Digital business in Switzerland: overview

A Q&A guide to digital business in Switzerland.

The Q&A gives a high level overview of matters relating to regulations and regulatory bodies for doing business online, setting up an online business, electronic contracts and signatures, data retention requirements, security of online transactions and personal data, licensing of domain names, jurisdiction and governing law, advertising, tax, liability for content online, insurance, and proposals for reform.

To compare answers across multiple jurisdictions, visit the Digital Business Country Q&A tool.

This Q&A is part of the global guide to digital business law. For a full list of jurisdictional Q&As visit www.practicallaw.com/digital-business-guide.

Contents

Regulatory overview

1. What are the relevant regulations for doing business online (for business-to-business and business-to-customer)?

Switzerland has no law tailored for doing business online. Generally, contracts made through online channels are governed by the same provisions as standard "offline" contracts. Some e-commerce specific regulations are found among others in the Unfair Competition Act, the Telecommunications Act, and the Code of Obligations. The distinction between business-to-business and business-to-customer transactions is marginal. There is no separate body of laws or rules for B2B deals, but for B2C contracts some restrictions apply in terms of consumer protection. Where such restrictions apply, they are mentioned in the answers to the respective questions below.

 
2. What legislative bodies are responsible for passing legislation in this area? What regulatory and industry bodies are responsible for passing regulations and codes in this area?

There is no legislative or regulatory body dedicated to passing legislation on doing business online. However, legislative and regulatory bodies in other fields, such as data protection or unfair competition, may regulate e-commerce issues where they concern their respective fields.

 

Setting up a business online

3. What are the common steps a company must take to set up an existing/new business online?

From a legal perspective, there are no e-commerce specific requirements in setting up a business online.

 
4. What are the relevant types of parties that an online business can expect to contract with?

An online business contracts with partners providing hosting, web development and domain name services as well as, depending on the products which are to be sold, shipment providers. For shipments not exceeding the dimensions of a letter of up to 50 grams, the Swiss Post still holds a statutory monopoly. Everything else can be shipped by any suitable shipment provider.

 
5. What are the procedures for developing and distributing an app?

In Switzerland, as in most countries, the development and distribution of apps (applications on mobile devices such as smartphones, smartwatches or tablets) is almost exclusively dictated by the procedures implemented by the market leaders, Apple and Google, with their respective app stores. There are no statutory requirements applying specifically to development and distribution of such apps. However, even for in-app purchases, the regulations on electronic offers (see Question 7) need to be complied with. For such purchases, scholars deem the widely used two-step procedure to meet the regulatory requirements:

  • Step 1: click on product/service with price tag.

  • Step 2: confirm ordering chosen item for stated price.

 

Running a business online

Electronic contracts

6. Is it possible to form a contract electronically? If so, what are the requirements for electronic contract formation? Please comment on the enforceability of click-wrap, browse-wrap and shrink-wrap contracts.

There are no special requirements concerning the formation of contracts online (but see Question 7 for rules on offering products online). Swiss law allows for contracts to be concluded electronically, which requires a manifestation of the parties' mutual assent. The parties' declaration must contain the contract's essential elements. The content of the acceptance must be identical to the offer, which requires that the customer is informed in detail about the offered product and the price. The intention to enter into a contract can be manifested for example by clicking on a "Yes" icon (in so-called "click-wrap" agreements). There is no specific provision of law or judicial practice on whether already the use of a website can be interpreted as consent of the user to certain terms and conditions which are available on that site ("browse-wrap" agreements). Therefore, the validity of such agreements would need to be assessed on an individual basis, taking into consideration the actual implementation on the website in question and the general contract law principles of exchange of mutual assent as described above. Generally, trying to enforce certain rights merely based on providing terms and conditions on a website without implementing further measures to obtain the user's (implicit) consent will prove difficult.

It is not clear whether the presentation of products on a website is considered an offer or an invitation to bid. According to prevailing opinion, such presentations do not constitute an offer but merely represent catalogues of offered products, that is, offers to bid. Therefore, generally it is the customer who makes an offer by sending in a completed order form or by clicking on the corresponding icon ("Buy" or "I agree"). Only under particular circumstances can a website presentation be considered a binding offer (for example, when the presentation is an offer that contains all the essential contract elements (including the price) in such a way that the customer can accept it just by clicking "Yes"). If a seller does not want the website presentation to be considered a binding offer, then this should be explicitly stated on the website.

No right of withdrawal

There is no equivalent to EU customers' mandatory withdrawal rights provided for in Directive 97/7/EC on the protection of consumers in respect of distance contracts (Distance Selling Directive) for online sales in Switzerland, and none is currently planned (see Question 40).

 
7. What laws govern contracting on the internet?

Contracting on the internet is generally governed by the same provisions as forming contracts "offline". However, the Unfair Competition Act sets out certain rules a company or person offering goods or services by means of electronic commerce has to abide by. Under those rules, the company or person offering must:

  • Disclose its identity and contact details in full (including an e mail address), in a clear manner.

  • Outline the technical steps necessary to conclude the contract. In other words, the offeror must explain to his customer the purchase procedure he implemented (for example, step 1: confirmation of shopping basket, step 2: provision of payment details, step 3: review of order and payment details, step 4: purchase, step 5: confirmation of order; in practice this is done in most cases by displaying a flowchart).

  • Provide the opportunity and technical means to identify and correct input errors before the order is placed (see step 3 above as an example).

  • Confirm the order without delay by way of electronic communication (for example, a confirmation e-mail).

These rules apply irrespective of the goods or services purchased and without distinction between business-to-business and business-to-customer transactions. However, breaching these rules does not necessarily lead to a contract being unenforceable or void. Rather, the contracts legal force has to be assessed independently on a case by case basis with particular regard to defects in consent. If such defects are present, the contract can, in certain circumstances, be contested.

