In September 2023, the Federal Data Protection and Information Commissioner (FDPIC) released an updated factsheet outlining the process of investigating violations of data protection regulations in Switzerland. This article provides a summary of key insights from the FDPIC’s guidance on Articles 49-53 of the Federal Act on Data Protection (FADP).
Reason and Purpose of the Investigation
Under the FADP, the FDPIC is responsible for ensuring compliance with data protection regulations. The FDPIC initiates investigations when there are “sufficient indications” that a data processing activity may violate these regulations. Investigations aim to establish the facts and assess whether a violation has occurred. If a violation is confirmed, the FDPIC can impose administrative measures.
Informal Preliminary Enquiries
Before launching a formal investigation, the FDPIC may conduct informal preliminary inquiries to determine if an investigation is necessary. This phase helps clarify whether the potential violation merits a full investigation, and it allows for quick resolution in some cases.
Legal Status of Reporting Parties
Reporting a potential violation is essential, and it can be done by data subjects, third parties, or the FDPIC itself. Reporting parties may or may not have the status of a party in the investigation proceedings, depending on their role and involvement in the case.
The FDPIC’s Duty to Investigate
The FDPIC must investigate significant violations of data protection regulations, but it has the discretion to decide not to investigate minor violations. The determination of “minor importance” is somewhat subjective but guided by ensuring an adequate level of data protection.
Investigation proceedings follow the Federal Act on Administrative Procedure (APA) and include cooperation from the party involved. The party has specific rights throughout the investigation, such as the right to a fair hearing and access to files.