Data Protection Principles and Responsibilities
50 Questions
Questions and Answers

Who is considered the controller in the given examples?

  • Company ABC (correct)
  • Cloud storage provider
  • Service provider XYZ
  • Insurance seller

The cloud service provider offers a fully customizable service to its customers.

False (B)

What is one illegal behavior associated with personal data processing?

Hacking and gaining unauthorized access to personal data.

Personal data must be processed __________ according to Art. 6 para 1 FADP.

lawfully

Match the following terms with their definitions:

  • Controller = Determines the purpose of processing personal data
  • Processor = Handles personal data on behalf of another
  • Good Faith = Processing must be done with honest intentions
  • Lawfulness = Compliance with legal standards in data processing

Which principle stipulates that personal data processing must be done sincerely and honestly?

Good Faith (C)

Company ABC has direct access to all personal data used in their market research.

False (B)

What must processors do according to the given principles?

Process personal data in accordance with the instructions of the controller.

Which of the following is NOT a ground for justification of breach of personality rights?

Explicit prohibition by the data subject (D)

Consent must always be expressly given for all types of data processing.

False (B)

What is the significance of Article 6 para. 6 FADP regarding the revocation of consent?

Consent is revocable at any time.

A balance of interests is required when considering _____ or _____ interests over the interests of the data subject.

private, public

Which law provides grounds for justifying data processing?

Article 31 FADP (D)

What is the primary objective of data security?

To prevent unauthorized access to personal data (D)

The consent given for data processing cannot be revoked once it has been given.

False (B)

Data protection by design focuses solely on technical measures.

False (B)

Which article addresses personal data and its processing under the FADP?

Article 5 FADP

What measures must be taken to ensure a level of data security appropriate to the risk?

Suitable technical and organizational measures

Personal data shall be protected by adopting __________ measures.

technical and organizational

Match the following obligations with their corresponding articles in DPO:

  • Art. 4 DPO = Obligation to obtain consent
  • Art. 5 DPO = Obligation of data minimization
  • Art. 6 DPO = Obligation for processing or legitimate interest
  • Art. 7 DPO = Obligation to guarantee data accuracy

Which of the following can trigger the obligation addressed in Art. 4 DPO?

Processing of personal data (D)

Different obligations apply to different kinds of controllers and processors as per DPO.

True (A)

What is the penalty for willfully violating the minimum data security requirements?

A fine not exceeding CHF 250,000

Which of the following is NOT a duty of a controller under the FADP?

Automatically process personal data without consent (D)

The risk-based approach in data protection law requires that all data must be processed equally regardless of the potential risk.

False (B)

What body do controllers and processors consult for data protection issues in Switzerland?

FDPIC

A __________ is a person or entity that determines the purposes and means of processing personal data.

controller

Match the following concepts with their definitions:

  • DPIA = A process to assess the impact of data processing on privacy
  • Data breach = An incident that leads to unauthorized access to personal data
  • Processor = An entity that processes data on behalf of the controller
  • FADP = Swiss Federal Act on Data Protection

Which article of the FADP primarily addresses the duty to provide information?

Article 19 (C)

The terms 'controller' and 'processor' can be used interchangeably in data protection law.

False (B)

What is the primary purpose of a Privacy Notice?

To inform data subjects about the processing of their personal data.

What is the maximum fine for intentional violations under the FADP?

CHF 250,000 (D)

Only intentional violations of the FADP are punishable.

True (A)

What must financial institutions do after a data breach according to the FDPIC?

Update their security measures

Controllers must maintain a record of their processing activities for ______ and ______.

What is the primary responsibility of controllers under the FADP?

To implement appropriate data security measures (A)

Processors are allowed to process data based on verbal instructions from controllers.

False (B)

What must controllers do according to Article 19 FADP?

Inform data subjects about processing activities

Controllers and processors must formalize their relationship through __________.

Data Processing Agreements (DPAs)

Which of the following is NOT a requirement for processors under Article 9 of the FADP?

They can process data based on any instructions (A)

Match the following articles of the FADP with their associated responsibilities.

