What is Personal Data?
Definition
The definition of personal data can be found in both the Swiss Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR). The GDPR defines personal data as:
"Any information relating to an identified or identifiable natural person (hereinafter ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more specific characteristics that express the physical, physiological, genetic, psychological, economic, cultural, or social identity of that natural person."
According to case law from the European Court of Justice (ECJ), personal data also includes IP addresses if there is a legal possibility of identification. This means that if a website operator can request the disclosure and identification of a subscriber based on the IP address from an Internet service provider through a legal process, the criterion for personal data is met. The relevant judgment in Patrick Breyer vs. Federal Republic of Germany can be found here.
In Switzerland, dynamic IP addresses are also considered personal data if there is a legal possibility of identification, as established in a Swiss Federal Supreme Court ruling in cases where Logistep AG was identified.
Personal Data under the FADP
According to the GDPR, the term “personal data” includes any information relating to an identified or identifiable natural person. An identifiable person is someone who can be identified directly or indirectly by reference to an identifier such as a name, an identification number, location data, or online identifiers.
The Swiss Data Protection Act (FADP) defines "personal data" similarly. It includes all information relating to a specific or identifiable person. This covers not only direct identifiers such as names or identification numbers but also information that can be used to determine or identify an individual, such as location data or other specific characteristics.
One key difference, however, is that Swiss data protection law includes specific provisions and exceptions that may differ from the GDPR. These differences involve aspects such as the processing of personal data for specific purposes and the transfer of personal data abroad.