Data Protection Law Quiz

Questions and Answers

Which article of the Federal Data Protection Act (FADP) addresses exceptions such as consent?

Art. 17 FADP (correct)

Art. 16 para 2 FADP

Art. 30 FADP

Art. 40 FADP

The term 'pseudonymization' is irrelevant in the context of data protection law.

False

What is the primary purpose of data protection law under the FADP?

To protect personal data and privacy of individuals.

According to the Swiss Civil Code, ownership to data is referred to as '__________'.

Eigentum

Match the articles with their relevant themes:

Art. 5 FADP = Definitions in data protection law Art. 16 para 2 FADP = Exceptions to data processing rules Art. 30 FADP = Special provisions on data processing by private persons Art. 40 FADP = General provisions applicable to data processing

What is the primary criterion for determining if personal data is subject to the EU's regulations?

Processing activities related to individuals in the Union

Citizenship and nationality of the data subject are crucial in determining the application of the GDPR.

False

What is the difference between data and information?

Data is raw and unorganized facts, while information is processed and organized data that is meaningful.

Personal Data means any information relating to an ______ person.

identified or identifiable natural

Match the following terms with their definitions:

Personal Data = Any information related to an identified or identifiable natural person Sensitive Personal Data = Data that requires special protection due to its nature Data Subject = An individual whose personal data is processed Processing = Any operation performed on personal data

Which of the following best describes incorrect personal data?

Data that can still be considered personal data

The effort involved in identifying someone is a relevant factor in determining if that person is identifiable.

True

What is the primary obligation of a person processing personal data according to Art. 6 para. 4 FADP?

To ensure the data is accurate

Processing personal data is prohibited unless it is allowed under the Swiss legal framework.

False

What must a person who processes personal data ensure according to Art. 6 para. 5 FADP?

The correctness of the data.

A violation of personality rights exists if personal data are processed contrary to the principles set out in Articles 6 and ____.

8

Match the following data protection concepts with their descriptions:

Data Accuracy = Ensuring data is correct and updated Personality Rights = Rights related to an individual's personal data Sensitive Data Disclosure = Releasing highly confidential personal information Data Subject Consent = Permission given by the data subject for processing their data

Which of the following is NOT a reason for a violation of personality rights according to Art. 30 para. 2 FADP?

Transferring personal data to another country

The list of Art. 30 para. 2 FADP regarding violations of personality rights is exhaustive.

False

In what scenarios are breaches of personality rights considered unlawful?

When they are not justified by consent, overriding interests, or law.

The FADP system on data processing is largely similar to the ____ system.

GDPR

What is required for the valid consent of a data subject?

It must be given voluntarily

Consent for data processing cannot be revoked once given.

False

What is generally considered not a breach of personality rights according to FADP?

If the data subject makes the personal data generally accessible.

Breach of personality rights can be justified by __________ of the data subject.

consent

Match the following grounds for justification with their descriptions:

Consent = Must be explicit and can be revoked Overriding Interest = Balancing the interests of data controller and data subject Law = Legal basis requiring or authorizing data processing

Which of the following is NOT a situation that requires explicit consent?

General data processing by a large organization

The justification of personal data processing can be easily affirmed in all cases.

False

What article outlines the requirement for explicit consent in certain cases?

Article 31 and Article 6 of the FADP

Data processing must fulfill the requirements laid out in Article __________ of FADP.

31

Which of the following could potentially justify a breach of personality rights?

Public interest that is overriding

What is required for federal bodies to process sensitive personal data?

A statutory basis in a formal law

Federal bodies may process personal data without any legal basis if the data subject's consent is obtained.

False

According to Art. 36 FADP, what is necessary before any disclosure of data by federal bodies?

A statutory basis

Federal bodies may process personal data if the Federal Council has authorised the processing because it considers the data subject's rights not to be at _____.

risk

Match the following provisions with their descriptions:

Art. 33 FADP = Control procedures and responsibilities regulation Art. 34 FADP para 1 = Statutory basis required for processing Art. 34 FADP para 4 = Overriding public and private interest Art. 36 FADP = Disclosure of personal data requires a statutory basis

Which of the following is a circumstance under which federal bodies may process data without explicit consent?

If it is authorized by the Federal Council

Profiling is permitted under certain conditions without a statutory basis according to Art. 34 FADP.

True

What must be considered if the processing purpose poses serious risks for fundamental rights?

A statutory basis in a formal law is required.

Processing of personal data by federal bodies requires a statutory basis in a _____.

formal law

Which of the following situations allows federal bodies to process sensitive personal data without a formal law?

