Employee Monitoring Laws in Switzerland: nLPD, Labour Code Article 26, and What Employers Can Lawfully Monitor

What Is Switzerland's Legal Framework for Employee Monitoring?

Employee monitoring laws in Switzerland rest on three interconnected legal sources that every employer must apply simultaneously. The Swiss Code of Obligations (OR) Article 328b governs what employee data employers may process at the employment relationship level. The Swiss Labour Act (ArG) and its implementing Ordinance 3 Article 26 impose a categorical prohibition on behavior surveillance systems. The revised Federal Act on Data Protection (nLPD, or nDSG in German) establishes data processing obligations, employee rights, and enforcement mechanisms. Together these three instruments create a framework that is GDPR-compatible but adds one unique restriction that has no direct GDPR equivalent.

Switzerland is not an EU member state, which means GDPR does not apply directly to Swiss employers monitoring employees within Switzerland. Swiss employers apply the nLPD instead. However, Swiss companies processing personal data of employees who are EU residents, or transferring monitoring data to EU countries, must simultaneously satisfy GDPR requirements. The European Commission recognized Switzerland as an adequate jurisdiction under GDPR's adequacy mechanism, meaning Swiss data protection standards are considered equivalent to the EU's baseline, though that status does not exempt Swiss employers from compliance when EU residents are involved.

The nLPD entered into force on September 1, 2023, replacing a 1992 law that had not kept pace with modern workplace monitoring practices. The revised act introduced data protection impact assessments, strengthened individual rights, created mandatory breach notification obligations, and aligned terminology with GDPR. The Federal Data Protection and Information Commissioner (FDPIC, also referred to as EDOB from its German initials) oversees nLPD enforcement and publishes guidance on workplace monitoring.

What makes Switzerland's framework distinctive is that the behavior monitoring prohibition in ArG Ordinance 3 Article 26 sits entirely outside the nLPD. Even if a monitoring tool met every nLPD requirement for lawful data processing, it would still violate Swiss law if its purpose or effect is to continuously observe employee behavior or performance. This means compliance analysis in Switzerland always requires checking both data protection law and labour law independently.

nLPD Obligations for Swiss Employee Monitoring Programs

The nLPD (revised Federal Act on Data Protection, in force from September 1, 2023) imposes six core obligations on Swiss employers who monitor employees. These obligations apply to all monitoring programs that pass the ArG Ordinance 3 Article 26 behavior monitoring test.

1. Legal Basis for Processing

The nLPD requires a documented legal basis before processing employee personal data. For workplace monitoring, Swiss employers typically rely on one of three bases: the employment contract (processing necessary to execute the contract), a legitimate interest (employer's interest outweighs employee's privacy right), or a legal obligation (industry-specific compliance requirements). Consent is recognized under the nLPD but carries the same problems it does under GDPR: employment relationships create power imbalances that make freely given consent difficult to establish. Swiss data protection authorities and labor inspectors treat consent-based monitoring programs with greater scrutiny than legitimate interest programs supported by a documented proportionality assessment.

2. Code of Obligations Article 328b: The Employment-Specific Necessity Test

Code of Obligations Article 328b adds an employment-specific necessity test that operates separately from nLPD requirements. It states that employers may only process employee personal data that relates to the suitability of the employee for the job or that is necessary for the performance of the employment contract. This provision is significant because it creates a narrower necessity test than the general nLPD lawfulness requirement. Monitoring data that serves a general business interest but does not relate to the employee's suitability or contract performance fails the Article 328b test, even if it would pass nLPD scrutiny on its own.

3. Data Minimization and Purpose Limitation

The nLPD requires that personal data be collected only to the extent necessary for the stated purpose and used only for that purpose. For monitoring programs this means employers must specify in advance which data types they will collect and why, and then not use that data for other purposes without a new legal basis. An employer who collects application usage data for client billing purposes cannot later use the same dataset to evaluate employee productivity scores without re-establishing a separate legal basis for the productivity analysis purpose.

