235.1

English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force.

Federal Act on Data Protection

(FADP)

of 19 June 1992 (Status as of 1 March 2019)

The Federal Assembly of the Swiss Confederation,

based on Articles 95, 122 and 173 paragraph 2 of the Federal Constitution1,2 and having regard to the Federal Council Dispatch dated 23 March 19883,

decrees:

  Section 1 Aim, Scope and Definitions

  Art. 1 Aim

This Act aims to protect the privacy and the fundamental rights of persons when their data is processed.

  Art. 2 Scope

1 This Act applies to the processing of data pertaining to natural persons and legal persons by:

a.

private persons;

b.

federal bodies.

2 It does not apply to:

a.

personal data that is processed by a natural person exclusively for personal use and which is not disclosed to outsiders;

b.

deliberations of the Federal Assembly and in parliamentary committees;

c.

pending civil proceedings, criminal proceedings, international mutual assistance proceedings and proceedings under constitutional or under administrative law, with the exception of administrative proceedings of first instance;

d.

public registers based on private law;

e.

personal data processed by the International Committee of the Red Cross.

  Art. 3 Definitions

The following definitions apply:

a.

personal data (data): all information relating to an identified or identifiable person;

b.

data subjects: natural or legal persons whose data is processed;

c.

sensitive personal data: data on:

1.

religious, ideological, political or trade union-related views or activities,

2.

health, the intimate sphere or the racial origin,

3.

social security measures,

4.

administrative or criminal proceedings and sanctions;

d.

personality profile: a collection of data that permits an assessment of essential characteristics of the personality of a natural person;

e.

processing: any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving or destruction of data;

f.

disclosure: making personal data accessible, for example by permitting access, transmission or publication;

g.

data file: any set of personal data that is structured in such a way that the data is accessible by data subject;

h.

federal bodies: federal authorities and services as well as persons who are entrusted with federal public tasks;

i.1

controller of the data file: private persons or federal bodies that decide on the purpose and content of a data file;

j.2

formal enactment:

1.

federal acts,

2.

decrees of international organisations that are binding on Switzerland and international treaties containing legal rules that are approved by the Federal Assembly;

k.3

1 Amended by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).
2 Amended by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).
3 Repealed by No I of the FA of 24 March 2006, with effect from 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).

  Section 2 General Data Protection Provisions

  Art. 4 Principles

1 Personal data may only be processed lawfully.1

2 Its processing must be carried out in good faith and must be proportionate.

3 Personal data may only be processed for the purpose indicated at the time of collection, that is evident from the circumstances, or that is provided for by law.

4 The collection of personal data and in particular the purpose of its processing must be evident to the data subject.2

5 If the consent of the data subject is required for the processing of personal data, such consent is valid only if given voluntarily on the provision of adequate information. Additionally, consent must be given expressly in the case of processing of sensitive personal data or personality profiles.3

1 Amended by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).
2 Inserted by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).
3 Inserted by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).

  Art. 5 Correctness of the data

1 Anyone who processes personal data must make certain that it is correct. He must take all reasonable measures to ensure that data that is incorrect or incomplete in view of the purpose of its collection is either corrected or destroyed.1

2 Any data subject may request that incorrect data be corrected.

1 Second sentence inserted by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).

  Art. 61Cross-border disclosure

1 Personal data may not be disclosed abroad if the privacy of the data subjects would be seriously endangered thereby, in particular due to the absence of legislation that guarantees adequate protection.

2 In the absence of legislation that guarantees adequate protection, personal data may be disclosed abroad only if:

a.

sufficient safeguards, in particular contractual clauses, ensure an adequate level of protection abroad;

b.

the data subject has consented in the specific case;

c.

the processing is directly connected with the conclusion or the performance of a contract and the personal data is that of a contractual party;

d.

disclosure is essential in the specific case in order either to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal claims before the courts;

e.

disclosure is required in the specific case in order to protect the life or the physical integrity of the data subject;

f.

the data subject has made the data generally accessible and has not expressly prohibited its processing;

g.

disclosure is made within the same legal person or company or between legal persons or companies that are under the same management, provided those involved are subject to data protection rules that ensure an adequate level of protection.