Consumer protection

Business-to-customer offers are further regulated. For every product, its actual price (including VAT, if applicable, and any other kind of mandatory surcharges) must be indicated in Swiss francs in a clear and easily readable manner. In some cases, this obligation encompasses not only the actual price for the specific offered item, but also additional information, such as standardised prices (for example, price per litre). The State Secretariat for Economic Affairs has published non-binding guidelines on price indication in various industries, which can be accessed on its website (www.seco.admin.ch/ themen/00645/00654/04362).

 
8. Are there any limitations in relation to electronic contracts?

Contracts requiring a special form

Swiss law generally does not prescribe a special form when entering into contracts. However, exceptions are made for certain subject matters, such as assignment (requiring written form) or real estate deals (requiring a public deed). While the issuance of a public deed is not possible by electronic means, agreements requiring written form can be entered into electronically by using a so called "authenticated electronic signature" (see Questions 12 and 13). In certain regulated industries additional restrictions may apply. For example, medicinal products cannot generally be sold online and shipped to consumers unless those consumers have provided the seller with their prescription beforehand. According to the Supreme Court, this applies even for non-prescription medicinal products, that is, those that can be bought in any pharmacy or drugstore without consulting a physician first (decision 2C_853/2014 and 2C_934/2014 of 29 September 2015).

Age verification

Due to the very nature of the internet, e-businesses often do not know with whom they are dealing, and parties can easily adopt fictitious identities. In this context, it is important to note that children under age 18 do not have legal capacity to act. Therefore, a contract entered into with a child is void unless the parents give their consent. Such contracts cannot be enforced. Payments made or products delivered in connection with a void contract can generally be reclaimed.

 
9. Are there any data retention requirements in relation to personal data collected and processed via electronic contracting?

There are no data retention requirements applying specifically to personal data collected and processed via electronic contracts. In terms of documenting concluded contracts, the general rules on corporate book keeping prescribe a retention period of ten years for books and records relevant to presenting the assets, financing and earning positions. For the requirements regarding storage of personal data in general, see Question 16.

Apart from the data documenting the conclusion of a contract, it is advisable to store data records of the customer's agreement to mass advertisement, since without his consent, such advertisement can be considered unfair competition (see Question 31).

 
10. Are there any trusted site accreditations available?

There are no trusted site accreditations, which are available exclusively in Switzerland. In practice, some online businesses use international accreditations, but most do not have any kind of independent accreditation. The "Swiss Online Garantie" seal, which is sometimes seen, is not an independent accreditation but rather denotes membership in the Association of Swiss Mail Order Businesses, which has set out rules applicable to their members' online sales activities, regarding matters like a right of withdrawal for customers and payment or return policy issues.

 
11. What remedies are available for breach of an electronic contract?

In case of breach of a contract concluded online, the same remedies as in traditional contracting are available (for example, taking civil action for enforcement).

E-signatures

 
12. Does the law recognise e-signatures? To what extent and when are e-signatures used in electronic contracting? Are they required in most transactions, or very few?

Applicable legislation

The Code of Obligations sets out the principles governing e-signatures and refers to the Electronic Signatures Act (ESA) for the technical details, which in turn refers to its respective Ordinance.

Definition of e-signatures

An electronic signature is defined as electronic data which is joined or linked logically to other electronic data and which serves to verify such other data.

Format of e-signatures

The ESA distinguishes three levels of e-signatures:

  • Regular e-signatures.

  • Advanced e-signatures.

  • Authenticated e-signatures. The authenticated e-signature is deemed equivalent to a handwritten signature and can only be obtained from a recognised authority. A list of all such authorities in Switzerland is available on the competent federal authority's website (www.seco.admin.ch/sas/00229/05092/ index.html?lang=en).

For the practical use of e-signatures in Switzerland, see Question 13.

 
13. Are there any limitations on the use of e-signatures?

Legal limitations

Authenticated e-signatures are treated like handwritten signatures. Therefore, e-signatures cannot be used where the law sets out additional formal requirements, for example, in case of a will (which must be handwritten in its entirety) or real estate deals (requiring a public deed).

Additionally, authenticated e-signatures are only available for natural persons, not for legal entities (see Question 40 regarding a pending reform).

Practical limitations

Although e-signatures have been introduced over ten years ago, their use in Switzerland is very limited. Only a small percentage of the population actually got an authenticated electronic signature to date. This may be explained by Swiss law's freedom of form, enabling parties to contract without formal requirements in most cases, as well as the relatively complicated application of authenticated e-signatures and finally by online businesses' strict prepayment policy, shifting the risk to the customer who needs to trust that the other party will indeed fulfil its contractual obligations. Since payment is already received, online businesses generally do not have the need to verify the other customer's identity, apart from cases where they want to ensure that the other party is already of sufficient age to avoid payment reclamations (see Question 8) or similar issues (see Question 30).

 

Implications of running a business online

 

Cyber security/privacy protection/data protection

14. Are there any laws that regulate the collection or use of personal data? To whom do the data protection laws apply?

Laws

The processing of personal data (see Question 15) by private parties is regulated by the Federal Act on Data Protection (DPA) and the Swiss Federal Ordinance on Data Protection (DPO).

In addition, several other federal laws contain provisions on data protection, especially employment laws and laws which apply in regulated industries (such as financial markets and telecommunications), which further address the collection and processing of personal data:

  • The Code of Obligations sets out restrictions on the processing of employee data, and Ordinance 3 to the Swiss Federal Employment Act limits the use of surveillance and control systems by the employer.

  • Statutory secrecy obligations, such as the banking secrecy (set out in the Swiss Federal Banking Act (Banking Act)), securities dealer secrecy (set out in the Swiss Federal Stock Exchange and Securities Dealer Act (Stock Exchange Act)), the financial market infrastructure secrecy (set out in the Swiss Federal Act on Financial Market Infrastructures and Market Conduct in Securities and Derivatives Trading (Financial Market Infrastructure Act)) and telecommunications secrecy (set out in the Telecommunications Act), apply in addition to the DPA.

