Have you always wondered? The answer is: YES. An IP address is personal data under Swiss law, and must therefore be treated with care before being passed on to third parties.
Reminder: what is an IP address?
An IP (Internet Protocol) address is a series of numbers that uniquely identifies a device on a network, such as the Internet. It works like a postal address, enabling devices to communicate with each other.
What does Swiss law say?
Under the New Federal Act on Data Protection (nFADP), personal data is defined as any information relating to a person who is identified or identifiable, even with difficulty. An IP address, while not directly identifying a person on its own, can indirectly identify an individual when combined with other information, such as that provided by the Internet service provider.
Dynamic vs. static IP addresses
- Static IP addresses (which do not change) are considered personal data, as they are always linked to a physical or legal person.
- Dynamic IP addresses (which change regularly) are more complicated to link directly to an individual. However, they can be traced via an ISP’s connection logs, enabling identification, and should therefore be considered as personal data.
Passing on IP addresses: yes, but with consent
Since nLPD comes into force in September 2023, consent is required to transmit personal data abroad if no agreement exists between Switzerland and the destination country. It is important to note that, in many cases, the company processing the data in the destination country must have established this agreement, which is far from happening systematically.
However, it is possible to share IP addresses with the user’s consent. For your website, make sure you do not transfer personal data abroad without this consent. For example, in addition to cookies deposited on the browser, foreign third-party services such as Google Analytics or YouTube video integration will automatically collect the IP address of your visitors to activate their service.
It is therefore important to ask for the user’s consent before launching this type of service, and it is precisely in this sense that biskoui, our consent management platform, helps you to easily comply with the law.
Conclusion
In conclusion, since an IP address is essential for identifying and communicating devices on the Internet, it must be handled with care and responsibility.
As potentially personal data, IP addresses must be collected and used in compliance with data protection laws, such as the Swiss New Federal Act on Data Protection (nFADP). This implies guaranteeing transparency on how such data is collected, ensuring that its use is limited to the specified purposes, and taking adequate measures to protect the security of the information.
Companies and organizations must also be aware of the implications of indirectly identifying users based on their IP addresses, by putting in place clear data retention and processing policies to prevent abuse and respect users’ rights. In particular, they must ensure that they obtain users’ consent before passing on their IP addresses, in line with legal requirements on data protection.
