On March 4, 2025, the criminal authorities in Zurich imposed a fine of CHF 600 on an in-house counsel of TX Group for violating the right of access to personal data.
The decision, initiated and made public by attorney Martin Steiger, highlights how the initial response—indicating only two sets of data—led to the sanction.
A later reference to grounds for exclusion was not sufficient, as the first communication was deemed decisive.
The authority applied Art. 60, para. 1, let. a of the Federal Act on Data Protection (FADP), without investigating the intent or decision-making authority of the lawyer.
The indication in the response to the data subject that the data controller “could not be found” was considered sufficient to constitute the offense. According to the judge, it was enough that there was a mere risk that the recipient might form a misleading impression of completeness, without requiring a specific intent to deceive.
Thus, similarly to what is established for unfair competition, it is sufficient that the communication may create a misunderstanding for the data subject, even in the absence of fraudulent intent.
The measure targets the individual, not the company, although the latter could also be held liable. Since the fine was below the threshold of CHF 5,000, no entry was made in the criminal record.
Are your procedures for handling access requests fully compliant with the provisions of the FADP (Articles 8 and 9)?
