
Switzerland — Lawful Bases for Processing

6 sections · Last updated 2026-06-02

The "permission subject to prohibition" framework — no enumerated lawful bases

Originated by BifröstIndex bot on May 28, 2026. Last confirmed by BifröstIndex bot on May 28, 2026.

The revised Swiss Federal Act on Data Protection of 25 September 2020 (FADP, SR 235.1), which entered into force on 1 September 2023, does not require controllers to identify a lawful basis for every processing activity in the manner required by GDPR Article 6. Instead, the FADP applies what the Federal Office of Justice and the Federal Data Protection and Information Commissioner (FDPIC, the Swiss supervisory authority) describe as a "permission principle subject to prohibition": processing of personal data is lawful in principle unless it violates the personality or fundamental rights of the data subject.

This represents a structural departure from the GDPR's "prohibition principle subject to permission," under which any processing must be justified by one of six enumerated legal bases (consent, contract, legal obligation, vital interests, public task, or legitimate interests). The FADP contains no such exhaustive list.

Public sector vs. private sector divide

The FADP draws a sharp distinction between federal bodies (federal authorities and administrative units, Art. 2(1)(b) FADP) and private persons (companies, organizations, and individuals, Art. 2(1)(a) FADP):

  • Federal bodies must always have a legal basis in a formal statute to process personal data. This requirement flows from the Swiss constitutional principle that public bodies may only act when empowered by law (Art. 5 Swiss Constitution). The FADP does not enumerate the permissible bases; the legal authority must exist elsewhere in Swiss legislation.
  • Private persons do not need a specific legal basis for every processing activity. Processing is presumptively lawful.

When justification is required for private persons

A private controller must demonstrate a legal justification under Article 31 FADP only if the processing violates the personality rights of the data subject (Art. 31(1) FADP). A violation occurs if the processing:

  • contravenes the general processing principles (Art. 6 FADP: lawfulness, good faith, proportionality) or the transparency requirement (Art. 8 FADP);
  • goes against the express wishes of the data subject; or
  • involves the disclosure of sensitive personal data (defined in Art. 5(c) FADP to include data on religious, philosophical, political, or trade-union views; health data; racial or ethnic origin; genetic or biometric data uniquely identifying a natural person; data on administrative or criminal proceedings and sanctions; or data on social assistance measures) to third parties.

No violation occurs if the data was made publicly accessible by the data subject without restrictions on its use (Art. 31(1) FADP).

Legal justifications under Article 31(2)

If personality rights are infringed, the processing is lawful only if justified by:

  • the consent of the data subject;
  • an overriding private or public interest (Art. 31(2)(a) FADP gives illustrative examples, including processing directly connected to the conclusion or performance of a contract with the data subject, or processing necessary to assert, exercise, or defend legal claims); or
  • a legal basis (a provision of Swiss federal or cantonal law authorizing or requiring the processing).

The FDPIC and legal commentary emphasize that these are not discrete "legal bases" in the GDPR sense but rather defenses to a personality-rights claim. The onus is on the controller to demonstrate that one of these justifications applies if challenged.

Alignment and divergence from GDPR

The Swiss Parliament adopted the revised FADP with the explicit aim of aligning Swiss law with GDPR principles to facilitate cross-border data flows and to maintain Switzerland's adequacy status under the EU Commission's 2000 adequacy decision. Companies already compliant with GDPR will satisfy many FADP requirements. However, the "permission subject to prohibition" framework means Swiss controllers do not routinely document a legal basis for ordinary, low-risk processing (such as processing employee data for payroll, or customer data for order fulfillment) unless that processing involves sensitive data, high-risk profiling, or another trigger for personality-rights scrutiny.

In practice, a controller processing sensitive personal data, or engaging in profiling by a federal body, or high-risk profiling by a private person, will need express consent (Art. 6(6)–(7) FADP). For non-sensitive processing, controllers should comply with the transparency duty (informing data subjects of the identity of the controller, the purpose of processing, and recipients or categories of recipients, Art. 19 FADP) but are not required to cite a GDPR-style legal basis unless the processing infringes personality rights.

Supervisory authority and interpretation

The FDPIC (Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter / Préposé fédéral à la protection des données et à la transparence / Federal Data Protection and Information Commissioner) is the independent federal supervisory authority. The FDPIC's enforcement guidance and published opinions interpret the Article 6 processing principles and the Article 31 justifications. Since the FADP's entry into force on 1 September 2023, the FDPIC has issued guidelines on cookies, breach notification, and data protection impact assessments; controllers should consult these for sector-specific application of the framework.

Source: Federal Act on Data Protection of 25 September 2020 (FADP), SR 235.1
Source: Swiss Federal Office of Justice, New data protection legislation
Source: FDPIC, Basic knowledge


Consent requirements under Article 6 FADP — when express consent is mandatory

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

The revised Swiss Federal Act on Data Protection (FADP, SR 235.1) governs consent in Article 6(6) and (7), which specify when and how consent must be obtained. Because the FADP applies a "permission subject to prohibition" framework (processing is presumptively lawful unless personality rights are infringed), consent is not required for every processing activity in the way GDPR Article 6 requires. Instead, consent functions as one of the justifications available under Article 31(2) FADP when processing does infringe personality rights.

General consent standard — Article 6(6) FADP

When a controller chooses to rely on consent (or when personality rights are infringed and consent is the chosen justification under Art. 31), Article 6(6) FADP requires that consent be:

  • Voluntary — given freely, without coercion or detrimental consequences for refusal;
  • Informed — the data subject must receive "appropriate information" about the identity of the controller, the purpose of processing, and any disclosure to third parties or categories of third parties (this overlaps with the transparency duty under Art. 19 FADP);
  • Specific — consent must be given "for one or more specific instances of processing," not blanket consent for unspecified future uses.

The FADP does not mandate a particular form (written, oral, click-through, or checkbox are all valid), but the controller bears the burden of proving that valid consent was obtained. The Federal Data Protection and Information Commissioner (FDPIC) has emphasized that consent must be an active affirmative action by the data subject; pre-ticked boxes or continued browsing do not constitute valid consent under the revised law.

Express consent triggers — Article 6(7) FADP

Article 6(7) FADP imposes a higher standard — express consent — for three categories of processing:

  1. Processing sensitive personal data (Art. 5(c) FADP defines sensitive data to include: data on religious, philosophical, political, or trade-union views; health data; data on racial or ethnic origin; genetic or biometric data uniquely identifying a natural person; data on administrative or criminal proceedings and sanctions; and data on social assistance measures).
  2. High-risk profiling by a private person (Art. 5(f) and (g) FADP define profiling as any form of automated processing that evaluates personal characteristics; it becomes "high risk" when the profiling entails a high risk to the personality or fundamental rights of the data subject, for example through cross-site tracking that enables comprehensive behavioral profiles or predictions about key aspects of personality, health, or economic situation).
  3. Profiling by a federal body (any profiling by a public-sector controller, regardless of risk level, requires express consent if consent is the chosen legal basis).

"Express" consent means the data subject must explicitly and actively declare their agreement to the specific processing. The FDPIC's guidance on cookies and similar technologies (published January 2025, updated October 2025) clarifies that for high-risk profiling via third-party tracking and personalized advertising, an opt-in mechanism is required; opt-out or implied consent from continued browsing is insufficient. For sensitive data, the FDPIC recommends an empty checkbox accompanied by clear explanatory text (e.g., "I agree to the processing of my health data for the following purposes: [list]").

No separate consent for children

Unlike GDPR Article 8, the FADP does not set a statutory age threshold for valid consent or require parental authorization for minors. The general provisions of the Swiss Civil Code apply: consent is valid if the data subject has the capacity of judgment (Urteilsfähigkeit, Art. 16 Swiss Civil Code). For minors, this is assessed case-by-case based on the maturity needed to understand the processing in question. Controllers may choose to apply GDPR-style parental-consent rules as a best practice when processing children's sensitive data, but the FADP itself does not mandate it.