When processing is essential for a task required by a formal law

Study Notes

Data Protection and Data Management

• Federal Data Protection Act (FADP) governs data processing by private and public entities.
• Chapter 1 of FADP covers the purpose, scope, and supervisory authority.
• Ownership of data isn't recognized in the sense of the Civil Code. Rather, controlling and contractual measures are used to secure access, utilization, and deletion.
• Copyright law protects individual works and collections of intellectual creations based on selection and arrangement.
• EU database rights are a form of protection distinct from copyright related to databases; both protections can coexist.
• Unfair competition law (UCA) protects investments in works of others.
• Breach of manufacturing or trade secrecy is defined as unauthorized disclosure of confidential information concerning the manufacturing and trade secret (e.g. Art. 6 UCA and 162 Criminal Code).
• Contracts concerning data often include data "ownership", data use, and confidentiality provisions.
• Data protection law at various levels includes federal, cantonal, and communal regulations.
• Federal law is applicable in cases involving private and public entities and their processing of personal data.
• Data protection encompasses specific provisions pertaining to private persons and federal bodies.

Data vs. Information

• Data is raw, unorganized facts.
• Information is data that has been processed, organized, structured, or presented in a specific context to make it meaningful or useful.
• Data is like building blocks; information is the resulting meaningful context.
• Computers need data; people need information.

Personal Data

• Personal data is any information relating to an identified or identifiable natural person.
• This includes sensitive personal data relating to religious, philosophical, political, or trade union activities; health, private sphere, or affiliation to a race or ethnic group; genetic data; biometric data uniquely identifying a natural person; data related to administrative and criminal proceedings; data relating to social assistance measures.
• Legal entities are not considered personal data, but information related to them might be considered depending on the specifics of the case.
• Incorrect personal data is still personal data.
• Identifiability depends on the context and perspective of the information holder. The effort required to identify the individual is a critical factor.

Profiling

• Profiling is automated processing of personal data to evaluate specific aspects of a natural person (e.g., performance at work, economic situation, preferences, interests, reliability, behavior, location, or movements).
• High-risk profiling specifically poses a risk to personality or fundamental rights by matching data allowing essential aspects of the personality to be assessed.
• Legal examples concern a fitness instructor's contract information, salary details, banking information, and employee evaluations handled by a fitness studio.

Data Disclosure

• Disclosure of personal data by federal bodies requires a legal basis in formal or substantial law.
• Objections to disclosures are regulated by law.
• Considerations for data disclosures include tasks, public interest, overriding interests, and possible legal obligations.

Principles of Data Processing

• Lawfulness: Processing must have a legal basis.
• Good faith: Processing must be carried out in good faith.
• Proportionality: Processing must be proportionate to the purpose.
• Purpose Limitation: Processing must be for a relevant and identified purpose.
• Data Accuracy: Data must be accurate.
• Data Minimization: Collect only necessary data.
• Storage Duration: Data must not be stored longer than necessary.
• Integrity and Confidentiality: Data must be protected against unauthorized access.

Data Protection Impact Assessment (DPIA)

• If the processing of personal data is likely to pose a high risk to the personality or fundamental rights of the data subject, a DPIA is required.
• The DPIA assesses the potential risks and measures to mitigate them.
• The FDPIC may consult the controller if objections to the planned processing are deemed necessary.

Data Security

• Data security includes technical and organizational measures to protect personal data.
• Measures should correspond to the nature, extent, and risk of the data processing.
• Risk-based approach is crucial in assessing security risks.

Cross-Border Disclosure

• Cross-border disclosure is possible if the receiving country has adequate data protection standards, based on treaties, specific guarantees, or standard contractual clauses (SCCs).
• U.S. is not on the list of countries that have adequate data protection.
• Data transfer to countries deemed inadequate may require consent, which is usually required to proceed.

Special Provisions of Data Processing by Private Persons

• Private individuals are allowed to process data if not prohibited.
• Breaches to data privacy can occur due to a violation of principles, contrary requests or disclosure to third parties.
• Consent must be explicitly given for specific kinds of processing: data concerning sensitive information, high-risk profiling by a private individual and profiling by a federal body, overriding the private or public interest; or law.

Description

Test your knowledge of data protection laws, specifically the Federal Data Protection Act (FADP) and GDPR. This quiz covers key concepts, definitions, and regulations pertaining to personal data and privacy rights. Assess your understanding of exceptions, obligations, and the relationship between data and information.