06 Data Protection

“Privacy Protection” or “Data Protection” is the key issue of the digital world, and not only because of the data protection hype surrounding the Internet community Facebook. Privacy, however, is not an invention of the digital age; it was already regulated in the first Swiss Civil Code (CC) of 1907 in Art. 27 et seq. under the title “Protection of Personality”. With the advent of information technology (IT) in the 1980s, it became ever easier to collect and process data. As a result, the danger of personality violations according to the Swiss Civil Code increased enormously and the legislator felt compelled to regulate the protection of personality in the area of data processing in detail. The new Federal Act on Data Protection (FADP) entered into force on 1 July 1993, with the delay that is usual in technological matters.

Statutory data protection only covers data relating to an identified or identifiable person, so-called personal data (Art. 3 FADP). The term “person” refers to both a natural person and a legal entity.

The data protection law is based on its principles, which can be found in Art. 4 ff. of the Data Protection Act. Even if the matter seems complicated, in practice it is simply a matter of applying the data protection principles to the data lifecycle. The data lifecycle begins with the collection of data, continues with any processing of data, and ends with its destruction or deletion. Of the following principles, proportionality and appropriateness are particularly important in digital practice.

Principle of legality

The collection and processing of data is unlawful if it is not justified by the consent of the data subject, by an overriding private or public interest or by law. This provision can be found in Art. 13 FADP, which also lists examples of an overriding private or public interest.

Principle of transparency

The principle of transparency corresponds to the principle of good faith (Art. 2 CC). Data collection and data processing must in principle be carried out in such a way that the data subject is aware of it. This also includes informing the data subject of the purpose of the data collection. This may not then be changed without the renewed consent of the data subject (see principle of purpose limitation below).

Principle of proportionality

In accordance with the principle of proportionality, only data that is necessary and suitable for the corresponding, communicated purpose may be collected. When ordering an e-book online, a provider only needs the name (identification), possibly the date of birth (identification, contractual capability), an e-mail address (communication) and the credit card data (payment). Information such as civil status and occupation is neither necessary nor suitable for completing this transaction. In a current case, the Federal Data Protection and Information Commissioner is clarifying whether the sporting goods retailer Decathlon may request an e-mail address from its customers for a purely offline purchase in the shop (see Blick 07.05.2018). The prerequisite would be that an e-mail address is necessary for the purely offline purchase. This is probably not the case, and the request is thus a violation of the principle of proportionality. The principle of proportionality also means that data may only be stored for as long as is necessary for the purpose. Since there is usually sufficient storage capacity available and therefore no technical necessity for deletion, failure to delete data as actually required may be one of the most frequent violations of data protection law.

Principle of purpose limitation

The principle of purpose limitation means, on the one hand, that data may not be collected without purpose, i.e. for a limited period of time. On the other hand, a purpose of data collection communicated once to the data subject during data collection may not be changed without the data subject’s consent or corresponding legal basis. This means, in particular, that data may not be misused.

Principle of integrity

Anyone who processes personal data must ensure that it is correct. He must take all reasonable measures to ensure that data is corrected or destroyed if it is inaccurate or incomplete with regard to the purpose for which it was collected or processed. Any data subject may request that inaccurate data be corrected. What this means in practice, among other things, is illustrated by a recent decision of the Federal Administrative Court in the matter of moneyhouse.ch, commented on in the blog “Juristenfutter”: https://wp.me/p8RKnD-2s.

Principle of security

The principle of security is the actual protection of data through technical and organisational measures. These measures guarantee the confidentiality, availability, integrity and authenticity of data as well as the traceability of data processing. Here, too, the principle of proportionality applies and the measures must correspond to the state of the art. The more sensitive the data to be protected, the higher the requirements for its protection. Since the human being is regularly the weakest link in the data protection chain, organisational measures are important in addition to technical measures. The traceability of data processing requires appropriate logging. Both are also focal points of the new EU General Data Protection Regulation explained below.