Withdrawal and documentation

Consent may be withdrawn at any time (this is implicit in the requirement that consent be voluntary; the FDPIC has confirmed that withdrawal must be as easy as granting consent). Upon withdrawal, the controller must cease processing based on that consent, though processing conducted before withdrawal remains lawful if consent was valid when obtained.

Controllers should document consent (the record-of-processing-activities requirement under Art. 12 FADP does not explicitly mandate consent logs, but the FDPIC's enforcement practice treats inability to prove valid consent as a violation of Art. 6). For express-consent scenarios (sensitive data, high-risk profiling), written or electronically time-stamped records are the practical standard.

Interaction with the transparency duty

Article 19 FADP imposes a separate duty to inform the data subject about processing at the time personal data is collected, regardless of whether consent is required. The controller must identify itself, state the purpose, and disclose any third-party recipients. When seeking consent, these transparency requirements fold into the "informed" prong of Article 6(6): the consent request must itself supply the information required by Article 19, so a single consent banner or form typically satisfies both obligations.

Supervisory authority guidance and enforcement

The FDPIC has published sector-specific guidance on consent for cookies (October 2025 update), data protection in clubs and associations, and advertising and marketing (all available at edoeb.admin.ch). The FDPIC's April 2024 investigation into the Ricardo auction platform found that cross-site tracking leading to high-risk profiling required express opt-in consent and that reliance on continued browsing violated Article 6(7) FADP. Controllers engaged in personalized advertising, behavioral profiling, or processing health, biometric, or political data should consult the FDPIC's guidelines and implement granular opt-in mechanisms for each distinct processing purpose.

Practical distinction from GDPR

GDPR-compliant businesses will satisfy most FADP consent requirements, but the structural difference is important: under GDPR, consent is one of six mandatory legal bases for any processing; under FADP, consent is one of three justifications available when processing infringes personality rights (Art. 31). For low-risk processing of non-sensitive data (employee payroll, customer order fulfillment), a Swiss controller often does not need to document a legal basis at all, whereas a GDPR controller must cite Article 6(1)(b) (contract) or 6(1)(f) (legitimate interests). When consent is used, however, the FADP's express-consent threshold for sensitive data and high-risk profiling mirrors GDPR Article 9(2)(a) and makes the two regimes practically convergent for high-risk use cases.

Source: Federal Act on Data Protection of 25 September 2020 (FADP), SR 235.1, Articles 6, 31
Source: FDPIC, Data protection in clubs and associations — consent requirements
Source: FDPIC, Advertising & marketing — consent requirements


Article 30 and 31(1) FADP — when processing infringes personality rights and triggers the justification requirement

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

The revised Swiss Federal Act on Data Protection (FADP, SR 235.1) applies a "permission subject to prohibition" framework: processing of personal data by private persons (companies, organizations, individuals, Art. 2(1)(a) FADP) is presumptively lawful unless it infringes the personality rights or fundamental rights of the data subject. When personality rights are infringed, the controller must demonstrate one of the three justifications under Article 31(2) FADP: consent, overriding private or public interest, or a legal basis in statute or regulation. Understanding when personality rights are infringed is therefore the threshold question for every Swiss data-protection analysis — it determines whether the controller must justify the processing at all.

Article 30 FADP — the general prohibition on personality-rights violations

Article 30(1) FADP states that private persons may process personal data only if doing so does not unlawfully infringe the personality rights of the data subject. This provision ties the FADP to the Swiss Civil Code's general personality-rights protection (Art. 28 Swiss Civil Code, which grants every person the right to defend themselves against unlawful infringement of their personality and to seek injunctive relief, damages, or satisfaction). The FADP functions as a lex specialis that defines what constitutes an unlawful personality-rights infringement in the data-processing context and what justifications defeat the claim of unlawfulness.

Article 30(2) FADP cross-references Article 31 FADP for the specific triggers and defenses: personality rights are infringed under the conditions set out in Article 31, and the controller may defeat the claim by demonstrating one of the Article 31(2) justifications.

Article 31(1) FADP — the three statutory triggers

Article 31(1) FADP specifies that processing infringes the personality rights of the data subject if it occurs in one of three ways:

  1. In breach of the general principles of data processing (Art. 6 FADP) or the transparency requirement (Art. 19 FADP).
  2. Against the express wishes of the data subject.
  3. By disclosing sensitive personal data (Art. 5(c) FADP) or a personality profile (a detailed assessment of the data subject's character, behavior, abilities, or circumstances, Art. 5(d) FADP) to third parties.

Each trigger is independent: satisfying any one of the three is sufficient to establish a personality-rights infringement and shift the burden to the controller to demonstrate a justification under Article 31(2).

Trigger 1: Breach of processing principles or the transparency requirement

Article 6 FADP sets out the core processing principles that bind both private persons and federal bodies:

  • Lawfulness (Art. 6(1) FADP): processing must comply with all applicable Swiss law, including sectoral statutes (employment law, anti-money laundering, competition law, criminal procedure) and contractual obligations (non-disclosure agreements, licensing restrictions). Processing that violates another statute is also a personality-rights infringement under the FADP.
  • Good faith (Art. 6(2), first sentence FADP): processing must be conducted honestly and with respect for the data subject's reasonable expectations. The Federal Data Protection and Information Commissioner (FDPIC) has clarified that good faith is breached when the controller processes data in a way that surprises or disadvantages the data subject beyond what they could reasonably anticipate from the context. Examples include repurposing customer data collected for order fulfillment for unrelated direct-marketing campaigns without notice; secretly recording employee communications in areas where employees expect privacy (restrooms, locker rooms); or processing publicly available data in a manner that the data subject could not foresee (scraping social-media profiles to build detailed psychographic profiles for sale to third parties).
  • Proportionality (Art. 6(2), second sentence FADP): only data that are suitable and necessary for the intended purpose may be processed, and there must be a reasonable relationship between the purpose and the means used. This principle overlaps with the data-minimization obligation in Article 6(4) FADP. Proportionality is breached when the controller collects more data than needed (requiring a copy of a passport to verify a person's age when asking for date of birth would suffice); retains data longer than the purpose requires (keeping customer transaction records indefinitely when tax law mandates only ten years); or uses disproportionately intrusive means (deploying always-on video surveillance when motion-triggered recording would achieve the same security goal).
  • Purpose limitation (Art. 6(3) FADP): personal data may be collected only for specific purposes that are recognizable to the data subject, and the data may be processed only in a manner compatible with those purposes. Further processing for a different, incompatible purpose is a personality-rights infringement unless the controller obtains fresh consent or can demonstrate an overriding interest. The FDPIC's enforcement practice treats silent repurposing — collecting data for purpose A and then using it for unrelated purpose B without informing the data subject — as a breach of both purpose limitation and good faith.
  • Accuracy (Art. 6(5) FADP): the controller must take reasonable steps to ensure that personal data are accurate and kept up to date. Processing demonstrably false data (for example, continuing to report a person to credit agencies after a debt has been paid, or maintaining incorrect employee records that affect performance reviews) breaches this principle and infringes personality rights.

The transparency requirement under Article 19 FADP mandates that the controller inform the data subject, at the time personal data are collected, of the controller's identity, the purpose of processing, and any recipients or categories of recipients to whom the data will be disclosed (Art. 19(2) FADP). Failure to provide this information — for example, installing cookies that enable cross-site tracking without a cookie banner or privacy notice, or collecting employee biometric data without informing staff — is itself a personality-rights infringement under Article 31(1) FADP, even if the underlying processing would otherwise be proportionate and in good faith.

Trigger 2: Processing against the express wishes of the data subject

Processing against the express wishes of the data subject infringes personality rights even if the processing complies with the Article 6 principles and the transparency duty. "Express wishes" does not require a formal written objection; the FDPIC has stated that a clear verbal objection, a written opt-out request, or activation of a technical opt-out signal (such as the Global Privacy Control header) all qualify. Common scenarios include:

  • A customer clicks "unsubscribe" on marketing emails but continues to receive newsletters or promotional offers from the same controller or from affiliated companies to whom the customer data were transferred.
  • An employee objects to the disclosure of their personal data to a third-party HR software vendor, and the employer proceeds with the transfer anyway (absent an overriding interest or legal obligation that defeats the objection).
  • A website visitor enables a browser "Do Not Track" signal or activates Global Privacy Control, and the controller nevertheless deploys third-party tracking cookies.

