Data Protection and GDPR Overview

Questions and Answers

What does the term 'FADP' refer to?

  • Federal Act on Data Protection (correct)
  • Federation of Authorized Data Providers
  • Federation of Act on Data Processing
  • Federal Authority for Data Protection

Private law activities conducted by federal bodies are exempt from data processing provisions.

False (B)

What does GDPR stand for?

General Data Protection Regulation

Data is defined as raw, unorganized ______.

facts

Match the following terms with their definitions:

  • Data = Processed and organized facts
  • Information = Raw, unorganized facts
  • FADP = Federal Act on Data Protection
  • GDPR = General Data Protection Regulation

Which of the following best describes the territorial scope of the GDPR?

Applies to EU entities and those processing data of subjects located in the EU (A)

The citizenship and nationality of the data subject matter in the context of GDPR.

False (B)

What does the term 'data subject' refer to?

The individual to whom the personal data relates (D)

Pseudonymization makes it impossible to re-identify data subjects.

False (B)

What type of data requires extra protection and includes health information?

Sensitive Personal Data

The process of making personal data accessible to a third party is known as ______.

Disclosure

Match the following terms with their correct definitions:

  • Anonymization = Irreversible removal of identifiers from data
  • Controller = Entity determining the processing of data
  • Processor = Third party handling data on behalf of the controller
  • Sensitive Personal Data = Data requiring extra protection

What is a fundamental characteristic of data protection law for public bodies?

Public bodies operate under a principle of legality. (B)

Data protection applies equally to both public and private bodies.

False (B)

Name one provision that applies only to private persons.

Codes of Conduct

Federal Bodies must adhere to the principles of data protection defined in Article ______ of the FADP.

6

Match the following provisions to their applicability:

  • Privacy by Design = Applies to both Federal Bodies and Private Persons
  • Codes of Conduct = Applies only to Private Persons
  • Data Protection Advisors = Art. 10 (Private), Art. 10 para. 4 (Federal)
  • Cross-Border Disclosure of Data = Applies to both Federal Bodies and Private Persons

Which of the following is a provision that does NOT apply to Federal Bodies?

Codes of Conduct (Art. 11 FADP) (D)

The principles outlined in Article 6 FADP are the same for both Federal Bodies and Private Persons.

True (A)

In which article of the FADP is 'Privacy by Design' mentioned?

Article 7

Article ______ of the FADP addresses exceptions for private controllers regarding data protection impact assessments.

22

Which of the following is a method for securing rights to data?

Factual control and contractual rights (A)

The Federal Data Protection Act (FADP) only applies to federal bodies.

False (B)

What is the primary purpose of the Federal Data Protection Act (FADP)?

To protect the personality and fundamental rights of natural persons.

The FADP applies to the processing of __________ data of identified or identifiable natural persons.

personal

Match the following principles with their descriptions:

  • Safeguarding privacy = Ensuring confidentiality and respect for individual rights
  • Promoting transparency = Encouraging open communication about data handling practices
  • Fair processing = Ensuring that data is collected and used in a lawful manner
  • Accountability = Holding entities responsible for their data protection practices

What does the material scope of the FADP cover?

Processing of personal data (D)

The territorial scope of the FADP includes processing initiated outside of Switzerland.

True (A)

What is one example of a situation where GDPR applies to entities outside the EU?

Offering goods or services to individuals in the EU.

Cantonal data protection laws, like Zurich’s IDG-ZH, apply to __________ and municipal authorities.

cantonal

Which aspect of GDPR is concerned with monitoring behavior within the EU?

Territorial scope (B)

Which of the following is a condition for federal bodies to process sensitive personal data?

There must be a statutory basis in a formal law. (D)

Federal bodies can process personal data without having a statutory basis in any circumstances.

False (B)

What kind of processing requires a statutory basis in a formal law for federal bodies?

Processing of sensitive personal data, profiling, or when it may lead to serious violation of fundamental rights.

A statutory basis in a __________ law is sufficient for particularly sensitive personal data.

substantive

Match the following provisions to their descriptions:

  • Art. 33 FADP = Regulates control procedures and responsibilities
  • Art. 34 FADP = Establishes the legal basis for data processing
  • Art. 36 FADP = Concerns disclosure of personal data
  • Art. 34 para. 4 FADP = Allows processing under overriding interests

Which of the following is NOT a requirement for derogation under Art. 34 para. 4 FADP?

