Do individuals have the right to access their personal information?
Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Under Swiss law, any person may request all available information on whether data concerning them is being processed. Employers and other data controllers must notify the data subject about:
- all available data concerning the individual in the data file, including the source of the data;
- the purpose and legal basis of processing, if applicable;
- the categories of the personal data processed;
- the other parties involved with the file; and,
- the recipients of the data.
Third-party processors are only under an obligation to provide information if they do not disclose the identity of the controller or if the controller is not domiciled in Switzerland.
Requests must be answered within 30 days after receipt of the request. Responses are generally provided in writing and free of charge.
The employer (or other data controller) may refuse the provision of information when:
- there is a legal provision that allows for the refusal; or,
- required to protect the overriding interests of third-parties.
HR Best Practices: Data subject rights will be more aligned with the General Data Protection Regulation once the Swiss Federal Act on Data Protection goes into effect.
When processing a request for access from a data subject, make sure not to disclose information connected to other data subjects. Processors and sub-processors should establish official procedures and contacts for employee requests.