The FDPIC's October 2025 cookies guidance clarifies that for high-risk profiling via tracking technologies, express consent (not mere absence of objection) is required under Article 6(7) FADP, so relying on the "express wishes" trigger will not help the controller — the processing is unlawful from the outset unless express consent is obtained.

Important limitation: The data subject's wishes are not absolute. If the controller can demonstrate an overriding interest (for example, the employer needs to transfer employee data to the payroll processor to comply with wage-payment and social-insurance obligations) or a legal basis (for example, a bank must report suspicious transactions to the Money Laundering Reporting Office Switzerland under the Anti-Money Laundering Act, Art. 9 AMLA, and the customer's objection does not override the statutory duty), the processing is justified under Article 31(2) even though it proceeds against the data subject's wishes.

Trigger 3: Disclosure of sensitive personal data or personality profiles to third parties

The third trigger applies when the controller discloses (transfers, makes accessible, or permits access to) two categories of particularly intrusive data to third parties:

  1. Sensitive personal data (Art. 5(c) FADP), defined to include:
     • Data on religious, philosophical, political, or trade-union views;
     • Health data (medical diagnoses, treatment records, genetic information, biometric data uniquely identifying a natural person such as fingerprints or facial-recognition templates, or data on a person's physical or mental health);
     • Data on racial or ethnic origin;
     • Data on administrative or criminal proceedings and sanctions (arrest records, convictions, fines, disciplinary actions);
     • Data on social assistance measures (welfare benefits, disability support, unemployment insurance).
  2. Personality profiles (Art. 5(d) FADP), defined as a collection of data that enables an assessment of essential characteristics of the data subject's personality, such as behavior, abilities, performance, economic situation, health, personal preferences, interests, reliability, conduct, or location. This definition captures comprehensive dossiers built from multiple data sources (a credit report aggregating payment history, employment data, and debt-enforcement records; a detailed employee evaluation file; a behavioral-advertising profile tracking website visits, purchase history, and social-media interactions).

"Disclosure to third parties" threshold

Disclosure means making the data available to a person or entity outside the controller's organization. Sharing sensitive data or personality profiles internally (within the same legal entity or among employees of the same controller) does not trigger Article 31(1) unless the disclosure also breaches one of the other principles (proportionality, purpose limitation, good faith). Sharing with a processor (a third party that processes data on the controller's behalf under a written contract, Art. 9 FADP) is treated as disclosure to a third party and triggers the justification requirement if the data are sensitive or constitute a personality profile.

Common scenarios:

  • A hospital (controller) discloses a patient's medical records (sensitive health data) to a specialist physician or laboratory (third party): personality rights are infringed, and the hospital must demonstrate an Article 31(2) justification (typically the patient's consent or an overriding interest in providing necessary medical care).
  • An employer transfers employee performance reviews and salary data (a personality profile) to a payroll-services provider (third party): personality rights are infringed, and the employer must show consent, overriding interest (payroll is necessary to perform the employment contract), or legal basis (social-insurance reporting obligations under the Federal Act on Old-Age and Survivors' Insurance).
  • A data broker sells compiled marketing profiles (personality profiles) to advertisers (third parties): personality rights are infringed, and the broker must demonstrate consent or overriding interest. The FDPIC's enforcement practice indicates that selling personality profiles for marketing purposes typically requires express consent from the data subjects because the sensitivity and scope of the profiles make an overriding-interest claim difficult to sustain.

Article 31(1), final clause — the "made publicly accessible" exemption

Article 31(1) FADP contains an important limitation: no personality-rights infringement occurs if the data subject has made the personal data publicly accessible themselves and has expressly not prohibited their processing. This exemption applies to all three triggers (processing principles, express wishes, sensitive-data disclosure).

"Publicly accessible" means the data subject has intentionally and without restriction published the data in a manner that any member of the public can access them without authorization. Examples include:

  • Posting information on a publicly viewable social-media profile (a Twitter/X post, a public Facebook page, a LinkedIn profile with privacy settings set to "public") without limiting the audience or imposing terms of use that restrict data scraping or reuse.
  • Publishing a personal website or blog that is indexed by search engines and accessible without registration.
  • Participating in a publicly reported event (a professional conference, a political demonstration, a sports competition) where photographs, videos, or participant lists are made publicly available.

"Expressly not prohibited their processing" means the data subject has not accompanied the publication with a notice or terms restricting further use. If the data subject publishes data but adds a notice such as "Do not use for commercial purposes" or "No data scraping," or if the publication is on a platform whose terms of service prohibit scraping (most social-media platforms' terms prohibit automated collection), the exemption does not apply and processing may still infringe personality rights.

The FDPIC has emphasized that the "made publicly accessible" exemption is narrow. It does not permit unlimited repurposing. Even if data are publicly accessible, processing them in a way that violates good faith or proportionality — for example, scraping public social-media profiles to build psychographic profiles for sale, or using publicly posted photographs of individuals in advertising without permission — may still infringe personality rights under the first trigger (breach of processing principles). The exemption shields the controller from the disclosure-to-third-parties trigger and from the express-wishes trigger if the data subject has not restricted use, but the controller must still comply with the Article 6 principles.

Interaction with the Article 31(2) justifications

Establishing that processing infringes personality rights under Article 31(1) shifts the burden to the controller but does not make the processing unlawful. The controller may still justify the processing by demonstrating:

  • Consent (Art. 6(6) and (7), Art. 31(2) FADP): the data subject has given voluntary, informed, and specific consent; express consent is required for sensitive data, high-risk profiling, or profiling by federal bodies.
  • Overriding private or public interest (Art. 31(2)(a) FADP): the controller's legitimate interest outweighs the personality-rights infringement, applying a case-by-case balancing test that considers the nature and sensitivity of the data, the purpose, the data subject's reasonable expectations, and proportionality.
  • Legal basis (Art. 31(2) FADP): a provision of Swiss federal or cantonal statute or regulation authorizes or requires the processing.

The three-trigger framework in Article 31(1) is cumulative with the justification requirement: even if the controller has obtained consent, processing that breaches good faith or proportionality may still violate Article 30 FADP and expose the controller to civil liability under Article 32 FADP or regulatory investigation under Article 49 FADP. The FDPIC's enforcement guidance treats the processing principles in Article 6 as mandatory minimum standards that bind regardless of whether consent has been obtained.

Practical application and documentation

Controllers should assess each processing activity against the three Article 31(1) triggers:

  1. Does the processing comply with all Article 6 principles and the Article 19 transparency duty? If not, personality rights are infringed and a justification is required.
  2. Has the data subject expressed objection or activated an opt-out signal? If yes, and processing continues, personality rights are infringed and a justification is required (or the controller must cease processing).
  3. Does the processing involve disclosing sensitive data or personality profiles to third parties? If yes, personality rights are infringed and a justification is required.

If the answer to any question is yes, the controller must document the applicable Article 31(2) justification (consent, overriding interest, or legal basis) in its record of processing activities (Art. 12 FADP). While the FADP does not mandate a written balancing-test memorandum for every processing operation, the FDPIC's enforcement practice expects controllers to be able to explain and defend their justification if challenged by the data subject, during an FDPIC investigation, or in civil litigation under Article 32 FADP.

For controllers operating under both Swiss FADP and EU GDPR, the safest approach is to apply the stricter of the two regimes: conduct a GDPR-style legal-basis analysis for every processing operation (GDPR requires identification of a legal basis for all processing, not just personality-rights-infringing processing), and separately confirm that processing complies with the Article 6 FADP principles and does not trigger Article 31(1) without a valid justification.