  • The Banking Act, the Stock Exchange Act and the Swiss Federal Act on Combating Money Laundering and Terrorist Financing in the Financial Sector stipulate specific duties to disclose information.

  • The Swiss Federal Act regarding Research on Humans, the Swiss Federal Act on Human Genetic Testing and the Swiss Federal Ordinance on Health Insurance set out specific requirements for the processing of health-related data.

Application of the DPA

The DPA applies to any processing of personal data (see Question 15) by federal bodies and private persons (that is, natural persons or legal entities) if either:

  • The data subjects concerned are resident in Switzerland.

  • The owner of the data collection has its registered seat or business establishment in Switzerland.

  • The effect of any damaging act occurs in Switzerland. "Processing" is defined in the DPA as any operation with personal data irrespective of the means applied and the procedure. In particular, processing includes the collection, storage, use, revision, disclosure, archiving or destruction of personal data.

  • The DPA is not applicable to:

    • Data not allowing any identification of an individual person or entity, for example, by anonymisation, pseudonymisation or encryption.

    • Personal data that is processed by a natural person exclusively for personal use and is not disclosed to third parties.

    • Deliberations of the Federal Parliament and parliamentary committees.

    • Pending civil proceedings, criminal proceedings, international mutual assistance proceedings and proceedings under constitutional or administrative law, with the exception of administrative proceedings of first instance.

    • Public registers based on private law.

    • Personal data processed by cantonal and communal bodies.

    • Personal data processed by the International Committee of the Red Cross.

 
15. What data is regulated?

Only the processing of personal data is encompassed in the Federal Act on Data Protection's (DPA) scope. Personal data is defined as all information relating to an identified or identifiable person (natural person or legal entity). A person is identifiable if a third party having access to the data on the person is able to identify such person with reasonable efforts.

In addition, the DPA lists "sensitive personal data" and "personality profiles" as special categories of personal data which are subject to stricter processing conditions.

Sensitive personal data is data on:

  • Religious, ideological, political or trade union-related views or activities.

  • Health, the intimate sphere or racial origin.

  • Social security measures.

  • Administrative or criminal proceedings and sanctions.

A personality profile is a collection of personal data that permits an assessment of essential characteristics of the personality of a natural person.

Data of a non-personal nature (that is, anonymised data or business data not relating to persons) is generally not regulated, although there can be additional regulations applying in certain industries (see Question 14).

 
16. Are there any limitations on collecting or using personal data? Are there any specific limitations on storage of personal data in the cloud?

Limitations

Personal data must always be processed (which includes collection and usage) lawfully. The processing is lawful if it is either:

  • Processed in compliance with the general principles set out in the Federal Act on Data Protection (DPA).

  • Non-compliance with the general principles is justified (see below). The general principles apply to personal data and sensitive personal data alike. However, the reasons that serve as justification to process sensitive personal data in violation of these principles are more limited.

The general principles are:

  • The processing must be carried out in good faith and must be proportionate.

  • The collection of personal data and, in particular the purpose of its processing, must be evident to the data subject.

  • Personal data may only be processed for the purpose indicated at the time of collection, which is evident from the circumstances, or which is provided for by law.

  • Anyone who processes personal data must ensure its accuracy.

  • Personal data must be protected against unauthorised processing through adequate technical and organisational measures (see Question 18).

  • Personal data must not be transferred outside Switzerland if the privacy of the data subjects would thereby be seriously endangered, in particular due to the absence of legislation that guarantees adequate protection (see below, Storing personal data in the cloud).

  • Absent sufficient justification, sensitive personal data or personality profiles must not be disclosed to third parties.

  • Absent sufficient justification, personal data must not be processed against the explicit will of the data subject.

Non-compliance with these principles constitutes a violation of the data subject's privacy unless the processing is justified by any of the following:

  • The data subject's consent.

  • The law (for example, a duty to disclose information as required under the Banking Act, the Stock Exchange Act or the Anti-Money Laundering Act).

  • An overriding private or public interest.

Pursuant to the DPA, an overriding interest of the person processing the personal data can, in particular, be considered if that person:

  • Processes personal data directly related to the conclusion or the performance of a contract and the personal data is that of the contractual party.

  • Processes personal data about competitors without disclosing it to third parties.

  • Processes personal data that is neither sensitive personal data nor a personality profile in order to verify the creditworthiness of the data subject provided that such data is only disclosed to third parties if it is required for the conclusion or the performance of a contract with the data subject.

  • Processes personal data on a professional basis exclusively for publication in the edited section of a periodically published medium.

  • Processes personal data for purposes not relating to a specific person, in particular for the purposes of research, planning statistics and so on, provided that the results are published in such a manner that the data subject may not be identified.

  • Collects personal data on a person of public interest, provided the data relates to the public activities of that person.

The disclosure of personal data to third parties is generally lawful under the same conditions. However, there must always be a justification for the disclosure of sensitive personal data to third parties, even if such disclosure is made in compliance with the general principles.

Storing personal data in the cloud

Personal data must be protected by appropriate technical and organisational measures against unauthorised processing regardless of where it is stored. Anyone processing personal data must ensure the protection against unauthorised access availability and the integrity of the data. As long as the cloud (that is, its servers) is located within Switzerland, there are no additional rules specifically applying to cloud storage.

