The employment relationship generates a substantial volume of personal data: personnel files, payroll records, health information, performance evaluations, IT usage logs. Since the revised Federal Act on Data Protection (nFADP) entered into force on 1 September 2023, Swiss employers face heightened requirements when processing this information. Yet many SMEs remain unaware of the full extent of their obligations.
This article walks through the key points every HR department needs to understand.
Legal Framework: Art. 328b CO and the nFADP
Swiss employment law addresses employee data protection through two complementary instruments. Article 328b of the Code of Obligations (CO) establishes the foundational principle: an employer may only process data relating to an employee insofar as such data concerns the employee's suitability for the job or is necessary for the performance of the employment contract.
The nFADP reinforces this framework by introducing:
- The principle of data minimisation: collect only what is strictly necessary for the stated purpose
- The concept of sensitive personal data (health status, religious beliefs, political opinions, biometric data) subject to stricter rules
- An obligation to maintain a record of processing activities for organisations above a certain threshold
- Strengthened rights for data subjects (access, rectification, portability, objection)
Both instruments apply simultaneously. Any data processing must comply with both the CO requirements and the nFADP.
Common HR Data: What You Can and Cannot Collect
Personnel Files
A personnel file typically contains: CV, certificates, employment contract, amendments, performance reviews, disciplinary records, and significant correspondence. These data are legitimate provided they are directly linked to the employment relationship.
The following must not be kept in the personnel file:
- Information about political or trade union activities
- Private information unrelated to the role
- Informal notes that were never communicated to the employee
Every employee has the right to inspect their personnel file at any time (Art. 25 et seq. nFADP).
Salary and Financial Data
Remuneration data, bonuses, social security deductions, and banking details are necessary for contract performance. Their processing is justified by that contractual necessity. However, access must be strictly limited to authorised individuals (HR management, executive leadership, accounting).
Health Data
Health data constitutes a sensitive category under the nFADP. It may only be processed under specific conditions:
- Explicit consent from the employee (subject to the limitations described below)
- Necessity for contract performance (e.g. workplace adaptations for medical reasons)
- Legal obligation (e.g. notification to accident insurance)
An employer may request a medical certificate to justify an absence, but may not as a rule require disclosure of the diagnosis. Processing must be limited to the information strictly necessary for managing the absence.
Performance Data
Annual appraisals, objectives, feedback, and development plans are legitimate. They must, however, be communicated to the employee and kept in the official personnel file, not in informal personal notes that would fall outside the scope of the right of access.
Recruitment: What Data You May Collect
The recruitment phase is particularly sensitive. Art. 328b CO applies from the very first contact: only information necessary to assess a candidate's suitability for the role may be collected.
Permitted
- CV, cover letter, diplomas, professional references
- Aptitude tests directly related to the position
- Criminal record check for sensitive roles (asset management, work with minors), provided a legal basis or explicit consent exists
Problematic
- Questions about marital status, family situation, or number of children
- Questions about religious or political beliefs
- Questions about health status (except where medical requirements are intrinsic to the role)
- Questions about whether a candidate is pregnant or plans to become pregnant
Social Media and Background Checks
Viewing a candidate's public LinkedIn profile is generally accepted, as the candidate has made that space publicly accessible in a professional context. However, searching private social media profiles (Facebook, Instagram) or using data aggregation services to build a comprehensive profile goes well beyond the scope of Art. 328b CO.
Data of unsuccessful candidates must be destroyed within a reasonable period after the end of the selection process, unless the candidate has consented to retention for future opportunities.
Monitoring During Employment
Email and Internet Monitoring
An employer may monitor the professional use of IT systems, but only under strict conditions. Monitoring must:
- Be disclosed to employees in advance (IT policy, acceptable use policy)
- Serve a legitimate purpose (IT security, protection of confidential data)
- Be proportionate: systematic monitoring of all emails is disproportionate
Accessing the content of employees' personal emails, even from a corporate address, is in principle prohibited, except in serious cases and through a regulated procedure.
GPS and Location Tracking
GPS tracking of company vehicles may be lawful for operational or safety reasons. It must however:
- Be documented in internal policy
- Not be used to track every private journey
- Respect the principle of proportionality
Video Surveillance
Video surveillance in the workplace is subject to very strict conditions. It is only permissible for security reasons or protection against theft, not for monitoring employee performance. Rest areas, sanitary facilities, and changing rooms are entirely excluded. Employees must be informed, and the retention period for recordings must be limited (generally 72 hours unless an incident has occurred).
Working Time Records
Working time recording is a legal obligation for many employers (ArGV 1 / OLT 1). The resulting data must be retained for five years. Its use must remain limited to its original purpose and must not be used for behavioural profiling.