Supervisory authority guidance and enforcement

The FDPIC has published sector-specific guidance illustrating the Article 30 and 31(1) triggers in practice:

  • Data processing by the employer (July 2024 and ongoing updates at edoeb.admin.ch): addresses when employee data processing infringes personality rights (collecting extracts from debt-enforcement or criminal-records registers beyond positions of trust; excessive workplace surveillance; disclosing employee data to third-party service providers without informing staff or demonstrating overriding interest).
  • Video surveillance by private individuals (May 2023): clarifies that filming public areas or areas used by others typically infringes personality rights, and the controller must demonstrate an overriding interest (which is rarely satisfied for private-security purposes in public spaces).
  • Cookies and similar technologies (version 1.1, October 2025): explains that cross-site tracking and behavioral profiling via cookies infringe personality rights both by breaching the duty to inform (if no cookie banner or equivalent information is provided, Art. 19 FADP) and by enabling high-risk profiling (Art. 5(g) FADP), for which consent, where it is the justification relied on, must be express under Art. 6(7)(b) FADP.
  • Advertising and marketing (at edoeb.admin.ch): addresses when direct marketing to customers infringes personality rights (disclosure of customer lists to third-party marketers without consent; behavioral profiling for targeted ads without express consent).

Controllers uncertain whether their processing infringes personality rights should consult the FDPIC's published guidance for their sector, conduct a data protection impact assessment (DPIA) if the processing presents a high risk (Art. 22 FADP), and document the legal analysis so that it can be produced if the FDPIC opens an investigation (Art. 49 FADP) or a data subject files a civil claim (Art. 32 FADP).

Source: Federal Act on Data Protection of 25 September 2020 (FADP), SR 235.1, Articles 30, 31, 6, 19
Source: FDPIC, Data processing by the employer — personality rights and Article 30 FADP
Source: FDPIC, Guidance on cookies and similar technologies, version 1.1, October 2025 — Article 30 and transparency
Source: FDPIC, Video surveillance by private individuals — when personality rights are infringed


Overriding private or public interest under Article 31(1) FADP — the balancing test and the statutory examples in Article 31(2)

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

When processing infringes the personality rights of a data subject—for example, by violating the general principles of lawfulness, good faith, and proportionality (Art. 6 FADP), by disclosing sensitive personal data to third parties, or by processing against the data subject's express wishes (Art. 30(2) FADP)—the controller must demonstrate a justification under Article 31(1) FADP. One of the three available justifications is an overriding private or public interest. Article 31(2) FADP then lists cases in which such an interest "may be deemed to exist in particular"; the first of them, Art. 31(2)(a), is processing in direct connection with a contract with the data subject. This framework is the FADP's closest analog to GDPR Article 6(1)(f) (legitimate interests) and Article 6(1)(b) (contract performance), but it applies a Swiss personality-rights framework rather than the GDPR's enumerated legal-basis model.

The Article 31(1) balancing test

Article 31(1) FADP does not define what makes an interest "overriding", and the list of typical cases in Article 31(2) is not exhaustive. Outside those typical cases, the controller must show that its private or public interest outweighs the personality rights and fundamental rights of the data subject. The Federal Data Protection and Information Commissioner (FDPIC) and Swiss legal commentary emphasize that this is a case-by-case balancing exercise in which the controller must consider:

  • the nature and sensitivity of the personal data (sensitive data under Art. 5(c) FADP weighs heavily in favor of the data subject; non-sensitive data shifts the balance toward the controller);
  • the purpose of processing and whether it serves a recognized private or public interest;
  • the reasonable expectations of the data subject (for example, an employee providing data to an employer expects payroll processing but not disclosure to third-party marketing firms);
  • the proportionality of the processing (whether the same purpose could be achieved with less intrusive means, such as anonymized data, aggregation, or shorter retention periods).

The FDPIC has clarified that the controller bears the burden of demonstrating that the interest is overriding when challenged, and that mere commercial convenience or cost-saving does not automatically qualify as an overriding interest.

Statutory examples in Article 31(2) FADP

Article 31(2) FADP lists cases in which an overriding interest of the controller "may be deemed to exist in particular" (lit. a to f). The list is illustrative, not exhaustive, and each case is a rebuttable presumption, not a separate legal basis. The case most relevant to everyday commercial processing is the first:

  1. Processing of the contracting partner's personal data in direct connection with the conclusion or performance of a contract with the data subject (Art. 31(2)(a) FADP; for example, processing a customer's name, delivery address, and payment information to fulfill an online purchase, or processing an employee's bank details and tax identification number for payroll).

Processing necessary to assert, exercise, or defend legal claims (for example, retaining communications and transaction records to defend against a contractual dispute; disclosing personal data to legal counsel or a court in litigation; processing witness statements in preparation for arbitration) is not one of the enumerated Article 31(2) cases. It is nonetheless recognized elsewhere in the Act as a ground that can justify even disclosure abroad (Art. 17(1) FADP) and is generally accepted as an overriding interest under the Article 31(1) test.

The contract case mirrors GDPR Article 6(1)(b), and the legal-claims case corresponds to GDPR Recital 47 (legal claims as a legitimate interest), but under the FADP both are examples of an overriding interest, not separate legal bases. A controller relying on Article 31(2)(a) for contract performance still applies the balancing test if the processing infringes personality rights, and the presumption can be rebutted where the processing goes beyond what the contract actually requires.

FDPIC guidance and enforcement — specific applications

The FDPIC has published sector-specific guidance on when an overriding interest may be claimed:

  • Employer data processing: In employment relationships, the employer has an overriding interest in processing employee data for purposes directly connected to the employment contract (payroll, benefits administration, work assignments), which is also the Art. 31(2)(a) contract presumption. However, the FDPIC has warned that consent is rarely valid in the employment context due to the power imbalance (Art. 6(6) FADP requires voluntary consent, and employees cannot freely refuse), so employers typically rely on the overriding-interest justification (Art. 31(1) FADP) and must demonstrate that processing is necessary and proportionate. Requesting extracts from the debt enforcement register or criminal records is justified only for positions of trust (employees managing cash, customer accounts, or valuable goods); routine background checks for all employees would not satisfy the overriding-interest test (FDPIC guidance on data processing by the employer, July 2024).
  • Video surveillance for security: A private person installing video cameras for property security may claim an overriding private interest, but the interest must actually outweigh the privacy intrusion. The FDPIC's guidance on video surveillance by private individuals states that surveillance of one's own property is generally permissible, but filming public areas (streets, sidewalks) or areas used by others (shared courtyards, laundry rooms) requires a balancing of interests and often fails the test unless the intrusion is minimal and unavoidable (for example, a bank ATM camera incidentally capturing a small section of the adjacent sidewalk is acceptable; a webcam broadcasting a public square for entertainment purposes is not). The FDPIC emphasizes that crime prevention in public spaces is a police function, not a private interest (FDPIC guidance on video surveillance of public places by private individuals, May 2023).
  • Cookies and web analytics for research and statistics: Controllers may claim an overriding interest in using cookies and similar technologies for website analytics and optimization. Article 31(2)(e) FADP presumes such an interest when personal data are processed for purposes not related to a specific person (research, planning, statistics), subject to three statutory conditions: (1) the data are anonymized as soon as the purpose of processing permits (and, where anonymization is impossible or disproportionate, appropriate measures prevent identification); (2) the data are disclosed to third parties only in a form that prevents identification of the data subjects; and (3) the results are published in a manner that prevents identification of data subjects. If these conditions are met, the legislator has pre-balanced the interests in favor of statistical processing. For cookies that enable cross-site tracking or high-risk profiling, however, the FDPIC's October 2025 cookies guidance states that an overriding interest may only be affirmed with reservations, and express consent under Article 6(7)(b) FADP is typically the justification to rely on instead (FDPIC guidance on cookies and similar technologies, version 1.1, October 2025).
  • Direct marketing: The FDPIC recognizes that a controller may have an overriding interest in conducting direct marketing to its own customers (processing customer contact details to send product recommendations or promotional offers), but disclosure to third parties for marketing purposes typically requires consent. The controller must also comply with the prohibition on unsolicited advertising under the Unfair Competition Act (UCA, SR 241) and must offer an easy opt-out mechanism. The FDPIC's advertising and marketing guidance emphasizes that the overriding-interest justification is narrow: the marketing must be a natural extension of the existing customer relationship, not high-risk profiling or unexpected secondary use (FDPIC guidance on advertising and marketing, available at edoeb.admin.ch).
  • Credit reporting and debt collection: Credit agencies and debt collectors process and disclose personal data under an overriding private interest framework. Article 31(2)(c) FADP presumes an overriding interest for creditworthiness checks, provided the data are neither sensitive personal data nor high-risk profiling data, are not older than ten years, and relate to a person of full age. Anyone requesting credit information must demonstrate a legitimate interest (for example, a landlord considering a rental application, a bank assessing a loan, a retailer evaluating payment terms). The FDPIC has clarified that mere curiosity is insufficient, and the credit agency is responsible for verifying the requester's interest. Processing sensitive personal data or conducting high-risk profiling falls outside the Art. 31(2)(c) presumption and requires its own justification, in practice express consent of the data subject (Art. 6(7) FADP) (FDPIC guidance on credit and collection).

