Understanding FDPIC Investigations of Data Protection Violations

Sep 7, 2023

In September 2023, the Federal Data Protection and Information Commissioner (FDPIC) released an updated factsheet outlining the process of investigating violations of data protection regulations in Switzerland. This article provides a summary of key insights from the FDPIC’s guidance on Articles 49-53 of the Federal Act on Data Protection (FADP).

Reason and Purpose of the Investigation

Under the FADP, the FDPIC is responsible for ensuring compliance with data protection regulations. The FDPIC initiates investigations when there are “sufficient indications” that a data processing activity may violate these regulations. Investigations aim to establish the facts and assess whether a violation has occurred. If a violation is confirmed, the FDPIC can impose administrative measures.

Informal Preliminary Enquiries

Before launching a formal investigation, the FDPIC may conduct informal preliminary enquiries to determine whether an investigation is necessary. This phase helps clarify whether the potential violation merits a full investigation, and it allows for quick resolution in some cases.

Legal Status of Reporting Parties

Reporting a potential violation is essential, and it can be done by data subjects, third parties, or the FDPIC itself. Reporting parties may or may not have the status of a party in the investigation proceedings, depending on their role and involvement in the case.

The FDPIC’s Duty to Investigate

The FDPIC must investigate significant violations of data protection regulations, but it has the discretion to decide not to investigate minor violations. The determination of “minor importance” is somewhat subjective but is guided by the aim of ensuring an adequate level of data protection.

Investigation Proceedings

Investigation proceedings follow the Federal Act on Administrative Procedure (APA) and include cooperation from the party involved. The party has specific rights throughout the investigation, such as the right to a fair hearing and access to files.

 