In case the cloud is located outside of Switzerland, the process of storing constitutes an international data transfer. Personal data may only be transferred outside Switzerland if the privacy of the data subject is not seriously endangered, in particular due to the absence of legislation that guarantees adequate protection in the jurisdiction where the receiving party resides. The Federal Data Protection and Information Commissioner (FDPIC) published on its website a list of jurisdictions which provide adequate data protection (www.edoeb.admin.ch/themen/00794/00827/index.html?lang=en). The EEA countries and Andorra, the Faroe Islands, Guernsey, the Isle of Man, Jersey, Monaco, Canada, Argentina, Uruguay, Israel and New Zealand are generally considered to provide an adequate level of data protection as regards personal data of individuals (however, many do not with regard to personal data of legal entities), while the laws of all other jurisdictions do currently not provide adequate data protection.

In the absence of legislation that guarantees adequate protection, personal data may only be transferred outside Switzerland if:

  • Sufficient safeguards, in particular contractual clauses, ensure an adequate level of protection abroad.

  • The data subject has consented in the specific case.

  • The processing is directly connected with the conclusion or the performance of a contract and the personal data is that of a contractual party.

  • Disclosure is essential in the specific case in order either to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal claims before the courts.

  • Disclosure is required in the specific case in order to protect the life or the physical integrity of the data subject.

  • The data subject has made the personal data generally accessible and has not expressly prohibited its processing.

  • Disclosure is made within the same legal person or company or between legal persons or companies that are under the same management, provided those involved are subject to data protection rules (for example, binding corporate rules) that ensure an adequate level of protection.

In cases of safeguards like contractual clauses or binding corporate rules, the FDPIC must be notified of such safeguards. The FDPIC can review the safeguards, during a period of 30 days. The data transferor does not have to wait for the result of the FDPIC's review or obtain approval. Moreover, if personal data is transferred outside Switzerland on the basis of safeguards that have been pre-approved by the FDPIC (for example, the FDPIC's model data transfer agreements), the FDPIC must only be informed about the fact that such safeguards form the basis of the data transfers.

Until fall 2015, the US-Swiss Safe Harbour Framework used to be considered to provide adequate protection for the transfer of personal data from Switzerland to the US. In its decision of 6 October 2015, the CJEU held that the US-EU Safe Harbour Framework does not provide adequate protection for personal data. Even though that decision only concerns the US-EU Safe Harbour Framework and is not directly applicable to Switzerland, the FDPIC soon declared that also the US-Swiss Safe Harbour Framework cannot be considered to provide adequate protection going forward. Until Switzerland reaches a new agreement with the US, other safeguards, such as contractual clauses or binding corporate rules, need to be implemented in order to lawfully transfer personal data from Switzerland to the US. Judging from past experience, any new agreement will likely be based on the US-EU Privacy Shield but would have to take into account particularities of Swiss data protection laws such as the protection of personal data of legal entities. No plan of action or timeline has been communicated by Swiss authorities yet.

 
17. Is the use of cookies allowed? If so, what conditions apply to their use that impact system design?

The use of cookies is generally permissible, provided that the operator of the website (or other online service), which installs the cookies on the user's computer (or other device) informs the user about:

  • The use of cookies.

  • The purpose of the use.

  • The user's right to refuse cookies.

There is no statutory requirement or judicial practice concerning form, but prevailing opinion considers such information to be sufficient if it is placed on a data protection or Q&A sub-page or similar. The cookie banners or pop-ups, which are often seen on websites of other European countries nowadays, seem to be dispensable, although this has not yet been subject to judicial review.

 
18. What measures must be taken by contracting companies or the internet providers to guarantee the security of internet transactions?

There are no regulations on what security measures must be taken specifically in internet transactions (see Question 21 regarding payment regulations). However, in most cases the Federal Act on Data Protection (DPA) will apply due to transmission of information which is linked to the customer (a person or legal entity). Such information, being personal data, must be protected by appropriate technical and organisational measures against unauthorised processing. In particular, the personal data must be protected against the following risks:

  • Unauthorised or accidental destruction.

  • Accidental loss.

  • Technical faults.

  • Forgery, theft or unlawful use.

  • Unauthorised alteration, copying, access or other unauthorised processing.

The technical and organisational measures must be adequate and must be reviewed periodically. In particular, the following criteria must be taken into account:

  • The purpose of the data processing.

  • The nature and extent of the data processing.

  • An assessment of the possible risks to the data subjects.

  • The current state of the art (especially currently available technology).

In relation to automated data processing, the owner of the data collection must take the appropriate technical and organisational measures to achieve, in particular, the following goals:

  • Data access control: unauthorised persons must be denied access to facilities in which personal data is being processed.

  • Personal data carrier control: preventing unauthorised persons from reading, copying, altering or removing data carriers.

  • Transport control.

  • Disclosure control: data recipients to whom personal data is disclosed by means of devices for data transmission must be identifiable.

  • Storage control.

  • Access control: the access by authorised persons must be limited to the personal data that they require to fulfil their task.

  • Input control: in automated systems, it must be possible to carry out a retrospective examination of what personal data was entered at what time and by which person.

 
19. Is the use of encryption required or prohibited in any circumstances?

There are no specific requirements apart from all personal data having to be protected against unauthorised processing through adequate technical measures. This includes encryption, where it is considered to be state-of-the-art, for example, in storing users' passwords.

 
20. Can government bodies access or compel disclosure of personal data in certain circumstances?

Authorities in civil, criminal or public procedures can compel parties to such procedures or even non-involved third parties to disclose personal data. However, only criminal authorities can access such data by themselves, though some statutory limitations apply (for example, attorney-client privilege).

 
21. Are there any regulations in relation to electronic payments?

There are no specific requirements applying to e-payments only. However, since with most payment methods personal data is transmitted, the Federal Act on Data Protection (DPA) and its regulations apply (see Question 18).

Additional rules may apply regarding certain subject matters, for example, if the online business introduces its own e-currency, takes deposits from customers or engages in stock market activities.

For rules on purchasing procedures based on online offering of goods and services, see Question 7.

