Under Swiss data protection law, when is processing of personal data permitted, and when do you need a legal justification?
If all data protection principles are followed, processing is generally permitted. If any principle is violated, you need a specific legal justification.
Swiss data protection law (DSG) takes a pragmatic approach:
The default rule: If all processing principles are met, processing personal data is fundamentally allowed. No extra permission needed.
When you need a justification (Rechtfertigungsgrund): A legal justification is required under Art. 31 and 39 DSG when:
- Processing principles are not fully met.
- The affected person objects to the processing.
- Specially protected personal data is disclosed to third parties.
The three types of legal justification:
| Justification | What it means |
|---|---|
| Consent (Einwilligung) | Voluntary, informed, and unambiguous agreement from the affected person. |
| Legal basis (Gesetzliche Grundlage) | A law permits or requires the data processing. |
| Overriding interest (Überwiegendes Interesse) | The interests of the processor or a third party outweigh the protection interest, per Art. 31 DSG. |
How privacy is protected in practice combines two approaches:
- Privacy by policy: Laws and self-regulation set the rules.
- Privacy by architecture: Technology enforces the rules.
Both are needed. Laws without enforcement technology are toothless. Technology without legal backing is optional.