  • Art. 8 FADP = Shared responsibility for data security
  • Art. 9 FADP = Process data on documented instructions
  • Art. 22 FADP = Conduct Data Protection Impact Assessments
  • Art. 24 FADP = Notification of data breaches

Data can be disclosed to any country without restrictions.

False (B)

What must processors implement to ensure data protection?

Technical and organizational measures

Which of the following is a responsibility of cantonal authorities under the FADP?

Enforcing compliance with data protection regulations (B)

Failure to provide access or cooperate with investigations is considered a criminal offense under the FADP.

True (A)

Controllers and processors must maintain a record of their processing activities to ensure ______ and ______.

accountability; transparency

Match the following criminal offenses with their corresponding articles in the FADP:

  • Failure to provide access = Art. 60
  • Breach of professional confidentiality = Art. 62
  • Non-compliance with FDPIC decisions = Art. 63

What is required for most offenses under the FADP to be actionable?

Formal complaints (B)

Criminal liability under the FADP applies to both intentional and unintentional violations.

False (B)

What must a financial institution do after a data breach?

Update its security measures

Flashcards

Controller (FADP)

A private person or federal body that decides the purpose and means of processing personal data.

Processor (FADP)

A person or body that processes data on behalf of a controller, but doesn't decide the purpose.

Lawfulness (data processing)

Data processing must be legal and comply with all data protection laws.

Good Faith (data processing)

Data processing must be conducted honestly and with good intentions.

Purpose Limitation (data processing)

The purpose for processing data must be clearly established and justified.

Data Minimization (data processing)

Data should be processed only if it's necessary to achieve the stated purpose.

Accuracy (data processing)

Processed data should be accurate and up-to-date.

Storage Limitation (data processing)

Data should be kept only as long as necessary for the stated purpose.

Right of Access (Art. 13 FADP)

The ability of a data subject to receive confirmation from a data controller as to whether or not personal data concerning them is being processed, and if so, to access that data.

Privacy Notices

A document that informs individuals about the processing of their personal data, covering topics such as the purpose and legal basis for processing, the identity of the controller, and the rights of the data subject.

Data Protection Impact Assessment (DPIA)

A structured process mandated by data protection regulations to assess and mitigate potential risks associated with the processing of personal data.

Scope of Applicability (FADP)

The scope of application of the Federal Data Protection Act (FADP) regulates which entities and data processing activities fall under its jurisdiction.

Scope of Applicability (GDPR)

The scope of application of the General Data Protection Regulation (GDPR) defines which entities and data processing activities are subject to its provisions.

Scope of Applicability (IDG Kanton Zürich)

The scope of application of the Data Protection Act of the Canton of Zurich (IDG Kanton Zürich) determines which entities and data processing activities are subject to its rules.

Ownership (Eigentum)

A legal concept in Swiss Civil Code, defining the exclusive rights and control over a physical object.

Consent as Justification for Data Processing

A defense against a breach of personality rights claim, allowing for data processing when the individual has given explicit permission. This consent must be specific to the type of data processing, adequately informed, and freely given.

Overriding Private or Public Interest

When the public or private interest outweighs the individual's right to data protection, allowing for data processing, even without consent. This involves a careful balancing of interests.

Law as Justification for Data Processing

A legal basis justifying data processing, which is explicitly required, authorized, or tacitly assumed by law.

Profiling

A type of processing that involves analyzing an individual's personal information to predict their behaviour or preferences.

Sensitive Personal Data

A category of personal data that requires explicit consent for processing. Examples include health information, religious beliefs, political opinions, and biometric data.

Revocability of Consent

The data subject's power to withdraw their consent for data processing at any time.

Data Minimization and Purpose Limitation

The right to restrict the processing of personal data based on the principles of data minimization and purpose limitation.

Data Subject

An individual whose personal information is being processed.

Data Security

Ensuring that appropriate technical and organizational measures are in place to protect personal data against unauthorized access, use, disclosure, alteration, or destruction, taking into account the risk involved. It ensures data is secure even when faced with potential threats.

Data Protection by Design

A proactive design approach that integrates data protection considerations at every stage of a system's development, ensuring data is protected by default and by design. It minimizes risks and promotes data security throughout the system's lifecycle.