Right to information

Pursuant to Art. 8 FADP, any person may request information from the controller of a data file as to whether and which data on him or her are recorded and processed. According to Art. 1 of the Data Protection Ordinance, this information must be provided within 30 days at the latest. Pursuant to Art. 34 FADP, the failure to provide information or the failure to provide it in good time is one of the few offences punishable by criminal law (see also below). In practice, it is therefore urgently recommended to define and publish a contact point in a company for such enquiries and to prepare the systems in such a way that the relevant data can be retrieved within a short time. Details can be found in Art. 8 FADP.

Transfer of personal data abroad

According to Art. 6 FADP, personal data may only be transferred abroad if the level of data protection in the country in question is similar to that in Switzerland. For this purpose, the Federal Data Protection and Information Commissioner (FDPIC) draws up a list of the states which, from a Swiss perspective, have a sufficient level of data protection (see www.edoeb.admin.ch/dam/edoeb/de/dokumente/2017/04/staatenliste.pdf.download.pdf/staatenliste.pdf).

Since the EU in particular does not consider the level of data protection of the very important trading partner USA to be sufficiently high, the EU and Switzerland have created a special solution with the USA. In the “Privacy Shield” agreement, the EU, Switzerland and the USA have defined data protection standards. When US companies join this agreement, they undertake to comply with the corresponding standards. This ensures the similarly high level of data protection required by Art. 6 FADP when personal data is transferred to these companies. The US companies that have joined the agreement can be looked up at the following link: www.privacyshield.gov/list.

Legal consequences of violation of data protection principles

One shortcoming of the current Swiss Data Protection Act is that violators have practically no legal consequences to fear. With a few exceptions, violations of the provisions, in particular the principles of the Data Protection Act, are not punishable by law (see Art. 34 f. FADP). Otherwise, data subjects must assert their rights by civil action in accordance with Art. 28 CC (violation of personality). However, since such a procedure is associated with a high cost risk, this is very rarely the case. The route via the Federal Data Protection and Information Commissioner (FDPIC) (see www.edoeb.admin.ch) is more effective. Pursuant to Art. 29 FADP, the FDPIC can investigate violations of the Data Protection Act on its own initiative or upon notification and issue corresponding recommendations. If these recommendations are not followed or are rejected, the FDPIC can submit them to the Federal Administrative Court for a decision. Finally, the FDPIC can appeal a decision of the Federal Administrative Court to the Federal Supreme Court. Corresponding cases, such as the one concerning “Street View” against Google, can be found at the following link: www.edoeb.admin.ch/edoeb/de/home/datenschutz/dokumentation/weiterzuege.html.

EU General Data Protection Regulation (GDPR)

On 25 May 2018, the European Union replaced the previous Data Protection Directive with the new General Data Protection Regulation (GDPR), which, as a regulation (in contrast to the Directive), not only harmonises the data protection laws of the EU Member States, but now unifies them. This means that the GDPR is directly applicable without being transposed into national law (self-executing).

The regulation has serious consequences for companies. In addition to claims for damages by those affected, infringements can result in fines of up to 4% of global turnover (!) and penalties of up to EUR 20 million for errant managers, data protection officers and other decision-makers. The official explanations (recitals) of the EU Data Protection Regulation point out that the term “company” must be understood analogously to the term in EU antitrust law. In EU antitrust law, the term “company” can effectively be understood as an entire group or holding company, even if only one subsidiary is effectively responsible. This is the case if the parent company controls the subsidiary. In this case, fines of up to 4% would apply to the entire group or holding turnover!

Swiss companies are not immune. According to the so-called market location or impact principle, the Regulation also applies to Swiss companies if their data processing serves the purpose of offering goods or services – for a fee or free of charge – to affected persons in the EU. The Regulation also applies to Swiss companies if they or their agents observe data subjects in the EU.

Although the data protection principles (legality, good faith, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability) remain the same, the regulation represents a quantum leap in data protection. The regulation brings a considerable additional expenditure to the enterprises. Companies must create comprehensive new structures and processes in order to comply with the requirements of the regulation. The regulation requires an extended obligation to document and provide evidence, an analysis of data protection risks, a data protection impact assessment in the case of presumably high risks, comprehensive information obligations in data collection, stricter deletion obligations and a right to be forgotten, considerable reporting and notification obligations in the case of data protection violations, stronger data protection through technology and default settings, a list of processing activities, additional responsibility for data protection officers in the company, comprehensive rights of those affected, in particular the rights to information, correction, deletion and even the right to be forgotten.