 
22. If the site is aimed at children, are there any specific rules or guidance that apply?

Children under age 18 do not have legal capacity to act. A contract entered into with a child is void unless the parents give their consent. Such contracts cannot be enforced. Payments made or products delivered in connection with a void contract can generally be reclaimed. Therefore, suitable measures should be implemented to ensure that – if products are sold on such sites – the ordering party is either of age or has obtained the necessary consent. Depending on the subject of the site, additional restrictions need to be taken into account. For example, minors under the age of 16 are protected under the Criminal Code from exposure to pornographic content (see Question 31).

 

Linking

23. Are there any limitations on linking to a third party website and other practices such as framing, caching, spidering and the use of metatags?

Hyperlinking

There are no court decisions to date regarding permissibility of hyperlinking without the target page owner's consent. It is, however, recognised that a simple hyperlink from one website to the homepage of another website does not normally raise concern, even if the content of the latter is copyright protected, as the use of such hyperlink may be equated to the use of footnotes to refer to other sites. Generally speaking, no permission is required to make a hyperlink to the homepage of another site because the website owner is deemed to have given an implied licence to link by posting his material on the internet.

Deep linking

Deep linking is more problematic than hyperlinking because it connects a user directly to secondary material on another website, bypassing that website's homepage which usually identifies the owner of the website. Some authors believe that deep linking might infringe a website owner's moral rights, namely his right to recognition of authorship or his right to the integrity of the work. It is more likely, however, that under certain circumstances deep linking constitutes unfair competition, especially for commercial websites. By avoiding the linked site's homepage, a deep link bypasses the website owner's revenue-producing advertising and corporate information which are usually located on the homepage. Deep links can, therefore, harm the website owner's commercial interests.

Framing/inline linking

Framing, that is using browser software to "frame" content from another online source, is problematic because the user sees the original website content which can be copyright protected, framed by a different website, with a different URL, and possibly with different logos and advertising. Similarly, in-line links create a reference to content from another website such that secondary material appears to be content originating from the first site.

It is recognised that the practices of framing and inline-linking constitute acts of reproduction, because a copy of the material is made in the user's computer memory. It may also give a user the impression that third-party offers presented within the frame come from the linking party whose frame surrounds the offer. The author's right to recognition of authorship, the right to the integrity of the work or the right to determine the manner in which the work is exploited may be infringed. Furthermore, such misleading presentation may constitute unfair competition according to some authors.

Caching/spidering

Caching is exempted from copyright protection, if it is only ephemeral or ancillary and does not have its own economic significance. Spidering, that is using automated algorithms ("spiders" or "bots") to gather information about publicly available websites, is permissible as well, as long as no copies of copyrighted material are made.

Keyword advertising/metatags

The Court of Appeal of the canton of Thurgau ruled that a business buying a competitor's trade mark in Google's AdWords system does not necessarily infringe trademark or unfair competition law (decision of 7 September 2011 in case PO.2010.8). However, the ruling only concerned preliminary measures and the question has not been decided by the Supreme Court. The permissibility of the use of competitors' trademarks as metatags is not clear. Scholars are divided on this question without one opinion prevailing. The Commercial Court of Aargau ruled in 2001 that such use is not generally inadmissible but rather its legitimacy depends on further circumstances in each specific case (decision of 10 April 2001 in case OR.2000.00033).

 

Domain names

24. What regulations are there in relation to licensing of domain names?

Domain names are regulated by the Telecommunications Act and the Ordinance on Internet-Domains (IDO). Subject to regulation are the:

  • ccTLD ".ch".

  • gTLD ".swiss", which is administered by Swiss Federal Authorities and open for public registration since January 2016.

  • Any other gTLD obtained by a Swiss public body (for example, the ".zuerich" domain, assigned to the canton of Zurich).

During a recent reform, the previous Swiss system of a single entity combining the functions of registrar and registry has been abolished. Nowadays, there still is only one registry, the Switch foundation, but the market for registrars is open. While for a ".ch" domain, residency is not a requirement, registration of ".swiss" TLDs (top-level domains) is available exclusively for persons or entities either seated in or having a sufficient connection to Switzerland, and Swiss citizens abroad.

The ".ch" domains are dealt out on a first-come-first-served basis. There is no review for trade mark infringements. The owner of such an infringed trade mark must take civil action to delete or transfer the domain in question.

For ".swiss" domains, other distribution criteria apply, which are set out in detail in the IDO.

 
25. Do domain names confer any additional rights (in relation to trademarks or passing off) beyond the rights that are vested in domain names?

Domain names do not confer additional rights.

 
26. What restrictions apply to the selection of a business name, and what is the procedure for obtaining one?

Under Swiss law, the most commonly used forms for corporate business activity are:

  • Corporations (Aktiengesellschaft) (AG).

  • Limited liability companies (Gesellschaft mit begrenzter Haftung)(GmbH or LLC).

For both, the same rules in selecting a business name apply. The entities can choose their business names freely, provided that the name indicates their legal form and is neither untruthful nor misleading.

 

Jurisdiction and governing law

27. What rules do the courts apply to determine the jurisdiction for internet transactions (or disputes)?

The Swiss Federal Private International Law Act (PILA) governs jurisdiction of Swiss courts in international matters, provided that no treaties are applicable (the most prominent of which is the Lugano Convention on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters 2007 (New Lugano Convention)).

Generally, the courts of the defendant's domicile have jurisdiction under PILA, unless specific provisions provide otherwise. In case of contracts, the Swiss courts at the place of performance have jurisdiction if the characteristic obligation is performed in Switzerland.

