We've seen how powerful OSINT is. Under what conditions is it actually legal under Swiss data protection law?
OSINT is legal under the revDSG when there's a valid justification ground, processing principles are followed, and specially protected data receives extra care.
Valid justification grounds:
- Consent from the data subject, freely given and informed.
- Overriding private or public interest, such as due diligence or security investigations.
- Explicit legal basis in law, such as regulatory obligations.
Processing principles that must always be met:
- Lawful collection through legitimate means.
- Good faith and transparency in how data is handled.
- Proportional to the purpose, not collecting more than necessary.
- Purpose-bound, used only for the stated goal, not repurposed later.
Specially protected data requires heightened standards: Health information, political opinions, religious beliefs, biometric data, and similar sensitive categories demand careful assessment, explicit consent where possible, and enhanced security measures for storage and processing.
Practical example: using LinkedIn to verify a candidate's professional background during a due diligence process is generally acceptable. It serves a legitimate purpose, the scope is proportionate, and the information reviewed is what the candidate themselves chose to publish. This kind of targeted, purpose-driven OSINT passes the legal test.