Controller

The entity that determines the purposes and means of processing personal data. They are responsible for the security of the data they process.

Processor

The entity processing personal data on behalf of the controller. They process data according to instructions from the controller and are responsible for maintaining data security.

Data Minimisation

A set of practices that minimizes the collection and use of personal data by limiting data acquisition and processing to what is absolutely necessary for a specific purpose. This principle promotes data security by reducing the amount of sensitive data at risk.

Risk-Based Approach

The requirement for data security to be proportional to the risk involved, ensuring higher security measures for more sensitive data.

Technical Measures

The obligation to implement technical measures like encryption, firewalls, and access controls to protect data from unauthorized access and breaches.

Organizational Measures

The obligation to implement organizational measures like data access policies, staff training, and data breach response protocols to protect data from unauthorized access and breaches.

Administrative Process

This involves formal procedures where both involved parties have the opportunity to present their perspectives. The data controller can explain their actions and make efforts to comply before any sanctions are applied.

Criminal Provisions

This refers to legal consequences for intentionally breaking specific rules of data protection. The consequences apply to individuals or companies.

Offenses

These are specific actions that go against the data protection laws. Examples include not cooperating with investigations or disclosing confidential data.

Enforcement

Enforcement of the FADP is the duty of the government authorities at the cantonal level (similar to state or regional levels). They have the power to impose fines for violations, up to a limit of CHF 250,000 for each violation.

Limitations

The main focus is placed on actions done intentionally. Actions done by mistake might not result in criminal charges.

Right to Information

A person's request to a company for information about how their personal data is handled. This includes knowing the reason for the data collection and how it's used.

FDPIC Investigation

The FDPIC, a body responsible for data protection, investigates when a breach of data protection rules happens. They look into the cause and, if needed, demand changes to prevent similar incidents in the future.

Criminal Provision Application

The employer faces consequences under the law when an employee misuses confidential data. This situation highlights the responsibility of employers to train and set clear guidelines for data handling.

Importance of Controller-Processor Distinction (FADP)

The FADP determines the obligations and liability for data controllers and processors based on their roles in data processing.

Controller Responsibilities (FADP)

The FADP requires controllers to implement appropriate security measures, inform data subjects, perform DPIAs for high-risk processing, and consult the FDPIC if high risks remain.

Processor Responsibilities (FADP)

Processors must only process data according to instructions from the controller, implement agreed-upon security measures, and adhere to the data processing agreement.

Shared Responsibilities of Controllers and Processors (FADP)

Controllers and processors share responsibility for data security and are both obligated to report any data breaches affecting personal data.

Processing Based on Instructions (FADP)

The FADP mandates that processors only process data based on documented instructions from controllers. This prevents unauthorized use of data.

Security Measures for Processors (FADP)

Processors must implement technical and organizational measures to protect data, ensuring its confidentiality, integrity, and availability. This could involve encryption or access controls.

Data Processing Agreements (DPAs) (FADP)

Controllers and processors must formally outline their data processing relationship in a legally binding agreement, specifying processing scope, security measures, and subcontractor responsibilities.

Subcontracting by Processors (FADP)

Processors require prior permission from controllers to engage subcontractors. This ensures the controller retains control over the data even when it's handled by a third party.

Study Notes

Data Protection and Data Management

  • Companies and juridical persons are not protected under Art. 1-4 of the Federal Data Protection Act (FADP).
  • Chapters 1-4 of the FADP apply to private and public law.
  • Ownership of data in the sense of the Civil Code is not a recognized concept for data.
  • The prevailing legal doctrine does not consider data to be material objects under ownership rights (Art. 641 CC).
  • There is a discussion on whether data should fall under ownership rights.
  • The concept of 'tangibility' and 'subject to human control' is discussed but not established as a formal concept for property rights in relation to data.

Copyrights

  • Literary and artistic creations are protected under copyright law.
  • Collections are also protected if they are intellectual creations.
  • Data is not automatically considered a work under copyright law.
  • Database rights are considered a sui generis right, independent of Copyright.
  • The copyright and sui-generis rights can both apply if conditions are met.