For consumers, different rules apply. Consumer contracts are defined as contracts for goods and services that are for current personal or family consumption and are not connected with the professional or business activity of the consumer. Mandatory provisions regarding consumer contracts apply to internet business-to-consumer transactions irrespective of the channels used and cannot be excluded by contractual agreement. The Swiss courts of the consumer's domicile or ordinary residence or of the offeror's domicile or ordinary residence have jurisdiction, at the discretion of the consumer which cannot be waived in advance. The offeror can take civil action against the consumer in accordance with the general contractual rules set out above (that is, the consumer's domicile or ordinary residence, or the place of performance).

 
28. What rules do the courts apply to determine the governing law for internet transactions (or disputes)?

The governing law in international transactions is determined by the Swiss Federal Private International Law Act (PILA), which sets out separate rules for every kind of dispute. Contractual disputes are governed by the law chosen by the parties. Failing such a choice, the contract is governed by the law of the state with which it has the closest connection. Such a connection is deemed to exist with the state of the ordinary residence (or in case of business activities, the place of business) of the party performing the characteristic obligation. The governing law for the sale of chattel is determined by the Hague Convention on the Law applicable to International Sales of Goods of 15 June 1955, which also foresees the contract to be governed by the law of the parties' choice.

With regard to consumer contracts, the choice of law is excluded. They are governed by the law of the state of the consumer's ordinary residence in any of the following circumstances:

  • The supplier received the order in that state.

  • The contract was entered into after an offer or advertisement in that state and the consumer performed the acts required to enter into the contract in his state.

  • The consumer was induced by the supplier to go abroad for the purpose of delivering the order.

An online business contracting with a Swiss consumer will in most cases fall under the first two groups above. Accordingly, contracts with Swiss consumers concluded by electronic means are generally governed by Swiss law.

For selling goods in Switzerland to customers based outside of Switzerland, which are not consumers, the UN Convention on Contracts for the International Sale of Goods of 1980 (CISG) applies, although the parties can exclude its application.

 
29. Are there any alternative dispute resolution/ online dispute resolution (ADR/ODR) options available to online traders and their customers? What remedies are available from the ADR/ODR methods? Are there any requirements to notify customers of the availability of these methods?

There are no e-commerce specific statutory alternative or online dispute resolution methods available.

 

Advertising/marketing

30. What are the relevant rules on advertising goods/services online/via social media?

Statutory law

There is no law that exclusively regulates advertising on the internet. However, the Swiss Federal Act against Unfair Competition (UCA) contains general principles on what constitutes unfair advertising. As a general principle, advertisements cannot be inaccurate or misleading. For example, unnecessarily disparaging other products, using inapplicable titles or job titles or taking measures to intentionally cause confusion about products is deemed unfair. Comparative advertising is permitted if it follows the general principles of being accurate and not misleading.

Soft law

More detailed provisions are contained in soft law. In 1966, the advertising industry established the widely respected Swiss Commission for Fairness (Lauterkeitskommission). Its guidelines on fairness in commercial communication apply to all kinds of commercial communications and contain specific provisions on:

  • Using the term "Swiss" or academic titles.

  • The duty to declare the company name in the advertisement.

  • Comparative advertisement.

  • Separation between editorial and commercial information.

In its function as a monitoring organisation, the Commission handles complaints from both competitors and consumers. In handling such complaints, the Commission applies its own guidelines, the rules of the International Chamber of Commerce and, if existing, bilateral agreements (for example, the agreement between the Commission and the cigarette industry) and specific codes of conduct (for example, the code signed by the Swiss alcoholic beverages industry).

 
31. Are there any types of services or products that are specifically regulated when advertised/sold online (for example, financial services or medications)? 

Flight tickets

With respect to flight tickets sold to consumers in Switzerland for flights leaving from a Swiss or EU airport, Swiss law prescribes that the offeror has to indicate the actual price, including flight fare, all taxes, fees, surcharges and other remuneration, which are inevitable and foreseeable at the time of purchase. All of these charges must be indicated separately as well. Any optional surcharges, such as for additional luggage or specials meals, must be offered in a clear and unambiguous way and can only be provided on an opt-in basis.

Gambling

With respect to gambling, under the Swiss Federal Act on Gambling Houses (GHA), the use of a telecommunication network such as the internet for carrying out games of chance is prohibited. The GHA expressly bans the operation of internet-based gambling services in Switzerland. As compared to physical (offline) casinos that can be operated under a licence from the supervisory authority, the Federal Commission of Gambling Houses (FCGH), internet gambling activities are not eligible for authorisation. Violation of this prohibition can result in fines (of up to CHF1 million), imprisonment (of up to one year) and/or the seizure or confiscation of the proceeds resulting from illegal activities. In recent years, the FCGH has taken criminal actions against several individuals who operated online gambling houses from Switzerland.

Adult content

With respect to adult content, under the Criminal Code it is prohibited to offer, display, transfer, make available or disseminate through radio or television any documents, audio or video recordings, pictures or presentations with pornographic content to minors under 16 years of age. The usual precaution used by ISP is to verify the age of website visitors. The Swiss Federal Supreme Court held in two decisions in 2005 that an "adult checker", where a visitor either simply clicks on a button confirming that he is 16 years old or older, or enters his date of birth (which cannot be further verified by the service provider lacking name and address of the visitor), is not sufficient for the purposes of youth protection. Both decisions related to content providers.

Medication/ financial services

Sale of medication and provision of financial services are generally heavily regulated, including advertisement for such products and services. Those regulations are mostly not specific for online trade but apply to it in the same manner they apply to traditional channels.

Depending on the product or services sold, additional regulations may apply.

 
32. Are there any rules or limitations in relation to text messages/spam emails?

Automated sending of mass advertising by means of telecommunication technology, whether done by oneself or through a third party, is generally prohibited. This includes without limitation spam e-mails, texts, and other instant messages, and facsimile but not physical mail. The telecommunication service providers are under a statutory obligation to combat this type of mass advertising.