The processing is necessary for business reasons. (C)

Federal bodies must always acquire consent from the data subject to process personal data.

False (B)

What is required for the disclosure of data by federal bodies?

A statutory basis.

Processing of personal data must adhere to the __________ required by the Federal Council.

regulations

Processing of personal data may take place without a statutory basis when:

It is necessary to protect life or integrity. (D)

Flashcards

FADP (Federal Data Protection Act)

A public authority or service of the Confederation, or a person entrusted with public tasks on behalf of the Confederation.

Private Law Activities by Federal Bodies

When a federal body acts under private law, the same data protection rules apply as for private individuals.

Information

Data that has been processed, organized, structured or presented in a specific context to make it meaningful or useful.

Data

Raw, unorganized facts.

Territorial Scope of GDPR

The GDPR applies to Swiss entities that have an establishment within the EU or process personal data of individuals within the EU, regardless of where the processing takes place.

Offering Goods or Services in the EU

The GDPR rule that applies to data processing activities with the aim of offering goods or services to data subjects in the EU.

Monitoring Behavior in the EU

The GDPR rule that applies to data processing activities related to monitoring behavior of individuals within the EU.

Data Processing

Any operation or set of operations performed on personal data, such as collection, storage, use, or deletion.

Data Subject

The individual to whom the personal data relates.

Controller

The entity or person that determines the purpose and means of data processing.

Processor

A third party handling data on behalf of the controller.

Sensitive Personal Data

Data requiring extra protection, such as health information, religious beliefs, or biometric data.

Principle of Legality

The principle that any government action must have a legal basis. This ensures transparency and accountability, preventing arbitrary actions.

Stricter Rules for Public Bodies

Regulations that are stricter for government bodies compared to private entities due to their authoritative nature, lack of choice for individuals, and the need for legal justification for all actions.

Data Protection as a Fundamental Right

The right to privacy is protected from unwarranted government intrusion. This ensures personal autonomy and freedom.

General Provisions for Federal Bodies

Public bodies are subject to many of the same data protection provisions as private individuals and entities, including key principles like data minimization, purpose limitation, and data security.

Provisions Applying Only to Federal Bodies

Federal bodies have specific data protection provisions tailored to their unique circumstances. These may include rules on data retention, data sharing between agencies, and the role of data protection officers.

Provisions Applying Only to Private Persons

Examples include codes of conduct, representatives for data subjects, and specific provisions on data processing for private entities.

Processing by Processors

The FADP outlines how to handle data protection when data is processed by an entity other than the 'controller,' such as an external company hired to manage databases or software.

Data Security

This ensures that data is only used for its intended purpose, minimizes risks, and protects individuals' rights.

Privacy by Design

Data privacy should be built into the design phase of any system or process, minimizing potential risks and ensuring compliance from the outset.

Joint Data Processing

When multiple bodies (federal, cantonal, or private) process personal data together, the Federal Council sets rules for controlling this process and assigning responsibilities.

Statutory Basis for Data Processing

Federal bodies are allowed to process personal data only if a legal basis exists, meaning it's allowed by a specific law.

Strict Legal Basis for Sensitive Data Processing

Processing of sensitive personal data, conducting profiling, or actions that might severely harm someone's rights requires a statutory basis in a formal law, which is a higher level of legal authority.

Less Strict Legal Basis for Sensitive Data & Profiling

Processing sensitive personal data or profiling may only require a statutory basis in a substantive law, which is less formal, if it's essential for a task specifically mandated by a formal law and poses low risks to individuals.

Overriding Statutory Basis for Data Processing

The requirement for a statutory basis can be overridden if certain conditions are met. For example, the Federal Council may authorize processing if individuals' rights are not at risk.

Disclosure of Personal Data by Federal Bodies

Federal bodies can disclose personal data only if authorized by a specific law. This law must be evaluated for its level of formality and whether it falls under specific exceptions for processing sensitive data.

Joint Data Processing: Control and Responsibility

When several organizations work together to process personal data, the Federal Council defines responsibilities and controls.

Federal Council's Role in Joint Data Processing

The Federal Council establishes specific rules for controlling and assigning responsibility for processing personal data in joint data processing.

