Skip to content Skip to footer



Loading Results

Sensitive personal data

What should you consider?

Philipp Rosenauer
Head Data Privacy | ICT | Implementationᐩ, PwC Switzerland

Claudia Jung
Data Privacy | ICT | Implementationᐩ, PwC Switzerland

The term “sensitive personal data” has been an important topic during the pandemic, be it in relation to the COVID-App or to measures at the workplace. How is sensitive data different from non-sensitive personal data and what needs to be considered in their processing?

What type of personal data qualifies as sensitive data?

  • Ethnicity, origin, and race
  • Political opinions
  • Health data
  • Biometric data
  • Genetic data
  • Religion and philosophical beliefs
  • Sexual orientation

How is sensitive personal data handled under Swiss Data Protection?

With the revised Federal Act on Data Protection (revFADP), biometric and genetic data have been added. The Swiss revFADP follows a different concept than the European General Data Protection Regulation (GDPR). In principle, no legal ground is required, but you need to provide a “justification” to lawfully process sensitive personal data. Unlike its European counterpart, “sensitive personal data” under the revFADP also includes data on administrative or criminal proceedings and sanctions, data on social security measures and data on the intimate sphere. Switzerland follows a “risk-based approach”. This means that the higher the risks for the data subjects, the stricter the general data processing principles must be. Hence, the processing of sensitive personal data must meet higher standards.

What should you consider when processing sensitive data?

If there are reasons that sensitive data is stored and processed, it must be ensured that no unauthorised person can access the data. Employees who work with sensitive data are also obliged to maintain confidentiality. The data must be protected in such a way that access is only granted to those employees who must work with it. This applies to both electronic and physical data. On the one hand, if the data is in electronic form, security can be ensured by encrypting the data. On the other hand, paper documents must be kept safe and out of reach of unauthorised persons.

In short, what should I avoid?

You should avoid collecting sensitive personal data to the best possible extent. Unless not needed for the relationship with your client or for work purposes regarding your employee, you should not process personal sensitive data. However, if you need to do so, you should strengthen your data protection principles and implement appropriate technical and organisational measures. 

Do you have any questions?


Contact us

Dr. Günther Dobrauz

Dr. Günther Dobrauz

Partner and Leader Legal, PwC Switzerland

Tel: +41 58 792 14 97

Philipp Rosenauer

Philipp Rosenauer

Partner Legal, PwC Switzerland

Tel: +41 58 792 18 56

Claudia Liliane Jung

Claudia Liliane Jung

Senior Manager | Data Privacy | ICT | Implementationᐩ, PwC Switzerland

Tel: +41 58 792 4728

Adrien Tharin

Adrien Tharin

Director | Co-Head of FinTech, Blockchain and Digital Assets, PwC Switzerland

Tel: +41 58 792 92 24

Lorena Rota

Lorena Rota

Data Privacy | ICT | Implementationᐩ, PwC Switzerland

Tel: +41 58 792 2750

Anna Maria Tonikidou

Anna Maria Tonikidou

Senior Associate | Data Privacy | ICT | Implementationᐩ, PwC Switzerland

Tel: +41 58 792 46 89