Switzerland
The Data Protection Act (DPA) provides that personal data must be protected against unauthorized processing through appropriate technical and organizational measures (Article 7 DPA). This entails a duty to ensure an appropriate level of data protection (confidentiality, availability and integrity of the data), having particular regard to protecting a system against unauthorized or accidental destruction, accidental loss, technical faults, forgery, theft, unlawful use, unauthorized alteration, copying, access, or any other unauthorized processing of personal data (Article 8 ODPA).
At present, there is no explicit obligation under Swiss law to report security-relevant incidents or to inform affected individuals. However, the current draft bill for a revised DPA contains a provision imposing data breach notification duties under certain circumstances (similar to the EU General Data Protection Regulation, GDPR).
Notably, there are reporting obligations for certain industries (e.g. financial institutions/banks and telecommunication service providers) based on sector-specific laws (cf. Question 3 below).