Data Protection Law Quiz

Questions and Answers

Which article of the Federal Data Protection Act (FADP) addresses exceptions such as consent?

• Art. 17 FADP (correct)
• Art. 16 para 2 FADP
• Art. 30 FADP
• Art. 40 FADP

The term 'pseudonymization' is irrelevant in the context of data protection law.

False (B)

What is the primary purpose of data protection law under the FADP?

To protect personal data and privacy of individuals.

According to the Swiss Civil Code, ownership to data is referred to as '__________'.

Eigentum

Match the articles with their relevant themes:

Art. 5 FADP = Definitions in data protection law Art. 16 para 2 FADP = Exceptions to data processing rules Art. 30 FADP = Special provisions on data processing by private persons Art. 40 FADP = General provisions applicable to data processing

What is the primary criterion for determining if personal data is subject to the EU's regulations?

Processing activities related to individuals in the Union (B)

Citizenship and nationality of the data subject are crucial in determining the application of the GDPR.

False (B)

What is the difference between data and information?

Data is raw and unorganized facts, while information is processed and organized data that is meaningful.

Personal Data means any information relating to an ______ person.

identified or identifiable natural

Match the following terms with their definitions:

Personal Data = Any information related to an identified or identifiable natural person Sensitive Personal Data = Data that requires special protection due to its nature Data Subject = An individual whose personal data is processed Processing = Any operation performed on personal data

Which of the following best describes incorrect personal data?

Data that can still be considered personal data (C)

The effort involved in identifying someone is a relevant factor in determining if that person is identifiable.

True (A)

What is the primary obligation of a person processing personal data according to Art. 6 para. 4 FADP?

To ensure the data is accurate (C)

Processing personal data is prohibited unless it is allowed under the Swiss legal framework.

False (B)

What must a person who processes personal data ensure according to Art. 6 para. 5 FADP?

The correctness of the data.

A violation of personality rights exists if personal data are processed contrary to the principles set out in Articles 6 and ____.

8

Match the following data protection concepts with their descriptions:

Data Accuracy = Ensuring data is correct and updated Personality Rights = Rights related to an individual's personal data Sensitive Data Disclosure = Releasing highly confidential personal information Data Subject Consent = Permission given by the data subject for processing their data

Which of the following is NOT a reason for a violation of personality rights according to Art. 30 para. 2 FADP?

Transferring personal data to another country (C)

The list of Art. 30 para. 2 FADP regarding violations of personality rights is exhaustive.

False (B)

In what scenarios are breaches of personality rights considered unlawful?

When they are not justified by consent, overriding interests, or law.

The FADP system on data processing is largely similar to the ____ system.

GDPR

What is required for the valid consent of a data subject?

It must be given voluntarily (B)

Consent for data processing cannot be revoked once given.

False (B)

What is generally considered not a breach of personality rights according to FADP?

If the data subject makes the personal data generally accessible.

Breach of personality rights can be justified by __________ of the data subject.

consent

Match the following grounds for justification with their descriptions:

Consent = Must be explicit and can be revoked Overriding Interest = Balancing the interests of data controller and data subject Law = Legal basis requiring or authorizing data processing

Which of the following is NOT a situation that requires explicit consent?

General data processing by a large organization (B)

The justification of personal data processing can be easily affirmed in all cases.

False (B)

What article outlines the requirement for explicit consent in certain cases?

Article 31 and Article 6 of the FADP

Data processing must fulfill the requirements laid out in Article __________ of FADP.

31

Which of the following could potentially justify a breach of personality rights?

Public interest that is overriding (B)

What is required for federal bodies to process sensitive personal data?

A statutory basis in a formal law (B)

Federal bodies may process personal data without any legal basis if the data subject's consent is obtained.

False (B)

According to Art. 36 FADP, what is necessary before any disclosure of data by federal bodies?

A statutory basis

Federal bodies may process personal data if the Federal Council has authorised the processing because it considers the data subject's rights not to be at _____.

risk

Match the following provisions with their descriptions:

Art. 33 FADP = Control procedures and responsibilities regulation Art. 34 FADP para 1 = Statutory basis required for processing Art. 34 FADP para 4 = Overriding public and private interest Art. 36 FADP = Disclosure of personal data requires a statutory basis

Which of the following is a circumstance under which federal bodies may process data without explicit consent?

If it is authorized by the Federal Council (B)

Profiling is permitted under certain conditions without a statutory basis according to Art. 34 FADP.

True (A)

What must be considered if the processing purpose poses serious risks for fundamental rights?

A statutory basis in a formal law is required.