3 The Federal Data Protection and Information Commissioner (the Commissioner, Art. 26) must be informed of the safeguards under paragraph 2 letter a and the data protection rules under paragraph 2 letter g. The Federal Council regulates the details of this duty to provide information.

1 Amended by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).

  Art. 7 Data security

1 Personal data must be protected against unauthorised processing through adequate technical and organisational measures.

2 The Federal Council issues detailed provisions on the minimum standards for data security.

  Art. 7a1

1 Inserted by No I of the FA of 24 March 2006 (AS 2007 4983; BBl 2003 2101). Repealed by No 3 of the FA of 19 March 2010 on the Implementation of Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, with effect from 1 Dec. 2010 (AS 2010 3387 3418; BBl 2009 6749).

  Art. 8 Right to information

1 Any person may request information from the controller of a data file as to whether data concerning them is being processed.

2 The controller of a data file must notify the data subject:1

a.2

of all available data concerning the subject in the data file, including the available information on the source of the data;

b.

the purpose of and if applicable the legal basis for the processing as well as the categories of the personal data processed, the other parties involved with the file and the data recipient.

3 The controller of a data file may arrange for data on the health of the data subject to be communicated by a doctor designated by the subject.

4 If the controller of a data file has personal data processed by a third party, the controller remains under an obligation to provide information. The third party is under an obligation to provide information if he does not disclose the identity of the controller or if the controller is not domiciled in Switzerland.

5 The information must normally be provided in writing, in the form of a printout or a photocopy, and is free of charge. The Federal Council regulates exceptions.

6 No one may waive the right to information in advance.

1 Amended by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).
2 Amended by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).

  Art. 91Limitation of the duty to provide information

1 The controller of a data file may refuse, restrict or defer the provision of information where:

a.

a formal enactment so provides;

b.

this is required to protect the overriding interests of third parties.

2 A federal body may further refuse, restrict or defer the provision of information where:

a.

this is required to protect overriding public interests, and in particular the internal or external security of the Confederation;

b.

the information would jeopardise the outcome of a criminal investigation or any other investigation proceedings.

3 As soon as the reason for refusing, restricting or deferring the provision of information ceases to apply, the federal body must provide the information unless this is impossible or only possible with disproportionate inconvenience or expense.

4 The private controller of a data file may further refuse, restrict or defer the provision of information where his own overriding interests so require and he does not disclose the personal data to third parties.

5 The controller of a data file must indicate the reason why he has refused, restricted or deferred access to information.

1 Amended by No 3 of the FA of 19 March 2010 on the Implementation of Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, in force since 1 Dec. 2010 (AS 2010 3387 3418; BBl 2009 6749).

  Art. 10 Limitations of the right to information for journalists

1 The controller of a data file that is used exclusively for publication in the edited section of a periodically published medium may refuse to provide information, limit the information or defer its provision provided:

a.

the personal data reveals the sources of the information;

b.

access to the drafts of publications would have to be given;

c.

the freedom of the public to form its opinion would be prejudiced.

2 Journalists may also refuse restrict or defer information if the data file is being used exclusively as a personal work aid.

  Art. 10a1Data processing by third parties

1 The processing of personal data may be assigned to third parties by agreement or by law if:

a.

the data is processed only in the manner permitted for the instructing party itself; and

b.

it is not prohibited by a statutory or contractual duty of confidentiality.

2 The instructing party must in particular ensure that the third party guarantees data security.

3 Third parties may claim the same justification as the instructing party.

1 Inserted by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).

  Art. 111Certification procedure

1 In order to improve data protection and data security, the manufacturers of data processing systems or programs as well as private persons or federal bodies that process personal data may submit their systems, procedures and organisation for evaluation by recognised independent certification organisations.

