An e-commerce website must process the data collected about its customers transparently and securely.
Federal Data Protection Law
An e-commerce website is subject to the Federal Data Protection Law (FADP) as soon as it processes personal data about its customers (name, address, payment information); the law is not limited to data classed as "sensitive".
The Law provides in particular for the following:
- Personal data must be processed only for the purpose indicated at the time of collection.
- Personal data may be disclosed abroad only where the law permits it, for example where the destination country ensures an adequate level of protection or appropriate safeguards are in place.
- Personal data must be protected by appropriate technical and organizational measures against unauthorized processing.
Data protection recommendations
As far as data protection is concerned, traders are strongly recommended to adopt the following practices:
- Provide a data protection declaration on the e-commerce website (see below).
- Implement user authentication (e.g. SuisseID) and encrypt data in transit: serve the whole site over a secure connection (HTTPS), not only the login and checkout pages.
- Only ask customers for essential information. Irrelevant questions generate mistrust.
- Clearly indicate the personal data used and the purpose.
- Give the user the right to limit the use made of their data and with whom it is shared (consumer profile, advertising).
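As an added illustration of the "secure connection (https)" item above, here is a minimal Go server pattern for enforcing HTTPS. This is example code written for this page, not code from the original text or from any Swiss authority; the certificate and key file names (`cert.pem`, `key.pem`), the host name and the session-id value are placeholders. It redirects every plain-HTTP request to the same URL over HTTPS, sends an HSTS header so browsers refuse to downgrade on later visits, and marks the session cookie Secure and HttpOnly so it is never sent in clear text or exposed to page scripts.

```go
package main

import (
	"log"
	"net/http"
)

// redirectToHTTPS answers any plain-HTTP request with a permanent redirect to
// the same path and query over HTTPS, so credentials and order data are never
// submitted in clear text even when a customer omits the scheme.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	target := "https://" + r.Host + r.URL.RequestURI()
	http.Redirect(w, r, target, http.StatusMovedPermanently)
}

// secureHeaders wraps a handler and adds an HSTS header (one year, including
// subdomains) so returning browsers go straight to HTTPS.
func secureHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

// sessionCookie builds a session cookie that is only sent over TLS (Secure),
// is not readable from JavaScript (HttpOnly) and is not attached to
// cross-site requests (SameSite=Lax).
func sessionCookie(value string) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    value,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	}
}

// shopHandler is the HTTPS-only application: every response carries HSTS and
// the session cookie is issued with the attributes above.
func shopHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		// "example-session-id" is a constructed placeholder, not a real session.
		http.SetCookie(w, sessionCookie("example-session-id"))
		w.Write([]byte("shop"))
	})
	return secureHeaders(mux)
}

func main() {
	// Plain HTTP exists only to redirect; the shop itself listens on TLS.
	// cert.pem / key.pem are placeholder file names for the site's certificate.
	go func() {
		log.Fatal(http.ListenAndServe(":80", http.HandlerFunc(redirectToHTTPS)))
	}()
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem", shopHandler()))
}
```

The same effect can be obtained in front of the application with a reverse proxy or CDN, but the redirect, HSTS and cookie attributes still need to be checked end to end, since a single page served over HTTP is enough to expose the session cookie.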
The Federal Data Protection and Information Commissioner (FDPIC) is responsible for providing guidance on the Data Protection Law and publishes recommendations in this area.
Data protection declaration on an e-commerce site
On an e-commerce website, a data protection declaration (privacy notice) tells users which of their data is collected, how it is processed and which measures protect their privacy. To win customer confidence, traders are recommended to publish such a document and to link to it from an easily accessible part of the website.
The data protection declaration must contain the following points as a minimum:
- To which legal provisions is the service-provider’s practice subject in terms of data processing?
- Which personal data is collected and for what purpose?
- Which personal data is communicated to third parties and for what purpose?
- What choices is the user offered in terms of the processing of their data?
- What rights (particularly right of access and right of correction) do users have?
- Which department is responsible for answering questions about data processing?
- Which security measures are applied to protect personal data?