Processing of personal data by federal bodies requires a statutory basis in a _____.

formal law

Which of the following situations allows federal bodies to process sensitive personal data without a formal law?

When processing is essential for a task required by a formal law (A)

Flashcards

Personal Data

Any information that relates to an identified or identifiable natural person. Examples include name, address, IP address, and browsing history.

EU Establishment

The processing of personal data takes place within the EU if the processing activities are related to offering goods or services to people in the EU, or monitoring their behavior within the EU.

Data

Raw, unorganized facts. It is like the building blocks of information. Examples: numbers, symbols, or words.

Information

Data that has been processed, structured, and organized in a specific way to make it meaningful and useful. It is data that has been given context.

Identifiable

The ability to identify a person is determined from the perspective of the person holding the information. It's not just theoretical possibility, but actual likelihood of identification.

Incorrect Personal Data

Even incorrect or inaccurate personal data is still considered personal data. Accuracy doesn't change the fact that it relates to a person.

Data Subject Citizenship

The processing of personal data is not dependent on the nationality or citizenship of the data subject. Data protection applies regardless of origin.

Public Data and Privacy

The right to privacy is not violated if the data subject makes the information public and hasn't explicitly prohibited its processing.

When is Consent Needed?

Consent is required for processing sensitive data, high-risk profiling by individuals, and profiling by government bodies.

Balancing Interests

Balancing an individual's privacy rights with the interests of the data controller is key when determining if there's an overriding interest.

Legal Justification

Legal grounds, like laws or regulations, can justify data processing. This can be explicit or implied by the law.

Valid Consent

Consent must be given freely, for specific purposes, and with sufficient information provided to the data subject.

Revoking Consent

The withdrawal of consent doesn't necessarily affect past data processing that was based on consent.

Exemplary Overriding Interests

A list of exemplary overriding interests for data controllers is provided in the FADP. It's not exhaustive.

Justification with Caution

The Federal Supreme Court emphasizes that justification for processing personal data should be considered carefully and not automatically assumed.

Analyzing Personality Rights Violations

Determining if there's a violation of personality rights can be done by considering if it's personal data, who the subject is, if data is processed, and if personality rights are breached.

FADP

The Federal Data Protection Act (FADP) is the key law in Switzerland governing data protection.

Legal Basis for Processing Data

Federal bodies can only process personal data if there is a legal basis for doing so. The requirement for this basis depends on the type of personal data and the processing purpose.

Formal Law Basis

A statutory basis in a formal law is required for processing sensitive personal data, profiling, or if the processing could seriously harm someone's rights.

Substantive Law Basis

A statutory basis in a substantive law is enough for highly sensitive data and profiling if it's essential for a legal task and doesn't pose a risk to people's rights.

Derogation from Legal Basis

Federal bodies can process data even without a formal or substantive law basis if certain conditions are met, including approval from the Federal Council, consent from the data subject, or necessity to protect life or physical integrity.

Disclosure of Personal Data

Federal bodies need a legal basis to disclose personal data to others. This basis could come from formal law, substantive law, or specific exemptions mentioned in the law.

Data Accuracy Principle

The principle emphasizes that anyone handling personal data must ensure its accuracy. This includes verifying correctness, potentially updating data regularly, and implementing measures to rectify, erase, or destroy inaccurate data.

Personality Rights Protection

This principle states that individuals processing personal data must not violate the data subjects' personality rights.

Swiss Legal Principle: Data Processing

Processing data is primarily allowed, unless explicitly prohibited. This differs from EU law, where processing is typically prohibited unless permitted.

Examples of Personality Rights Violations

This list provides specific examples of situations where personality rights might be violated. However, it's not exhaustive, meaning there could be other ways personality rights are breached.

Justification for Personality Rights Breaches

Breaches of personality rights are considered unlawful unless justified by the data subject's consent, an overriding private or public interest, or legal requirements.

Data Subject's Wish for Non-Processing

The interpretation of a data subject's wish to have their personal data not processed depends on the context and situation. There's no one-size-fits-all answer.

Disclosure of Sensitive Personal Data

Disclosure of sensitive personal data refers to a loss of control over this information - it becomes accessible to a potentially broader audience, including other controllers, and potentially processors.

Data Processing by Private Persons Principle

This principle complements the general protection of personality rights by specifying what types of data processing are permissible.

Complementing Personality Rights Protection

This principle emphasizes that data processing must not violate the personality rights of individuals. It further specifies the general rules for personal data protection found in the Swiss Civil Code (Art. 28).

Data Minimization

This principle applies to both public and private companies, as well as federal agencies.

Art. 40 FADP

Applies to data processing by private persons, federal bodies, and both.

Ownership of data

This is a crucial concept related to obtaining legal protections for data.

