Newsletter: Criminal Liability for False or Incomplete Responses to Data Access Requests – How to Address the Risk

Background

The revised Swiss Federal Act on Data Protection (FADP) came into force on September 1, 2023. One of its key objectives is to strengthen the rights of individuals whose personal data is being processed. A cornerstone of this framework is the right to information under Article 25 FADP, which is designed to promote transparency and enable individuals to assert additional legal claims if appropriate. However, this right is not without limitations — it may be restricted, for example, to protect overriding third-party interests, or it may be inapplicable where a request is obviously unjustified (Art. 26 FADP et seq.).

Importantly, under the revised FADP, willfully providing false or incomplete information in response to such requests constitutes a criminal offense and may attract a fine of up to CHF 250,000 (Art. 60 para. 1 lit. a FADP). Notably, liability does not attach to the organization itself, but to the individual — such as an HR professional or legal counsel — who processes the request. This provision, which has no equivalent in EU law in this form, was controversial. Much like compliance officers in the area of anti-money laundering, data protection officers have expressed understandable concern over the potential for personal criminal sanctions.

Two recent cases — discussed on the blog datenrecht.ch by David Vasella (posts of June 12 and 13, 2025) — highlight the emerging issues in this area.

Trigger for the Current Discussion

In the first case, a large media company received an information request. The in-house counsel initially replied that the personal data of the data subject who requested access had been located in two datasets, but not in the systems of another of the company's media outlets. The data subject objected, and the response was subsequently revised to indicate that additional data existed but was protected under a special privilege available to media companies (Art. 27 FADP).

On March 4, 2025, following a complaint by the data subject, the local Zurich authority (Statthalteramt Bezirk Zürich) imposed a fine of CHF 600 on the in-house counsel, along with CHF 430 in procedural costs. The in-house counsel was found to have willfully given initially incorrect information and to have created an impression of completeness, which he later had to correct. It appears that an appeal against the penalty order has been filed, and the decision has not yet entered into legal force.

In the second case, the Solothurn public prosecutor decided in April 2025 not to initiate criminal proceedings after a company failed to respond to a data access request within the 30-day period set by Art. 25 para. 7 FADP.

How to Minimize Criminal Liability Risks

In larger organizations, responses to data access requests typically involve multiple departments. For example, HR or legal staff may need to rely on input from various internal sources. The data subject who requests access may have interacted with several business units, and company restructurings often result in personal data being spread across different systems.

This complexity increases the risk of incorrect or incomplete responses. However, criminal liability only arises in cases of intentional misconduct, including conditional intent (Art. 60 para. 1 lit. a FADP). Conditional intent exists where the responsible individual realizes the information may be incorrect but refrains from further verification. If reasonable efforts are made and there are no indications of inaccuracy, the offense is not fulfilled.

In the Zurich case, the person targeted by the criminal complaint was found to have knowingly given the impression that the initial response was complete, although this statement later had to be corrected. It remains to be seen whether this very strict standard will stand up to review on appeal.

To mitigate the risk of criminal liability, the following measures are advisable:

1. Avoid Unconditional Assertions of Completeness:

The Federal Data Protection and Information Commissioner (FDPIC) provides individuals looking to receive information on the processing of their personal data with a model letter. This model letter contains a request for confirmation that the information provided is complete and correct. While this desire for transparency is understandable, the FADP does not mandate such assurances. To avoid the risk of criminal liability, it is instead advisable to explicitly point out that no guarantee can be given for the completeness and accuracy of the information provided. Internal templates should reflect this caveat and be customized as necessary.

2. Limit Information Where Justified:

A full or partial refusal to disclose information due to legal confidentiality or protection of sources within the meaning of Art. 26 FADP et seq. is not punishable. However, unjustified refusals may prompt an intervention by the Federal Data Protection and Information Commissioner (Art. 51 para. 3 lit. g FADP) or, if they prevent the data subject from exercising his or her civil remedies, possibly even damages claims. Any refusal, restriction, or delay should be briefly explained to provide context and ensure transparency.

3. Internal Awareness and Training:

Handling data access requests requires clear internal processes and training. Organizations should define the relevant responsibilities, educate staff on the scope and limits of the right to information, and support employees to allow them to correctly identify and compile relevant data.

The Employer's Duty of Care

In accordance with the duty of care arising under labor law (Art. 328 CO), employers must in principle support employees who face criminal proceedings as a result of their professional duties.

1. Reimbursement of Expenses:

While the fine itself cannot be paid or insured by the company, employees are entitled to the reimbursement of costs and expenses, for example legal fees, provided that they acted appropriately and within the scope of their duties (Art. 327a para. 1 CO).

2. Administrative Support:

Employers should offer reasonable assistance to employees facing criminal proceedings. This may in particular include organizing legal representation and supplying internal documentation relevant for the employee's defense.

3. Insurance Coverage:

Criminal fines are not insurable and are typically not covered by D&O insurance. Apart from this, D&O insurance generally only applies to executives. As FADP fines for willfully providing false or incomplete information typically target operational staff rather than executives, D&O coverage for legal fees will only be available if specific coverage extensions were agreed. Given the limited scope and manageable risk of such fines, extending D&O coverage to the various employees potentially involved in the handling of data access requests will rarely be justified. By contrast, extending insurance coverage to senior management with broader data protection responsibilities may well be appropriate, for example to grant them protection in the event of a cyberattack.

Conclusion

While the broader implications of these recent cases may be limited, they underscore the growing importance of data protection enforcement in Switzerland. The introduction of criminal liability for certain violations of the FADP means that organizations have to clearly define internal processes for the handling of data access requests and adequately train and support the employees involved with these tasks.