In its ruling of 6 October 2025, the Federal Administrative Court upheld the FDPIC’s decision on the ‘Pfarrer-Check’ database and clarified the application of the revised Data Protection Act (DPA) to publicly accessible personal data.
The decision provides important clarity for operators of online platforms, directories and campaign websites when dealing with personal data from the internet.
An overview of the Federal Administrative Court ruling A-2941/2024
In its ruling of 6 October 2025, A-2941/2024, the Federal Administrative Court upheld the decision of the Federal Data Protection and Information Commissioner (FDPIC) in the so-called ‘Pfarrer-Check’ case. In the court’s opinion, the public recording of over 6,000 church officials in an online database without their consent violates the revised Federal Act on Data Protection (FADP).
Facts of the ‘Pfarrer-Check’ case
The association ‘Bürgerforum Schweiz’ operated a publicly accessible database on its website containing personal data on over 6,000 individuals from the church community. The database contained names, places of residence and postcodes, employers or religious denominations, fields of activity, positions and a status (‘recorded’, “requested”, ‘responded’) in connection with a questionnaire on religious views.
According to the operator, the purpose of the database was to enable a distinction to be made between ‘genuine’ and ‘watered-down’ churches. In its ruling of 9 April 2025, the FDPIC ordered the deletion of the entries published without the consent of the persons concerned. The association lodged an appeal against this ruling, which the Federal Administrative Court did not admit.
Applicable law & procedure
The court first confirmed that the revised Federal Data Protection Act (FADP, in force since 1 September 2023) is applicable. The decisive factor is the date on which the formal investigation was opened; mere informal preliminary investigations and responses to enquiries do not constitute a pending investigation within the meaning of transitional law.
The complainant alleged that the lower court had violated her right to inspect the files by only making the reports available to her in anonymised form. However, the court considered the EDÖB’s action to be lawful: the public interest in effective data protection supervision outweighs the operator’s interest in the identity of the whistleblowers.
Key material points (data protection principles and justification)
Proportionality
In the court’s opinion, publishing the status ‘recorded’ or ‘requested’ was neither appropriate nor necessary to achieve the purpose stated by the association (distinguishing between “genuine” and ‘fake’ churches). The information that someone has received a questionnaire but has not answered it leaves room for interpretation without offering any objective added value for the purpose of data processing.
Limitation of Purpose
The individuals concerned had published their contact details on their institutions’ websites so that they could be contacted in connection with their professional activities. The mere fact that the data is publicly accessible does not mean that it may be used for any purpose, in particular for an evaluative campaign database. The court qualifies the use for the ‘Pfarrer-Check’ as a change of purpose that was not apparent to the persons concerned.
Transparency
The persons concerned must be actively and clearly informed about the actual data processing. This did not happen. In particular, the persons concerned were not sufficiently informed that their data would be published even if they did not complete the questionnaire. A mere reference to the operator’s website does not satisfy the transparency requirements of the DPA. Active, comprehensible information about the nature, purpose and scope of the data processing is required.
Justification
The court denies the existence of a justification within the meaning of Article 31 of the FADP. Neither was there valid consent, nor could the association invoke a legal basis or an overriding public interest. A self-defined ‘public interest’ without any basis in law or the constitution is not sufficient to justify serious violations of privacy.
The appeal to Article 31 para. 2 of the FADP (person of public interest) is also unsuccessful. In weighing up the interests, the court considers the status ‘requested’ to have a high potential for infringement because it allows negative speculation about the attitude and integrity of the person concerned, while the status ‘recorded’ only has a medium intensity.
The court therefore concludes that the complainant has unlawfully infringed the personality rights of the persons concerned.
Significance of the judgment in practice
Since the new FADP came into force, the FDPIC has already carried out numerous low-threshold interventions and issued more than 14 formal investigations in the form of rulings. Only four of these rulings have been challenged before the Federal Administrative Court to date. The decision thus shows that the courts fundamentally support the FDPIC’s approach and consistently enforce the basic principles of data protection law, even in the case of publicly accessible online data.
The decision sends a clear signal to operators of online databases, directories, campaign and rating platforms: even if data is publicly accessible, proportionality, purpose limitation, transparency and a viable obligation to justify remain central.
Our experts in data protection and ICT law assist organisations in the legally compliant design of online platforms, websites and projects under the revised DPA.
Get in touch with us for an initial consultation on matters of Data Protection.