The EU data protection regulation not only creates additional costs for companies, but also makes it easier for them to do business in certain areas. For example, the data of legal entities are no longer subject to data protection (in the future probably also in Switzerland), which considerably relieves the B2B sector. In the future, however, data relating to legal entities will not be “fair game”, but will still be protected by the general protection of personality and in particular by the principles of fair trading law (UCA in Switzerland). The question arises, however, as to whether the EU Data Protection Regulation applies to data relating to natural persons working for or in a company. So shortly after the Regulation was introduced, there is still no case law on this subject. However, research shows that a majority of commentators assume that the EU Data Protection Regulation applies to this data. Since data of natural persons are probably practically always involved, in particular in connection with communication with companies, the question arises as to how useful it is to distinguish between data of legal entities and data of natural persons. However, the question is probably not of practical importance, as sooner or later the EU Data Protection Regulation will be implemented by all companies.

Swiss companies operating on the EU market, in particular those collecting data or observing market participants, are advised to deal with the new EU General Data Protection Regulation and to take appropriate precautions within the company. Calling in data protection experts is likely to be unavoidable.

However, corresponding data protection precautions are not just a tribute to the EU. Under the indirect pressure of the EU data protection reform, but also under the direct pressure of the revision of Data Protection Convention 108 of the Council of Europe, of which Switzerland is also a member and which in turn is based on the EU Regulation, a revision of the Data Protection Act (FADP) is also in the pipeline in Switzerland, which in turn is based on the EU Regulation and the Council of Europe Convention. Even if future Swiss data protection is likely to be less rigid, e.g. less drastic fines will probably be imposed, data protection is moving in the direction of the EU regulation. Swiss companies that are already raising their data protection to the new level of the EU should therefore also be well prepared for the future level in Switzerland.

Concrete data protection measures

While the data protection principles are still relatively easy to understand, the devil lies in the details of data protection and its practical implementation.

An important basis for this and for fulfilling the documentation requirements is the creation of a processing directory. In particular, the processing directory should contain the following information:
– Name and contact details of the data protection officer (company)
– Purpose of data processing
– Categories of data subjects
– Categories of personal data processed
– Categories of recipients of personal data
– Information on data transfer abroad and its legal basis
– Information as to when or at least according to which criteria the personal data will be deleted
– General information on technical and organisational measures for data protection

The processing directory may be kept on paper or in electronic form.

In any case, it is advisable to appoint a data protection officer. The data protection officer should ensure a continuous data protection audit, the taking of necessary measures and advice in matters of data protection. The data protection officer may be external to the company or internal to the company. The internal data protection officer has the advantage that he is close to what is happening. To this end, an agreement must be reached with the employer to ensure that the data protection officer is free and independent in his or her activities vis-à-vis the employer and that the employer is unable to exert corresponding pressure. The data protection officer must be given a corresponding description of his duties. The data protection officer fulfils his obligations if he carefully fulfils these tasks. However, he is not responsible for data protection. That responsibility lies with the company or its executive bodies themselves.

Irrespective of the data protection impact assessment provided for in the GDPR for high risks, a risk analysis should always be carried out with regard to possible data protection violations and the necessary measures taken.

Existing agreements with third parties, in particular with contract processors (third parties who process data for the company), must be continuously checked for compatibility with data protection regulations and adjusted if necessary.

Since people are generally the weakest link in data protection, it is elementary to regularly sensitize and train employees in data protection issues.

Within the framework of the GDPR, the rights of the persons concerned have been strengthened. They have a right to information, as provided for in Art. 8 FADP, as well as a “right to be forgotten” or a right to deletion. To this end, it must be ensured that the system allows access to an overview of the relevant data.

