– September 13, 2021

Data protection in the workplace: What must the employer observe?

On 25 September 2020, the Swiss National Council and Council of States approved the final text of the new Data Protection Act (DPA). With the total revision, the DPA will be adapted to the rapidly changing technological and social conditions. This will strengthen the self-determination of individuals with regard to their personal data.

The most important changes in the law

According to the new text of the law, the FADP only applies to natural persons. Legal persons must be guided accordingly by company law provisions. Genetic and biometric data, such as fingerprints and retina scans, are protected as “data requiring special protection”. The territorial scope of the FADP is also extended according to the so-called impact principle. Accordingly, the decisive factor is not where the data processing takes place, but whether its effects ultimately fall within Switzerland. Accordingly, companies with a foreign branch can also be held liable for data protection violations under the DPA in Switzerland. Foreign companies without a registered office in Switzerland may also be required to appoint a Swiss representative if they process the data of individuals in Switzerland.

Data processing at the workplace: What does the employer have to consider?

The area of tension arises where the employer may have a business interest in accessing or even processing employees’ data. Such behaviour can infringe on the privacy of employees and is not always permissible from the perspective of data protection law. The principles of Art. 4 DPA must always be observed: data processing must always be purpose-binding, transparent and proportionate. 

1. May my employer monitor me at the workplace? 
The use of surveillance measures interferes with the privacy of the person concerned and may infringe on his or her right of personality (as defined in Art. 28 of the Civil Code). Surveillance measures can also affect the health of the employee (Art. 26 ArGV), especially from a psychological point of view, and violate the employer’s right to provide for the future (Art. 328b OR).
The use of general surveillance measures (e.g. video surveillance at the workplace, monitoring of internet use, monitoring of a company car by means of GPS tracking, etc.) is disproportionate and therefore also generally inadmissible. Even if the surveillance is for a specific purpose, i.e. if a violation of law or a breach of contract is actually discovered or proven, the evidence obtained may be unusable in later proceedings due to the illegal collection of evidence. 
Exceptionally, general surveillance may be justified if it is necessary for security reasons. In such cases, the employer must at least inform the employee in advance. 

2. May my employer read my e-mails?
The inspection and use of e-mails and messages constitute data processing within the meaning of Art. 3 lit. e FADP and are therefore subject to the data protection principles of Art. 4 FADP. 
First and foremost, business emails must be distinguished from personal emails. While access to personal e-mails of employees is generally prohibited, business e-mails can be checked in compliance with the principle of proportionality. A comprehensive check of business e-mails is only permissible if there is a concrete suspicion of misconduct.

3. May my employer listen to or record my telephone conversations?
Telephone conversations may be recorded for the purpose of performance monitoring or for security reasons. However, the persons concerned must give their consent to this. Here, too, it is essential to distinguish between business and personal telephone conversations, for example, by having the external connections switched through central connections.  


Do you have any questions about data protection? Please feel free to contact us. Our lawyers will be happy to answer your questions.