Do individuals have the right to access their personal information?
Jurisdictions with data protection laws tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Under Swiss law, any person may request all available information, including:
- whether data concerning them is being processed;
- the source of the data;
- the purpose and legal basis of processing;
- the categories of the personal data processed;
- the other parties involved with the file; and,
- the recipients of the data.
Processors are only under an obligation to provide information if they do not disclose the identity of the controller or if the controller is not domiciled in Switzerland.
Requests must be answered within one month of receipt of the request. The format of the response should correspond to the means used to make the request, unless otherwise requested by the data subject. Individuals have the right to receive requests in writing. As a general rule, the access request shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, a reasonable fee may be charged. Fees should take into account the administrative costs of providing information or taking the action requested.
The employer (or other data controller) may refuse to provide information on the basis of:
- professional secrecy and other statutory obligations;
- overriding interests of third parties; or,
- the controller’s own overriding interests (in certain circumstances).
If information is requested on data relating to deceased persons, it must be provided if the applicant proves an interest.
HR Best Practices: Note that data subject rights will likely become more aligned with the General Data Protection Regulation once the Swiss Federal Act on Data Protection is updated.
When processing a request for access from a data subject, make sure not to disclose information connected to other data subjects. Processors and sub-processors should establish official procedures and contacts for employee requests.