Data Protection and Data Management PDF
Document Details
Uploaded by LegendaryClarity4269
ZHAW - Zürcher Hochschule für Angewandte Wissenschaften
Summary
This document examines data protection and data management under Swiss law. It covers the concepts of ownership of data and associated legal issues, including copyright and unfair competition. It explores important topics pertaining to contracts concerning data, such as data ownership, know-how/confidentiality, and rights of use. The author is likely instructing on aspects of Data Protection law in Switzerland.
Full Transcript
Data Protection and Data Management

1 General
Chapters 1 to 4 apply only to private and public law.

2 Ownership
Ownership of Data in the sense of the Civil Code?
▪ Digital economy desires to assign rights regarding data
▪ Discussion: Introduction of ownership rights (e.g. in the sense of the Civil Code) to data?
▪ In short, ownership grants comprehensive and exclusive control over a material object (Art. 641 para. 1 CC: “The owner of an object is free to dispose of it as he or she sees fit within the limits of the law.”)
▪ Extension of the traditional concept of “objects” to data?
▪ Tangibility?
▪ Subject to human control?
Art. 641 – only material goods
▪ Purpose and Scope – Companies and juridical persons are not protected

2.1 Ownership in the sense of Civil Code?
▪ Prevailing doctrine rejects the idea of subsuming data under ownership rights in the sense of Art. 641 para. 1 CC.
▪ Introduction of a "lex-data"?
▪ Or rather: Securing factual control and contractual measures (in particular: securing access, utilization and deletion of data)
▪ Distinguish between ownership to data and ownership to a data carrier (e.g. hard drive)

3 Copyrights
«Works are literary and artistic intellectual creations with individual character, irrespective of their value or purpose.» (Art. 2 para. 1 Copyright Act).
«Collections are protected as works in their own right insofar as they are intellectual creations with individual character with regard to their selection and arrangement.» (Art. 4 para. 1 Copyright Act).
− Data = Works?
− Database = Collected Works?

4 EU-Database Rights
− The protection of databases is a sui generis right
− Specific property right for databases that is unrelated to other forms of protection such as copyright.
− The copyright and the sui generis right may both apply if the conditions of protection for each right are fulfilled.
− Substantial limits

5 Unfair Competition
− Certain protection based on unfair competition law (Act on Unfair Competition)
Exploiting the works of others (Art. 5 let. c UCA) is meant to protect the investment
− A person acts unfairly in particular if they take over and exploit
  − another person's work product that is ready for the market
  − by means of technical reproduction processes
  − without any reasonable effort of their own
− High hurdle in order for the protection to apply in the context of data.
Please read BGE 134 III 166

6 Breach of Manufacturing or Trade Secrecy
Definition
▪ Information concerning the manufacturing of products or other information that is relevant to an enterprise
▪ Only known to a limited circle of persons and not easily accessible (objectively secret)
▪ Factual will to maintain secrecy
▪ Legitimate interest to secrecy
Breach of manufacturing or trade secrecy (Art. 6 UCA)
Breach of manufacturing or trade secrecy (Art. 162 Criminal Code)
▪ Manufacturing or trade secret;
▪ i) breach of statutory or contractual duty not to reveal
▪ ii) any person exploiting such a breach for themselves or for third parties

7 Important Topics in Contracts concerning Data
− Data “ownership”
− Protection of Know-How / confidentiality
− Rights of use
− Subject matter
− Type of data (content and formats)
− Compilation and organization of the data
− How can data be processed?
− Scope of the data / quantity of data records
− Availability
− Completeness and accuracy
− Type of contract and services owed
− Access, exploitation, processing and deletion
− Data protection

8 Structure FADP
Purpose
Art. 1 FADP: Purpose “This Act has the purpose of protecting the personality and fundamental rights of natural persons whose personal data is processed.”
Applicable Laws
Various levels
Territorial scope of application: Is Swiss law applicable?
Federal law or cantonal law?
(Personal and material scope of application)
In the case of federal law: special provisions on data processing by private persons and by federal bodies
General data protection law - sector-specific data protection law

Art. 3 FADP – territorial scope
"This Act applies to circumstances that have an effect in Switzerland, even if they were initiated abroad."
“For rights under private law, the Federal Act of 18 December 1987 on Private International Law applies.”
“In addition, the provisions on the territorial scope of application of the Criminal Code are reserved.”