2 The Federal Council shall issue regulations on the recognition of certification procedures and the introduction of a data protection quality label. In doing so, it shall take account of international law and the internationally recognised technical standards.

1 Amended by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).

  Art. 11a1Register of data files

1 The Commissioner maintains a register of data files that is accessible online. Anyone may consult the register.

2 Federal bodies must declare all their data files to the Commissioner in order to have them registered.

3 Private persons must declare their data files if:

a.

they regularly process sensitive personal data or personality profiles; or

b.

they regularly disclose personal data to third parties.

4 The data files must be declared before they are opened.

5 In derogation from the provisions in paragraphs 2 and 3, the controller of data files is not required to declare his files if:

a.

private persons are processing the data in terms of a statutory obligation;

b.

the Federal Council has exempted the processing from the registration requirement because it does not prejudice the rights of the data subjects;

c.

he uses the data exclusively for publication in the edited section of a periodically published medium and does not pass on any data to third parties without informing the data subjects;

d.

the data is processed by journalists who use the data file exclusively as a personal work aid;

e.

he has designated a data protection officer who independently monitors internal compliance with data protection regulations and maintains a list of the data files;

f.

he has acquired a data protection quality mark under a certification procedure in accordance with Article 11 and has notified the Commissioner of the result of the evaluation.

6 The Federal Council regulates the modalities for the declaration of data files for registration, the maintenance and the publication of the register, the appointment and duties of the data protection officer under paragraph 5 letter e and the publication of a list of controllers of data files that are relieved of the reporting obligation under paragraph 5 letters e and f.

1 Inserted by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).

  Section 3 Processing of Personal Data by Private Persons

  Art. 12 Breaches of privacy

1 Anyone who processes personal data must not unlawfully breach the privacy of the data subjects in doing so.

2 In particular, he must not:

a.

process personal data in contravention of the principles of Articles 4, 5 paragraph 1 and 7 paragraph 1;

b.

process data pertaining to a person against that person’s express wish without justification;

c.

disclose sensitive personal data or personality profiles to third parties without justification.1

3 Normally there is no breach of privacy if the data subject has made the data generally accessible and has not expressly prohibited its processing.

1 Amended by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).

  Art. 13 Justification

1 A breach of privacy is unlawful unless it is justified by the consent of the injured party, by an overriding private or public interest or by law.

2 An overriding interest of the person processing the data shall in particular be considered if that person:

a.

processes personal data in direct connection with the conclusion or the performance of a contract and the personal data is that of a contractual party;

b.

is or intends to be in commercial competition with another and for this purpose processes personal data without disclosing the data to third parties;

c.

process data that is neither sensitive personal data nor a personality profile in order to verify the creditworthiness of another, and discloses such data to third parties only if the data is required for the conclusion or the performance of a contract with the data subject;

d.

processes personal data on a professional basis exclusively for publication in the edited section of a periodically published medium;

e.

processes personal data for purposes not relating to a specific person, in particular for the purposes of research, planning and statistics and publishes the results in such a manner that the data subjects may not be identified;

f.

collects data on a person of public interest, provided the data relates to the public activities of that person.

  Art. 141Duty to provide information on the collection of sensitive personal data and personality profiles

1 The controller of the data file is obliged to inform the data subject of the collection of sensitive personal data or personality profiles; this duty to provide information also applies where the data is collected from third parties.

2 The data subject must be notified as a minimum of the following:

a.

the controller of the data file;

b.

the purpose of the processing;

c.

the categories of data recipients if a disclosure of data is planned.

3 If the data is not collected from the data subject, the data subject must be informed at the latest when the data is stored or if the data is not stored, on its first disclosure to a third party.

4 The duty of the controller of the data file to provide information ceases to apply if the data subject has already been informed or, in cases under paragraph 3, if:

a.

the storage or the disclosure of the data is expressly provided for by law; or

b.

the provision of information is not possible or possible only with disproportionate inconvenience or expense.

