The protection of personal data and transparency in the context of digital technologies are of central importance to businesses and internet users. With the increasing reliance on tracking technologies and online profiling, the Federal Data Protection and Information Commissioner (FDPIC) has published its guidelines to clarify legal obligations and best practices for data controllers.
The document, dated January 22, 2025, was published on the FDPIC website.
Please find below a summary of the main requirements for data controllers.
1. Information Obligations
Data controllers must ensure that users are adequately informed about the collection and use of their data through cookies and similar technologies. The FDPIC distinguishes between:
- First-level notices, which must be clear, concise, and provided to the user immediately, typically via the cookie banner.
- Second-level notices, which provide more detailed information on data management and must also be easily accessible, for example, on a dedicated privacy policy page.
A cookie banner is always required when non-essential cookies are used, i.e., those employed for marketing, advanced analytics, or user experience personalization. In such cases, the banner must:
- Clearly indicate the presence and purpose of cookies.
- Allow users to accept or refuse cookies with equal ease.
- Provide a link to the second-level notice for further details (it is recommended to keep the cookie policy separate from the general website privacy policy).
If the website only uses essential cookies for technical operation, a cookie banner is not mandatory, but users must still be informed through a dedicated notice (e.g., a second-level cookie policy).
2. High-Risk Profiling
The FDPIC highlights that certain data processing activities may constitute high-risk profiling, particularly when:
- Data is collected from multiple sources to create a detailed user profile.
- The collected information significantly influences user behavior, such as in automated decision-making.
- Special categories of data are used, such as health information, political preferences, or sexual orientation.
In such cases, the data controller must:
- Conduct a Data Protection Impact Assessment (DPIA) before implementing profiling.
- Ensure that users are explicitly and thoroughly informed about the use of their data.
- Obtain explicit consent before starting data processing.
If processing poses a high risk to individuals’ rights and freedoms, consultation with the FDPIC may be required before proceeding. Alternatively, companies that have a Data Protection Officer (DPO) may seek the DPO’s advice instead.
3. Consent and Right to Object
For non-essential cookies, informed and specific consent from users is required. Additionally, users must have an easily exercisable right to object.
- Users must be able to refuse or withdraw consent as easily as they provided it.
- Consent banners must be clear, without pre-selected options that could lead to involuntary acceptance.
The FDPIC highlights the benefits of using Cookie Management Platforms (CMPs) to ensure compliance with data protection regulations. CMPs should:
- Allow users to view and modify their preferences at any time.
- Ensure that consent is properly recorded and demonstrable in case of audits.
- Provide granular consent options, enabling users to select which cookie categories to accept or reject.
Furthermore, the FDPIC emphasizes that CMPs must be designed transparently and accessibly, avoiding deceptive techniques (dark patterns) that trick users into giving consent unintentionally. To maximize compliance, it is recommended to use certified CMPs that adhere to the latest European and Swiss regulations. However, the use of CMPs remains optional, as the FDPIC does not impose it on data controllers.
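The consent behaviour described in this section (no pre-selected categories, refusal and withdrawal as easy as acceptance, granular choices, a demonstrable record) can be captured in a small piece of consent-gating logic. The following is an added illustration, not code from the FDPIC guidelines or from any CMP vendor; the category names, the policy-version string and the rule that a changed notice version invalidates earlier consent are assumptions made for the example.

```javascript
// Added example: minimal consent record and gate modelled on the requirements above.
// The category list and POLICY_VERSION are assumptions for illustration.
const POLICY_VERSION = "cookie-policy-2025-01"; // assumed version of the second-level notice
const CATEGORIES = ["essential", "analytics", "marketing", "personalization"];

// Fresh state: nothing non-essential is pre-selected, so merely loading
// the page never counts as consent.
function newConsentState() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = c === "essential";
  return { choices, decided: false, timestamp: null, version: POLICY_VERSION };
}

// Record a decision. A missing key means "refused", so a partial map is a
// granular choice and an empty map is a full refusal.
function record(state, choices, now = Date.now()) {
  const next = { ...state.choices };
  for (const c of CATEGORIES) {
    if (c === "essential") continue;      // always on, never put to the user
    next[c] = Boolean(choices[c]);
  }
  return { choices: next, decided: true, timestamp: now, version: POLICY_VERSION };
}

// Accept-all and reject-all are the same one-step call: refusing is exactly
// as easy as accepting, and withdrawal is the same single action again.
const acceptAll = (s, now) => record(s, Object.fromEntries(CATEGORIES.map(c => [c, true])), now);
const rejectAll = (s, now) => record(s, {}, now);
const withdrawAll = rejectAll;

// Gate: non-essential storage or scripts run only after a recorded decision
// that was given under the notice version currently in force (assumption:
// a new notice version means consent must be asked again).
function mayUse(state, category) {
  if (category === "essential") return true;
  return state.decided && state.version === POLICY_VERSION && state.choices[category] === true;
}

// Demonstrable record for an audit: what was chosen, when, and under which notice.
function auditRecord(state) {
  return { decided: state.decided, timestamp: state.timestamp,
           version: state.version, choices: { ...state.choices } };
}
```

Call `mayUse(state, "marketing")` before setting any marketing cookie or loading a tracking script; the returned state objects are what the site would persist and present on request.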
4. Verification of Legal Basis
The use of cookies must rest on a valid legal basis as required by law. Specifically:
- Explicit consent: required when cookies collect personal data that is not strictly necessary for service provision, such as third-party cookies used for advertising profiling.
- Overriding legitimate interest of the data controller: applicable when cookies are essential for proper website functionality or improving the user experience (e.g., cookies that store products in an e-commerce shopping cart).
5. Data Minimization and Proportionality
In accordance with the principles of privacy by design and privacy by default, the data collected must be proportionate to the declared purpose. Specifically:
- Essential cookies must be strictly limited to ensuring the proper operation of the website.
- Data should be retained only for the necessary duration.
- A data minimization policy should be implemented, avoiding the indiscriminate collection of information.
Conclusion
These comprehensive guidelines (22 pages) focus primarily on the use of cookies and similar technologies, providing clear directives on respecting user rights. The FDPIC emphasizes the importance of transparency, reminding us that:
“Die Bearbeitung von Personendaten muss transparent, verhältnismäßig und rechtmäßig erfolgen” (“The processing of personal data must be transparent, proportionate, and lawful”).
The summarized requirements confirm the FDPIC’s interpretative approach to applying the Swiss Data Protection Act (FADP) to real-world digital challenges.
For further guidance on implementing these measures in your company, our team of consultants is available to support you.