This kind of marketing is only permissible, if the sender fulfils the following criteria:

  • Obtaining consent by the recipient beforehand (opt-in).

  • Disclosing his identity in each transmission.

  • Providing a convenient way of declining further advertisements, which must be free of charge and pointed to in each transmission.

There are no formal requirements for giving consent. In practice, most online businesses use a double opt-in approach by asking for user's permission for further advertisements during sign-up or checkout procedures, using a simple check-box, followed up by an e-mail with a confirmation link.

As an exemption, consent is not required when a company sends out mass advertising to its existing customer base who already purchased goods or services from that company in the past, provided that:

  • The company advertises its own products (that is, no mailings to the company's customer base for third parties).

  • The advertised products are similar to those previously purchased by that customer.

The law does not specify for how long the company can use such customer data for mass advertising, but a period of about one year from the time of sale is generally considered adequate. The company in any case still must state its identity and provide and point to an easy and free way of declining further advertisements.

 
33. Are there any language requirements in your jurisdiction for a website that targets your particular jurisdiction or whose target market includes your jurisdiction?

Switzerland has multiple official languages (German, French and Italian). There is no explicit requirement in Swiss law that prescribes the use of one or more of Switzerland's official languages when targeting the Swiss market in general. For certain subject matters, however, such requirements exist (for example, sale of goods targeted at consumers, packaged food, medication, chemicals, and so on).

 

Tax

34. Are sales concluded online subject to taxation?

Since Switzerland does not distinguish between online and offline transactions, sales concluded online are subject to the usual taxes, such as value-added tax (VAT) as well as taxes levied on certain product categories (for example, alcohol and cigarettes). The VAT (current rate is 8% for most goods and services) must be included in the price. Under certain conditions, no Swiss VAT applies (for example, in case of export of goods or services abroad).

 
35. Where and when must online companies register for VAT and other taxes? Which country's VAT rate will apply?

Companies must register with the Federal Tax Administration within 30 days after fulfilling the statutory prerequisites for VAT liability. Swiss authorities only levy Swiss VAT.

 

Protecting an online business

Liability for content online

36. What laws govern liability for website content?

Due to Switzerland's technology neutral approach in legislation, there is no specific law governing the liability for website content, hence general liability rules apply.

 
37. What legal information must a website operator provide?

When offering goods or services online, the offeror has to provide an imprint and certain additional information (see Question 7). Apart from that, Switzerland, unlike other European countries, has not introduced a general obligation to provide imprints on websites.

 
38. Who is liable for the content a website displays (including mistakes)?

According to general rules, the author is primarily liable for any defamatory or similarly offending or infringing content. However, the Federal Supreme Court decided in a matter concerning blog hosting, that the entity providing hosting services for a blog infringing a third parties personality rights, is equally liable for removing such content (decision 5A_792/2011 of 14 January 2013). The Supreme Court held that Switzerland, unlike other states, has not implemented an exemption of liabilities (civil or criminal) for ISPs. It applied the general rules on infringement of personality rights, stating that anyone participating in such infringement can be compelled to remove the material in question. This applies regardless of the ISP's knowledge or ignorance of the infringing content. In addition, the defendant was sentenced to pay the claimant part of his legal fees. Damages were not claimed so the decision is silent in this respect, but it is generally assumed that such claims would require fault on the side of an ISP. For pending reforms regarding this matter, see Question 40.

Linking to a website containing illegal activities or services can lead to criminal liability if the target website's content is in any way endorsed by the person or company setting the link.

 
39. Can an internet service provider (ISP) shut down a website, remove content, or disable linking due to the website's content and without permission?

Since ISPs are liable for infringing content, they must shut down or remove any such content or they risk civil actions brought against them. However, in doing so they may be exposed to contractual liability towards their customers, especially in case of wrong assessment of the content's infringing nature. A party that deems its rights to be infringed will typically seek redress by claiming injunctive relief from the competent court which may issue a corresponding order without hearing the ISP in question in advance if it deems an infringement plausible and especially urgent.

 

Liability for products / services supplied online

40. Are there any rules that might apply to products or services supplied online?

There are no rules that specifically apply to liability for products or services offered online. For certain common practices such as spidering, framing and keyword advertising (see Question 23).

 

Insurance

41. How should an online business be insured?

There are no specific types of insurance which are deemed crucial to online businesses in Switzerland. Depending on the goods and services sold, different insurance policies are recommendable. Generally, a business may consider insuring against data loss or hacking, if it is relying heavily on its data stocks for revenues.

 

Reform

42. Are there any proposals to reform digital business law in your jurisdiction?

The Federal Council has recently reviewed whether the civil liability of provider needs to be specifically addressed in terms of legislation. In its report of 11 December 2015 it has concluded that there is no need for an act specifically regulating providers' liability. For some subject matters it proposed revisions, for example, for the copyright act, where introducing a notice-and-takedown procedure in case of infringement is contemplated. However, none of these proposed revisions have been enacted yet.

In 2014, the Parliament decided against a mandatory right of withdrawal regarding e-commerce transactions. Therefore no such statutory right will be introduced in the near future. For contracts concluded by telephone, a withdrawal right has been adopted and will come into force soon (the date was not known at the time of publishing this Q&A).

The Federal Council plans to revise the laws concerning e-signatures, introducing among others an electronic seal, which would also be available for use by legal entities (unlike e-signatures, which are reserved for natural persons). At the time of publishing this Q&A the proposal is currently being discussed by the Parliament.

The Federal Council has also announced a revision of the DPA that is supposed to take into account the General Data Protection Regulation of the EU. The corresponding draft is expected to be published in August 2016.

For new developments regarding transfer of personal data from Switzerland to the US, see Question 16.