5 The controller of the data file may refuse, restrict or defer the provision of information subject to the requirements of Article 9 paragraphs 1 and 4.

1 Amended by No 3 of the FA of 19 March 2010 on the Implementation of Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, in force since 1 Dec. 2010 (AS 2010 3387 3418; BBl 2009 6749).

  Art. 151Legal claims

1 Actions relating to protection of privacy are governed by Articles 28, 28a and 28l of the Civil Code2. The plaintiff may in particular request that data processing be stopped, that no data be disclosed to third parties, or that the personal data be corrected or destroyed.

2 Where it is impossible to demonstrate that personal data is accurate or inaccurate, the plaintiff may request that a note to this effect be added to the data.

3 The plaintiff may request that notification of third parties or the publication of the correction, destruction, blocking, and in particular the prohibition of disclosure to third parties, the marking of the data as disputed or the court judgment.

4 Actions on the enforcement of a right to information shall be decided by the courts in a simplified procedure under the Civil Procedure Code of 19 December 20083.

1 Amended by Annex 1 No II 14 of the Civil Procedure Code of 19 Dec. 2008, in force since 1 Jan. 2011 (AS 2010 1739; BBl 2006 7221).
2 SR 210
3 SR 272

  Section 4 Processing of Personal Data by Federal Bodies

  Art. 16 Responsible body and controls1

1 The federal body that processes or arranges for the processing of personal data in fulfilment of its tasks is responsible for data protection.

2 If federal bodies process personal data together with other federal bodies, with cantonal bodies or with private persons, the Federal Council may specifically regulate the control of and responsibility for data protection.2

1 Amended by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).
2 Amended by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).

  Art. 17 Legal basis

1 Federal bodies may process personal data if there is a statutory basis for doing so.

2 They may process sensitive personal data and personality profiles only if a formal enactment expressly provides therefor or if, by way of exception:

a.

such processing is essential for a task clearly defined in a formal enactment;

b.

the Federal Council authorises processing in an individual case because the rights of the data subject are not endangered; or

c.

the data subject has given his consent in an individual case or made his data general accessible and has not expressly prohibited its processing.1

1 Amended by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).

  Art. 17a1Automated data processing in pilot projects

1 The Federal Council may, having consulted the Commissioner and before a formal enactment comes into force, approve the automated processing of sensitive personal data or personality profiles if:

a.

the tasks that require such processing required are regulated in a formal enactment;

b.

adequate measures are taken to prevent breaches of privacy;

c.

a test phase before the formal enactment comes into force is indispensable for the practical implementation of data processing.

2 A test phase may be mandatory for the practical implementation of data processing if:

a.

the fulfilment of a task requires technical innovations, the effects of which must first be evaluated;

b.

the fulfilment of a task requires significant organisational or technical measures, the effectiveness of which must first be tested, in particular in the case of cooperation between federal and the cantonal bodies; or

c.

processing requires that sensitive personal data or personality profiles be transmitted online to cantonal authorities.

3 The Federal Council shall regulate the modalities of automated data processing in an ordinance.

4 The competent federal body shall provide the Federal Council with an evaluation report at the latest within two years of the pilot system coming into operation. The report contains a proposal on whether the processing should be continued or terminated.

5 Automated data processing must be terminated in every case if within five years of the pilot systems coming into operation no formal enactment has come in force that contains the required legal basis.

1 Inserted by No I of the FA of 24 March 2006 (AS 2006 4873; BBl 2003 2101, 2006 3547). Amended by No I of the FA of 24 March 2006, in force since 15 Dec. 2006 (AS 2007 4983; BBl 2003 2101).

  Art. 18 Collection of personal data

1 In the case of systematic surveys, in particular by means of questionnaires, the federal organ shall disclose the purpose of and the legal basis for the processing, and the categories of persons involved with the data file and of the data recipients.