Federal Act on Private International Law
Principle Art. 33 PILA
Applicable law: Law at the person's domicile
Particularly relevant for data protection: Art. 139 PILA (cf. Art. 139 para. 3 PILA)
Choice of law of the injured party:
- habitual residence of the injured party*
- establishment or habitual residence of the tortfeasor
- state in which the result of the infringement occurs
* provided that the tortfeasor had to expect the result would occur in that state

E.g. Constitution Art. 13 Right to Privacy
(1) Every person has the right to privacy in their private and family life and in their home, and in relation to their mail and telecommunications.
(2) Every person has the right to be protected against the misuse of their personal data

Legal Basis and Scope of application
Personal and material scope of application FADP: Art. 2 para. 1 FADP
This Act applies to the processing of personal data of natural persons by:
a. private persons;
b. federal bodies.
Partly different provisions apply for private persons and for federal bodies (e.g. principle of legality)
Is federal law or cantonal law applicable?
Art. 2 para. 1 FADP (see above)
E.g. § 3 para. 1 lit. c IDG-ZH "Public bodies are (...) organisations and persons under public and private law, insofar as they are entrusted with the fulfilment of public tasks."
Private persons and federal bodies – FADP
Cantonal public bodies – cantonal data protection act
If federal law is applicable:
− Are the special provisions on data processing by private persons or on data processing by federal bodies applicable?
− Definition of "federal body" Art. 5 let. i FADP: "an authority or service of the Confederation or a person entrusted to carry out public tasks on behalf of the Confederation."
− Art. 40 FADP "Private law activities by federal bodies": "If a federal body acts under private law, the provisions on data processing by private persons apply."
− (E.g. on cantonal level: Canton of Zurich: § 2c IDG-ZH: "This act does not apply to the extent that public bodies participate in economic/commercial competition and do not act as a sovereign ("… und dabei nicht hoheitlich handeln"). For the processing of data, the FADP analogously applies." However, supervision is still conducted by the cantonal data protection authority.)
Please read BGE 122 I 153 («Schlössli») and (at least) recitals 3.2.1 to 3.2.3 of BVwGer A 5921_2020 («SwissPass») as follow-up

9 Further Complexity
Additional complexity: EU General Data Protection Regulation
− Applicable also to many Swiss entities («Territorial scope»: Art. 3 para. 1 and 2 GDPR), e.g.
− EU establishment («(…) processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.»)
− Processing of personal data of data subjects who are in the Union (…) where the processing activities are related to:
  − the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  − the monitoring of their behaviour as far as their behaviour takes place within the Union.
− Cf. EDSA: Guidelines 3/2018 on the territorial scope of the GDPR
− Citizenship and nationality of the data subject is irrelevant!
Examples 1. 2. 3. 4. 5.

10 Terminology / Definitions
Data vs. Information
− Data = raw, unorganized facts (Latin "something given")
− Information = data that has been processed, organized, structured or presented in a specific context to make it meaningful or useful.
− "The numbers have no way of speaking for themselves. We speak for them. We imbue them with meaning." Nate Silver
− Computers need data; people need information
− Data are building blocks; information provides meaning and context

Art. 5 FADP «Definitions» of personal Data
Inter alia
- Personal Data: means any information relating to an identified or identifiable natural person / Types of personal data
- Sensitive Personal Data
- Data Subject
- Processing
- Profiling