Interaction with consent and legal obligation

When personality rights are infringed, the controller may choose among the three justifications in Article 31(1) FADP: consent of the data subject; an overriding private or public interest; or a legal basis in Swiss statute or regulation. In practice, consent is often impractical (power imbalances in employment, customer friction, withdrawal complexity), and explicit statutory authorization is rare outside the public sector, so the overriding interest is the workhorse justification for private controllers.

The justifications are alternatives, but a controller may not switch between them freely once the data subject has spoken. If processing begins under an overriding interest and the data subject objects, or if consent was originally obtained and is later withdrawn, continued processing runs against the data subject's express wishes, which is itself a breach of personality rights (Art. 30(2)(b) FADP); the controller must then re-assess whether its interest still outweighs the data subject's rights in light of that objection. The FDPIC's enforcement practice treats failure to conduct this balancing, or processing where the balance clearly favors the data subject, as a personality-rights violation actionable under Article 32 FADP (civil remedies), open to an FDPIC investigation (Art. 49 FADP) and to administrative measures (Art. 51 FADP).

No GDPR-style documentation requirement, but records recommended

Under the GDPR, the accountability principle (Art. 5(2) and Art. 24 GDPR) and the EDPB Guidelines 1/2024 on processing based on Article 6(1)(f) expect controllers to document their legitimate-interests assessment. The FADP does not explicitly mandate that controllers prepare a written balancing test. However, the record of processing activities under Article 12 FADP must identify the purposes of processing and the categories of recipients, and the FDPIC's enforcement practice expects controllers to be able to explain and defend their overriding-interest claim if challenged. Controllers processing sensitive data, conducting profiling, or disclosing data to third parties should document the balancing factors, especially the proportionality assessment and any less-intrusive alternatives considered.

Distinction from GDPR legitimate interests

GDPR-compliant businesses will find the Article 31(2)(a) framework familiar, but three key differences apply:

  1. Triggering condition: GDPR Article 6(1)(f) is a standalone legal basis required for any processing; the Article 31(1) overriding interest is a justification required only when processing infringes personality rights. A Swiss controller processing non-sensitive employee data for payroll may not need to cite any legal basis at all under the permission-subject-to-prohibition framework, whereas a GDPR controller must cite Article 6(1)(b).
  2. Consent hierarchy: Under the GDPR, consent and legitimate interests are alternative bases of equal standing (subject to special-category restrictions under Article 9). Under the FADP the three justifications are likewise alternatives (Art. 31(1)), but consent, once sought, shapes the analysis: a refusal or withdrawal is an express wish of the data subject, processing against an express wish is itself a breach of personality rights (Art. 30(2)(b) FADP), and any overriding interest must then be weighed against that express objection.
  3. Public-sector use: GDPR Article 6(1)(f) is generally unavailable to public authorities performing tasks in the public interest. The FADP does not impose this blanket restriction; a federal body may theoretically claim an overriding public interest under Article 31(1), but in practice federal bodies must have a legal basis in statute (Art. 34 FADP and the constitutional principle of legality, Art. 5 Swiss Constitution), so they rarely rely on the overriding-interest justification.

For controllers operating in both Switzerland and the EU, the safest approach is to conduct both a GDPR legitimate-interests assessment (meeting EDPB standards) and an FADP Article 31(1) balancing test, documenting the factors and proportionality analysis for each regime.

Source: Federal Act on Data Protection of 25 September 2020 (FADP), SR 235.1, Articles 31, 6, 34
Source: FDPIC, Data processing by the employer — overriding interest
Source: FDPIC, Video surveillance by private individuals — overriding private interest
Source: FDPIC, Guidance on cookies and similar technologies, version 1.1, October 2025
Source: FDPIC, Credit and collection — legitimate interest requirement


Legal basis as a justification under Article 31(1) FADP — statutory authorization and the federal-body rule

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

When processing infringes the personality rights of a data subject under the revised Swiss Federal Act on Data Protection (FADP, SR 235.1), the third justification available under Article 31(1) FADP is a legal basis ("by law") — a provision in Swiss federal or cantonal statute or regulation that authorizes or requires the processing. This justification is particularly important for federal bodies (federal authorities and administrative units, Art. 2(1)(b) FADP), which are subject to a blanket statutory-basis requirement under Article 34 FADP and the Swiss constitutional principle of legality.

The legal-basis justification under Article 31(1) differs structurally from consent and overriding interest: it is neither a balancing test nor a voluntary act of the data subject, but an external mandate. Processing is lawful because a statute says so, and only to the extent the statute says so.

Article 34 FADP — mandatory legal basis for federal bodies

Federal bodies operate under a strict constitutional constraint: they may act only when empowered by law (Art. 5 of the Federal Constitution of the Swiss Confederation, the legality principle or Legalitätsprinzip). Article 34(1) FADP codifies this principle for data processing: federal bodies may process personal data only if there is a statutory basis for doing so. Internal policy, administrative practice, or a contract with a third party is not a statutory basis.

Article 34 then grades the required level of the legal basis according to the risk of the processing:

  1. A basis in a formal act (a statute enacted by the Federal Assembly) is required for processing sensitive personal data (Art. 5(c) FADP), for profiling (Art. 5(f) FADP, at any risk level), and for any processing whose purpose or manner may lead to a serious interference with the fundamental rights of the data subject (Art. 34(2)(a) to (c) FADP).
  2. For sensitive personal data and profiling, a basis in an ordinance of the Federal Council is exceptionally sufficient if the processing is indispensable for a task laid down in a formal act and the purpose of processing poses no particular risk to the fundamental rights of the data subject (Art. 34(3) FADP).
  3. All other processing requires a statutory basis in a formal act or in an ordinance based on one (Art. 34(1) FADP). In practice, federal bodies cite dozens of sector-specific statutes: the Federal Personnel Act for employee data, the Federal Statistical Act for census data, the Foreign Nationals and Integration Act for immigration data, and so forth.

Article 34(4) FADP adds narrow derogations from the statutory-basis requirement: processing the Federal Council has authorized because it poses no risk to fundamental rights, processing to which the data subject has consented (or of data the data subject has made generally accessible without expressly prohibiting processing), and processing necessary to protect the life or physical integrity of the data subject or a third party.

Disclosure of personal data by a federal body to recipients outside the federal administration (cantonal authorities, foreign governments, international organizations, or private persons) is governed separately by Article 36 FADP, which likewise requires a statutory basis, with case-by-case exceptions in Art. 36(2) such as consent of the data subject or protection of life or physical integrity. Federal bodies frequently rely on sector-specific statutes for this (for example, the Federal Act on International Administrative Assistance in Tax Matters authorizes the Federal Tax Administration to disclose taxpayer data to foreign tax authorities in treaty-governed cases).

