Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances.
Under Swiss law, there is no obligation to notify the supervisory authority or individuals impacted by data breaches. However, in certain cases, it is recommended to notify the Federal Data Protection and Information Commissioner (FDPIC) (e.g. where sensitive data is affected or where the privacy of a large number of data subjects may have been breached).
Under the revised Data Protection Act, going into effect in 2022, employers and other data controllers will be obligated to notify the FDPIC as soon as possible if there is a data breach that creates a high risk to data subjects.
In addition, the principle of good faith can result in an obligation to inform employees, other data subjects and relevant third parties when there has been a personal data breach. When notifying individuals, include steps they can take to protect themselves and otherwise minimize risk (such as changing passwords).