Data Protection Quiz - FADP Regulations

Questions and Answers

What is the maximum cost one may incur for a request for information?

200 CHF

400 CHF

150 CHF

300 CHF (correct)

What is the general deadline within which a request for information must be responded to?

45 days

15 days

30 days (correct)

60 days

Which of the following is NOT a recognized form of submitting a request?

Verbally with consent

In writing

Electronically

By third party non-verbally (correct)

Who is authorized to make a request for their own data?

The data subject only

What must be done before responding to a request involving personal data?

The identity of the requester must be established

What type of applicability do some cantonal data protection laws provide for?

Mixed applicability

What is one of the key features of the electronically readable water meters used by municipality X?

They transmit encrypted data every 30 or 45 seconds.

Which entity conducts supervision over the processing of personal data under the FADP?

Cantonal data protection authority

How often does municipality X receive the current meter reading data from the electronic water meters?

Once a year

Is the measurement of water consumption dependent on the radio module being activated?

No, measurement can occur regardless of the radio module.

What is the legal basis for municipality X to introduce electronic water meters?

Applicable water regulations

What type of data is primarily transmitted from the radio water meters?

Current meter reading only

What step would differ when processing personal data by a private individual compared to a municipality?

Assessing the legal basis for processing

Which statement accurately reflects the territorial scope of GDPR in relation to personal data processing?

GDPR applies to processing related to individuals in the Union regardless of the processing location.

What differentiates data from information?

Data is unorganized facts, while information is organized and meaningful.

Which of the following best defines personal data according to the provided content?

Any information relating to an identified or identifiable natural person.

In what way is the identification of a person determined according to the context provided?

By the holder of the information and additional context.

Why is incorrect personal data still classified as personal data?

Correctness does not determine the classification of personal data.

Which example is NOT a condition under which GDPR applies?

Monitoring the behavior of individuals outside the Union.

What is required for a person to be identifiable?

It must be clear from the information that it is that particular person.

How does GDPR view the citizenship and nationality of the data subject?

They are essentially irrelevant to the processing of personal data.

What is required for information to be provided in a comprehensible form according to the DPO?

May require additional explanations for unusual file formats

Under what circumstance can the right to information be limited?

Under specific exceptions defined by the Federal Council

Who is obligated to fulfill the information requirements regarding data processing?

The controller

What does a Data Protection Impact Assessment (DPIA) evaluate?

The potential risks to the data subject's personality

What does the burden of proof concerning data transmission lie with?

The controller

What does the principle of 'data protection by design' aim to achieve?

Integrate data security measures early in the processing activities

Which entities are required to keep a record of processing activities?

Companies with more than 250 employees or those processing data significantly

When must a DPIA be carried out?

For operations likely to result in high risks to data subjects

What does the prevailing doctrine say about data ownership under the Civil Code?

It largely rejects the notion of data as material objects.

Which of the following statements is true regarding the protection of databases?

Sui generis rights for databases are independent of copyright.

In the Civil Code, what does ownership entail?

Exclusive control only over specific types of tangible items.

What is a requirement for a collection to be protected as a work under copyright law?

It must feature an individual character in its organization.

What is one criterion for the choice of law of the injured party under Art. 139 para. 3 PILA?

State where the injured party has habitual residence

Which right is specifically mentioned in Art. 13 of the Constitution?

Right to Privacy

What is the main purpose of the Act on Unfair Competition concerning data?

To protect the investment in the creation of works.

What does the FADP apply to according to Art. 2 para. 1?

Processing of personal data by both private persons and federal bodies

Which provision governs the ownership rights related to tangible assets according to the Civil Code?

Art. 641 para. 1 CC specifies rights over material goods.

Under what circumstance would the special provisions on data processing for private persons be applicable?

When a federal body engages in economic competition

What type of rights are referred to as sui generis rights in the context of databases?

Specific rights that provide unique protection to databases.

What is the definition of a 'federal body' as per Art. 5 let.i FADP?

An authority or service of the Confederation performing public tasks

What primarily distinguishes ownership of data from ownership of a data carrier?

Data ownership indicates control over its deletion and utilization.

Which article states that public bodies participating in economic competition function differently under data processing laws?

§ 2c IDG-ZH

What does the territorial scope of the EU General Data Protection Regulation cover?

Many Swiss entities in certain circumstances

What does the principle of legality refer to in the context of data processing?

Data processing must comply with established laws and regulations

Study Notes

Data Protection and Data Management

• Companies and judicial persons are not protected under the Federal Supervisory Authority.

• Chapters 1-4 of the Federal Data Protection Act (FADP) apply to private and public law.

• Chapter 1-4 of the FADP apply to private and public law.

• Ownership of data is not in the sense of the Civil Code.

• The prevailing doctrine does not consider data under ownership rights, but rather securing factual control and using contractual measures.

