Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual not authorized to do so. Data protection regulations in a number of jurisdictions require data controllers to report such breaches in certain circumstances.
Under Swiss law, there is no obligation to notify the supervisory authority or individuals impacted by data breaches. However, in certain cases, it is recommended to notify the Federal Data Protection and Information Commissioner (FDPIC) (e.g. where sensitive data is affected or where the privacy of a large number of data subjects may have been breached).
According to the preliminary draft of the revised Data Protection Act, an obligation is expected to apply to notify the FDPIC, without delay, of every unlawful processing of data or loss of data. The obligation is not expected to apply where the breach is unlikely to result in a risk to the privacy or the fundamental rights of the data subject. A failure to notify is expected to be criminally sanctioned.
In addition, the principle of good faith can result in an obligation to inform employees, other data subjects and relevant third parties when there has been a personal data breach. When notifying individuals, include the steps they can take to protect themselves and otherwise minimize risk (such as changing passwords).