Insights | 30 September 2025
Data protection – right of access and legal consequences in case of non-compliance: administrative, civil or criminal action?
The Swiss Data Protection and Transparency Commissioner (“the Commissioner”) found that a Swiss bank had breached the Federal Act on Data Protection (“FADP”) by (i) delaying its response to requests for access to personal data originating from certain customers and (ii) providing the latter with a generic list of the processed data rather than communicating their personal data “as such”.
In its decision of 29 January 2025 (published 1 July 2025), the Commissioner ordered the bank to provide the applicants with the data in question and requested that it cover the administrative procedure costs (CHF 5,800). It also reminded the bank that anyone failing to comply with a Commissioner’s decision risks a fine of up to CHF 250,000.
The current edition of the FADP entered into force on 1 September 2023, and this decision highlights key components concerning the right of access:
- The data controller (here, the bank) must provide any natural person who requests it with information about the personal data it processes within 30 days (Art. 25 FADP and 18, para. 1 Data Protection Ordinance (“DPO”)).
- This period may be extended (Art. 18, para. 2 DPO); however, the extension must be justified and communicated to the applicant within the initial 30-day period. The FADP does not set a maximum period for such an extension – unlike the General Data Protection Regulation (GDPR) which allows a maximum extension of two months for complex requests.
- The information to be provided includes, in particular, the data “as such” processed by the controller. A generic response, consisting only of a theoretical list of processed data, is not acceptable as it does not allow the applicant to exercise other rights, such as the right to rectify erroneous or obsolete data. An example of a generic response would include the following: “We process all categories of data relating to an identified or identifiable natural person. This includes personal information (name, first name, date of birth, address, contact details (telephone, email, etc.)), particularly sensitive data (e.g. sexual orientation inferred from marital status), all kinds of financial data (salary certificates, tax assessments, etc.), credit information (ZEK/IKO, Kremo, etc.) as well as data resulting from profiling, for example, when visiting our websites to improve customer satisfaction or for marketing purposes.”[1]
There are three avenues available to anyone who believes their right of access has not been respected:
- The administrative route. This is the subject of the decision in question and allows anyone who believes their rights have been violated to submit a complaint to the Commissioner. In practice, the Commissioner only takes up cases that meet certain criteria (Art. 49, para. 2 FADP a contrario). The law allows the Commissioner to refrain from opening an investigation where the personal data concerned are not sensitive and the risk of recurrence is low.[2] The Commissioner may also refrain from investigating if he considers that providing advice to the data controller is sufficient to remedy a situation that is not problematic in itself.[3] At the end of his investigation, the Commissioner may, as in this case, order the controller to provide the applicant with the information to which they are entitled (Art. 51, para. 3 FADP); however, the Commissioner does not have the power to order compliance with the aforementioned 30-day period or to impose fines. That said, failure to comply with a decision issued by the Commissioner may result in a fine of CHF 250,000 (Art. 63 FADP). Decisions of the Commissioner may be appealed to the Federal Administrative Court (Art. 52 para. 1 FADP cum Art. 2 para. 4 and 47 para. 1 let. b of the Federal Act on Administrative Procedure (“APA”)), within 30 days (Art. 52 para. 1 FADP cum Art. 50 para. 1 APA).
- The civil route. This allows any person whose access (partial or total) to their personal data is refused to bring an action to enforce the right of access.[4] It also allows the applicant to bring an action for protection of personality under Arts. 28 et seq. CC, to which Art. 32 para. 2 FADP refers, and to claim, in this context, damages resulting from an infringement.
- The criminal route. This penalises the intentional provision of inaccurate or incomplete information (Art. 60 FADP). Declaring that no data have been processed when this is not the case is also covered by this provision.[5] Note, however, that inaction, outright refusal,[6] and delay in providing information[7] are not criminally sanctioned under Swiss law.
References
[1] Decision, para. 10 (unofficial English translation from German original).
[2] Swiss Federal Council Message on the FADP, FF 2017 6706; CR LPD-Raedler, art. 49 N 51 and 52.
[3] Swiss Federal Council Message on the FADP, FF 2017 6706; CR LPD-Raedler, art. 49 N 51 and 52.
[4] PC FADP-Béguin, Art. 25 N 71.
[5] Swiss Federal Council Message on the FADP, FF 2017 6716; Statthalteramt Bezirk Zürich, Decision ST.2024.1046 of 4 March 2025, available online via https://datenrecht.ch/wp-content/uploads/20250304-statthalteramt-bezirk-zuerich-strafbefehl-dsg.pdf; Tistounet/Fischer, Répondre à moitié, risquer le tout : responsabilité pénale et droit d’accès selon la LPD, 15 July 2025, available online via https://swissprivacy.law/366/.
[6] Swiss Federal Council Message on the FADP, FF 2017 6716; Husi-Stämpfli/Morand/Sury/Di Tria/Dias Matos, Protection des données, Genève – Zürich – Bâle 2024, p. 259; Simmler, in: Bieri/Powell (eds.), DSG Kommentar, Kommentar zum Schweizerischen Datenschutzgesetz mit weiteren Erlassen, Zürich 2023, Art. 60 Verletzung von Informations-, Auskunfts- und Mitwirkungspflichten N 10.
[7] Simmler, in: Bieri/Powell (eds.), DSG Kommentar, Kommentar zum Schweizerischen Datenschutzgesetz mit weiteren Erlassen, Zürich 2023, Art. 60 Verletzung von Informations-, Auskunfts- und Mitwirkungspflichten N 10.