Health Data: Specific Rules
Health data warrants particular attention. The nFADP classifies it as sensitive personal data, which means:
- Processing only where an explicit legal basis exists
- Enhanced security measures (restricted access, encryption)
- Physical or logical separation from the rest of the personnel file
In practice:
- The occupational physician processes medical data under professional secrecy and shares with the employer only the necessary information (fitness or unfitness for work, restrictions)
- The employer must not retain diagnoses in the HR file
- Sickness absences may be recorded for administrative purposes (duration, frequency) but not the underlying medical causes
Remote Work and Data Protection
Widespread remote working creates new challenges. HR data processed at home must be protected to the same standard as in the office:
- Secure connections (VPN) for accessing HR systems
- No printing of documents containing personal data on unsecured personal printers
- Clean desk policy adapted to the home environment
- Encryption of work devices
If remote work monitoring tools are used (screenshots, keystroke activity measurement), the same monitoring rules apply as described above: prior disclosure, proportionality, legitimate purpose.
The Limited Value of Consent in Employment Law
In data protection law, consent is a valid legal basis. In the employment context, however, it loses much of its value.
The power imbalance between employer and employee makes consent structurally problematic: an employee may reasonably fear consequences if they withhold it. Data protection authorities therefore consider that consent cannot validly legitimise processing that is not independent of the employment relationship.
In practice: do not rely on consent as the basis for HR processing when another legal basis is available (contractual necessity, legal obligation, legitimate interest). Reserve consent for situations where it is genuinely free, informed, and revocable without consequence (e.g. voluntary participation in a wellness programme).
Internal HR Privacy Policy
The nFADP requires data subjects to be informed about how their data is processed. For employees, this translates into an HR privacy notice (or processing notice) that must cover:
- Categories of data processed
- Purpose of each processing activity
- Legal bases
- Recipients of the data (payroll providers, insurers, authorities)
- Retention periods
- Employee rights and how to exercise them
- Any international transfers
This document must be provided to every new employee at onboarding and made available to all existing employees.
Data Retention After Termination
The end of an employment contract does not mean the immediate deletion of all data. Statutory retention periods apply:
| Data Type | Retention Period |
|---|---|
| Accounting documents (payslips, expense claims) | 10 years (CO Art. 958f) |
| AVS notifications, social insurance declarations | 10 years |
| Employment contracts | 10 years after contract end |
| Working time data | 5 years (ArGV 1 / OLT 1 Art. 46) |
| Performance appraisals | 5 to 10 years depending on context |
| Application documents (hired candidates) | Duration of contract + 10 years |
| Application documents (rejected candidates) | 6 months maximum, unless consent given |
| Health data processed for insurance purposes | Per insurer requirements |
Beyond these periods, data must be erased or anonymised.
Cross-Border HR Data Transfers
Many Swiss companies use HR tools hosted outside Switzerland (applicant tracking systems, HRIS, cloud payroll platforms). The nFADP governs these transfers:
- Transfers to countries recognised as adequate by the FDPIC: permitted without additional formalities (EU/EEA and a small number of other countries)
- Transfers to other countries: require appropriate safeguards (standard contractual clauses, binding corporate rules)
Since 15 September 2024, Switzerland recognises an adequate level of protection for US recipients certified under the Swiss-U.S. Data Privacy Framework (DPF). If your HRIS is hosted with a US provider, verify whether it is Swiss-U.S. DPF certified. If it is not, appropriate safeguards such as standard contractual clauses or equivalent contractual protections remain required.
Practical HR Checklist
| Action | Priority |
|---|---|
| Draft and distribute the HR privacy notice | High |
| Inventory all HR tools and their sub-processors | High |
| Review contracts with service providers (payroll, HRIS, insurers) | High |
| Document retention periods and schedule deletions | High |
| Train HR staff on data protection obligations | High |
| Review recruitment forms (remove unnecessary questions) | Medium |
| Document IT monitoring rules and communicate them | Medium |
| Review third-country transfer arrangements | Medium |
| Establish a procedure for responding to employee access requests | Medium |
| Secure access to personnel files (paper and digital) | High |
| Schedule an annual review of the HR privacy policy | Low |
In Summary
Employee data protection is not a topic reserved for large corporations. Every SME with staff processes sensitive personal data and must do so in compliance with the nFADP and Art. 328b CO. The stakes are real: criminal sanctions and supervisory measures (e.g. FDPIC orders), reputational damage, employment disputes.
The key lies in one straightforward principle: collect only what is necessary, protect what is collected, delete what is no longer needed.
Want to check your website's data protection compliance beyond HR obligations? Analyse your cookies and trackers for free with PrivaScan: results in seconds, no installation required.