General legal sources
If someone is processing personal data, data protection law applies. However, the question arises as to which data protection law applies.
As a contracting state, Switzerland is subject to the overarching Council of Europe Convention 108 or – in its modernized version – the Council of Europe Convention 108+. Once ratified, the requirements of Convention 108+ apply to both the federal government and the cantons. The second legal framework is formed by EU legislation. Switzerland is not a member of the European Union, but due to the signing and ratification of the Schengen Association Agreement, EU Directive 2016/680 applies to public institutions in the areas of police and judicial cooperation.
Furthermore, there is the famous General Data Protection Regulation 2016/679 (GDPR). It does not apply directly to public authorities and companies in Switzerland, but because the EU Commission has to decide whether Switzerland has an appropriate level of data protection, the standard of the GDPR regulations must be taken into account. Additionally, the GDPR does apply directly to Swiss companies or public authorities in some cases, namely if they meet one of the following criteria:
- They have a location in an EU country.
- They offer goods or services to persons in the EU.
- They monitor the behavior of persons in the EU.
What applies in Switzerland?
And then we come to the question of what applies in Switzerland. The federal government is responsible for creating laws where corresponding legislative powers are granted by the Swiss Constitution. An application for powers to govern data protection was made, but was rejected in the National Council in 1977. Therefore, the federal government still has no comprehensive legislative powers in the area of data protection. It is only responsible for such legislation where it can derive legislative powers from another constitutional provision.
Firstly, this is the case in civil law and civil procedure law. This is why the federal government may regulate data processing for private individuals. Secondly, the federal government is responsible for regulating data processing wherever it has constitutionally assigned duties. If it is allowed to regulate social welfare (e.g. OASI or DI), then this also includes the rules for data processing by social welfare agencies. As a result, the federal government can regulate these two areas: data processing by federal institutions and data processing by private entities (individuals/private companies).
The federal government has done this by enacting the Federal Act on Data Protection.
The cantons are responsible for all other areas. The cantons may/must enact their own data protection laws for data processing by their cantonal and communal public institutions. At first glance, this may sound like a federalist jumble of laws. However, Switzerland’s association with Schengen has ensured that these regulations have been fairly harmonised in the area of public law.
Different laws – depending on who is processing the data
To summarize, the person or entity performing the data processing determines which data protection law is applicable. If private individuals or federal institutions are processing personal data, the Federal Act on Data Protection applies to them. If cantonal or communal public institutions are processing personal data, the respective data protection act or information and data protection act of their canton applies. In other words, for you, as employees of a public authority or public institution of the Canton of Basel-Stadt such as the university, the Information and Data Protection Act of the Canton of Basel-Stadt (IDG) always applies.
But does the IDG provide an answer as to whether a particular data processor is allowed to collect, transmit etc. personal data? You will find out in the next chapter.
University of Basel