Unfair Competition

  • Protecting investment in the works of others is regulated under this law.
  • Unfair competition can arise in exploiting the work product of others.
  • Protection includes those whose work is ready for the market through technical reproduction.
  • Unfair competition protection has a high hurdle for application to data.

Breach of Manufacturing or Trade Secrecy

  • Confidentiality concerning the manufacturing of products or other information is protected.
  • The information must be known to a limited number of people and not readily accessible.
  • An intentional breach of manufacturing or trade secrets is criminal.

Important topics in contracts concerning Data

  • Data ownership/protection is a crucial consideration in contracts.
  • Contracts should cover know-how protection.
  • Contractual limits should be defined for data use.
  • Contracts concerning data should outline processes for handling the data, such as storage and deletion.
  • Contract terms should cover access, exploitation, processing, and deletion protocols, and data protection.

Scope of Application

  • The Federal Act on Data Protection (FADP) protects the personality and fundamental rights of natural persons whose personal data is processed.
  • The FADP applies to private persons and federal bodies.
  • Specific provisions apply to private or federal entities.
  • Data protection law can also apply to entities and circumstances outside Swiss borders.
  • Private international law provisions govern which law applies.
  • The territorial scope of the law, and the cases in which it applies, are also discussed.

Data Terminology and Definitions

  • Raw data is unorganized information.
  • Information is organized, structured, or presented data in specific contexts to make it meaningful.
  • Data is a component and information is a result of data processing.
  • Data is a building block, and information is the result.
  • The ability to identify a person is relevant for data protection law.
  • The holder of data is considered the evaluator of identifiability.
  • Incorrect personal data is still considered as personal data.
  • The effort to identify a person has to be considered in relation to the overall context of processing.
  • Anonymization involves removing the person's identity permanently.
  • Pseudonymization involves replacing identifiability with a pseudonym.

Profiling

  • Art. 5 let. f FADP defines profiling.
  • Art. 5 let. g FADP defines high-risk profiling.
  • Profiling is automated processing of personal data to assess aspects of a person.
  • Profiling can include performance at work, economic status, health, preferences, interests, reliability, behaviour, and location.
  • High-risk profiling poses a risk to a data subject's personality and fundamental rights because it assesses essential aspects of their personality based on their data.

Data subject disclosure and justification

  • Data subjects have the right, when data is processed, to ask for the specific purposes.
  • Processing must be justified by consent, overriding public or private interest, or law.
  • Specific grounds for justifying processing involve explicit consent for sensitive data processing, and high-risk profiling by private persons or federal bodies.
  • The principle of overriding private or public interest must be applied cautiously.

Overriding Private or Public Interest

  • This ground for justifying data processing, under Art. 31 FADP, balances the interest of the data subject against that of the controller, and allows for data processing in exceptional cases.

Data Protection Law for Federal Agencies

  • The processing of data by federal bodies is generally limited to situations where a statutory basis exists.
  • Federal bodies have broader exceptions than private individuals.
  • Stricter rules apply to the processing of data by federal bodies, as they usually act in an authoritative capacity.
  • Specific provisions exist for data processing by federal bodies.
  • Legal basis for the processing of personal data by federal bodies.
  • Possible objection rights of data subjects.

Cantonal Data Protection Law

  • Cantonal laws have basic features similar to federal law, with some differences.
  • Cantonal laws have specific scope and application.
  • Laws and rules may differ depending on the specific Canton.
  • Differences in regulations for specific cantons may exist.

Cross-Border Disclosure of Personal Data

  • Transmission of data to foreign states depends on an adequate level of legal protection in the destination country.
  • The Federal Council decides whether another country provides an adequate level of protection, whether or not valid international treaties are in place.
  • Standard Data Protection Clauses (SDPC) are one safeguard for data transfers.
  • Binding corporate rules (BCR) are another form of safeguard.

Description

Test your knowledge on data protection laws and principles such as the FADP. This quiz covers key aspects of personal data processing, including the roles of controllers and processors, legal justifications, and principles like consent and fairness. Perfect for students and professionals in data privacy.