Especially for companies hosting personal data, the right to data transfer is likely to be a challenge. This is because data subjects now have the right to have their data stored in a format that allows it to be transferred to other companies. In addition, data subjects can request direct transfer between the companies concerned. This means that companies must guarantee appropriate interoperability. An example of this is the case where an Apple customer wants to transfer his data from an iOS application (Apple) to an Android application (Google) because he is switching from an iPhone to a smartphone with the Android operating system.

Finally, data protection communication is, because it is visible to the outside world, an essential element of concrete data protection measures. A data protection regulation can be drawn up for internal communication. External communication takes place via a data protection declaration.

Structure and content of a data protection declaration

Since the FADP does not contain any concrete provisions for a data protection declaration, but the GDPR does, and it makes sense that Swiss companies also orient themselves on it in current data protection measures, explicit reference is made to it here.

The content of a data protection declaration is essentially derived from the information duties of the data protection officer, i.e. the company, pursuant to Art. 12 et seq. GDPR. Specific information must be provided in relation to the respective data collection or data processing. It is important that a data protection declaration is formulated clearly and comprehensibly, otherwise it may have no legal effect at all.

In advance, a company must inform the public that it is responsible for data preparation and processing. It must publish its contact details as well as the contact details of any data protection officer (internal or external).

Subsequently, the persons concerned must be informed of which personal data is collected and for what purpose. This information also includes the legal basis on which the data collection and subsequent data processing takes place. The legal basis can essentially be the consent of the data subject, the necessity for the handling of a legal relationship (e.g. purchase contract), a law or legitimate interests of the company or a third party, provided that the interests or fundamental rights and freedoms of the data subject do not prevail.

If the legal basis for data processing ceases to exist, the corresponding personal data must be permanently erased without delay by appropriate technical means. This must also be stated in the data protection declaration.

If personal data is not processed by the company itself but transferred to third parties for this purpose, information must be provided about these recipients or categories of recipients.

If personal data are transferred abroad, this must be declared in particular in the data protection declaration and information must be provided on how the high level of data protection in Switzerland and the EU is guaranteed abroad.

The data subjects must also be informed of their rights with regard to the collection and processing of their personal data. According to the GDPR, this includes in particular the following rights:
– Right of access
– Right to rectification
– Right to deletion
– Right to limitation of processing
– Right to object to the processing
– Right to data transferability
– Right to complain to the supervisory authorities
– Right to revoke consent

Finally, data subjects must be informed as to whether the provision or collection of their personal data is required by law, by contract, whether the data subject is required to provide the personal data, and what the possible consequences of not providing the data would be (e.g. limited use of a website if cookies are refused).

Monitoring of employees’ Internet activities

When employees surf the Internet or send e-mails, the corresponding activities are usually logged by the system in so-called log files. This logging and, above all, any personal evaluation is only permissible within the framework of data protection and its principles. Furthermore, pursuant to Art. 26 of Ordinance 3 to the Labour Code (ArGV 3 on Health Protection), no monitoring and control systems intended to monitor the conduct of employees may be used.

In principle, so-called marginal data, which provide information on who did what and when, may be recorded within the limits set out above and, in the first instance, anonymously. The employer has a correspondingly overriding interest in protecting himself against liability towards third parties and damage to his reputation, particularly in order to guarantee the security of the system. In addition, within the framework of the right to issue instructions under labour law pursuant to Art. 321d of the Swiss Code of Obligations, he may issue rules concerning the use of the IT infrastructure, compliance with which he may also monitor anonymously in the first instance. Due to the data protection principle of transparency, however, the employer must inform employees about this logging, e.g. within the framework of employee regulations. The usage regulations can then also be mentioned there. If a concrete suspicion arises from the anonymised logging, the employer may then evaluate the same marginal data on a personal basis under these conditions.

In any case, monitoring programs installed on the employee’s own computer which allow, for example, access to e-mails or screenshots, are not permitted.

The Federal Data Protection and Information Commissioner (FDPIC) publishes a comprehensive guide to monitoring employees’ Internet and e-mail usage at the following link: www.edoeb.admin.ch/edoeb/de/home/datenschutz/arbeitsbereich/ueberwachung-am-arbeitsplatz/internet–und-e-mail-ueberwachung.html.