• Distinguish between ownership to data and data carriers (e.g. hard drives).

• Copyright protects literary and artistic intellectual creations with individual character.

• Collections are protected as works in their own right if they are intellectual creations with individual character.

• EU-Database rights are distinct from other forms of protection such as copyright.

• Copyright and EU-Database rights may both apply under specific conditions.

• Unfair competition law protects investment in a person's work.

• A person acts unfairly when taking over another's work product ready for the market or exploiting the works of others.

• A breach of manufacturing or trade secrecy occurs under specific circumstances.

• Breach of manufacturing trade secrecy is defined under the Act on Unfair Competition.

• Breach of manufacturing or trade secrecy is also a criminal offence (Art. 162 Criminal Code)

• Important topics in contracts regarding data include Data “ownership”, protection of Know-How and confidentiality, rights of use, type of data, compilation, quantity of records, availability, and completeness.

• Federal Act on Data Protection (FADP): Purpose is to protect natural persons' personality and fundamental rights.

• Territorial scope is determined by Swiss law or cantonal law.

• General data protection law sector-specific data protection law (e.g., private/public law).

• A Private International Law (PILA) governs private law aspects and criminal code governs criminal law aspects.

• A person whose personal data is processed has rights of personality and fundamental rights.

• Incorrect personal data is still considered personal data.

• Identifiability of a person is relevant to the holder of the information.

• Anonymization and pseudonymization mean that identifiability is removed from personal data.

• Sensitive personal data includes data on religious/philosophical/political views; health/relationships; racial/ethnic background; genetic data; biometric data; administrative/criminal procedures and sanctions; and social assistance measures.

• Automated processing of data to evaluate personal aspects like performance at work, economic situation, health, preferences, interests, reliability, behaviour, location, etc. is considered profiling

• High-risk profiling poses high risk to personality or fundamental rights of the data subject.

• Disclosure (transmitting or making personal data accessible).

• Controller is a person/federal body determining processing purpose/means.

• Processor is a person/federal body processing data for the controller.

• Data storage providers offer services, storing data.

• Company ABC wishes to get information about users.

• A U.S. citizen traveling in Europe will not be subject to European data laws in all cases.

• A Taiwanese bank with customers holding German citizenship processes data not under European data protection.

• The Federal Data Protection Act (FADP) defines when data processing by private persons is permitted (preventing unlawful breaches).

• A person is allowed to process data if not prohibited (consistent with EU legislation of permitted processing of data).

• A violation of personality rights can occur if data is processed contrary to articles 6 and 8; contrary to the wishes of the data subject; or data is disclosed to third parties without reason.

• Consent needs to be explicit for processing sensitive personal data and for high-risk profiling.

• There should be a legal basis for processing data and only processing of sensitive personal data may be permitted with overriding interest.

• Breach of data subject's personality rights may also be justified by consent and/or overriding private or national interest.

• Data subjects may have grounds to challenge the processing.

• Overriding interests must be weighed between controller and interest of data subject.

• Federal agencies have a legal/statutory basis for processing data.

• Federal bodies may process data with explicit legal basis and if the rights of the data subject are not at risk.

• Disclosure by Federal bodies requires a statutory basis.

• Federal bodies have their own, specific obligations for handling requests for information.

• Cantonal data protection law features unique details from the Federal Act (e.g., public bodies, private persons).

• Some cantons may have their own data privacy laws which may differ from the Federal one (i.e., some cantons have special Data laws.)

• EU regulations and data protection laws have global reach and consistency.

• Data protection in Swiss law has special provisions for private and public entities.

• Data processing (automatic analysis of personal data) may entail high risk which would require assessment.

• Data protection impact assessments (DPO) help determine if processing risks are sufficiently protected (e.g., ensuring suitability and proportionality measures).

• Specific regulations may apply to data concerning specific sectors and/or circumstances.

• Principles (lawfulness, good faith, proportionality), principles and obligations regarding time.

• Personal data accuracy, and principles of compliance.

• Requirements (form, costs, etc.) exist concerning the data processing.

• Privacy notices or data protection notices may need to fulfil certain legal requirements for transparency.

• Data protection by design (and default) and considerations concerning the risks from data processing (and risk assessments).

• Data security breaches need notification to the supervisory authority and data subject (proportionate to risk).

• Specific aspects of data processing by processors (or any private person).

• Requirements for data portability (Art. 28 and 29 FADP).

• Processing of data beyond national borders, including special cases.

• Laws in particular regions or countries have certain considerations relevant to the process.

Description

Test your knowledge on data protection laws and regulations, specifically focusing on the Federal Act on Data Protection (FADP). This quiz covers various aspects, including request submission, data handling, and municipal practices. Assess your understanding of how personal data is managed in accordance with relevant laws.