the Confederation:

- 17 have adopted data protection legislation (...), and three of these have inserted a data protection provision into their cantonal constitution;

- four have adopted government directives, two of these have also inserted a provision into their cantonal constitution, and a third has prepared a draft law;

- the remaining cantons have no specific cantonal legislation (three of them are preparing a draft law).

[7] Available from the European Commission (see address given in footnote 4 above).