2 …1

1 Repealed by No I of the FA of 24 March 2006, with effect from 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).

  Art. 18a1Duty to provide information on the collection of personal data

1 Federal bodies are obliged to inform the data subject of the collection of personal data; this duty to provide information also applies where the data is collected from third parties.

2 The data subject must be notified as a minimum of the following:

a.

the controller of the data file;

b.

the purpose of processing;

c.

the categories of the data recipients where a disclosure of data is planned;

d.

the right to information in accordance with Article 8;

e.

the consequences of the refusal of the data subject to provide the requested personal data.

3 If the data is not collected from the data subject, the data subject must be informed at the latest when the data is stored or if the data is not stored, on its first disclosure to a third party.

4 The duty of the controller of the data file to provide information ceases to apply if the data subject has already been informed or, in cases under paragraph 3, if:

a.

the storage or the disclosure of the data is expressly provided for by law; or

b.

the provision of information is not possible or possible only with disproportionate inconvenience or expense.

5 If the duty to provide information would compromise the competitiveness of a federal body, the Federal Council may limit the application of the duty to the collection of sensitive personal data and personality profiles.

1 Inserted by No 3 of the FA of 19 March 2010 on the Implementation of Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, in force since 1 Dec. 2010 (AS 2010 3387 3418; BBl 2009 6749).

  Art. 18b1Restriction of the duty to provide information

1 Federal bodies may refuse, restrict or defer the provision of information subject to the requirements of Article 9 paragraphs 1 and 2.

2 As soon as the reason for refusal, restriction or deferral ceases to apply, the federal bodies are bound by the duty to provide information unless compliance is not possible or possible only with disproportionate inconvenience or expense.

1 Inserted by No 3 of the FA of 19 March 2010 on the Implementation of Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, in force since 1 Dec. 2010 (AS 2010 3387; BBl 2009 6749).

  Art. 19 Disclosure of personal data

1 Federal bodies may disclose personal data if there is legal basis for doing so in accordance with Article 17 or if:1

a.

the data is indispensable to the recipient in the individual case for the fulfilment of his statutory task;

b.2

the data subject has consented in the individual case;

c.3

the data subject has made the data generally accessible and has not expressly prohibited disclosure; or

d.

the recipient demonstrates credibly that the data subject is withholding consent or blocking disclosure in order to prevent the enforcement of legal claims or the safeguarding of other legitimate interests; the data subject must if possible be given the opportunity to comment beforehand.

1bis Federal bodies may also disclose personal data within the terms of the official information disclosed to the general public, either ex officio or based on the Freedom of Information Act of 17 December 20044 if:

a.

the personal data concerned is connected with the fulfilment of public duties; and

b.

there is an overriding public interest in its disclosure.5

2 Federal bodies may on request also disclose the name, first name, address and date of birth of a person if the requirements of paragraph1 are not fulfilled.

3 Federal bodies may make personal data accessible online if this is expressly provided for. Sensitive personal data and personality profiles may be made accessible online only if this is expressly provided for in a formal enactment.6

3bis Federal bodies may make personal data generally accessible by means of automated information and communication services if a legal basis is provided for the publication of such data or if they make information accessible to the general public on the basis of paragraph1bis. If there is no longer a public interest in the accessibility of such data, the data concerned must be removed from the automated information and communication service.7

4 The federal body shall refuse or restrict disclosure, or make it subject to conditions if:

a.

essential public interests or clearly legitimate interests of a data subject so require or

b.

statutory duties of confidentiality or special data protection regulations so require.

1 Amended by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).
2 Amended by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).
3 Amended by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).
4 SR 152.3
5 Inserted by Annex No 4 of the Freedom of Information Act of 17 Dec. 2004, in force since 1 July 2006 (AS 2006 2319; BBl 2003 1963).
6 Second sentence according to No I of the FA of 24 March 2006, with effect from 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).
7 Inserted by Annex No 4 of the Freedom of Information Act of 17 Dec. 2004, in force since 1 July 2006 (AS 2006 2319; BBl 2003 1963).