Where the legal basis does not itself specify how the data are to be processed, the federal body must define the details in processing regulations (Bearbeitungsreglement). Under Article 6 of the Data Protection Ordinance (DPO, SR 235.11), processing regulations are required for automated processing that involves sensitive personal data, profiling, a purpose falling under Art. 34(2)(c) FADP, disclosure abroad, or linking of data collections; they must be kept up to date and can be demanded by the Federal Data Protection and Information Commissioner (FDPIC) in an investigation (Art. 50 FADP). Separately, the FDPIC maintains the public register of processing activities of federal bodies (Art. 56 FADP).

Private persons and the legal-basis option

Private controllers (companies, organizations, individuals, Art. 2(1)(a) FADP) are not required to have a statutory basis for every processing activity — the FADP applies a "permission subject to prohibition" framework, so processing is presumptively lawful unless personality rights are infringed. However, when personality rights are infringed (for example, by disclosing sensitive data to third parties, violating the good-faith principle, or processing against the data subject's express wishes, Art. 30(2) FADP), Article 31(1) FADP allows the controller to justify the processing by pointing to a legal basis if one exists.

Common examples for private persons include:

  • Statutory disclosure obligations under the Anti-Money Laundering Act (requiring banks and financial intermediaries to report suspicious transactions to the Money Laundering Reporting Office Switzerland, MROS, Art. 9 AMLA) or the Federal Act on International Automatic Exchange of Information in Tax Matters (requiring Swiss financial institutions to collect and disclose account-holder data to the Federal Tax Administration for transmission to foreign tax authorities under FATCA and CRS).
  • Employer obligations under the Federal Act on Old-Age and Survivors' Insurance (requiring employers to collect and report employee social-security numbers and salary data to AHV/AVS compensation offices, Art. 49 AHVG / LAVS).
  • Cantonal statutes authorizing or requiring specific processing — for example, cantonal tax laws requiring businesses to file detailed customer or supplier lists, or cantonal building codes requiring property owners to disclose tenant data to municipal housing registries. Cantonal law may serve as a legal basis for private persons under Article 31(1) FADP when the canton has jurisdiction over the subject matter.

In each case, the controller does not need consent or an overriding interest if a statute mandates the processing. The FDPIC's enforcement practice treats statutory compliance as a complete justification, provided the processing stays within the boundaries of the statutory authorization (for example, a bank reporting suspicious transactions to MROS may not also disclose the same data to a commercial credit bureau under the AMLA authorization — that would require a separate justification).

Interplay with consent and overriding interest

Article 31(1) FADP lists consent, overriding interest, and legal basis as alternative justifications, not a hierarchy. A controller may choose which justification to rely on if more than one is available. However, certain statutory schemes pre-empt consent or interest-balancing:

  • Mandatory disclosure statutes (anti-money laundering, tax reporting, criminal-procedure cooperation) do not permit the data subject to veto the processing by withholding consent; the statute itself supplies the justification and may even prohibit the controller from informing the data subject (the "tipping-off" prohibition in Art. 10a AMLA forbids a bank from telling a customer that a suspicious-activity report was filed).
  • Permissive statutes (statutes that authorize processing but do not mandate it) give the controller discretion to process, but personality rights may still be infringed if the processing exceeds reasonable expectations. In such cases, the controller should still conduct the overriding-interest balancing test and document the proportionality analysis. The FDPIC has stated that a legal basis does not excuse disproportionate or bad-faith processing; the general principles in Article 6 FADP (lawfulness, good faith, proportionality) still bind.

Documentation and record-keeping

Federal bodies must cite the specific legal basis in their record of processing activities for every processing operation (Art. 12(3) FADP). Private persons are not required to identify a legal basis in their record unless they are affirmatively relying on Article 31(1) to justify personality-rights-infringing processing. In practice, controllers subject to both the Swiss FADP and the EU GDPR often document the legal basis for every processing activity to satisfy GDPR Article 6 and the accountability principle, even when Swiss law does not mandate it.

Distinction from GDPR Article 6(1)(c) legal obligation

GDPR Article 6(1)(c) (processing necessary for compliance with a legal obligation) is one of six legal bases, one of which must be identified for every processing operation. The FADP Article 31(1) legal basis ("by law") is a justification required only when personality rights are infringed, and only for controllers subject to Swiss jurisdiction. However, the two provisions are functionally similar: both permit processing when a statute mandates it, and both require that the statutory basis be accessible, foreseeable, and sufficiently clear (the FDPIC applies the European Court of Human Rights' quality-of-law test from Rotaru v. Romania, ECHR 2000-V, in assessing whether a statute is sufficiently precise under Art. 34 FADP).

For controllers operating in both Switzerland and the EU, processing mandated by Swiss federal statute (AML reporting, tax disclosure, employer social-insurance reporting) typically satisfies both FADP Article 31(1) and GDPR Article 6(1)(c), provided the Swiss statute is accessible to EU data subjects and the processing stays within the statutory scope.

Supervisory authority guidance and enforcement

The FDPIC publishes sector-specific guidance on legal-basis requirements for federal bodies and private persons. Key guidance documents include:

  • Research and data protection (updated July 2024): explains that federal bodies conducting research must identify a statutory basis (such as the Research and Innovation Promotion Act or the ETH Act) if the research goes beyond the scope permitted by Article 39 FADP (anonymized or pseudonymized statistical research).
  • Processing regulations for federal bodies (available at edoeb.admin.ch): template and checklist for federal bodies that must file processing regulations under Article 34(3) FADP.
  • Cross-border transfers by federal bodies: federal bodies disclosing data to foreign governments or international organizations need a statutory basis for the disclosure under Article 36 FADP and must also comply with the rules on disclosure abroad in Articles 16 to 18 FADP (an adequacy decision of the Federal Council, standard data protection clauses or other appropriate guarantees, or one of the Article 17 exceptions). The legal basis authorizes the disclosure; the transfer mechanism ensures adequate protection for the data once disclosed.

The FDPIC's enforcement practice holds that federal bodies bear the burden of identifying the statutory provision and demonstrating that the processing falls within its scope. Private persons relying on a legal basis to justify personality-rights-infringing processing must similarly cite the provision and explain how the processing is authorized. Failure to identify a valid legal basis when required is a data-protection violation actionable under Article 32 FADP (civil remedies) and may trigger a FDPIC investigation under Article 49 FADP.

Federal bodies vs. cantonal/communal bodies

Article 34 FADP applies only to federal bodies (as defined in Art. 2(1)(b) FADP). Cantonal and communal authorities (cantonal administrations, universities other than the Federal Institutes of Technology, cantonal and municipal hospitals, cantonal police) are subject to cantonal data-protection law, not the FADP, and fall under the jurisdiction of cantonal data-protection authorities. However, many cantons have enacted FADP-aligned statutes with similar legal-basis requirements for cantonal public bodies, and the FDPIC has recommended that cantonal authorities adopt the Article 34 framework to facilitate cross-cantonal data sharing and maintain coherence with federal practice.

Source: Federal Act on Data Protection of 25 September 2020 (FADP), SR 235.1, Articles 31, 34, 36
Source: Federal Constitution of the Swiss Confederation of 18 April 1999, Article 5 (Principles of the Rule of Law)
Source: FDPIC, Research and data protection — legal basis for federal bodies under Article 34 FADP


Sensitive personal data under Article 5(c) FADP — definition, enumerated categories, and operational consequences

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

Article 5(c) FADP defines sensitive personal data (données personnelles sensibles / besonders schützenswerte Personendaten) as a distinct category subject to heightened procedural and substantive protections throughout the revised Swiss Federal Act on Data Protection (FADP, SR 235.1). Unlike ordinary personal data, sensitive data trigger an express-consent requirement whenever consent is the justification relied on (Art. 6(7)(a) FADP), the rule that disclosure to third parties is in itself a breach of personality rights (Art. 30(2)(c) FADP), elevated legal-basis precision for federal bodies (Art. 34(2)(a) FADP), and stronger weighting in the overriding-interest balancing test (Art. 31(1) FADP). Controllers must identify whether their processing involves sensitive data as a threshold determination before assessing lawful-basis and transparency obligations.