4. Privacy Notice Before Monitoring Begins

The nLPD requires employers to inform employees before collecting their personal data. A compliant monitoring privacy notice must state the identity of the data controller, the categories of data collected, the specific monitoring purposes, the legal basis relied upon, the retention periods, who has access to the data, and the employee's rights including access, correction, and deletion. Swiss practice recommends delivering this notice through the employment contract, a standalone monitoring policy attached to the contract, or a works agreement where employee representation bodies exist. The notice must be given before monitoring begins, not after deployment.

5. Data Protection Impact Assessment for High-Risk Processing

The nLPD introduced a Data Protection Impact Assessment (DPIA) obligation for processing that carries a high risk to the rights and freedoms of data subjects. Employee monitoring that involves systematic data collection, automated analysis of employee behavior, or large-scale processing of productivity data meets this threshold. A Swiss DPIA must document the processing purpose, the types of data collected, the risks identified, and the measures taken to reduce those risks. The EDOB may be consulted when a DPIA identifies residual risks that cannot be fully mitigated internally.

6. Data Subject Rights

Under the nLPD, employees have the right to access the monitoring data held about them, request correction of inaccurate data, request deletion when the processing purpose no longer applies, and object to processing based on legitimate interest. Employers must respond to access requests within 30 days. Providing employees with self-service access to their own monitoring data through an employee dashboard is both a practical way to reduce the volume of formal access requests and a transparency measure that supports the nLPD's accountability principle.

How Swiss Employee Monitoring Rules Compare to GDPR

Swiss employee monitoring law and GDPR share the same foundational principles but differ in three specific areas that matter practically for employers managing cross-border workforces or evaluating software designed with GDPR compliance in mind.

Where Swiss Law and GDPR Align

Both frameworks require a documented legal basis for processing employee data, proportionality between the monitoring purpose and the data collected, advance notification of employees before monitoring begins, a data protection impact assessment for high-risk processing, and recognition of data subject rights including access, correction, and deletion. Software built to satisfy GDPR compliance principles and data minimization requirements will generally address most nLPD obligations with limited additional work.

Where Swiss Law Is Stricter: The Article 26 Categorical Prohibition

GDPR imposes a proportionality requirement but does not contain any provision that explicitly prohibits behavior monitoring systems as a category. Under GDPR, behavior monitoring could theoretically be justified through a legitimate interest assessment if the employer could demonstrate proportionality. Under Swiss law, ArG Ordinance 3 Article 26 closes that door. A Swiss employer cannot justify continuous behavioral surveillance through any balancing test. The prohibition is not subject to override by consent, legitimate interest, or contractual necessity. This makes Swiss law stricter than GDPR specifically in the behavioral surveillance dimension.

Where GDPR Is Stricter: Enforcement Mechanism and Penalty Scale

GDPR's administrative fine structure, with maximum penalties of 20 million euros or 4% of global turnover, is considerably more severe than the nLPD's individual-focused criminal fines capped at CHF 250,000. GDPR supervisory authorities across EU member states issue large fines regularly. The EDOB's enforcement approach has historically focused on recommendations and guidance rather than financial penalties, though the nLPD's 2023 entry into force signals a more active enforcement posture going forward. For multinational employers, GDPR enforcement risk currently exceeds Swiss enforcement risk in monetary terms, but Swiss labour law violations carry additional consequences through cantonal labour inspectorates.

Practical Implications for Cross-Border Employers

A monitoring configuration designed to satisfy Swiss ArG Ordinance 3 Article 26 will typically be more conservative than one designed solely for GDPR compliance, because the behavioral observation prohibition is absolute in Switzerland. Employers who configure monitoring to Swiss standards first will find that GDPR requirements are generally also met, with the addition of any country-specific national provisions required in EU jurisdictions — including Germany's strict monitoring rules requiring works council approval — where they operate.

How eMonitor Supports Swiss Employee Monitoring Law Compliance

eMonitor is built around output monitoring principles that align with what Swiss law explicitly permits under ArG Ordinance 3 Article 26. The platform's default configuration tracks time worked, application categories, and task output without deploying the continuous behavioral observation that Swiss law prohibits. Swiss employers can activate the monitoring capabilities they need while avoiding prohibited configurations through eMonitor's granular control settings.