 

Online resources

Federal Swiss Laws

W www.admin.ch/gov/de/start/bundesrecht/systematische-sammlung.html (search engine)

www.admin.ch/opc/de/classified-compilation/national.html(classified by field)

Description. All Federal Swiss Laws in German, French and Italian, maintained by the Swiss federal authorities.

Federal Swiss Laws (in English)

W www.admin.ch/gov/en/start/federal-law/classified-compilation.html

Description. English translations of Swiss laws (where available). These versions have no legal force.

The Federal Data Protection and Information Commissioner

W www.edoeb.admin.ch/

Description. The Federal Data Protection and Information Commissioner's website, providing (non-binding) guidelines and advice on all questions regarding data protection.

The Federal Data Protection and Information Commissioner (in English)

W www.edoeb.admin.ch/index.html?lang=en

Description. The Federal Data Protection and Information Commissioner's website in English. Not all content is translated.

Swiss Accreditation Service

W www.seco.admin.ch/sas/00229/05092/index.html?lang=en

Description. Swiss Accreditation Service's website, providing a list of all certificate authorities allowed to issue authenticated e-signatures.



Contributor profiles

Lukas Morscher, Partner

Lenz & Staehelin

T +41 58 450 80 00
F +41 58 450 80 01
E lukas.morscher@lenzstaehelin.com
W www.lenzstaehelin.com

Professional qualifications. Switzerland, Lawyer, 1994

Areas of practice. Internet and e-commerce; technology, media and telecoms; outsourcing (ITO, BPO transactions).

Non-professional qualifications. Harvard Business School AMP, 2012; Doctorate in Law, 1992; Masters in Law, 1990; Masters in Economics, 1987

Recent transactions

  • Advised private individuals in all aspects of data protection and privacy, including enforcement of their 'right to be forgotten' from search engines like Google, Yahoo, Bing et al.

  • Advised Pershing LLC (a BNY Mellon company) in its provision of world-wide banking securities custody and execution services for a global banking group with major Swiss operations.

  • Advised international technology group in its Smart Watch initiatives in all related Swiss aspects, including regulatory, health, data privacy, marketing, contract, product liability, and so on.

  • Advised international footwear group in ICT, internet and related data processing matters.

  • Advised global manufacturing group in its international implementation of ICT systems, collaborative tools and cloud services.

Languages. German, English, French

Publications.

  • Lukas Morscher, Kaj Seidl-Nussbaumer (Baebler), Data Protection & Privacy – Switzerland, in: Getting the Deal Through, Law Business Research 2015, 140-147.

  • Lukas Morscher, Ole Horsfeldt (eds.), Sourcing World on International Outsourcing Transactions, Jurisdictional Comparisons, 2nd edition, Thomson Reuters London 2015.

  • Lukas Morscher, International Outsourcing Transactions, Chapter on Switzerland, in: Sourcing World (Lukas Morscher, Ole Horsfeldt eds.), 2nd edition, Thomson Reuters London 2015, 465-491.

  • Lukas Morscher, Christian Meisser, Data Protection & Privacy – Switzerland, in: European Lawyer Reference Series, 2nd edition, London 2014, 795-816.

  • Lukas Morscher, Aktuelle Entwicklungen im Technologie- und Kommunikationsrecht, in: ZBJV, volume 147, issue 3/2011, 177-221.

  • Lukas Morscher, Philipp Frech, Media and Communications in Switzerland, in: PLC Cross-Border Handbooks, Media and Communications 2009/2010, 1-11.

  • Lukas Morscher, Lara Dorigo, Software-Lizenzverträge, Erschöpfung bei Computerprogrammen und Gebrauchthandel mit Softwarelizenzen, in: Jörg/Arter (eds.), Internet-Recht und IT-Verträge, 2nd edition, Bern 2009, 17-72.

  • Lukas Morscher, Business Process Outsourcing (BPO) - Strukturelle und rechtliche Aspekte, in: ICT-Verträge – Outsourcing (Oliver Arter, Lukas Morscher eds.), Bern 2008, 19-62.

Kaj Seidl-Nussbaumer, Associate

Lenz & Staehelin

T +41 58 450 80 00
F +41 58 450 80 01
E kaj.seidl-nussbaumer@lenzstaehelin.com
W www.lenzstaehelin.com

Professional qualifications. Switzerland, Lawyer, 2014

Areas of practice.IT and e-commerce; technology, media and telecoms; IP.

Non-professional qualifications. Masters in Law, 2010

Recent transactions

  • Advised Schweizerische Mobiliar in acquiring 50% interest in Scout24 Schweiz, the leading Swiss network of online marketplaces for cars, real estate and general classifieds.

  • Advised world leading provider of healthcare products Zimmer Group in its outsourcing and extension of finance & accounting operations in more than 20 countries to US based global supplier Genpact.

  • Advised private individuals in all aspects of data protection and privacy, including enforcement of their 'right to be forgotten' from search engines like Google, Yahoo, Bing et al.

  • Advised Pershing LLC (a BNY Mellon company) in its provision of world-wide banking securities custody and execution services for a global banking group with major Swiss operations.

Languages. German, English, Norwegian

Publications

  • Lukas Morscher, Kaj Seidl-Nussbaumer (Baebler), Data Protection & Privacy – Switzerland, in: Getting the Deal Through, Law Business Research 2015, 140-147.


{ "siteName" : "PLC", "objType" : "PLC_Doc_C", "objID" : "1248225973349", "objName" : "Digital business in Switzerland overview", "userID" : "2", "objUrl" : "http://uk.practicallaw.com/cs/Satellite/resource/6-618-4863?null", "pageType" : "Resource", "academicUserID" : "", "contentAccessed" : "true", "analyticsPermCookie" : "2-40e00097:15b19122c8f:-6c65", "analyticsSessionCookie" : "2-40e00097:15b19122c8f:-6c64", "statisticSensorPath" : "http://analytics.practicallaw.com/sensor/statistic" }