Published on 27 February 2024
Data protection
The protection of the individual and the basic rights of natural persons about whom armasuisse processes personal data is very important to us. As an employee, contractor, etc., you can be sure that armasuisse is protecting your personal data according to the provisions of the Data Protection Act and likewise demands this from its business partners.
You can request information from armasuisse on whether personal data about you is being processed. This information is free of charge and is usually provided within 30 days.
Enquiries should be directed in writing to the following address:
Swiss Federal Department of Defence,
Civil Protection and Sport DDPS
Federal Office for Defence Procurement armasuisse
Data Protection Officer
Guisanplatz 1
CH-3003 Bern/Switzerland
dsgvo@ar.admin.ch- Federal Act of 25 September 2020 on Data Protection (in german)
- Ordinance of 31 August 2022 on Data Protection (in german)
- Ordinance of 31 August 2022 on Data Protection Certifications (in german)
- Federal Act of 3 October 2008 on Military Information Systems and other Information Systems in the DDPS (in german)
- Ordinance of 3 March 2023 on Military Information Systems (in german)
- Government and Administration Organization Act of 21 March 1997
- Government and Administrative Organization Ordinance of 25 November 1998
- Ordinance on the Processing of Personal Data and Data of Legal Entities when Using the Federal Electronic Infrastructure of February 22, 2022 (in german)
- Information Security Act of December 18, 2020 (in particular Chapter 3, Section 5, Chapter 4, Section 7) (in german)
- Information Security Ordinance of November 8, 2023 (in particular Section 9 and Annex 1) (in german)
- Federal Personnel Act of March 24, 2000 (in german)
- Ordinance on the Protection of Personal Data of Federal Personnel of November 22, 2017 (in german)
- Directives on the organization of data protection in the DDPS dated 18 December 2023 (in german)
FAQ
Personal data can come, for example, from internal or external employees, customers, suppliers, business partners or third parties.
Personal data is all information that is related to a certain or an identifiable natural person. This might be, for example, name, email address, home address, date of birth, OASI number, bank data or IP address.
Sensitive personal data is data on religious, ideological, political or trade union views or activities; data on health, the private sphere or the affiliation to a race or ethnic group; genetic data; biometric data, data on administrative or criminal prosecutions or sanctions; and data on social support.
The processing of personal data describes any handling of personal data, regardless of the means and procedures used, in particular the procurement, storage, retention, use, change, disclosure, archiving, deletion or destruction of data
The responsibility for the legally compliant processing of personal data lies with the responsible federal body (armasuisse) and its employees responsible for data, who decide either alone or together with others on the purpose and means of processing.
Personal data must be processed according to the following principles:
Legality: Federal bodies require a legal basis to process personal data. An exception is possible if the person concerned has consented to the processing in an individual case or has made their personal data generally accessible and has not expressly prohibited processing.
Proportionality: The processing of personal data must be objectively suitable and necessary to fulfil the task (“as much as necessary, as little as possible”). A sensible relationship must exist between the pursued purpose and the processing of data.
Purpose limitation: Personal data may only be procured for a particular purpose identifiable to the person concerned; it may only be processed such that it is consistent with this purpose.
Limited retention periods: Personal data is destroyed or anonymised as soon as it is no longer required for the purpose of processing..
Accuracy of data: Anyone processing personal data must make sure that it is correct. He or she must take all appropriate measures to ensure that the data which is incorrect or incomplete with regard to its purpose of procurement or processing is corrected, deleted or destroyed.
Transparency: The controller informs the person concerned appropriately about the procurement of personal data; this duty to provide information also applies if the data cannot by procured from the person concerned. Anyone can request information from the controller on whether personal data about them is being processed.
Data security: The controller ensures a level of data security appropriate to the risk through suitable technical and organisational measures. They take this into account from planning (“privacy by design”). The controller is obligated, by means of suitable default settings, to ensure that the processing of personal data is restricted to the minimum level required for the intended use, if the person concerned does not decide otherwise («Privacy by Default»).Particular caution is required in the processing of data by third parties, known as processors (such as assessment centres, software manufacturers, cloud services), and the use of online services (such as ChatGPT, DeepL). There is an increased risk here that personal data under armasuisse’s responsibility is illegally disclosed abroad, used for marketing purposes, shared with other people or insufficiently protected.
The processors must contractually guarantee to armasuisse that they will comply with the Data Protection Act and ensure data security. Personal data may only be transmitted to third parties with the prior approval of armasuisse. armasuisse must be informed as soon as possible about violations of data security. Compliance with these requirements can be audited by armasuisse or a company appointed by it. If necessary, additional measures can be taken.
Private persons can be faced with fines of up to CHF 250,000 in the event of intentional violation against the provisions of data protection law.