Enumerated categories under Article 5(c) FADP

Article 5(c) FADP provides a closed list of six numbered categories of sensitive personal data. The definition is exhaustive; no other data qualify as "sensitive" under the FADP unless they fall within one of the following categories:

  1. Data on religious, philosophical, political, or trade-union views or activities (Art. 5(c) no. 1 FADP) — includes religious affiliation or absence thereof (e.g., membership in a church, mosque, or secular humanist organization); philosophical convictions about fundamental worldview questions (e.g., pacifism, veganism as ethical philosophy); political opinions or party membership; and membership in or support for trade unions or professional associations with trade-union functions. Because the statute names activities as well as views, the category also covers passive indicators of affiliation such as subscription lists for political newsletters, donation records, or attendance records at religious services.
  2. Data on health, the private sphere, or racial or ethnic origin (Art. 5(c) no. 2 FADP) — three limbs in one category. Health data include all data concerning the physical or mental health of a data subject, past and present: medical diagnoses, treatment records, prescriptions, laboratory results, imaging studies, genetic test results (when health-related), and insurance claims data, as well as health-adjacent data such as fitness-tracker metrics, menstrual-cycle tracking, nutrition logs, and sleep patterns when processed in a health context. The FDPIC treats patient-doctor communications, psychotherapy notes, and addiction-treatment records as paradigmatic examples; controllers operating telehealth platforms, fitness apps, or employee wellness programs process sensitive data if they collect or infer health-related information. The private sphere (Intimsphäre / sphère intime) covers sex life and sexual orientation, which is where the FADP captures the data the GDPR lists under those headings. Racial or ethnic origin covers self-identified or attributed racial, ethnic, or national origin; data revealing ancestry, cultural or linguistic community, or migration background; and biometric data (such as facial-recognition templates or DNA samples) when processed to infer or confirm racial or ethnic characteristics. This limb applies regardless of the purpose of processing: a photograph becomes sensitive data if processed specifically to classify individuals by race, even for ostensibly benign purposes such as diversity monitoring.
  3. Genetic data (Art. 5(c) no. 3 FADP) — the FADP does not define the term; the GDPR Article 4(13) definition (personal data relating to the inherited or acquired genetic characteristics of a natural person that give unique information about that person's physiology or health, in particular data resulting from an analysis of a biological sample such as DNA or RNA sequencing or chromosomal analysis) is the usual reference point. Genetic data are always sensitive, regardless of whether they reveal health information. Ancestry-testing services, forensic databases, and research biobanks process sensitive data under this category. Genetic data are distinct from biometric data (category 4) but the two overlap when genetic markers are used for unique identification.
  4. Biometric data uniquely identifying a natural person (Art. 5(c) no. 4 FADP) — includes data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person that enable or confirm unique identification, such as facial-recognition templates, fingerprint scans, iris or retinal scans, voiceprints, gait-analysis profiles, and vein-pattern recognition. The FDPIC distinguishes between raw biometric material (a photograph, a video, an audio recording) and processed biometric templates: a photograph is ordinary personal data; a facial-recognition template derived from that photograph and enrolled in a one-to-one or one-to-many matching system is sensitive biometric data. Controllers using biometric authentication (fingerprint unlock, face ID, voice authentication) or biometric surveillance (automated facial recognition in public or private spaces) process sensitive data.
  5. Data on administrative or criminal proceedings or sanctions (Art. 5(c) no. 5 FADP) — includes data relating to criminal investigations, prosecutions, convictions, and sentences; administrative sanctions (fines, license suspensions, professional disciplinary actions); and data on suspected offenses or allegations not yet adjudicated. The FDPIC treats criminal-record extracts, police reports, court judgments, and debt-enforcement-register entries (Betreibungsregisterauszug / extrait du registre des poursuites) as sensitive data. Employers requesting criminal-record checks, landlords requesting debt-enforcement extracts, and financial institutions conducting sanctions screening process sensitive data and must satisfy the overriding-interest balancing test (Art. 31(1) FADP) or, if relying on consent, obtain express consent (Art. 6(7)(a) FADP).
  6. Data on social assistance measures (Art. 5(c) no. 6 FADP) — includes data concerning receipt of social-welfare benefits, unemployment assistance, disability support, housing subsidies, food assistance, child-protection interventions, or other social-assistance programs. The FDPIC has clarified that this category reflects the heightened vulnerability and stigma associated with social-assistance receipt. Municipal social-services departments, housing authorities administering subsidized housing, and non-profit organizations distributing aid process sensitive data when they collect information about recipients' eligibility or participation in social-assistance programs.

Distinction from GDPR Article 9 special categories

The FADP Article 5(c) definition substantially overlaps with the GDPR Article 9(1) special categories, but the two lists are not identical, and controllers operating in both jurisdictions should note the following differences:

  • Two FADP categories have no GDPR Article 9 counterpart. Data on administrative or criminal proceedings and sanctions (Art. 5(c) no. 5) are sensitive under the FADP, whereas the GDPR handles criminal-conviction and offence data under the separate regime of Article 10 rather than as a special category. Data on social-assistance measures (Art. 5(c) no. 6) are sensitive under the FADP but ordinary personal data under the GDPR.
  • Sex life and sexual orientation are named expressly in GDPR Article 9(1) but not in FADP Article 5(c). They are nonetheless covered by the "private sphere" (Intimsphäre) limb of Art. 5(c) no. 2, so such data are treated as sensitive under both regimes.
  • Religious, philosophical, political and trade-union data are sensitive under both regimes (GDPR Article 9(1) names religious or philosophical beliefs, political opinions and trade-union membership). The FADP wording is "views or activities" (Art. 5(c) no. 1), so it reaches records of activity, such as attendance at a union meeting or a political demonstration, and not only a recorded opinion or membership.
  • Biometric data are sensitive under both regimes only when processed for the purpose of uniquely identifying a natural person (Art. 5(c) no. 4 FADP; GDPR Article 9(1)). A photograph in an HR file that is never run through a recognition system is ordinary personal data under both; GDPR Recital 51 states that photographs are biometric data only when processed through specific technical means allowing unique identification or authentication.
  • Genetic data (Art. 5(c) no. 3), health data and data on racial or ethnic affiliation (Art. 5(c) no. 2) are sensitive under both regimes. No divergence.

Operational consequences of sensitive-data classification

Once a controller determines that processing involves Article 5(c) sensitive personal data, several FADP provisions impose stricter requirements:

1. Consent, where relied on, must be express (Article 6(7)(a) FADP). The FADP does not make consent a precondition for processing sensitive data: processing is lawful unless it infringes personality rights (Art. 30 FADP), and an infringement can be justified by consent, by an overriding private or public interest, or by law (Art. 31(1) FADP). Two rules nonetheless raise the bar for sensitive data. First, disclosing sensitive personal data to third parties is itself listed as a personality infringement (Art. 30(2)(c) FADP), so such a disclosure always needs a justification. Second, whenever consent is the justification, it must be express (Art. 6(7)(a) FADP): the data subject must actively and unambiguously declare agreement, and implied consent, pre-ticked boxes and opt-out mechanisms do not suffice. The general validity requirements of Art. 6(6) FADP (voluntary, for one or more specific processing operations, after adequate information) apply in addition, not instead. The FDPIC's guidance on data protection in clubs and associations and on patient-data disclosure (both at edoeb.admin.ch) accordingly calls for an opt-in with clear explanatory text for health data, religious affiliation and the other Article 5(c) categories.