  Art. 20 Blocking disclosure

1 A data subject that credibly demonstrates a legitimate interest may request the federal body concerned to block the disclosure of certain personal data.

2 The federal body shall refuse to block disclosure or lift the block if:

a.

there is a legal duty of disclosure; or

b.

the fulfilment of its task would otherwise be prejudiced.

3 Any blocking of disclosure is subject to Article 19 paragraph 1bis.1

1 Inserted by Annex No 4 of the Freedom of Information Act of 17 Dec. 2004, in force since 1 July 2006 (AS 2006 2319; BBl 2003 1963).

  Art. 211Offering documents to the Federal Archives

1 In accordance with the Archiving Act of 26 June 19982, federal bodies shall offer the Federal Archives all personal data that is no longer in constant use.

2 The federal bodies shall destroy personal data designated by the Federal Archives as not being of archival value unless it:

a.

is rendered anonymous;

b.3

must be preserved on evidentiary or security grounds or in order to safeguard the legitimate interests of the data subject.

1 Amended by No I of the FA of 24 March 2006, in force since 1 Jan. 2008 (AS 2007 4983; BBl 2003 2101).
2 SR 152.1
3 Amended by No 3 of the FA of 19 March 2010 on the Implementation of Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, in force since 1 Dec. 2010 (AS 2010 3387 3418; BBl 2009 6749).

  Art. 22 Processing for research, planning and statistics

1 Federal bodies may process personal data for purposes not related to specific persons, and in particular for research, planning and statistics, if:

a.

the data is rendered anonymous, as soon as the purpose of the processing permits;

b.

the recipient only discloses the data with the consent of the federal body and

c.

the results are published in such a manner that the data subjects may not be identified.

2 The requirements of the following provisions need not be fulfilled:

a.

Article 4 paragraph 3 on the purpose of processing

b.

Article17 paragraph 2 on the legal basis for the processing of sensitive personal data and personality profiles;

c.

Article 19 paragraph 1 on the disclosure of personal data.

  Art. 23 Private law activities of federal bodies

1 If a federal body acts under private law, the provisions for the processing of personal data by private persons apply.

2 Supervision is governed by the provisions on federal bodies.

  Art. 241

1 Repealed by Art. 31 of the FA of 21 March 1997 on Measures to Safeguard Internal Security, with effect from 1 July 1998 (AS 1998 1546; BBl 1994 II 1127).

  Art. 25 Claims and procedure

1 Anyone with a legitimate interest may request the federal body concerned to:

a.

refrain from processing personal data unlawfully;

b.

eliminate the consequences of unlawful processing;

c.

ascertain whether processing is unlawful.

2 If it is not possible to prove the accuracy or the inaccuracy of personal data, the federal body must mark the data correspondingly.

3 The applicant may in particular request that the federal body:

a.

corrects or destroys the personal data or blocks its disclosure to third parties;

b.

communicates its decision to third parties, in particular on the correction, destruction, blocking of the data or marking of the data as disputed, or publishes the decision.

4 The procedure is governed by the Federal Act of 20 December 19681 on Administrative Procedure (Administrative Procedure Act). The exceptions contained in Articles 2 and 3 of the Administrative Procedure Act do not apply.

5 …2

1 SR 172.021
2 Repealed by Annex No 26 of the Administrative Court Act of 17 June 2005, with effect from 1 Jan. 2007 (AS 2006 2197; BBl 2001 4202).

  Art. 25bis1Procedure in the event of the disclosure of official documents containing personal data

For as long as proceedings relating to access to official documents within the meaning of the Freedom of Information Act of 17 December 20042 that contain personal data are ongoing, the data subject may within the terms of such proceedings claim the rights accorded to him on the basis of Article 25 of this Act in relation to those documents that are the subject matter of the access proceedings.

1 Inserted by Annex No 4 of the Freedom of Information Act of 17 Dec. 2004, in force since 1 July 2006 (AS 2006 2319; BBl 2003 1963).
2 SR 152.3