Work-Hours-Only Activation

eMonitor activates monitoring when employees clock in and stops when they clock out. This means no personal data is collected outside scheduled work hours, which satisfies both the nLPD data minimization principle and removes the risk of capturing home environment data about family members during non-work periods. The work-hours-only boundary also addresses the EDOB's proportionality guidance on home office monitoring specifically.

Application Category Tracking: Output Without Behavioral Observation

eMonitor's productivity classification engine records which application categories were active during work hours and for how long, without continuous behavioral observation. Managers see time allocation across productive, non-productive, and neutral categories derived from application usage, which measures output patterns rather than observing moment-by-moment conduct. This approach falls squarely in the permitted zone under ArG Ordinance 3 Article 26 because it measures work results rather than surveilling employee behavior.

Configurable Screenshot Intervals with Blur

For organizations where periodic screenshots are justified by a specific compliance or QA purpose, eMonitor supports configurable screenshot frequency and blur options that protect personal content visible on screen. Blur ensures that personal information on screen is not captured, directly addressing the nLPD requirement to minimize personal data collection and the EDOB's concern about home monitoring capturing third-party data.

Employee-Facing Dashboards for nLPD Access Rights

eMonitor includes employee-facing dashboards where workers can view their own time logs, application usage data, and productivity summaries. This proactive transparency mechanism fulfills the nLPD's data subject access right in a way that reduces the administrative burden of formal access requests and supports the trust-based workplace culture that Swiss labour law is designed to protect.

Role-Based Access Control

Access to monitoring data in eMonitor is restricted by role. Direct managers see their team's data. Broader access requires administrative authorization. This role-based structure supports the nLPD's data minimization and access control requirements and aligns with the proportionality principle that monitoring data should be visible only to those with a documented operational need for it.

Switzerland's AI Regulation Bill: What Employers Should Expect by 2026

Switzerland's Federal Council is developing an AI governance framework expected to produce concrete legislative proposals by late 2026. While the bill is not yet enacted, its draft direction carries implications for monitoring software that uses AI components, particularly products that generate automated productivity scores, engagement risk assessments, or attrition predictions from employee monitoring data.

The draft framework focuses on high-risk AI applications in employment contexts. Systems that use AI to make or influence decisions about employee performance, productivity classification, or continued employment status are expected to face transparency and documentation obligations. These include requirements to inform employees when AI is involved in evaluating their work output, to document the data sources and logic behind AI-generated scores, and to provide a mechanism for employees to contest automated assessments.

What This Means for Monitoring Software Users

Employers currently using AI-powered monitoring tools should take three preparatory steps. First, document which monitoring features involve automated decision-making or AI scoring, and what data those features process. Second, review whether the AI components in use generate outputs that influence employment decisions, since that is where regulatory attention is likely to concentrate. Third, ensure that the existing monitoring program's privacy notice discloses the use of automated analysis, even before the formal AI bill requirements take effect, because nLPD transparency obligations already require disclosure of automated processing that significantly affects individuals.

The EDOB publishes commentary on upcoming regulatory developments through its official website (edoeb.admin.ch). Employers with Swiss operations should treat EDOB guidance as authoritative ahead of formal legislation, since EDOB positions typically anticipate the direction of formal regulatory action.

Related Employee Monitoring Compliance Guides

Switzerland's ArG Ordinance 3 Article 26 behavior monitoring prohibition is one of the strictest national provisions in Europe. For a broader view of how monitoring law differs across jurisdictions, these guides cover the key national frameworks that international employers most frequently need to navigate alongside Swiss requirements.

• Employee Monitoring Laws in Norway: Norway applies GDPR alongside the Norwegian Working Environment Act, which includes employee data protection provisions with similarities to Switzerland's dual-framework approach. See the full guide at /compliance/employee-monitoring-laws-norway.
• GDPR Employee Monitoring Compliance: For employers who operate in both Switzerland and EU member states, the GDPR compliance guide covers lawful bases, DPIA requirements, country-specific national additions, and common enforcement mistakes across the EU. See the full guide at /compliance/gdpr-employee-monitoring-compliance.
• Employee Monitoring Laws Worldwide Map: A jurisdiction-by-jurisdiction reference covering the US, EU, UK, Asia-Pacific, and the Americas, with framework summaries and key legal references for each region. See the full guide at /compliance/employee-monitoring-laws-worldwide-map.