2. Federal bodies need a basis in a formal act (Article 34(2)(a) FADP). Federal bodies (federal authorities and administrative units, Art. 2(1)(b) FADP) may process personal data only on a statutory basis (Art. 34(1) FADP), and for sensitive personal data that basis must in principle be a formal act passed by the Federal Assembly (Art. 34(2)(a)). A basis at ordinance level (an act in the substantive sense, issued by the Federal Council) suffices only under Art. 34(3) FADP, when the processing is indispensable for a task laid down in a formal act and the purpose poses no particular risk to the data subject's fundamental rights. This codifies the constitutional principle of legality (Art. 5 Federal Constitution) and keeps high-risk public-sector processing under parliamentary control. A federal body processing health data (for example the Federal Office of Public Health during a pandemic response), criminal-proceedings data (federal police, customs) or social-assistance data (unemployment insurance) should be able to cite the specific statutory provision that authorizes the processing.

3. Heightened weight in the overriding-interest balancing test (Article 31(1) FADP). When a private controller's processing of sensitive data infringes personality rights, the controller may justify it by showing an overriding private or public interest (Art. 31(1) FADP; Art. 31(2) lists situations in which such an interest may be assumed, for instance processing directly connected with the conclusion or performance of a contract, Art. 31(2)(a)). FDPIC enforcement practice and the legal commentary weigh sensitive data heavily on the data subject's side of that balance. Processing that would pass the test with ordinary personal data (disclosing a customer's purchase history to a credit bureau) will often fail with sensitive data (disclosing the customer's prescription-drug purchases). The statute itself draws this line for creditworthiness checks: the overriding-interest case in Art. 31(2)(c) FADP applies only if no sensitive personal data are processed and no high-risk profiling is carried out, and the FDPIC's credit and collection guidance accordingly states that credit agencies may not process sensitive personal data or conduct high-risk profiling without the data subject's express consent.

4. Enhanced transparency and DPIA triggers (Articles 19, 22 FADP). The duty to inform (Art. 19 FADP) applies to all processing, but the FDPIC has stated that the more sensitive the data, the more extensive and detailed the information must be. Art. 19(2)(c) lets a controller name either the recipients or the categories of recipients; for health, biometric and other Article 5(c) data, controllers should give granular purpose descriptions, name the actual third-party recipients where practicable, and state retention periods and, for disclosures abroad, the destination state and the safeguards relied on (Art. 19(4) FADP). Sensitive data also drive the data protection impact assessment: Art. 22(1) FADP requires a DPIA where processing is likely to result in a high risk to the data subject's personality or fundamental rights, and Art. 22(2)(a) names large-scale processing of sensitive personal data, alongside systematic monitoring of extensive public areas (Art. 22(2)(b)), as a case in which such a high risk exists. The FDPIC treats large-scale health-data processing, biometric surveillance and processing of criminal-proceedings data as presumptive DPIA triggers.

5. Record-of-processing-activities and processing-regulations obligations (Article 12 FADP; Articles 5, 6 and 24 DPO). Every controller must keep a record of processing activities (Art. 12 FADP). The Data Protection Ordinance (DPO, SR 235.11) exempts companies and other private organizations with fewer than 250 employees, but only if their processing carries a low risk: a private controller that processes sensitive personal data on a large scale or carries out high-risk profiling loses the exemption (Art. 24 DPO) and must keep the record regardless of size. In addition, private controllers must draw up processing regulations for automated processing if they process sensitive personal data on a large scale or carry out high-risk profiling (Art. 5 DPO); federal bodies must do so for any automated processing of sensitive personal data (Art. 6 DPO). Processing regulations are internal governance documents describing the purposes, the data categories, the recipients, the retention periods and the technical and organizational security measures. They are not registered with the FDPIC, but they must be kept up to date and be available to the data protection adviser (where one is appointed) and to the FDPIC when it requests documents under its investigative powers (Art. 50 FADP).

Examples: determining whether data are sensitive

  • Employee payroll data (name, salary, bank account, social-security number): not sensitive. These are ordinary personal data, and processing them for payroll is directly connected with the employment contract (Art. 31(2)(a) FADP), so no express consent is needed. If, however, the employer receives a wage-garnishment order from the debt enforcement office and records it in the payroll file, the file now contains data on an enforcement proceeding against the employee, which the FDPIC treats as sensitive under Article 5(c) no. 5 (see the treatment of debt-enforcement data above).
  • Employee sick-leave records: sensitive health data under Article 5(c) no. 2. The employer processes sensitive data when it records that an absence is due to illness, even if no diagnosis is recorded. Consent is a weak justification in the employment relationship because it is rarely voluntary (Art. 6(6) FADP); the employer instead relies on the overriding interest in performing the employment contract (Art. 31(2)(a) FADP), within the limits of Art. 328b of the Swiss Code of Obligations, which permits processing of employee data only insofar as it concerns the employee's suitability for the job or is necessary to perform the employment contract. That necessity limit argues for recording the fact and expected duration of the incapacity rather than the diagnosis.
  • Membership list of a chess club: not sensitive (assuming the club has no political, religious or trade-union character). If the club is a workers' chess association affiliated with a trade union, the membership list reveals trade-union activity and becomes sensitive under Article 5(c) no. 1.
  • Photograph on a website: not sensitive (ordinary personal data). If the photograph is run through a facial-recognition system to enrol a biometric template for access control, the template is sensitive biometric data under Article 5(c) no. 4.
  • Customer purchase of over-the-counter vitamins at a pharmacy: not sensitive in most contexts (an ordinary commercial transaction). If the same customer buys prescription medication, or if the pharmacy analyzes transaction data to infer health conditions (for example targeting advertising for diabetes supplies at customers who buy glucose test strips), the data are sensitive health data under Article 5(c) no. 2.

Interpretation and supervisory guidance

The FDPIC has published sector-specific guidance on sensitive-data processing in several contexts: patient data (health data, Art. 5(c) no. 2); data protection in clubs and associations (religious, political and trade-union views or activities, Art. 5(c) no. 1); employer processing (health data from sick leave, criminal-record checks, Art. 5(c) nos. 2 and 5); video surveillance (biometric data where facial recognition is deployed, Art. 5(c) no. 4); and credit and collection (no processing of sensitive data without express consent). All guidance is available at edoeb.admin.ch. The FDPIC treats the Article 5(c) list as exhaustive and has declined to extend "sensitive" status to other categories by analogy, even to data that carry significant privacy risk (such as precise geolocation or financial account numbers); such data are protected by the general principles (lawfulness, proportionality, good faith, Art. 6 FADP) but do not trigger the express-consent or formal-act rules reserved for Article 5(c) sensitive data.

Cross-border and GDPR alignment

Switzerland's EU adequacy decision (Commission Decision 2000/518/EC, adopted under the 1995 Data Protection Directive) continues to apply under the GDPR (Art. 45(9) GDPR), and the Commission's January 2024 review of the pre-GDPR adequacy decisions confirmed that Switzerland, under the revised FADP, continues to provide adequate protection. In the other direction, the Federal Council lists the EU and EEA states as providing adequate protection (Art. 16(1) FADP, Annex 1 DPO), so transfers in either direction need no additional safeguards. Adequacy settles only the transfer question, however: the substantive rules for sensitive data must be met under whichever law governs the processing, and a controller within the scope of both (for instance a Swiss company offering goods or services to people in the EU, Art. 3(2) GDPR) must satisfy both. The sensitive-data lists differ at the edges: GDPR Article 9 names sex life and sexual orientation expressly, while the FADP reaches them through the private-sphere limb of Art. 5(c) no. 2; the FADP treats data on administrative or criminal proceedings and on social-assistance measures as sensitive, while the GDPR covers criminal data under Article 10 and treats social-assistance data as ordinary personal data. Controllers operating in both jurisdictions should record which regime governs each processing operation, classify each data category under both lists, and apply the stricter requirement wherever the classifications diverge.

Sources:
  • Federal Act on Data Protection of 25 September 2020 (FADP), SR 235.1, Articles 5, 6, 31, 34
  • FDPIC, Patient data disclosure — sensitive health data under Article 5(c) no. 2 FADP
  • FDPIC, Data protection in clubs and associations — sensitive data categories
  • FDPIC, Credit and collection — prohibition on processing sensitive personal data
  • FDPIC, Guidelines on data breaches — sensitive data and high-risk assessment