Legal Basis: Formal vs. Substantive Law

The legal basis for processing personal data is governed by specific laws tailored to the type of data being processed and the risks involved.

Importance of a Legal Basis in Data Processing

Processing personal data, especially sensitive data, must have a clear legal foundation to protect individuals' rights and ensure transparency.

Purpose of the FADP (Federal Data Protection Act)

The Federal Data Protection Act aims to ensure individuals' rights are protected when their personal information is processed. This includes safeguarding their privacy and ensuring transparent and fair data handling.

Territorial Scope of FADP

The FADP applies to processing activities that have an effect in Switzerland, even if the data is processed outside of the country.

Material Scope of FADP

The FADP covers the processing of any type of information that relates to an individual who can be identified, either directly or indirectly.

Personal Scope of FADP

The FADP applies to all individuals and federal authorities in Switzerland.

Cantonal Data Protection Laws

Swiss cantonal laws, such as the Zurich IDG-ZH, have similar data protection principles as the FADP but are tailored to the specific needs of public administrative bodies.

Applicability of GDPR within the EU

The GDPR applies to entities established within the EU that process personal data, regardless of where the data is processed.

Applicability of GDPR outside the EU

Even if an entity is outside the EU, they must comply with the GDPR if they offer goods or services to individuals in the EU or monitor their online behavior.

Who does the FADP apply to?

The FADP applies to private individuals and federal bodies, including those contracted to perform public duties.

Alternative Data Protection Methods

Organizations can secure rights to data through contracts that specify how the data is used, accessed, and deleted.

Study Notes

Data Protection and Data Management

  • Companies and juridical persons are not protected under Art. 1 to 4 of the Federal Data Protection Act (FADP).
  • Chapters 1 to 4 of the FADP apply only to private and public law.
  • Ownership of data is not covered by the Civil Code. Prevailing doctrine does not consider data an object of ownership rights under Art. 641 para. 1.
  • Ownership rights concerning data are not currently established under the Swiss Civil Code.

Copyrights

  • Works are literary and artistic intellectual creations with individual character, irrespective of their value or purpose (Art. 2 Copyright Act).
  • Collections are protected as works in their own right (Art. 4 Copyright Act) if they are intellectual creations with individual character in regard to their selection and arrangement.
  • Data does not equal Works or Collected Works in terms of copyright.

EU-Database Rights

  • The protection of databases is a sui generis right, unrelated to other forms of protection (e.g., copyright).
  • Copyright and the sui generis right may both apply if the conditions for each right are fulfilled.

Unfair Competition

  • Exploiting the works of others is unfair (Act on Unfair Competition).
  • A person acts unfairly if they exploit another's work product.
  • Actions may include using technical reproduction processes without reasonable effort.
  • There is a high hurdle for applying this protection in the data context.

Breach of Manufacturing or Trade Secrecy

  • Information concerning manufacturing or enterprise products is considered an undisclosed trade secret.
  • Information must be known only to a limited circle of persons and not be easily accessible for it to be considered a trade secret.
  • Breach of manufacturing or trade secrecy is regulated by Art. 6 of the Act on Unfair Competition and Art. 162 of the Criminal Code.
  • The breach is described as (i) breach of statutory or contractual duty not to reveal or (ii) any person exploiting such a breach for themselves or for third parties.

Important Topics in Contracts concerning Data

  • Data Ownership
  • Protection of Know-How/Confidentiality
  • Rights of Use
  • Subject Matter in Contracts concerning Data
  • Type of data, content, and formats.
  • Compilation and organization of the data.
  • Scope and quantity of data records.
  • Availability, completeness, accuracy of the data.
  • Type of contract and services owed.
  • Access, exploitation, processing, and deletion.
  • Data protection.

Structure FADP

  • Purpose of the FADP: To protect the personality and fundamental rights of natural persons whose personal data is processed, according to Art. 1 FADP.

Territorial Scope

  • This Act applies to circumstances that have an effect in Switzerland, even if they were initiated abroad.
  • For rights under private law, the Private International Law of 18 December 1987 applies.
  • The relevant law is the law at the person's domicile.
  • The choice of law of the injured party, habitual residence of injured party, or establishment location is considered.
  • The law of the state where the result occurred may also apply.
