Federal Act
on Data Protection
(Data Protection Act, FADP)

¹ The con­trol­ler shall no­ti­fy the FD­PIC of any breach of data se­cur­ity that is likely to lead to a high risk to the data sub­ject's per­son­al­ity or fun­da­ment­al rights as quickly as pos­sible.

² In the no­ti­fic­a­tion, it shall as a min­im­um spe­cify the nature of the breach of data se­cur­ity, its con­sequences and the meas­ures taken or planned.

³ The pro­cessor shall no­ti­fy the con­trol­ler of any breach of data se­cur­ity as quickly as pos­sible.

⁴ The con­trol­ler shall in­form the data sub­ject if this is re­quired for their pro­tec­tion or if the FD­PIC so re­quests.

⁵ It may lim­it, delay or dis­pense with the pro­vi­sion of in­form­a­tion to the data sub­ject if:

a.

there is a reas­on for do­ing so pur­su­ant to Art­icle 26 para­graph 1 let­ter b or para­graph 2 let­ter b or the pro­vi­sion of in­form­a­tion is pro­hib­ited by a stat­utory duty of con­fid­en­ti­al­ity;

b.

the pro­vi­sion of in­form­a­tion is im­possible or re­quires dis­pro­por­tion­ate ef­fort; or

c.

the pro­vi­sion of in­form­a­tion to the data sub­ject is equally guar­an­teed by mak­ing a pub­lic an­nounce­ment.

⁶ A no­ti­fic­a­tion made pur­su­ant to this Art­icle may only be used against the per­son re­quired to no­ti­fy in crim­in­al pro­ceed­ings with that per­son's con­sent.