Article 3.a defines personal data as all information relating to an identified or identifiable person;
Special Category of personal data
According to Article 3, sub-point c) sensitive personal data include data relating to:
- religious, ideological, political or trade union-related views or activities;
- health, the intimate sphere or the racial origin;
- social security measures;
- administrative or criminal proceedings and sanctions.
In the case of processing of sensitive personal data, consent must be given expressly.
The controller of the data file is obliged to inform the data subject of the collection of sensitive personal data or personality profiles; this duty to provide information also applies where the data is collected from third parties.
The data subject must be notified as a minimum of the following:
- the controller of the data file;
- the purpose of the processing;
- the categories of data recipients if a disclosure of data is planned.
If the data is not collected from the data subject, the data subject must be informed at the latest when the data is stored or if the data is not stored, on its first disclosure to a third party.
The duty of the controller of the data file to provide information ceases to apply if the data subject has already been informed or, in the case the data is not collected from the data subject, if:
- the storage or the disclosure of the data is expressly provided for by law; or
- the provision of information is not possible or possible only with disproportionate inconvenience or expense.
If the consent of the data subject is required for the processing of personal data, such consent is valid only if given voluntarily on the provision of adequate information.
The GDPR definition of ‘consent’, written in Art. 4 (11), is: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
There are no particular provisions on the processing of personal data about children. The Swiss Civil Code grants children capable of judgement (which is usually considered to be the case when they turn 13) more rights to decide their own data protection rights than under the GDPR.