Data Protection and Data Management
ZHAW - Zürcher Hochschule für Angewandte Wissenschaften
General
=======

**Chapters 1 to 4 apply only to private and public law.**

Ownership
=========

Ownership of data in the sense of the Civil Code?

- The digital economy desires to assign rights regarding data.
- Discussion: introduction of ownership rights (e.g. in the sense of the Civil Code) to data?
- In short, ownership grants comprehensive and exclusive control over a material object (Art. 641 para. 1 CC: "The owner of an object is free to dispose of it as he or she sees fit within the limits of the law.")
- Extension of the traditional concept of "objects" to data?
- Tangibility?
- Subject to human control?

Art. 641 CC covers only tangible goods. Purpose and scope: companies and legal persons are not protected.

Ownership in the sense of the Civil Code?
-----------------------------------------

- The prevailing doctrine rejects the idea of subsuming data under ownership rights in the sense of Art. 641 para. 1 CC.
- Introduction of a "lex data"?
- Or rather: securing factual control and contractual measures (in particular: securing access, utilization and deletion of data).
- Distinguish between ownership of data and ownership of a data carrier (e.g. a hard drive).

Copyrights
==========

"Works are literary and artistic intellectual creations with individual character, irrespective of their value or purpose." (Art. 2 para. 1 Copyright Act)

"Collections are protected as works in their own right insofar as they are intellectual creations with individual character with regard to their selection and arrangement." (Art. 4 para. 1 Copyright Act)

- Data = works?
- Database = collected works?

EU Database Rights
==================

- The protection of databases is a sui generis right.
- Specific property right for databases that is unrelated to other forms of protection such as copyright.
- Copyright and the sui generis right may both apply if the conditions of protection for each right are fulfilled.
- Substantial limits.

Unfair Competition
==================

- Certain protection based on unfair competition law (Act on Unfair Competition, UCA).
- **Exploiting the work of others (Art. 5 let. c UCA)** is meant to protect the investment. A person acts unfairly in particular if they take over and exploit another person's work product that is ready for the market, by means of technical reproduction processes, without any reasonable effort of their own.
- **High hurdle** for the protection to apply in the context of data.

*[Please read BGE 134 III 166](https://www.bger.ch/ext/eurospider/live/de/php/clir/http/index.php?highlight_docid=atf%3A%2F%2F134-III-166%3Ade&lang=de&type=show_document&zoom=YES&)*

Breach of Manufacturing or Trade Secrecy
========================================

**Definition**

- Information concerning the manufacturing of products or other information that is relevant to an enterprise
- Only known to a limited circle of persons and not easily accessible (objectively secret)
- Factual will to maintain secrecy
- Legitimate interest in secrecy

**Breach of manufacturing or trade secrecy (Art. 6 UCA)**

**Breach of manufacturing or trade secrecy (Art. 162 Criminal Code)**

- Manufacturing or trade secret;
- i) breach of a statutory or contractual duty not to reveal it;
- ii) any person exploiting such a breach for themselves or for third parties.

Important Topics in Contracts concerning Data
=============================================

- Data "ownership"
- Protection of know-how / confidentiality
- Rights of use
- Subject matter
- Type of contract and services owed
- Access, exploitation, processing and deletion
- Data protection

Structure of the FADP
=====================

**Purpose**

Art. 1 FADP (Purpose): "This Act has the purpose of protecting the personality and fundamental rights of natural persons whose personal data is processed."
**Applicable Laws**

Various levels:

- Territorial scope of application: is Swiss law applicable?
- Federal law or cantonal law? (Personal and material scope of application)
- In the case of federal law: special provisions on data processing by private persons and by federal bodies
- General data protection law vs. sector-specific data protection law

**Art. 3 FADP: territorial scope**

"This Act applies to circumstances that have an effect in Switzerland, even if they were initiated abroad."

"For rights under private law, the Federal Act of 18 December 1987 on Private International Law applies."

"In addition, the provisions on the territorial scope of application of the Criminal Code are reserved."

**Federal Act on Private International Law (PILA)**

Principle (Art. 33 PILA): the applicable law is the law at the person's domicile.

Particularly relevant for data protection: Art. 139 PILA (cf. Art. 139 para. 3 PILA). Choice of law of the injured party:

- habitual residence of the injured party\*
- establishment or habitual residence of the tortfeasor
- state in which the result of the infringement occurs

\* provided that the tortfeasor had to expect the result would occur in that state

**E.g. Constitution, Art. 13 Right to Privacy**

(1) Every person has the right to privacy in their private and family life and in their home, and in relation to their mail and telecommunications.

**(2) Every person has the right to be protected against the misuse of their personal data.**

**Legal Basis and Scope of Application**

Personal and material scope of application of the FADP (Art. 2 para. 1 FADP): "This Act applies to the processing of personal data of natural persons by: a. private persons; b. federal bodies."

Partly different provisions apply for private persons and for federal bodies (e.g. the principle of legality).

**Is federal law or cantonal law applicable?**

Art. 2 para. 1 FADP (see above). E.g. § 3 para. 1 lit. c IDG-ZH: "Public bodies are (...) organisations and persons under public and private law, insofar as they are entrusted with the fulfilment of public tasks."

- Private persons and federal bodies: FADP
- Public cantonal bodies: cantonal data protection act

**If federal law is applicable:**

- Are the special provisions on data processing by private persons or on data processing by federal bodies applicable?
- Definition of "federal body", Art. 5 let. i FADP: "an authority or service of the Confederation or a person entrusted to carry out public tasks on behalf of the Confederation."
- Art. 40 FADP "Private law activities by federal bodies": "If a federal body acts under private law, the provisions on data processing by private persons apply."
- E.g. on the cantonal level, Canton of Zurich, § 2c IDG-ZH: "This act does not apply to the extent that public bodies participate in economic/commercial competition and do not act in a sovereign capacity ("... und dabei nicht hoheitlich handeln"). For the processing of data, the FADP applies analogously." However, supervision is still conducted by the cantonal data protection authority.

*Please read BGE 122 I 153 («Schlössli») and (at least) recitals 3.2.1 to 3.2.3 of BVwGer A 5921_2020 («SwissPass») as follow-up.*

Further Complexity
==================

**Additional complexity: EU General Data Protection Regulation (GDPR)**

- Applicable also to many Swiss entities («Territorial scope»: Art. 3 para. 1 and 2 GDPR), e.g.
  - EU establishment («(...) processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.»)
  - Processing of personal data of data subjects who are in the Union (...) where the processing activities are related to: (...)
- Cf. EDSA: Guidelines 3/2018 on the territorial scope of the GDPR
- **Citizenship and nationality of the data subject is irrelevant!**

**Examples** (five slide figures, not reproduced)

Terminology / Definitions
=========================

**Data vs. Information**

- Data = raw, unorganized facts (Latin "something given")
- Information = data that has been processed, organized, structured or presented in a specific context to make it meaningful or useful.
- "The numbers have no way of speaking for themselves. We speak for them. We imbue them with meaning." (Nate Silver)
- Computers need data; people need information
- Data are building blocks; information provides meaning and context

**Art. 5 FADP «Definitions»**, inter alia:

- Personal data: *means any information relating to an identified or identifiable natural person* (types of personal data)
- Sensitive personal data
- Data subject
- Processing
- Profiling

**Personal Data**

What about legal entities?

Relating to a natural person / identified, identifiable / information. Whose ability to identify the person is relevant?

- Whether the person is identifiable has to be determined from the point of view of the holder of the information (the context and the point of view are relevant).
- Incorrect personal data is still personal data.
- "A person is identified if it is clear from the information itself that it is precisely this person. The person is identifiable if it can be inferred on the basis of additional information. However, not every theoretical possibility of identification is sufficient for identifiability. If the effort involved is so great that, according to general life experience, it cannot be expected that an interested party will take it upon themselves, there is no identifiability (...). The question must be answered depending on the specific case, (...)" (Please read BGE 136 II 508, E. 3.1 to 3.8)

***Anonymization and pseudonymization***

Anonymization, in short: the identifiability of the person is irreversibly removed (not just "without name").

More definitions
----------------

**Art. 5 let. c FADP**: sensitive personal data means:

1. data relating to religious, philosophical, political or trade union-related views or activities,
2. data relating to health, the private sphere or affiliation to a race or ethnicity,
3. genetic data,
4. biometric data that uniquely identifies a natural person,
5. data relating to administrative and criminal proceedings or sanctions,
6. data relating to social assistance measures.

Is this list exhaustive? Yes.

What about the definition of «special personal data» in § 3 IDG?

A picture of a person with glasses could be sensitive: data regarding health.

What do you think should be the deciding factor?

- The data as such?
- Should the context of use or the purpose of the processing have an influence?

Profiling
---------

**Art. 5 let. f FADP**, **Profiling**: "means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;" (Cumulus and Supercard)

**Art. 5 let. g FADP**, **High-risk profiling**: "means profiling that poses a high risk to the data subject's personality or fundamental rights by matching data that allow an assessment to be made of essential aspects of the personality of a natural person"

**Processing (Art. 5 lit. d FADP)**

a) Gerald Hufnagel is a fitness instructor at a fitness studio called Powerhouse AG, Zurich. Powerhouse AG has the contact information of Gerald, salary data and banking information, as well as employee evaluations. **-- Powerhouse AG is processing Gerald's data**

b) Powerhouse AG has various members who work out at its fitness studio and pay a yearly membership fee. **-- Powerhouse AG is processing their members' data**

c) Some of these members try to obtain payments from their health insurance towards the membership fees of Powerhouse AG. **-- The health insurance is processing the members' data**

d) Powerhouse AG files its tax return with the cantonal tax authority of Zurich. **-- no personal data involved**

Please identify potential "processing".

**Data subject (Art. 5 lit. b FADP)**

Same facts a) to d) as above (Gerald Hufnagel, Powerhouse AG, its members, the health insurance and the cantonal tax authority). Please identify potential "data subjects".

**Disclosure (Art. 5 lit. e FADP)**: transmitting personal data or making it accessible.

**Controller (Art. 5 lit. j FADP)**: a private person who or federal body which, alone or jointly with others, determines the purpose and the means of the processing of personal data.

For example:

- The controller gives personal data to a processor, for example to an insurance seller.
- The controller gives personal data to a processor, for example to an insurance seller, which outsources the order to another insurance seller (processor / processor).

**Processor (Art. 5 lit. k FADP)**

Example
-------

A large cloud storage provider offers its customers the ability to store large volumes of personal data. The service is completely standardised, with customers having little or no ability to customise the service. The terms of the contract are determined and drawn up unilaterally by the cloud service provider, provided to the customer on a "take it or leave it" basis. Company X decides to make use of the cloud provider to store personal data concerning its customers. Who is the controller?

*Company ABC wishes to understand which types of consumers are most likely to be interested in its products and contracts a service provider, XYZ, to obtain the relevant information. Company ABC instructs XYZ on what type of information it is interested in and provides a list of questions to be asked to those participating in the market research. Company ABC receives only statistical information (e.g., identifying consumer trends per region) from XYZ and does not have access to the personal data itself.*

Principles -- important for exam
================================

**Lawfulness**

Principle: personal data must (only) be processed lawfully (Art. 6 para. 1 FADP).

*Examples of unlawful behaviour? Violation of a norm that directly or indirectly aims to protect the personality (BVGer A-3548/2018 of 19 March 2019, E. 5.4.2). For example: hacking and getting access to personal data.*

**Good Faith**

Principle: the processing must be carried out in good faith (Art. 6 para. 2 FADP).

**Proportionality -- suitable, necessary and reasonable (geeignet, erforderlich und zumutbar)**

Principle: the processing must be proportionate (Art. 6 para. 2 FADP).

- Public bodies: constitutional basis (Art. 5 para. 2 Constitution)
- Private persons: made applicable also to private persons by Art. 6 para. 2 FADP

**Proportionate data processing**

- is **suitable for achieving** the purpose pursued,
- is **necessary** to achieve the purpose, and
- the purpose / processing is in reasonable proportion to the burden posed on the data subject **(proportionality in the narrower sense; appropriateness)**.

**Consequences of this principle, e.g.**

- Retention period (Art. 6 para. 4 FADP)
- Data avoidance
- Data minimisation / data economy

The assessment of proportionality has to be made on a case-by-case basis.

*Examples*

- Video cameras for security purposes (e.g. prevention of vandalism or theft)?
- Proportionality in terms of time?
- List of grades in a Gymnasium...

*To be discussed:*

- Monitoring of field staff using GPS instead of manual scheduling and expense reporting (BGE 130 II 425)
- Conclusion: the manner of processing must be proportionate
- Data retention policy: for how long do we have a legal obligation to retain the data? In general 10 years

**BGE 138 II 362, E. 9.2, 10 and 14 (Google Street View)**

**Purpose limitation**

Principle: personal data may only be collected for a specific purpose that the data subject can recognize; personal data may only be further processed in a manner that is compatible with this purpose (Art. 6 para. 3 FADP).

**The recognizable purpose results from:**

- Law
- Circumstances (what purposes could/must be assumed in good faith due to the circumstances?)
- Information during data collection
- (i.e. according to the FADP: "recognisable")

*Binding purpose **limitation** for data processors, i.e. the purpose must be recognisable, or data may only be processed in a way that is **compatible** with the recognisable purpose (broader than before).*

**What could the effect of this principle be, e.g. on**

- Retaining or collecting data for purposes not yet known? (You need no purpose.)
- Data protection notices: transparency about the purpose of data processing by private controllers?
- Archiving?
- Anonymization

**Proportionality regarding time**

Principle: personal data shall be destroyed or anonymised as soon as they are no longer required for the purpose of processing (Art. 6 para. 4 FADP).

**What is the reason for this principle? Or: what other principles could this be an expression of?**

**Data accuracy**

Principle: any person who processes personal data must satisfy themselves that the data are accurate. (...) (Art. 6 para. 5 FADP)

- Obligation to verify the correctness
- May imply an obligation to update data or carry out periodic reviews
- Obligation to introduce appropriate measures for the rectification, erasure or destruction of certain data

Special Provisions on Data Processing by Private Persons
========================================================

General Principle
-----------------

### When is data processing by private persons permitted?

Principle: any person who processes personal data must not unlawfully breach the data subjects' personality rights (Art. 30 para. 1 FADP).

- Complements and further specifies the general protection of personality rights in Art. 28 Civil Code.
- Swiss legal general rule: processing personal data is allowed unless it is prohibited.
- Under EU law: processing personal data is prohibited unless it is allowed.

**What does Art. 28 Civil Code state?** Did you already discuss Art. 28 Civil Code in a different class? Is the system of the FADP on this issue identical to the system of the GDPR?

System of permission and possible justification. This principle is further specified as follows (Art. 30 para. 2 FADP): a violation of personality rights exists in particular if (the list is not exhaustive):

- a. personal data are processed contrary to the principles set out in Articles 6 and 8;
- b. personal data are processed contrary to the express wishes of the data subject;
- c. sensitive personal data is disclosed to third parties;
- d. any other reason.

**Is the list of Art. 30 para. 2 FADP exhaustive or not? How do you reach your conclusion on this question?** Not exhaustive.

**When are breaches of personality unlawful?** If they are not justified by consent, an overriding private or public interest, or law.

**Does the data subject have to substantiate/justify their wish that their personal data not be processed?** Depends on the context. The expression of a wish that personal data not be processed is subject to interpretation.

What is «disclosure» of sensitive personal data?

- Loss of control?
- Disclosure to an additional controller
- What about processors?

**Art. 30 para. 3 FADP**: "In general no breach of personality rights arises if the data subject makes the personal data generally accessible and has not explicitly prohibited any processing." Context has to be taken into account!

### Breach of personality rights and justification

A breach of personality rights can be justified by:

- Consent of the data subject. **Ground for justification: consent, but only if you need it as a ground for justification, or Art. 6 para. 7 FADP.** The consent must be explicitly given for:
  - processing sensitive personal data,
  - high-risk profiling by a private person, or
  - profiling by a federal body.
- Overriding private or public interest
- Law

*See Art. 31 para. 1 FADP.*

*- **Federal Supreme Court**: The provision should be "interpreted in such a way that justification of the processing of personal data is not generally excluded, contrary to the principles of Art. 4, 5 I and 7 I FADP, but that justification grounds can only be affirmed with great caution in specific cases." (BGE 136 II 508, E. 5.2.4)*

### Grounds for Justification: Consent

**Consent (cf. Art. 31 para. 1 and Art. 6 para. 6 and 7 FADP)**

- Validity of the consent: specific processing(s); requires adequate information; must be given voluntarily
- What applies if the data subject is a subordinate?
- Consent is revocable at any time
- Does revocation of consent affect past processing that was made based on consent?
- **Meaning of Art. 6 para. 6 and Art. 6 para. 7 FADP**

### Overriding Private or Public Interest

**Further Grounds for Justification (Art. 31 FADP)**

Overriding private or public interest:

- Balancing of interests between the interests of the data controller and the interests of the data subject
- Exemplary list of overriding interests of the controller in Art. 31 para. 2 FADP
- Are they always applicable? „May" have an overriding interest (...) **(BVGE-2009-44 (A-3908/2008) of 4 April 2009, KSS, E. 5)**

### Further grounds for justification

**Law (Art. 31 FADP)**: a legal basis that expressly requires, authorizes or at least tacitly presupposes data processing. **BGE 136 II 508 (Logistep)**

**What steps would you take to solve a case in the field of data protection (involving private persons)?**

- Art. 2 FADP: personal and material scope
- Art. 5 let. a FADP: is it personal data or not?
- Art. 5 let. b FADP: who is the data subject?
- Art. 5 let. d FADP: is personal data processed?
- Art. 30 FADP: is there a violation of personality?
  - Personal data processed contrary to the principles of Art. 6 and 8
  - Personal data processed contrary to the express wishes of the subject
  - Is sensitive personal data disclosed to third parties?
- Art. 31 FADP: are there grounds of justification?
  - Consent
  - Overriding private or public interest
  - Law

Exercise
========

Municipality X has decided and implemented a change from conventional water meters to electronically readable devices.
In brief, the new electronic or magnetic-inductive radio water meters work as follows: The water meters measure the amount of water consumed and store the following hourly values locally in a data logger for 252 days: alarm status, current meter reading, maximum and minimum measured flow rate. The measured values are then encrypted and transmitted by radio every 30 or 45 seconds, which is why they are also referred to as radio water meters. The data can be received by a password-protected readout device from the water supplier from a certain distance (walk-by, drive-by). For this purpose, a person drives through the neighborhood in a car and receives the corresponding data on the readout device; in the municipality, this happens once a year according to the facts established by the lower court. Only the current meter reading is transmitted and not all hourly values for the last 252 days. The measurement of water consumption and communication are independent of each other: water consumption can also be measured without or with a deactivated radio module. Once a year, a single consumption value is transmitted to the mobile device and then used for billing. Assume that the municipality X is permitted to introduce both mechanical and electronic radio water meters in accordance with the applicable water regulations, i.e. that there is a legal basis for this. Does the municipality X process personal data? Is this processing proportionate? **What is your assessment of the case initially?** **How would you approach this case?** **What are the different steps?** ### Basics **Data Protection Law / Public Law** − Fundamental right: Art. 13 para. 2 Constitution «Every person has the right to be protected against the misuse of their personal data. Ein Bild, das Text, Screenshot, Schrift, Algebra enthält. 
Automatisch generierte Beschreibung**BGE 147 I 346** ### Special provisions for data processing by federal bodies / cantonal data protection law **Data Protection Law / Public Law** − Data protection as a fundamental right? − Defence against interference of the state in privacy − Stricter rules for public bodies than for private persons because: − State acts authoritatively − Lack of choice − Principle of legality − All governamental action must be made on a legal basis **Which provisions in the FADP apply to Federal Bodies?** Look at the system/structure of the FADP and answer the following questions: \- Which general provisions apply to Federal Bodies? \- Which provisions **do not** apply to Federal Bodies? \- Which provisions do **only** apply to Federal Bodies **Examples of General Provisions** [Important examples for provisions that are the same for Federal Bodies and Private Persons] − Definitions (Art. 5 FADP): Repetition − Principles (Art. 6 FADP) and Data Security (Art. 8 FADP): Repetition − Many other provisions, e.g. − Privacy by Design (Art. 7 FADP) − Processing by Processors, e.g. Records of Processing Activities − Cross-Border Disclosure of Data − Duties of the Controller and Processor **Provisions applying only to Private Persons** [Examples of provisions that only apply to Private Persons] − Codes of Conduct (Art. 11 FADP) − Representative (Art. 14 and 15 FADP) − Special Provisions on Data Processing by Private Persons (Art. 30 et seqq. FADP) − Always make sure that a provision does not explicitly mention it (only) applies to private persons, e.g. − Art. 10 para. 1 to 3 FADP deal with Data Protection Advisors for Private Persons, whereas Art. 10 para. 4 FADP (and Art. 25 et seqq. DPO) deals with Data Protection Advisors for Federal Bodies − Art. 22 para. 4 and 5 contain exceptions to obligations for data protection impact assessments for private controllers (and not Federal Bodies) − Etc. 
**[Examples of provisions that only apply to Federal Bodies Art. 33 to 42 FADP mark in the book]** Control and responsibility -------------------------- [Control and responsibility (Art. 33 FADP)] Where a federal body processes personal data jointly with other federal bodies, with cantonal bodies or with private persons, the Federal Council shall regulate control procedures and responsibilities [Legal basis (Art. 34 FADP]) \"Federal bodies may only process personal data if there is a statutory basis for doing so\" (para. 1) A staturory basis in a formal law is required (para. 2) if − Processing of **sensitive personal data;** **− Profiling;** − The purpose or manner of processing may lead to **serious violation of the data subject's fundamental rights** A statutory basis in a substantive law is sufficient for particularly sensitive personal data and for profiling (para. 3) if − Processing is essential for a task required by a formal law, and − Processing purpose poses no particular risks for fundamental rights of data subject Legal Basis Art. 34 para 4 FADP -- **overriding public and private interest** In derogation from paragraphs 1-3, federal bodies may process personal data if one of the following requirements is satisfied: − The Federal Council has authorised the processing because it considers the data subject's rights not to be at risk. − Data subject has consented to the processing in the specific case or has made their personal data generally accessible and has not explicitly prohibited processing. − The processing is necessary in order to protect the life or physical integrity of the data subject or a third party and it is not possible to obtain the data subject\'s consent within a reasonable period of time. **Disclosure of personal data (Art. 36 FADP)** Every disclosure of data by Federal Bodies requires a statutory basis (para. 1) − Reference to Art. 34 FADP − Statutory basis in a formal law required? − Statutory basis in a substantive law sufficient? 
− Derogation of Art. 34 para. 1 FADP in Art. 34 para. 2 to 5 FADP for certain cases. Read Art. 34 FADP after class. **Objection to the disclosure of data (Art. 37 FADP)** This is a legal entitlement of the person concerned − Requirements (para. 1) − Legal: Showing legitimate interest − Factual: Knowledge of the (planned) disclosure of data − Limitations and exceptions (para. 2 and 3) − Legal duty to disclose − Granting of objection jeopardises fulfilment of federal body's task − Overriding public interest in the context of the principle of publicity (FOIA) **Take the Federal Act on Health Insurance (https://www.fedlex.admin.ch/eli/cc/1995/1328\_1328\_1328/de )** **Are Health Insurance companies Federal Bodies in the sense of the FADP? If so, to what extent?** **Can you find the provisions serving as a legal basis for data processing and disclosure of data?** **\ ** **Additional special provisions** − Automated data processing as part of pilot trials (Art. 35 FADP) − Offering documents to the Federal Archives (Art. 38 FADP) − Data processing for purposes not related to specific persons (Art. 39 FADP) − Rights and procedures (Art. 41 FADP) − Procedure for disclosing official documents that contain personal data (Art. 42 FADP) Cantonal Data Protection Law ---------------------------- − Cantons have their own cantonal law − Basic features of cantonal data protection law do not differ from federal data protection law − Nevertheless, there are, of course, differences − Requirements from European regulations − Guidelines of the Conference of the Cantons **Current revisions of cantonal data protection law** − Some cantons have revised their data protection laws (e.g. AG, ZH) − Some cantons are still under revision (or not) − Occasionally: \"special data protection law\" - analogue to Schengen-FADP (e.g. BE) [Scope of applicability, e.g. 
in the IDG-ZH ] − Cantonal authorities and administrations − Municipial authorities and administrations − But also private persons, to the extent they have been entrusted to carry out (cantonal or municipial) public tasks Please read § 3 para. 1 IDG-ZH for further details *Examples:* *- Public schools* *- Cantonal Churches* *- Hospitals (to the extent they have have a cantonal basic care mandate),* *- Privatized utilities, e.g. electricity supply* *Example: Principles in the IDG-ZH* *− Principle of legality* *− Proportionality* *− Purpose Limitation* *− Data accuracy* *− Data security* *Please discuss: Is this similar to the principles in the FADP?* *Read § 7, 8 and 9 IDG-ZH: Where do you find the principles mentioned above?* ***Relevance of FADP for Cantonal Public** **Bodies*** *− Some cantonal data protection laws provide for \"mixed\" applicability:* *− E.g. § 2c IDG-ZH: "This law does not apply, to the extent public bodies participate in economic competition without acting in a sovereign capacity. For processing personal data the FADP applies analogously. Supervision is conducted by the cantonal data protection authority."* *− Example: ZKB* Exercise -------- Municipality X has decided and implemented a change from conventional water meters to electronically readable devices. In brief, the new electronic or magnetic-inductive radio water meters work as follows: The water meters measure the amount of water consumed and store the following hourly values locally in a data logger for 252 days: alarm status, current meter reading, maximum and minimum measured flow rate. The measured values are then encrypted and transmitted by radio every 30 or 45 seconds, which is why they are also referred to as radio water meters. The data can be received by a password-protected readout device from the water supplier from a certain distance (walk-by, drive-by). 
For this purpose, a person drives through the neighbourhood in a car and receives the corresponding data on the readout device; in the municipality this happens once a year, according to the facts established by the lower court. Only the current meter reading is transmitted, not all hourly values for the last 252 days. The measurement of water consumption and the communication are independent of each other: water consumption can also be measured without a radio module or with the radio module deactivated. Once a year, a single consumption value is transmitted to the mobile device and then used for billing.

Assume that municipality X is permitted to introduce both mechanical and electronic radio water meters in accordance with the applicable water regulations, i.e. that there is a legal basis for this.

Does municipality X process personal data? Is this processing proportionate? How would you approach the following case? What are the different steps? How do they differ from the steps you take if personal data is processed by a private person? What is your assessment of the case?

**BGE 147 I 346**

Legal Rights / Claims Data Processing by Federal Bodies
=======================================================

Legal Rights and Procedures Art. 41 FADP
----------------------------------------

− Legal claims/rights
  − Refraining from unlawful data processing
  − Redressing the consequences of unlawful data processing
  − Declaring the unlawfulness of data processing
  − Correction, deletion or destruction of data
  − Restriction of data processing
  − Dispute notice in the absence of evidence of (in)correctness
  − Notification to third parties

**Legal Rights** (private persons as controllers)

- Right to information (see later): decision in simplified proceedings (Art. 243 para. 2 lit. d ZPO)
- Correction of inaccurate personal data (unless a statutory provision prohibits amendment or the personal data are processed for archiving purposes in the public interest; Art. 32 para. 1 FADP)
- Actions pursuant to Art. 28 et seq. Civil Code (injunction, removal, declaratory judgement, damages, restitution of profits, satisfaction)
- According to Art. 32 para. 2 FADP "in particular":
  - Prohibit specific data processing
  - Prohibit specific disclosures to third parties
  - Request the deletion or destruction of personal data

**Furthermore**

- Dispute notice (Art. 32 para. 3 FADP)
- Notification and publication (Art. 32 para. 4 FADP)
- Procedure according to the Civil Procedure Code

Notification by the Data Subject to the FDPIC
=============================================

Rights and legal consequences
-----------------------------

**The supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC)**

**Pursuant to Art. 49 et seq. FADP**

- Investigations
  - Ex officio or upon notification, if there are sufficient indications
  - Opportunity principle («Opportunitätsprinzip»)
  - Resources may be an issue
- Administrative measures by the FDPIC (Art. 51 FADP)
  - The FDPIC may, e.g., issue an order that the processing be modified, suspended or terminated, wholly or in part, and the personal data deleted or destroyed, wholly or in part.
- Procedure: investigation procedure pursuant to Art. 50 and 51 APA (VwVG)
- Other tasks pursuant to Art. 56 et seq. FADP

Criminal liability
------------------

**Criminal provisions**

- Art. 60 to 66 FADP
  - Art. 60 FADP: violation of obligations to provide access and information or to cooperate
  - Art. 61 FADP: violation of duties of care
  - Art. 62 FADP: violation of the professional duty of confidentiality
  - Art. 63 FADP: disregarding decisions
- Criminal liability is therefore limited to certain specific obligations

**Criminal provisions: similarities**

- Responsibility for enforcement of the criminal provisions: the cantons (not the FDPIC; the FDPIC can file a complaint: Art. 65 FADP)
- All offences are only punishable if committed intentionally
- Maximum fine of up to CHF 250,000 in each case
- Complaint required (except Art. 63 FADP: disregarding decisions)
- Possible offenders are qualified: private persons

Rights to information / access right
------------------------------------

**You have to distinguish:**

- Right to information under the FADP
- Right to information under the Federal Act on Freedom of Information in the Administration (FoIA)
- Other access rights, e.g. the right to access files («Akteneinsichtsrecht») under procedural laws

The following comments cover the right to information under the FADP.

**Where do you find the legal basis for the right to information under the FADP?**

- General provision: Art. 25 FADP
- Limitations to the right to information: Art. 26 FADP
- Limitation on the right to information for the media: Art. 27 FADP
- Specific provisions:
  - Modalities: Art. 16 DPO
  - Responsibilities: Art. 17 DPO
  - Time limits/deadlines: Art. 18 DPO (30 days)
  - Exceptions to the exemption from costs: Art. 19 DPO
- As already pointed out in the first lecture: read the FADP and the DPO; some of what you need to know is already in there...

"Any person may request information from the controller on whether personal data relating to them is being processed." (Art. 25 para. 1 FADP)

(Purpose: check and enforce transparency / compliance with the DPA)

**Recurring themes**

− Qualification as a request for information
− Is the person requesting the information authorised to request the information?
− Is the person/body to whom the request is addressed under an obligation to provide the information?
− Modalities: (a) form of the request; (b) deadline; (c) form of the reply/providing the information; (d) costs (max. CHF 300)
− Subject matter of the request and the reply
− Limitations

**Question: Can you identify (some of) the recurring themes mentioned above in the sample request for information?**

**Generally:**

− No proof of interest or justification required
− However, one may request reasons if an abuse of rights is suspected or the request is possibly "obviously unjustified" in accordance with the restriction of Art. 26 para. 1 let. c FADP
− Form of request: in writing or electronically (Art. 16 para. 3 DPO) or verbally with the consent of the controller (Art. 16 para. 1 DPO): fulfilled in this case

**Authorised:**

− Each person for their own data, where they are a data subject
− Waiver not possible in advance
− Cannot be transferred (but a PoA is possible)
− But: identification requirement (Art. 16 para. 5 DPO)
  − Take appropriate measures to identify the data subject
  − The data subject is obliged to cooperate
  − Is an ID required in every case?

**Responsible:**

− Art. 25 para. 1 and 4 FADP: the controller, also for processing by processors
− If several controllers process personal data jointly, the data subject may assert their right to information against each controller (Art. 17 para. 1 DPO)
− If the request relates to data processed by a processor, the processor shall assist the controller in providing the information, unless the processor is responding to the request on behalf of the controller (Art. 17 para. 2 DPO)

**Deadline**

− Generally within 30 days of receipt of the request (Art. 18 DPO)
− Possibility of extending the deadline: state the deadline within which the information will be provided

**Costs?**

− Generally free of charge (Art. 25 para. 6 FADP)
− Exceptions by the Federal Council in Art. 19 DPO

**Content of the information**

- Read Art. 25 para. 2 FADP
- Limitations of the right to information
  - Read Art. 26 and 27 FADP
  - Refuse, restrict or delay
  - Must notify (Art. 18 para. 3 DPO)

**Form of information**

− In writing **or** in the form in which the data is available (Art. 16 para. 2 DPO)
− Can be transmitted electronically (Art. 16 para. 3 DPO) (the burden of proof that the data has been transmitted lies with the controller)
− Information must be provided in a comprehensible form (Art. 16 para. 4 DPO)
  - For example, an additional explanation may be required for unusual file formats

**Question: How could a process (of a company) for answering information requests look?**

![](media/image17.png)

Duties of the Controller and of the Processor
=============================================

Example of duties of the Controller and of the processor
--------------------------------------------------------

Record of processing activities
-------------------------------

![](media/image19.png)

Only companies with more than 250 employees have to keep a record (employees count even if they only work 50%); exception: Art. 12 para. 5 FADP.

What is a record of processing activities?
------------------------------------------

Information obligation
----------------------

![](media/image21.png)

Who has an obligation to inform? The controller.

Exception: Art. 20 FADP

Privacy notices
---------------

They do not need to be accepted; it is sufficient if they are presented.

![](media/image23.png)

Data Protection by design and data protection by default
--------------------------------------------------------

− Connection to
  - the risk-based approach
  - data security (Art. 8 FADP)
  - the data protection impact assessment (Art. 22 FADP)

Data protection impact assessment
---------------------------------

![](media/image25.png)

**What is a DPIA and when does it have to be carried out?**

**Exception in para. 3 et seq.**

**What is a DPIA?**

![](media/image27.png)

1. **The controller**
2. **Processing that is likely to result in a high risk**
3. **Processing that is likely to result in a high risk to the data subject's personality**

**Must a DPIA be carried out?**

![](media/image29.png)

**Procedure and content**

**Consultation of the FDPIC?**

**Notification of data security breaches**

![](media/image31.png)

![](media/image33.png)

**Other topics**

- Data Processing by Private Controllers with Registered Office or Domicile Abroad (Art. 14 and 15 DPA)
- Data Protection Officer (Art. 10 DPA)
- Code of Conduct (Art. 11 DPA) and Certification (Art. 13 DPA)

Data security
=============

Information security and Data Protection Art. 8 FADP

− Para. 1: "The controller and the processor shall guarantee a level of data security appropriate to the risk by taking suitable technical and organisational measures."
− Para. 2: "The measures must make it possible to avoid breaches of data security."
− What is a breach of data security according to Art. 5 lit. h FADP?
− Distinguish data security from "data protection by design" (Art. 7 FADP), which covers further precautions to prevent data breaches
− "shall guarantee a level of data security appropriate to the risk by taking suitable technical and organisational measures"
  − What is it that shall be protected? Personal data
  − Obviously a risk-based approach (see later on how to proceed)
  − What are technical measures? What are organisational measures? Can you think of examples?

![](media/image35.png)

![](media/image37.png)

**Read Art. 4 DPO** and summarize it for your colleagues
− In particular, please address the following:
  − What obligation is addressed in Art. 4 DPO?
  − What triggers this obligation?
  − To whom does the obligation apply? Are there different obligations for different kinds of controllers/processors?
  − What is the content of the obligation? Specifically?

**Read Art. 5 DPO** and summarize it for your colleagues
− In particular, please address the following:
  − What obligation is addressed in Art. 4 DPO?
  − What triggers this obligation?
  − To whom does the obligation apply? Are there different obligations for different kinds of controllers/processors?
  − What is the content of the obligation? Specifically?
**Read Art. 6 DPO** and summarize it for your colleagues
− In particular, please address the following:
  − What obligation is addressed in Art. 4 DPO?
  − What triggers this obligation?
  − To whom does the obligation apply? Are there different obligations for different kinds of controllers/processors?
  − What is the content of the obligation? Specifically?

**Inter alia:**

− Minimum requirements in the DPO: Art. 1 to 6 DPO
− On complaint, wilful violation of the minimum data security requirements issued by the Federal Council in accordance with Art. 8 para. 3 is punishable by a fine not exceeding CHF 250,000 (Art. 61 lit. c FADP)
− What do you think of this?

**Processing by processors: Art. 5 and 9 FADP**

− What is processing by processors?
− See the definitions of controller (Art. 5 let. j FADP) and processor (Art. 5 let. k FADP)
− Whether someone is a controller or a processor has an influence on
  − the scope of their information obligations;
  − their position/duties in the event of requests for information;
  − the obligation to conclude a data processing agreement;
  − other obligations...
− Is the party bound by the instructions of the controller?
− Who decides on the modalities of the processing, with regard to the elements mentioned in Art. 5 lit. f FADP?
− What applies in a group of companies? What applies within the same legal entity?

![](media/image39.png)

**Generally permitted, if certain requirements are met**

− Data processing agreement required (if there is no legal basis)
− Form not regulated by law; practice: in writing (for reasons of proof)
− No content explicitly specified in the FADP, but for possible content cf. Lukas Lezzi, in: Bieri / Powell (ed.), OFK-DSG, Art. 9 N 22 et seq.

**Requirements (Art. 9 para. 1 and 2 FADP)**

− Bound by instructions
− Cura in eligendo, instruendo and custodiendo

![](media/image41.png)

**Processing by processors: no statutory or contractual confidentiality obligations**

− Contractual confidentiality obligations
  − Interpretation of the provisions
− Statutory confidentiality regulations such as
  − Official secrecy (Art. 320 Criminal Code)
  − Professional confidentiality (Art. 321 Criminal Code)
  − Banking secrecy (Art. 47 Banking Act)
  − etc.
− The scope of permitted involvement of processors is disputed...
− Various expert opinions / legal opinions (e.g.

**Processing by processors: ensuring the processor guarantees data security**

− The controller must (in particular) ensure that the contractor guarantees data security (Art. 9 para. 2 FADP)
− What does that mean in practice?

Cross-border Disclosure of Personal Data
========================================

![](media/image43.png)

- The DPO (the ordinance to the FADP) contains a list of states that guarantee an adequate level of data protection
- If a state is on the list, then the cross-border transfer of data is allowed
- U.S.: only for self-certified companies
- If a state is not on the list, there may be an exception under Art. 17 FADP (e.g. consent)

![](media/image45.png)

![](media/image47.png)

Art. 16 para. 2 FADP: look up the description provided by the FDPIC

![](media/image49.png)

![](media/image51.png)

If no exception such as consent applies, consult Art. 16 para. 2 FADP.

Exam
====

Weeks 1 and 2
-------------

You know whether there is ownership of data in the sense of "Eigentum" according to the Swiss Civil Code and can explain what that means. You know other legal means to obtain certain similar legal protections. You know the purpose of data protection law and the Federal Data Protection Act and can explain it. You know the personal, material and territorial scope of application of the FADP, can explain it, can make examples for it and can apply it to cases. You know the personal and material scope of application of cantonal data protection laws, in particular the data protection law of the canton of Zurich. You know the territorial scope of application of the GDPR, can explain it, can make examples for it and can apply it to cases. You know the exceptions to the personal and material scope of application of the FADP and can explain and apply them. You know the structure of the FADP and the DPO. In particular you know which provisions apply to data processing by private persons, which provisions apply to data processing by federal bodies and which provisions apply to both. You also know Art. 40 FADP, what it means and how it applies. You also know the similar provision in the data protection law of the Canton of Zurich.

Week 3
------

You know the definitions in Art. 5 FADP, can explain them, can make examples for them and can apply them to cases. You know in what context they are relevant. You know the term "Anonymization" and its meaning in the context of data protection law, can explain it, can make examples for it and can apply it to cases.
You know the term "Pseudonymization" and its meaning in the context of data protection law, can explain it, can make examples for it and can apply it to cases.

Week 4
------

You know the principles of data processing (and data security) as well as their effects, can list them, explain them, make examples for them and can apply them to cases.

Week 5
------

You know and can explain the special provisions on data processing by private persons, make examples for them and apply them to cases (Art. 30 et seqq. FADP). In particular (but not limited to): What is a breach of a personality right? What grounds of justification are there? You can solve cases involving data processing by private persons and can explain the steps you take.

Week 8
------

You know and can explain the special provisions on data processing by federal bodies, make examples for them and apply them to cases (Art. 34 et seqq. FADP), in particular and mainly (but not limited to) the issue of the required legal basis for such processing. You can solve cases involving data processing by federal bodies and can explain the steps you take.

Week 9
------

You know the data subject's legal rights and possible claims, can explain them and make examples for them. You know the rights of the data subject (in particular the right to information and the exceptions to it under Art. 25 seqq. FADP and related provisions in the DPO), can explain and apply them, can make examples for them and answer related questions. You can explain the steps of how one could go about answering a request for information under Art. 25 FADP in practice. You know in particular (without limitation) the FDPIC's possibilities for investigating data protection violations, the FDPIC's powers and possible measures (Art. 49 seqq. FADP). You can explain these, can make examples and apply this to cases. You know the criminal provisions of the FDPIC, their limitations, can explain them, can make examples and apply them to cases.

Week 10
-------

You know the obligation to maintain a record of processing activities (Art. 12 FADP and provisions in the DPO) and the exceptions to this obligation, can explain them and answer related questions. You know the duties of controllers and processors as well as the exceptions to them, can list them, explain them, make examples for them, explain how they are applied and can answer related questions. This includes in particular (without limitation): the duty to provide information (Art. 19 seq. FADP); the DPIA; consultation of the FDPIC; notification of data security breaches. You know what the "risk-based approach" in data protection law is, can explain it, can give examples of provisions that are a consequence of the risk-based approach and can answer questions on this issue.

Week 11 Self Study
------------------

You know the organization of the FDPIC and can explain it. If German is not your native language, only read Art. 49 to 59 FADP and Art. 36 to 44 DPO.

Week 12
-------

You know the basics of data security, in particular as mentioned in the FADP and Art. 1 to 6 of the DPO, can explain them, apply them and answer related questions.

Week 13
-------

You know the terms "controller" and "processor" and the differences between them, can explain them, can make examples for them and can apply them to cases. You know why the difference between those terms is important. You know how to determine which provisions of the FADP apply to controllers, which to processors and which apply to both. You know the requirements for processing by processors (in particular under Art. 9 FADP), can explain them, can make examples for them and can apply them to cases. You know the general rules and requirements for permissible cross-border disclosure of personal data, can explain them and can apply them to cases. You know the respective exceptions and how to make a cross-border disclosure of personal data permissible.
Based on reading assignments and other assignments
--------------------------------------------------

You can give a short summary of the court cases that were mentioned in the lectures (i.e. the facts and the most important findings of the court) of no more than 2 or 3 minutes, as well as discuss follow-up questions concerning the issues and topics raised in these cases. You know all of the provisions of the FADP and the DPO and their content.

General
-------

- Scope of applicability of the GDPR
- Scope of applicability of the IDG Kanton Zürich
- Right of access
- Privacy notices
- DPIA

Week 1-2 Answer
===============

**Ownership (Eigentum)** under the Swiss Civil Code (Art. 641 CC) applies to material objects. Data, being intangible, does not qualify as an "object" in this traditional sense. While you cannot "own" data under the Swiss Civil Code, there are alternative protections:

- **Factual Control and Contractual Rights**: Parties may secure rights to data through contracts, specifying access, use, and deletion.
- **Lex-Data Proposals**: Some legal scholars propose introducing specific data rights, but these are not yet codified.
- **Copyright and Database Rights**: If the data forms part of a creative work or database, copyright law or sui generis database protections may apply.

**Purpose of Data Protection Law and the FADP**

The Federal Data Protection Act (FADP) aims to protect the personality and fundamental rights of natural persons whose personal data is processed. Key purposes include:

- Safeguarding privacy and ensuring fair processing.
- Balancing technological advancements and individual rights.
- Promoting transparency and accountability in data handling.

**Scope of the FADP**

1. **Personal Scope**:
   - Applies to private persons and federal bodies (Art. 2 FADP).
   - Cantonal public bodies are regulated under cantonal laws but may analogously follow the FADP when not acting in sovereign capacities.
2. **Material Scope**:
   - Covers the **processing of personal data**, defined as any information relating to an identified or identifiable natural person (Art. 5 FADP).
3. **Territorial Scope**:
   - The FADP applies to processing activities with effects in Switzerland, even if initiated abroad (Art. 3 FADP).

**Example**: A Swiss company handling customer data locally or internationally must comply with the FADP.

**Cantonal Data Protection Laws (e.g., Zurich IDG-ZH)**

1. **Personal Scope**:
   - Applies to cantonal and municipal authorities.
   - Extends to private persons entrusted with public tasks.
2. **Material Scope**:
   - Similar principles as the FADP, but tailored for public administrative bodies.

**Example**: A cantonal hospital managing patient data is subject to the IDG-ZH.

**Territorial Scope of the GDPR**

- **Within the EU**: Applies to entities established in the EU processing personal data.
- **Outside the EU**: Covers entities processing data of individuals in the EU if:
  - Offering goods or services.
  - Monitoring behavior within the EU.

**Example**: A Swiss e-commerce site targeting EU customers must comply with the GDPR.

**Exceptions to the FADP's Scope**

Exceptions under Art. 2 FADP include:

- Data processing for personal use.
- Data already anonymized or pseudonymized.
- Processing subject to sector-specific laws (e.g., financial or health regulations).

**Structure of the FADP and DPO**

1. **Provisions for Private Persons**:
   - Govern data processing, consent, profiling, and cross-border transfers.
   - Key provisions: Art. 6 (Lawfulness), Art. 30 (Personality rights), and Art. 31 (Justifications).
2. **Provisions for Federal Bodies**:
   - Include stricter requirements for legal bases (Art. 34).
   - Obligations around statutory transparency and proportionality (Art. 33-42).
3. **Common Provisions**:
   - Definitions (Art. 5), principles (Art. 6), data security (Art. 8), and DPIAs (Art. 22).

**Art. 40 FADP**: Specifies that when federal bodies act under private law, the provisions for private persons apply analogously.

**Zurich IDG-ZH Comparison**:

- Includes analogous principles like legality, proportionality, and purpose limitation.
- Adds cantonal-level supervision and accountability mechanisms.

**Example**: Art. 40 FADP would apply if a federal body operated as a private contractor in a competitive market.

Week 3
======

**Definitions in Art. 5 FADP**

The key definitions in **Art. 5 FADP** provide the foundation for understanding and applying data protection law. Here's an overview with examples and relevance:

1. **Personal Data (Art. 5(a))**:
   - Any information relating to an identified or identifiable natural person.
   - **Example**: A customer's name, address, or email is personal data. Even a photo where someone is identifiable qualifies.
   - **Relevance**: Determines if data processing falls under the FADP.
2. **Data Subject (Art. 5(b))**:
   - The individual to whom the personal data relates.
   - **Example**: Employees of a company are data subjects when their employment records are processed.
3. **Processing (Art. 5(d))**:
   - Any operation or set of operations performed on personal data, such as collection, storage, use, or deletion.
   - **Example**: Using customer information for marketing or deleting outdated records.
4. **Controller (Art. 5(j))**:
   - The entity or person that determines the purpose and means of data processing.
   - **Example**: A hospital deciding how to manage patient records is the controller.
5. **Processor (Art. 5(k))**:
   - A third party handling data on behalf of the controller.
   - **Example**: An IT service provider storing customer data for a retailer.
6. **Sensitive Personal Data (Art. 5(c))**:
   - Data requiring extra protection, such as health information, religious beliefs, or biometric data.
   - **Example**: Medical records of a patient.
7. **Disclosure (Art. 5(e))**:
   - Making personal data accessible to a third party.
   - **Example**: Sharing employee details with a payroll service.

**Anonymization**

**Definition**:

- Anonymization is the irreversible process of removing all identifiers from data so that it can no longer be linked to an individual.

**Examples**:

1. Replacing customer names with generic IDs in a research database where re-identification is impossible.
2. Aggregating data to show total sales in a region without revealing individual transactions.

**Relevance**:

- Anonymized data is no longer considered personal data under the FADP and is exempt from its regulations.
- Useful for statistical or research purposes while ensuring privacy.

**Application**:

- **Case**: A company anonymizes customer purchase data before sharing it with a market research firm. This ensures compliance with the FADP by preventing re-identification.

**Pseudonymization**

**Definition**:

- Pseudonymization is the process of replacing identifiers with pseudonyms while still allowing re-identification through additional information (kept separately and securely).

**Examples**:

1. Assigning a unique ID to each patient in a medical study while keeping the names in a separate file.
2. Masking credit card numbers with symbols (e.g., "\*\*\*\*1234") in a transaction record.

**Relevance**:

- Pseudonymized data is still considered personal data under the FADP, as it can be linked back to the individual.
- Enhances privacy while enabling data utility for authorized purposes.

**Application**:

- **Case**: A research institution uses pseudonymization to analyze patient data for disease trends while keeping the original identifiers secured. This enables compliant data processing under the FADP.

By understanding and applying these definitions, organizations can ensure their data handling practices align with FADP requirements while safeguarding privacy.

Week 4
======

**Principles of Data Processing and Data Security under the FADP**

The Federal Data Protection Act (FADP) outlines principles to ensure lawful, fair, and secure processing of personal data. These principles guide controllers and processors in handling data responsibly.

**Principles of Data Processing**

1. **Lawfulness (Art. 6 para. 1 FADP)**:
   - Data processing must comply with the law and not violate the rights of the data subject.
   - **Example**: A company cannot collect personal data through illegal means like hacking.
   - **Effect**: Prevents misuse of data by enforcing legal boundaries.
2. **Good Faith (Art. 6 para. 2 FADP)**:
   - Data processing must be conducted honestly and transparently.
   - **Example**: Informing customers about the purpose of collecting their data instead of misleading them.
   - **Effect**: Builds trust and ensures ethical use of data.
3. **Proportionality (Art. 6 para. 2 FADP)**:
   - Data processing must be limited to what is necessary to achieve the purpose.
   - **Example**: Collecting only an email address for a newsletter subscription, not full personal details.
   - **Effect**: Reduces unnecessary data collection, minimizing privacy risks.
4. **Purpose Limitation (Art. 6 para. 3 FADP)**:
   - Data may only be collected and processed for a specific, legitimate purpose recognizable to the data subject.
   - **Example**: A fitness app collecting step count data for health tracking should not use it for targeted advertising without consent.
   - **Effect**: Ensures data is not misused for unrelated purposes.
5. **Data Accuracy (Art. 6 para. 5 FADP)**:
   - Personal data must be kept accurate and up to date.
   - **Example**: A bank must correct outdated contact details of a customer to ensure accurate communication.
   - **Effect**: Improves data reliability and prevents harm from incorrect information.
6. **Data Retention (Art. 6 para. 4 FADP)**:
   - Data must be deleted or anonymized when no longer needed for the processing purpose.
    - **Example**: A company deletes job applicant data after the recruitment process is complete.
    - **Effect**: Prevents excessive storage and unnecessary exposure risks.

**Principles of Data Security**

1. **Risk-Based Approach (Art. 8 para. 1 FADP)**:
    - Data controllers and processors must implement technical and organizational measures appropriate to the risk.
    - **Example**: Encrypting sensitive health data stored on a hospital's servers.
    - **Effect**: Ensures protection is proportional to the sensitivity of the data.
2. **Avoidance of Data Breaches (Art. 8 para. 2 FADP)**:
    - Measures must aim to prevent breaches of data security.
    - **Example**: Regularly updating firewalls to guard against cyberattacks.
    - **Effect**: Reduces risk of unauthorized access or loss of data.
3. **Privacy by Design (Art. 7 FADP)**:
    - Systems and processes must incorporate data protection measures from the outset.
    - **Example**: Designing a website to minimize data collection, storing only essential cookies.
    - **Effect**: Embeds privacy protections directly into the development phase of systems.
4. **Privacy by Default (Art. 7 FADP)**:
    - Default settings should prioritize data protection, requiring user action to opt into additional data collection.
    - **Example**: Social media platforms making profiles private by default.
    - **Effect**: Ensures higher baseline protection for users.

**Applying Principles to Cases**

**Case Example**: A municipality installs smart water meters that transmit consumption data annually for billing.

- **Lawfulness**: Ensure legal authority to collect data under municipal regulations.
- **Proportionality**: Transmit only the required billing data, not hourly usage logs.
- **Purpose Limitation**: Restrict data use to billing purposes only.
- **Data Security**: Encrypt data during transmission and storage to prevent breaches.
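The following is an added example (not part of the lecture notes) that puts the water-meter case and the anonymization/pseudonymization definitions above into Python: hourly readings are reduced to annual totals before transmission (proportionality), households are replaced by keyed pseudonyms whose lookup table stays with the billing office (pseudonymized data, still personal data), regional totals are produced for statistics (anonymized data), and billing records past their retention period are dropped (Art. 6 para. 4). The household names, readings and the five-year retention period are constructed; the `Pseudonymizer`, `BillingRecord` and retention rule are design choices of this example, not requirements of the FADP, and transport encryption is assumed to be handled outside this code.

```python
"""Added example, not from the lecture notes: a small data-handling pipeline
for the smart-water-meter case, showing proportionality (Art. 6 para. 2),
purpose limitation (para. 3), retention (para. 4) and the difference between
pseudonymized and anonymized output.

Hypothetical assumptions: readings arrive hourly as
(household, region, ISO day-and-hour, litres); only the billing office holds
the pseudonymization key and lookup table; TLS in transit is handled elsewhere.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: hourly readings for three households (not real data).
RAW_READINGS = [
    # (household identity, region, ISO day and hour, litres consumed)
    ("Muster Family, Seestrasse 1", "Zurich", "2024-01-01T00", 12.0),
    ("Muster Family, Seestrasse 1", "Zurich", "2024-01-01T01", 3.5),
    ("Muster Family, Seestrasse 1", "Zurich", "2024-06-15T19", 40.0),
    ("A. Beispiel, Bahnhofstrasse 7", "Zurich", "2024-01-01T00", 8.0),
    ("A. Beispiel, Bahnhofstrasse 7", "Zurich", "2024-03-02T12", 22.5),
    ("C. Modele, Rue du Lac 3", "Geneva", "2024-02-10T08", 15.0),
]


@dataclass(frozen=True)
class BillingRecord:
    """What leaves the meter system: one annual total per pseudonymous household."""
    pseudonym: str
    region: str
    year: str
    litres: float


class Pseudonymizer:
    """Pseudonymization (definition no. 10 above): identifiers are replaced by
    keyed HMAC tags. Re-identification needs the key and lookup table, which
    the billing office keeps separately, so the output is still personal data."""

    def __init__(self, key: bytes | None = None) -> None:
        self._key = key or secrets.token_bytes(32)
        self._lookup: dict[str, str] = {}  # pseudonym -> household, billing office only

    def pseudonym(self, household: str) -> str:
        tag = hmac.new(self._key, household.encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[tag] = household
        return tag

    def reidentify(self, pseudonym: str) -> str:
        """Reverse a pseudonym; only possible for the holder of the lookup table."""
        return self._lookup[pseudonym]


def minimise_for_billing(readings, pseudonymizer: Pseudonymizer) -> list[BillingRecord]:
    """Proportionality: aggregate hourly readings into annual totals before
    transmission, so hourly usage logs never leave the meter system."""
    totals: dict[tuple[str, str, str], float] = defaultdict(float)
    for household, region, stamp, litres in readings:
        totals[(pseudonymizer.pseudonym(household), region, stamp[:4])] += litres
    return [BillingRecord(p, r, y, round(v, 3)) for (p, r, y), v in sorted(totals.items())]


def anonymise_by_region(records: list[BillingRecord]) -> dict[str, float]:
    """Anonymization (definition no. 9 above): regional totals that no longer
    map to any household, so the result is no longer personal data."""
    totals: dict[str, float] = defaultdict(float)
    for rec in records:
        totals[rec.region] += rec.litres
    return dict(totals)


def mask_card_number(pan: str) -> str:
    """The masking example from definition no. 10: keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def apply_retention(records: list[BillingRecord], current_year: int,
                    keep_years: int) -> list[BillingRecord]:
    """Retention (Art. 6 para. 4): drop billing records older than the period
    the billing purpose requires (here keep_years completed years)."""
    return [r for r in records if int(r.year) > current_year - keep_years]


if __name__ == "__main__":
    office = Pseudonymizer()
    billing = minimise_for_billing(RAW_READINGS, office)
    for rec in billing:
        print(rec)                                  # what the municipality receives
    print(anonymise_by_region(billing))             # what a statistics office may receive
    print(office.reidentify(billing[0].pseudonym))  # only the billing office can do this
```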
By adhering to these principles, organizations can align their data processing activities with FADP requirements, safeguarding data subjects' rights while enabling compliant operations.

Week 5
======

**Special Provisions on Data Processing by Private Persons (Art. 30 et seqq. FADP)**

The **Federal Data Protection Act (FADP)** includes specific provisions for data processing by private persons. These provisions focus on the protection of personality rights and outline circumstances under which processing may be justified.

**1. Breach of Personality Rights (Art. 30 FADP)**

A **breach of personality rights** occurs if personal data is processed:

1. contrary to the principles of data processing (Art. 6 and 8);
2. contrary to the explicit wishes of the data subject; or
3. if sensitive personal data is disclosed to third parties without justification.

**Examples**:

- Processing a customer's health information for marketing purposes without consent.
- Sharing sensitive employee data with unauthorized third parties.

**Effect**:

- Violations must be addressed unless justified by consent, overriding public or private interest, or legal mandate.

**2. Grounds for Justification (Art. 31 FADP)**

A breach of personality rights may be justified under these grounds:

1. **Consent**:
    - Must be freely given, informed, and specific to the data processing activity.
    - Revocable at any time.
    - **Example**: A gym collects members' contact details with explicit consent for sending newsletters.
2. **Overriding Public or Private Interest**:
    - Requires a balance of interests between the controller and the data subject.
    - **Example**: A company monitors its premises with cameras for security reasons, even if employees prefer not to be recorded.
3. **Legal Authorization**:
    - Processing mandated or permitted by law justifies a breach.
    - **Example**: A tax authority collecting financial data to enforce tax regulations.

**3. Steps to Solve Cases Involving Private Data Processing**

When assessing whether private data processing is lawful, follow these steps:

**Step 1: Determine Applicability of the FADP**

- Confirm if the case involves **personal data** as defined in Art. 5(a) FADP.
- Verify that the data is processed by a private person and not exempted (e.g., purely personal use).

**Step 2: Identify Possible Breach of Personality Rights**

- Check if the data processing complies with the principles of lawfulness, proportionality, and purpose limitation (Art. 6 FADP).
- Evaluate whether the processing is contrary to the data subject's explicit wishes or involves unauthorized disclosure of sensitive data.

**Step 3: Assess Grounds for Justification**

- **Consent**: Was valid consent obtained, and is it documented?
- **Overriding Interest**: Is there a legitimate public or private interest outweighing the data subject's rights?
- **Legal Basis**: Does a specific law authorize the processing?

**Step 4: Apply Corrective Measures**

- If no justification exists, propose remedies:
    - **Cease Processing**: Stop the activity immediately.
    - **Correct or Delete Data**: Take steps to address inaccuracies or remove data.
    - **Secure Consent**: If possible, obtain explicit consent from the data subject.

**Case Example**

**Scenario:** A retail store uses a loyalty program to collect customers' purchase data, including sensitive information about their dietary restrictions (e.g., gluten intolerance).

1. **Identify a Breach**:
    - If the store shares dietary data with third-party advertisers without customer consent, this breaches personality rights under Art. 30 FADP.
2. **Assess Justification**:
    - **Consent**: Check if the loyalty program terms included explicit consent for sharing sensitive data.
    - **Overriding Interest**: Sharing data for advertising without explicit consent likely lacks justification.
    - **Legal Basis**: Confirm if applicable laws allow such processing.
3. **Corrective Measures**:
    - Stop sharing sensitive data immediately.
    - Notify customers and seek retroactive consent where feasible.
    - Update data processing policies to ensure compliance with Art. 6 and 31 FADP.

By following these steps, you can analyze and resolve cases involving private data processing in compliance with the FADP.

Week 8
======

**Special Provisions on Data Processing by Federal Bodies (Art. 34 et seqq. FADP)**

Under the FADP, federal bodies are subject to stricter rules than private persons due to their authoritative role and the potential lack of choice for individuals interacting with them. These provisions focus on ensuring legality, proportionality, and transparency in the processing of personal data.

**Key Provisions**

**1. Legal Basis Requirement (Art. 34 FADP)**

- Federal bodies may process personal data only if there is a statutory basis for doing so.
- **Types of Legal Basis**:
    - **Formal Law**: Required for processing sensitive personal data, profiling, or activities that may seriously infringe fundamental rights.
    - **Substantive Law**: Sufficient for processing essential to fulfilling a task outlined in formal law and where the risk to fundamental rights is minimal.
- **Exceptions (Art. 34 para. 4 FADP)**:
    - Overriding public or private interests (e.g., life-threatening emergencies).
    - Consent of the data subject.
    - Data is made generally accessible without restrictions.

**2. Disclosure of Personal Data (Art. 36 FADP)**

- Requires a statutory basis for disclosure.
- Disclosure must align with the principles of legality, purpose limitation, and proportionality.

**3. Objection to Disclosure (Art. 37 FADP)**

- Individuals have the right to object to the disclosure of their personal data, provided they show a legitimate interest and are aware of the intended disclosure.

**4. Additional Special Provisions**

- Automated data processing pilot projects (Art. 35 FADP).
- Offering documents to the Federal Archives (Art. 38 FADP).
- Processing for non-specific purposes (Art. 39 FADP).

**Steps to Solve Cases Involving Federal Bodies**

**Step 1: Determine Applicability of the FADP**

- Confirm if the federal body processes **personal data** as defined in Art. 5(a) FADP.

**Step 2: Assess the Legal Basis**

- Verify if the processing has a formal or substantive statutory basis.
- Determine if the data involves sensitive personal data or profiling, requiring stricter authorization.

**Step 3: Check Compliance with Principles**

- Evaluate adherence to principles such as:
    - **Purpose Limitation**: Is the processing strictly for the intended and legally authorized purpose?
    - **Proportionality**: Is the data collection and use necessary and minimal?
    - **Transparency**: Has the data subject been informed of the processing?

**Step 4: Review for Exceptions**

- Determine if exceptions apply (e.g., overriding public interest or consent).

**Step 5: Apply Corrective Measures**

- If non-compliance is identified, recommend steps such as:
    - Cease unauthorized processing.
    - Notify the data subject and provide remedies.
    - Ensure future compliance with the FADP.

**Case Example**

**Scenario:** A federal health agency collects patient data from hospitals nationwide to monitor the spread of a contagious disease.

1. **Legal Basis**:
    - The agency must have a **formal law** explicitly authorizing the collection of sensitive health data.
2. **Compliance with Principles**:
    - **Purpose Limitation**: The data must only be used for disease monitoring, not for unrelated research.
    - **Proportionality**: Collect only the necessary data (e.g., patient demographics and infection status) and avoid excessive retention.
3. **Transparency**:
    - Patients should be informed about the data collection through public notices.
4. **Exceptions**:
    - If explicit patient consent is unavailable, the agency must demonstrate an overriding public interest (e.g., containing a public health crisis).
5. **Corrective Action**:
    - If any hospital fails to comply with secure data transmission protocols, the agency must ensure proper training and system updates.

By following these steps and adhering to the FADP's requirements, cases involving data processing by federal bodies can be analyzed and resolved effectively.

Week 9
======

**Data Subject's Legal Rights and Possible Claims**

Under the **FADP**, data subjects have a range of rights designed to protect their personal data and ensure transparent and lawful data processing.

**1. Data Subject's Rights**

**Right to Information (Art. 25 FADP)**

- **Scope**: Data subjects can request information on whether their personal data is being processed and, if so, the nature of the processing.
- **Details Provided**:
    - Purpose of processing.
    - Categories of personal data.
    - Recipients of the data.
    - Source of data, if not collected directly from the data subject.
- **Example**: An employee requests information from their employer on how their performance evaluations are stored and shared.

**Exceptions to the Right to Information (Art. 26 FADP)**

- Information requests may be refused, restricted, or delayed if:
    - Disclosure risks harming national security or public order.
    - Disclosure adversely affects third-party rights.
    - The request is manifestly unfounded or abusive.

**Right to Rectification (Art. 32 FADP)**

- Data subjects can request correction of inaccurate personal data.
- **Example**: A customer corrects their outdated address in an online retailer's database.

**Right to Deletion and Restriction (Art. 32 FADP)**

- **Deletion**: Data must be deleted when no longer needed or if processing is unlawful.
- **Restriction**: Data processing can be limited under specific circumstances.
- **Example**: A former patient requests the deletion of their medical records from a clinic's system after moving to another provider.

**Right to Object to Disclosure (Art. 37 FADP)**

- Data subjects can object to the sharing of their data if they show a legitimate interest.
- **Example**: An individual objects to a government agency sharing their tax records with another agency.

**2. Steps to Answer a Request for Information (Art. 25 FADP)**

1. **Verify the Request**:
    - Confirm the identity of the requester to ensure the security of personal data.
    - Assess if the request is valid, clear, and complete.
2. **Assess Applicability**:
    - Check if the request relates to personal data processed by your organization.
    - Review potential exceptions under Art. 26 FADP.
3. **Collect Information**:
    - Gather details on the purpose, scope, and recipients of the data.
    - Include data source and storage details, if applicable.
4. **Respond Within the Deadline**:
    - Provide the information in an understandable form within 30 days.
    - Notify the data subject if more time is needed or if an exception applies.
5. **Maintain Records**:
    - Keep records of the request and your response to demonstrate compliance.

**3. Investigation of Violations by the FDPIC (Art. 49 et seqq. FADP)**

The **Federal Data Protection and Information Commissioner (FDPIC)** oversees compliance with the FADP. Key powers include:

1. **Investigations**:
    - Initiated **ex officio** or upon notification.
    - Triggered by sufficient indications of violations.
    - **Example**: A whistleblower reports a company for unauthorized sharing of customer data.
2. **Measures (Art. 51 FADP)**:
    - The FDPIC can order modifications, suspension, or termination of unlawful processing.
    - It can mandate the deletion of improperly stored data.
    - **Example**: The FDPIC requires a financial institution to update its security measures after a data breach.
3. **Administrative Process**:
    - Investigations follow formal administrative procedures (Art. 50-51 APA).
    - Data controllers have opportunities to respond and comply before enforcement actions.

**4. Criminal Provisions (Art. 60-66 FADP)**

Criminal liability applies to intentional violations of specific obligations under the FADP.

1. **Offenses**:
    - Failure to provide access or cooperate with investigations (Art. 60).
    - Breach of professional confidentiality (Art. 62).
    - Non-compliance with FDPIC decisions (Art. 63).
2. **Enforcement**:
    - Responsibility for enforcement lies with the cantonal authorities.
    - Maximum fines are limited to CHF 250,000 per violation.
    - **Example**: A company director knowingly disregards an FDPIC order to cease unauthorized data processing and faces prosecution.
3. **Limitations**:
    - Only intentional violations are punishable.
    - Complaints are required for most offenses except those under Art. 63.

**Examples of Application**

- **Right to Information:** A customer requests details from a telecom provider about how their call records are stored and shared. The provider confirms processing, explains the purpose (billing and fraud prevention), and shares the retention period.
- **FDPIC Investigation:** A healthcare provider experiences a data breach exposing patient records. The FDPIC investigates, identifies insufficient security measures, and mandates improvements.
- **Criminal Provision Application:** An employee inappropriately accesses and shares confidential client information. The employer is fined under Art. 62 FADP for violating professional confidentiality.

By understanding and applying these rights, claims, and enforcement mechanisms, organizations can ensure compliance with the FADP and protect data subjects effectively.

Week 10
=======

**Obligation to Maintain a Record of Processing Activities (Art. 12 FADP)**

**Requirement:**

- Controllers and processors must maintain a record of their processing activities to ensure accountability and transparency.

**Content of the Record:**

- **Controller's Record**:
    - Name and contact details of the controller.
    - Purpose of processing.
    - Categories of data subjects and personal data.
    - Recipients of the data.
    - Cross-border transfers.
    - Retention periods.
    - Technical and organizational security measures.
- **Processor's Record**:
    - Name and contact details of the processor.
    - Name and contact details of each controller on behalf of whom data is processed.
    - Categories of processing carried out for each controller.

**Exceptions:**

- Entities with fewer than **250 employees** are exempt unless:
    - The processing poses a **high risk** to the rights of data subjects.
    - The processing is **not occasional**.
    - The processing includes **sensitive personal data** or involves profiling.

**Example:**

- A medium-sized online retailer processes customer orders. Although it employs fewer than 250 people, it must maintain records because it processes customer payment data, which could pose a high risk.

**Duties of Controllers and Processors**

**Controllers' Duties:**

1. **Duty to Provide Information (Art. 19 FADP)**:
    - Inform data subjects about the purpose, categories, recipients, and retention of their data.
    - **Example**: A gym informs members about using their contact details for marketing.
2. **Data Protection Impact Assessment (DPIA)**:
    - Required for processing likely to pose a **high risk** to individuals' rights (Art. 22 FADP).
    - **Example**: A social media platform assesses risks associated with using facial recognition for tagging photos.
3. **Consultation with the FDPIC**:
    - If the DPIA identifies unmitigated high risks, the controller must consult the FDPIC before proceeding (Art. 23 FADP).
    - **Example**: A healthcare provider consults the FDPIC before introducing AI diagnostics.
4. **Notification of Data Security Breaches (Art. 24 FADP)**:
    - Notify the FDPIC immediately if a breach risks affecting individuals' rights.
    - **Example**: A hospital reports a ransomware attack exposing patient records.

**Processors' Duties:**

1. **Follow Instructions**:
    - Process personal data only on the controller's documented instructions.
2. **Ensure Data Security**:
    - Implement technical and organizational measures to protect data.
3. **Assist the Controller**:
    - Aid in DPIAs, breach notifications, and fulfilling data subject requests.
    - **Example**: An IT service provider encrypts stored data and alerts the controller about suspected breaches.

**Risk-Based Approach in Data Protection Law**

**Definition:**

- A framework emphasizing proportionality and prioritization of risks to data subjects' rights and freedoms when implementing protective measures.

**Core Elements:**

1. **Risk Assessment**:
    - Evaluate the likelihood and severity of harm to data subjects from processing activities.
    - **Example**: Assessing risks of sensitive medical data in a health database.
2. **Proportionality of Measures**:
    - Adopt security measures proportional to the assessed risk.
    - **Example**: Encrypting data for high-risk processing but only using password protection for non-sensitive records.
3. **Dynamic Compliance**:
    - Adapt measures as risks evolve due to technological or operational changes.

**Provisions Reflecting the Risk-Based Approach:**

1. **Art. 8 FADP**: Data security measures must be appropriate to the risk.
2. **Art. 22 FADP**: DPIAs for high-risk processing.
3. **Art. 12 FADP**: Record-keeping requirements tailored to processing scale and risk.

**Example:**

- A fintech company implementing AI for credit scoring:
    - Conducts a DPIA to assess risks to fairness and transparency.
    - Introduces access controls and audit logs to prevent unauthorized use of sensitive financial data.

By adhering to these obligations and principles, organizations ensure compliance with the FADP while effectively managing risks to data subjects' rights.

Week 12
=======

**Basics of Data Security Under the FADP and DPO**

The FADP and the Data Protection Ordinance (DPO) emphasize the importance of ensuring data security through technical and organizational measures.
These requirements are critical for protecting personal data against unauthorized access, processing, and breaches.

**Key Provisions on Data Security**

**1. Obligation to Guarantee Data Security (Art. 8 FADP)**

- Controllers and processors must implement **appropriate technical and organizational measures** to ensure data security.
- Measures should:
    - Protect against data breaches, unauthorized access, and accidental loss.
    - Be proportionate to the level of risk involved.

**2. Risk-Based Approach (Art. 8 para. 1 FADP)**

- Security measures must align with the **risk** posed by data processing to individuals' rights and freedoms.
- **Example**: Encrypt sensitive health data to protect against breaches but use less stringent controls for publicly available information.

**3. Preventive Measures (Art. 8 para. 2 FADP)**

- Measures must aim to **prevent breaches of data security**.
- **Example**: Regularly updating firewall and antivirus systems to block cyberattacks.

**4. Privacy by Design and Default (Art. 7 FADP)**

- Controllers must integrate data protection measures into the design of systems and processes.
- Default settings should prioritize data minimization and security.

**DPO Articles 1-6: Minimum Data Security Requirements**

**Art. 1 DPO: Scope**

- The provisions apply to all entities processing personal data under the FADP.

**Art. 2 DPO: General Security Principles**

- Controllers and processors must:
    - Ensure **confidentiality, integrity, and availability** of personal data.
    - Monitor and adapt measures as necessary.
    - Train staff on data protection practices.

**Art. 3 DPO: Technical and Organizational Measures**

- **Examples of Measures**:
    - Physical security: Restricted access to data storage facilities.
    - Logical security: Use of passwords, encryption, and access logs.
    - Organizational measures: Policies for handling personal data and incident response plans.

**Art. 4 DPO: Security Obligations for Processors**

- Processors must:
    - Follow controllers' instructions on security measures.
    - Regularly review and update security practices.
    - Notify controllers promptly in case of breaches.

**Art. 5 DPO: Data Security Breaches**

- Breaches must be identified and addressed immediately.
- Controllers are responsible for informing the FDPIC if the breach risks harming data subjects.

**Art. 6 DPO: Regular Audits and Risk Assessment**

- Entities must conduct periodic audits to ensure compliance.
- Risk assessments should evaluate the adequacy of security measures in light of evolving threats.

**Applying Data Security Principles**

**Scenario 1: Secure Customer Data in E-Commerce**

1. Implement HTTPS encryption for transactions.
2. Use multi-factor authentication (MFA) for customer accounts.
3. Store customer data on secure servers with access controls.

**Scenario 2: Responding to a Data Breach**

1. Identify the breach source (e.g., unauthorized access).
2. Contain the breach by revoking access or isolating affected systems.
3. Notify the FDPIC if the breach affects personal data.
4. Implement corrective measures, such as updating passwords and improving firewall configurations.

**Scenario 3: Designing a Privacy-Compliant Application**

1. Use **Privacy by Design** principles:
    - Collect only necessary user data.
    - Encrypt data during storage and transmission.
2. Set default settings to limit data sharing (Privacy by Default).

**Answering Related Questions**

1. **What is a data security breach under the FADP?**
    - A breach occurs when personal data is accessed, lost, or altered without authorization, risking harm to data subjects.
2. **What are examples of organizational measures?**
    - Staff training, data handling policies, incident response protocols.
3. **How do you align data security with the risk-based approach?**
    - Assess potential threats to data subjects and implement proportionate measures (e.g., encrypting sensitive data, regular audits).

By following these guidelines, organizations can safeguard personal data effectively, ensuring compliance with the FADP and DPO while protecting individuals' rights.

Week 13
=======

**Controllers and Processors: Definitions and Differences**

**Definitions (Art. 5 FADP)**

1. **Controller (Art. 5(j))**:
    - The entity or individual that determines the purpose and means of personal data processing.
    - **Example**: A hospital managing patient records to provide healthcare services.
2. **Processor (Art. 5(k))**:
    - An entity or individual processing personal data on behalf of a controller.
    - **Example**: A cloud storage provider hosting encrypted patient records for a hospital.

**Key Differences**

| Aspect | Controller | Processor |
|---|---|---|
| **Decision-making** | Determines the purpose and methods of processing. | Processes data based on the controller's instructions. |
| **Accountability** | Primarily responsible for ensuring compliance with data protection laws. | Responsible for implementing agreed-upon security measures. |
| **Examples** | Employer managing employee payroll. | Payroll service provider processing salary data. |

**Importance of the Distinction**

- Determines **obligations** under the FADP.
- Defines the **scope of liability** in cases of non-compliance or data breaches.
- Ensures clear **contractual relationships** and delineation of responsibilities.

**Provisions Applicable to Controllers, Processors, or Both**

**Controllers:**

- **Art. 8 FADP**: Responsible for implementing appropriate data security measures.
- **Art. 19 FADP**: Duty to inform data subjects about processing activities.
- **Art. 22 FADP**: Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing.
- **Art. 23 FADP**: Consult the FDPIC in cases of unresolved high risks.

**Processors:**

- **Art. 9 FADP**: Must process data only on documented instructions from the controller.
- **Art. 9(2) FADP**: Obligated to implement data security measures specified by the controller.

**Both:**

- **Art. 8 FADP**: Shared responsibility for ensuring data security.
- **Art. 24 FADP**: Notification of data breaches affecting personal data.

**Requirements for Processing by Processors (Art. 9 FADP)**

**1. Processing Based on Instructions:**

- Processors must act solely on documented instructions from controllers.
- **Example**: A marketing agency must only use customer data for campaigns authorized by the controller.

**2. Security Measures:**

- Processors must implement technical and organizational measures to ensure data protection.
- **Example**: A processor encrypts all stored customer data to meet security requirements.

**3. Data Processing Agreements (DPAs):**

- Controllers and processors must formalize their relationship through contracts detailing:
    - Scope of processing.
    - Security measures.
    - Subcontractor obligations.
- **Example**: A software provider signs a DPA with a retailer, specifying data retention periods and breach reporting protocols.

**4. Subcontracting:**

- Processors need prior authorization from controllers to engage subcontractors.
- **Example**: A cloud provider must inform the controller before outsourcing server management to another entity.

**Cross-Border Disclosure of Personal Data**

**General Rules (Art. 16 FADP):**

- Data can only be disclosed to countries that guarantee an **adequate level of data protection**.
- The Swiss Federal Council maintains a list of countries meeting this standard.
- **Example**: Data can be transferred to EU countries without additional safeguards due to their adequacy status.
**Exceptions for Non-Adequate Countries:**

If a country does not guarantee adequate protection, cross-border data transfers are allowed only if:

1. **Explicit Consent**:
    - The data subject provides informed consent for the transfer.
    - **Example**: A user agrees to their data being shared with a US-based company.
2. **Safeguards in Place**:
    - Adequate contractual clauses (e.g., Standard Contractual Clauses or SCCs).
    - Binding corporate rules for intra-group transfers.
    - **Example**: A multinational company uses SCCs to transfer employee data from Switzerland to India.
3. **Derogations (Art. 17 FADP)**:
    - Transfer is necessary for:
        - Contract performance with the data subject.
        - Public interest or legal claims.
        - Protecting vital interests of the data subject.
    - **Example**: Sharing medical data during an international emergency.

**Steps to Ensure Compliance with Cross-Border Transfers:**

1. **Check Adequacy**:
    - Verify if the recipient country is on the adequacy list.
2. **Implement Safeguards**:
    - Use SCCs or binding corporate rules for non-adequate countries.
3. **Document Consent**:
    - If relying on consent, ensure it is explicit and informed.
4. **Notify Data Subjects**:
    - Inform individuals about the transfer, especially if to non-adequate jurisdictions.

**Case Applications**

**Scenario 1: Processor Responsibilities**

A company outsources HR management to a third-party provider. The provider must process employee data only for payroll purposes, follow security protocols (e.g., encrypted transmission), and notify the controller of any breach.

**Scenario 2: Cross-Border Transfer**

A Swiss retailer sha