Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Under Swiss law, any person may request all available information on whether data concerning them is being processed. Employers and other data controllers must notify the data subject about:
Third-party processors are only under an obligation to provide information if they do not disclose the identity of the controller or if the controller is not domiciled in Switzerland.
Requests must be answered within 30 days after receipt of the request. Responses are generally provided in writing and free of charge.
The employer (or other data controller) may refuse the provision of information when:
HR Best Practices: Data subject rights will be more aligned with the General Data Protection Regulation once the Swiss Federal Act on Data Protection goes into effect.
When processing a request for access from a data subject, make sure not to disclose information connected to other data subjects. Processors and sub-processors should establish official procedures and contacts for employee requests.