Video surveillance is becoming crucial for businesses: whether to protect employees, prevent criminal activity, or secure assets. However, it often creates tension between legitimate security interests and the protection of individuals’ privacy rights. Switzerland has strict legal requirements that companies must comply with. This guide provides a practical overview: what is allowed, what is required, and what companies should avoid.
Legal Framework: Which Laws Apply?
In Switzerland, the following laws are particularly relevant:
- The revised Federal Data Protection Act (revFADP, in effect since 2023)
- Ordinance 3 to the Labour Law (ArGV 3, Art. 26)
- The Swiss Code of Obligations (personality rights, Art. 328 CO)
- The Criminal Code (e.g. Art. 179 ff.)
In practice, the guidelines from the Swiss Federal Data Protection and Information Commissioner (FDPIC) are especially important.
For more details, read our article: “Video Surveillance in Switzerland: Legal Foundations and Current Laws”.
Data Protection Obligations for Companies Using Video Surveillance
Key responsibilities include:
- Duty to inform:
Employees, customers, suppliers, etc. must be clearly informed (e.g. via signage), including contact details, purpose, and any data transfers. - Purpose limitation:
Recordings may only be used for clearly defined security purposes, not for general monitoring. - Proportionality:
Surveillance is only permissible if no milder alternative is available. - Transparency & signage:
Surveillance areas must be clearly marked. A simple camera symbol is not enough. - Data security:
Only authorized personnel may access footage. Storage must be secure, and unnecessary data must be deleted. - Documentation and Data Protection Impact Assessment (DPIA):
Required especially where there is a high risk (e.g., large-scale surveillance or sensitive areas).
Where Can Surveillance Data Be Stored? Switzerland, Abroad, and Cloud Solutions
Storing video surveillance data is allowed on servers in Switzerland and under certain conditions also abroad (e.g. in the cloud with providers like Google or AWS). Key conditions according to Art. 16 ff. revFADP:
- Data security:
Data must be encrypted, protected against unauthorized access, and only accessible to authorized personnel. - Adequate data protection level:
Data may be transferred to countries that the FDPIC recognizes as having an equivalent level of protection (e.g. EU countries). For others (e.g. the USA), additional safeguards, such as standard contractual clauses, are required. - Cloud services:
Providers like Google Cloud, AWS, etc. may be used if they operate servers in Switzerland/the EU or meet all legal data protection requirements via contracts and safeguards. - Transparency & documentation:
Use of cloud providers, storage locations, and protection mechanisms must be documented and disclosed in the company’s privacy policy. - Responsibility:
The company remains legally responsible for protecting the data, regardless of storage location.
The safest option is storing data in Switzerland to avoid additional contractual or verification steps. Companies using cloud or foreign storage must conduct careful due diligence.
What Needs to Be Documented in Practice?
- Camera locations, technical specifications, and access permissions
- Retention periods (typically 24–72 hours depending on purpose), storage locations, access logs
- Responsibilities: who is internally or externally accountable?
- A data protection concept, especially for multiple locations or complex systems
Common Mistakes and How to Avoid Them
- Lack of or insufficient information for data subjects
- Hidden cameras in sensitive areas (changing rooms, restrooms) – strictly prohibited
- No deletion plan for outdated footage
- Misuse for purposes like employee performance monitoring
- No legal basis for private surveillance of public areas
You can find practical details on what’s allowed at the workplace in our article “Workplace Video Surveillance in Switzerland: What’s Allowed and What’s Not”.
What Applies to Outdoor and Public Areas?
- Outdoor cameras must not record public spaces (e.g., streets or neighboring properties).
- Blanket surveillance of large public areas is not permitted.
- Cameras must have privacy filters or technical limitations to restrict the field of view.
- On customer parking lots, surveillance is allowed if a legitimate security interest exists, and individuals are informed.
Conclusion: Data Protection Is not a Barrier, but Part of the Solution
Careful planning, thorough documentation, and transparent communication create trust among employees and customers. Data protection and security do not contradict each other: those who use video surveillance thoughtfully and legally protect both people and assets.
Sheriff Security supports companies with the compliant implementation and ongoing operation of video surveillance systems.
FAQs
How long can I store video recordings?
Typically no longer than 24 to 72 hours: only longer in justified cases and always as short as necessary.
Is a sign saying “video surveillance” enough?
No. You must include contact details, purpose, and make additional information easily accessible (e.g. via QR code).
Do employees need to be explicitly informed?
Yes, they must be directly and fully informed: a sign at the entrance is not sufficient.
What happens in case of misuse or data breaches?
Violations can lead to sanctions under the revFADP and potentially civil or criminal consequences.
When is a Data Protection Impact Assessment (DPIA) required?
Whenever there is a high risk to individuals’ rights, such as in large-scale or sensitive area surveillance.
Where can video surveillance data be stored?
Preferably in Switzerland but also in countries with equivalent data protection (e.g. EU, EEA). For others (like the US), additional safeguards are mandatory. Cloud storage is permitted if legal requirements are met.
