Data Protection Principles and Responsibilities
50 Questions
Questions and Answers

Who is considered the controller in the given examples?

  • Company ABC (correct)
  • Cloud storage provider
  • Service provider XYZ
  • Insurance seller
    The cloud service provider offers a fully customizable service to its customers.

    False

    What is one illegal behavior associated with personal data processing?

    Hacking and gaining unauthorized access to personal data.

    Personal data must be processed __________ according to Art. 6 para 1 FADP.

    lawfully

    Match the following terms with their definitions:

    • Controller = Determines the purpose of processing personal data
    • Processor = Handles personal data on behalf of another
    • Good Faith = Processing must be done with honest intentions
    • Lawfulness = Compliance with legal standards in data processing

    Which principle stipulates that personal data processing must be done sincerely and honestly?

    Good Faith

    Company ABC has direct access to all personal data used in their market research.

    False

    What must processors do according to the given principles?

    Process personal data in accordance with the instructions of the controller.

    Which of the following is NOT a ground for justification of breach of personality rights?

    Explicit prohibition by the data subject

    Consent must always be expressly given for all types of data processing.

    False

    What is the significance of Article 6 para. 6 FADP regarding the revocation of consent?

    Consent is revocable at any time.

    A balance of interests is required when considering _____ or _____ interests over the interests of the data subject.

    private, public

    Which law provides grounds for justifying data processing?

    Article 31 FADP

    What is the primary objective of data security?

    To prevent unauthorized access to personal data

    The consent given for data processing cannot be revoked once it has been given.

    False

    Data protection by design focuses solely on technical measures.

    False

    Which article addresses personal data and its processing under the FADP?

    Article 5 FADP

    What measures must be taken to ensure a level of data security appropriate to the risk?

    Suitable technical and organizational measures

    Personal data shall be protected by adopting __________ measures.

    technical and organizational

    Match the following obligations with their corresponding articles in DPO:

    • Art. 4 DPO = Obligation to obtain consent
    • Art. 5 DPO = Obligation of data minimization
    • Art. 6 DPO = Obligation for processing or legitimate interest
    • Art. 7 DPO = Obligation to guarantee data accuracy

    Which of the following can trigger the obligation addressed in Art. 4 DPO?

    Processing of personal data

    Different obligations apply to different kinds of controllers and processors as per DPO.

    True

    What is the penalty for willfully violating the minimum data security requirements?

    A fine not exceeding CHF 250,000

    Which of the following is NOT a duty of a controller under the FADP?

    Automatically process personal data without consent

    The risk-based approach in data protection law requires that all data must be processed equally regardless of the potential risk.

    False

    What body do controllers and processors consult for data protection issues in Switzerland?

    FDPIC

    A __________ is a person or entity that determines the purposes and means of processing personal data.

    controller

    Match the following concepts with their definitions:

    • DPIA = A process to assess the impact of data processing on privacy
    • Data breach = An incident that leads to unauthorized access to personal data
    • Processor = An entity that processes data on behalf of the controller
    • FADP = Swiss Federal Act on Data Protection

    Which article of the FADP primarily addresses the duty to provide information?

    Article 19

    The terms 'controller' and 'processor' can be used interchangeably in data protection law.

    False

    What is the primary purpose of a Privacy Notice?

    To inform data subjects about the processing of their personal data.

    What is the maximum fine for intentional violations under the FADP?

    CHF 250,000

    Only intentional violations of the FADP are punishable.

    True

    What must financial institutions do after a data breach according to the FDPIC?

    Update their security measures

    Controllers must maintain a record of their processing activities for ______ and ______.


    What is the primary responsibility of controllers under the FADP?

    To implement appropriate data security measures

    Processors are allowed to process data based on verbal instructions from controllers.

    False

    What must controllers do according to Article 19 FADP?

    Inform data subjects about processing activities

    Controllers and processors must formalize their relationship through __________.

    Data Processing Agreements (DPAs)

    Which of the following is NOT a requirement for processors under Article 9 of the FADP?

    They can process data based on any instructions

    Match the following articles of the FADP with their associated responsibilities.

    • Art. 8 FADP = Shared responsibility for data security
    • Art. 9 FADP = Process data on documented instructions
    • Art. 22 FADP = Conduct Data Protection Impact Assessments
    • Art. 24 FADP = Notification of data breaches

    Data can be disclosed to any country without restrictions.

    False

    What must processors implement to ensure data protection?

    Technical and organizational measures

    Which of the following is a responsibility of cantonal authorities under the FADP?

    Enforcing compliance with data protection regulations

    Failure to provide access or cooperate with investigations is considered a criminal offense under the FADP.

    True

    Controllers and processors must maintain a record of their processing activities to ensure ______ and ______.

    accountability; transparency

    Match the following criminal offenses with their corresponding articles in the FADP:

    • Failure to provide access = Art. 60
    • Breach of professional confidentiality = Art. 62
    • Non-compliance with FDPIC decisions = Art. 63

    What is required for most offenses under the FADP to be actionable?

