The duty to provide information pursuant to Art. 19 ff. FADP is an important part of the principle of transparency pursuant to Art. 6 para. 3 FADP. The data subject must know which data relating to them is collected and processed and for what purpose. It goes without saying that this must be done before the data is collected.
The provider or responsible party will generally fulfil their duty to provide information by a privacy policy. The law does not contain any formal requirements in this regard. There is also no specific requirement as to where the relevant information must be published. It must simply be accessible to the data subject before the data is collected. Publication on a website is now considered best practice. Like general terms and conditions (GTC), privacy policies must also be clear and comprehensible. The corresponding rule of ambiguity and unusualness should also apply to the interpretation of privacy policies, based in this context on the principle of transparency. While the EU General Data Protection Regulation (GDPR) comprehensively regulates the content of privacy policies (s. below), Art. 19 FAPD prescribes only a limited amount of information. The identity and contact details (electronic and physical) of the controller, the purpose of the processing and the categories of recipients (not necessarily the individual recipients) to whom personal data may be disclosed must be communicated. If the data is not obtained from the data subject, the controllers must communicate the categories of personal data processed at the time of disclosure, but no later than one month after receiving the data. If the relevant legal requirements are met, the controllers must also provide information about any data protection advisor in accordance with Art. 10 FADP or a Swiss representative in accordance with Art. 14 FADP. If disclosure abroad is planned (in particular storage on foreign servers or in foreign clouds), the relevant countries or groups of countries (e.g. EU; individual countries must at least be identifiable) must be named, including the corresponding data protection guarantees in accordance with Art. 16 para. 2 FADP or exceptions in accordance with Art. 17 FADP. More information must only be provided if this minimum information is not sufficient for the data subject to assert their rights under the FADP or if transparent data processing is not yet guaranteed (Art. 19 para. 2 FADP).