Data Security

A critical principle that ensures data is protected from unauthorized access, use, disclosure, alteration, or destruction.

Exception to consent

Art. 16 para 2 FADP provides details, it covers the processing of data without explicit consent.

Study Notes

Data Protection and Data Management

• Federal Data Protection Act (FADP) governs data processing by private and public entities.
• Chapter 1 of FADP covers the purpose, scope, and supervisory authority.
• Ownership of data isn't recognized in the sense of the Civil Code. Rather, controlling and contractual measures are used to secure access, utilization, and deletion.
• Copyright law protects individual works and collections of intellectual creations based on selection and arrangement.
• EU database rights are a form of protection distinct from copyright related to databases; both protections can coexist.
• Unfair competition law (UCA) protects investments in works of others.
• Breach of manufacturing or trade secrecy is defined as unauthorized disclosure of confidential information concerning the manufacturing and trade secret (e.g. Art. 6 UCA and 162 Criminal Code).
• Contracts concerning data often include data "ownership", data use, and confidentiality provisions.
• Data protection law at various levels includes federal, cantonal, and communal regulations.
• Federal law is applicable in cases involving private and public entities and their processing of personal data.
• Data protection encompasses specific provisions pertaining to private persons and federal bodies.

Data vs. Information

• Data is raw, unorganized facts.
• Information is data that has been processed, organized, structured, or presented in a specific context to make it meaningful or useful.
• Data is like building blocks; information is the resulting meaningful context.
• Computers need data; people need information.

Personal Data

• Personal data is any information relating to an identified or identifiable natural person.
• This includes sensitive personal data relating to religious, philosophical, political, or trade union activities; health, private sphere, or affiliation to a race or ethnic group; genetic data; biometric data uniquely identifying a natural person; data related to administrative and criminal proceedings; data relating to social assistance measures.
• Legal entities are not considered personal data, but information related to them might be considered depending on the specifics of the case.
• Incorrect personal data is still personal data.
• Identifiability depends on the context and perspective of the information holder. The effort required to identify the individual is a critical factor.

Profiling

• Profiling is automated processing of personal data to evaluate specific aspects of a natural person (e.g., performance at work, economic situation, preferences, interests, reliability, behavior, location, or movements).
• High-risk profiling specifically poses a risk to personality or fundamental rights by matching data allowing essential aspects of the personality to be assessed.
• Legal examples concern a fitness instructor's contract information, salary details, banking information, and employee evaluations handled by a fitness studio.

Data Disclosure

• Disclosure of personal data by federal bodies requires a legal basis in formal or substantial law.
• Objections to disclosures are regulated by law.
• Considerations for data disclosures include tasks, public interest, overriding interests, and possible legal obligations.

Principles of Data Processing

• Lawfulness: Processing must have a legal basis.
• Good faith: Processing must be carried out in good faith.
• Proportionality: Processing must be proportionate to the purpose.
• Purpose Limitation: Processing must be for a relevant and identified purpose.
• Data Accuracy: Data must be accurate.
• Data Minimization: Collect only necessary data.
• Storage Duration: Data must not be stored longer than necessary.
• Integrity and Confidentiality: Data must be protected against unauthorized access.

Data Protection Impact Assessment (DPIA)

• If the processing of personal data is likely to pose a high risk to the personality or fundamental rights of the data subject, a DPIA is required.
• The DPIA assesses the potential risks and measures to mitigate them.
• The FDPIC may consult the controller if objections to the planned processing are deemed necessary.

Data Security

• Data security includes technical and organizational measures to protect personal data.
• Measures should correspond to the nature, extent, and risk of the data processing.
• Risk-based approach is crucial in assessing security risks.

Cross-Border Disclosure

• Cross-border disclosure is possible if the receiving country has adequate data protection standards, based on treaties, specific guarantees, or standard contractual clauses (SCCs).
• U.S. is not on the list of countries that have adequate data protection.
• Data transfer to countries deemed inadequate may require consent, which is usually required to proceed.

Special Provisions of Data Processing by Private Persons

• Private individuals are allowed to process data if not prohibited.
• Breaches to data privacy can occur due to a violation of principles, contrary requests or disclosure to third parties.
• Consent must be explicitly given for specific kinds of processing: data concerning sensitive information, high-risk profiling by a private individual and profiling by a federal body, overriding the private or public interest; or law.

Description

Test your knowledge of data protection laws, specifically the Federal Data Protection Act (FADP) and GDPR. This quiz covers key concepts, definitions, and regulations pertaining to personal data and privacy rights. Assess your understanding of exceptions, obligations, and the relationship between data and information.