    Formal complaints

    Criminal liability under the FADP applies to both intentional and unintentional violations.

    False

    What must a financial institution do after a data breach?

    Update its security measures

    Study Notes

    Data Protection and Data Management

    • Companies and legal persons are not protected under Art. 1-4 of the Federal Data Protection Act (FADP).
    • Chapters 1-4 of the FADP apply to private and public law.
    • Ownership of data in the sense of the Civil Code is not a recognized concept for data.
    • The prevailing legal doctrine does not consider data to be material objects under ownership rights (Art. 641 CC).
    • There is a discussion on whether data should fall under ownership rights.
    • The concepts of 'tangibility' and 'subject to human control' are discussed but not established as formal concepts for property rights in relation to data.

    Copyrights

    • Literary and artistic creations are protected under copyright law.
    • Collections are also protected if they are intellectual creations.
    • Data is not automatically considered a work under copyright law.
    • Database rights are considered a sui generis right, independent of Copyright.
    • The copyright and sui-generis rights can both apply if conditions are met.

    Unfair Competition

    • Protecting investment in the works of others is regulated under this law.
    • Unfair competition can arise in exploiting the work product of others.
    • Protection includes those whose work is ready for the market through technical reproduction.
    • Unfair competition protection has a high hurdle for application to data.

    Breach of Manufacturing or Trade Secrecy

    • Confidentiality concerning the manufacturing of products or other information is protected.
    • The information must be known to a limited number of people and not readily accessible.
    • An intentional breach of manufacturing or trade secrets is criminal.

    Important topics in contracts concerning Data

    • Data ownership/protection is a crucial consideration in contracts.

    • Contracts should cover Know-How protection.
    • Contractual limits should be defined for data use.
    • Contracts concerning data should outline processes for handling the data, such as storage and deletion.
    • Contract terms should cover access, exploitation, processing, and deletion protocols, and data protection.

    Scope of Application

    • The Federal Act on Data Protection (FADP) protects the personality and fundamental rights of natural persons whose personal data is processed. 

    • The FADP applies to private persons and federal bodies.

    • Specific provisions apply to private or federal entities.
    • Data protection law applies outside of Swiss borders, affecting entities and circumstances.

    • Private international law provisions govern law application.

    • Territorial scope of the law and in what cases it applies is also discussed.

    Data Terminology and Definitions

    • Raw data is unorganized information.
    • Information is organized, structured, or presented data in specific contexts to make it meaningful.
    • Data is a component and information is a result of data processing.
    • Data is a building block, and information is the result.
    • The ability to identify a person is relevant for data protection law.
    • The holder of data is considered the evaluator of identifiability.
    • Incorrect personal data is still considered as personal data.
    • The effort to identify a person has to be considered in relation to the overall context of processing.
    • Anonymization involves removing the person's identity permanently.
    • Pseudonymization involves replacing identifiability with a pseudonym.

    Profiling

    • Art. 5 let. f FADP defines profiling.
    • Art. 5 let. g FADP defines high risk profiling.
    • Profiling is the automated processing of personal data to assess human aspects.
    • Profiling can include performance at work, economic status, health, preferences, interests, reliability, behaviour, and location.
    • High risk profiling poses a risk to a data subject's personality and fundamental rights due to assessments made of essential aspects of their personality based on their data.

    Data subject disclosure and justification

    • Data subjects have the right, when data is processed, to ask for the specific purposes.
    • Processing must be justified by consent, overriding public or private interest, or law.
    • Specific grounds for justifying processing involve explicit consent for sensitive data processing, and high-risk profiling by private persons or federal bodies. 

    • The principle of overriding private or public interest must be applied cautiously.

    Overriding Private or Public Interest

    • This ground for justifying data processing, under Art. 31 FADP, balances the interest of the data subject against that of the controller, and allows for data processing in exceptional cases.

    Data Protection Law for Federal Agencies

    • The processing of data by federal bodies is generally limited to situations where a statutory basis exists.

    • Federal bodies have broader exceptions than private individuals.

    • Stricter rules apply to the processing of data by federal bodies, as they usually act in an authoritative capacity.
    • Specific provisions exist for data processing by federal bodies.

    • Legal basis for the processing of personal data by federal bodies.

    • Possible objection rights of data subjects.

    Cantonal Data Protection Law

    • Cantonal laws have basic features similar to federal law, with some differences.
    • Cantonal laws have specific scope and application.
    • Laws and rules may differ depending on the specific Canton.
    • Differences in regulations for specific cantons may exist.

    Cross-Border Disclosure of Personal Data

    • Data transmission to foreign states is regulated by appropriate legal status in those locations.

    • A decision by the Federal Council determines the level of protection in another country whether or not there are valid international treaties in place.
    • Standard Data Protection Clauses (SDPC) are one form of safeguard for data transfers.

    • Binding corporate rules (BCR) are another form of safeguard.


    Description

    Test your knowledge on data protection laws and principles such as the FADP. This quiz covers key aspects of personal data processing, including the roles of controllers and processors, legal justifications, and principles like consent and fairness. Perfect for students and professionals in data privacy.