Personal Data
What about legal entities?
Relating to a natural person / identified, identifiable, Information
Whose ability to identify the person is relevant?
− Whether the person is identifiable has to be determined from the point of view of the holder of the information (the context and the point of view is relevant)
Incorrect personal data is still personal data
− "A person is identified if it is clear from the information itself that it is precisely this person. The person is identifiable if it can be inferred on the basis of additional information. However, not every theoretical possibility of identification is sufficient for identifiability. If the effort involved is so great that, according to general life experience, it cannot be expected that an interested party will take it upon themselves, there is no identifiability (…). The question must be answered depending on the specific case, (…)" (Please read BGE 136 II 508, E.3.1 to 3.8)

Anonymization and pseudonymization
Anonymization - In short: Identifiability of person is irreversibly removed (not just "without name")

10.1 More definitions
Art. 5 let. c FADP Sensitive personal data means:
1.
data relating to religious, philosophical, political or trade union-related views or activities,
2. data relating to health, the private sphere or affiliation to a race or ethnicity,
3. genetic data,
4. biometric data that uniquely identifies a natural person,
5. data relating to administrative and criminal proceedings or sanctions,
6. data relating to social assistance measures;
Is this list exhaustive? yes
What about the definition of «special personal data» in § 3 IDG?
A picture of a person with glasses could be sensitive – data regarding health
What do you think should be the deciding factor?
- Data as such?
- Should the context of use or the purpose of the processing have an influence?

10.2 Profiling
Art. 5 let. f FADP Profiling: "means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;" (Cumulus and Supercard)
Art. 5 let. g FADP High risk profiling: "means profiling that poses a high risk to the data subject's personality or fundamental rights by matching data that allow an assessment to be made of essential aspects of the personality of a natural person"

Processing (Art. 5 lit. d FADP)
a) Gerald Hufnagel is a fitness instructor at a fitness studio called Powerhouse AG, Zurich. Powerhouse AG has the contact information of Gerald, salary data and banking information, as well as employee evaluations. – Powerhouse AG is processing Gerald's data
b) Powerhouse AG has various members who work out at its fitness studio and pay a yearly membership fee. – Powerhouse AG is processing its members' data
c) Some of these members try obtaining payments from their health insurance towards the membership fees of Powerhouse AG.
– The health insurance is processing the members' data
d) Powerhouse AG files its tax return with the cantonal tax authority of Zurich. – no personal data involved
Please identify potential “processing”.

Data subject (Art. 5 lit. b FADP)
a) Gerald Hufnagel is a fitness instructor at a fitness studio called Powerhouse AG, Zurich. Powerhouse AG has the contact information of Gerald, salary data and banking information, as well as employee evaluations.
b) Powerhouse AG has various members who work out at its fitness studio and pay a yearly membership fee.
c) Some of these members try obtaining payments from their health insurance towards the membership fees of Powerhouse AG.
d) Powerhouse AG files its tax return with the cantonal tax authority of Zurich.
Please identify potential “data subjects”.

Disclosure (Art. 5 lit. e FADP) – transmitting personal data or making it accessible
Controller (Art. 5 lit. j FADP) – a private person who or federal body which, alone or jointly with others, determines the purpose and the means of processing personal data
For example:
Controller gives personal data to a processor, for example to an insurance seller
Controller gives personal data to a processor, for example to an insurance seller, which outsources the order to another insurance seller - processor / processor
Processor (Art. 5 lit. k FADP)

10.3 Example
A large cloud storage provider offers its customers the ability to store large volumes of personal data. The service is completely standardised, with customers having little or no ability to customise the service. The terms of the contract are determined and drawn up unilaterally by the cloud service provider, provided to the customer on a “take it or leave it” basis. Company X decides to make use of the cloud provider to store personal data concerning its customers. Who is the controller?
Company ABC wishes to understand which types of consumers are most likely to be interested in its products and contracts a service provider, XYZ, to obtain the relevant information. Company ABC instructs XYZ on what type of information it is interested in and provides a list of questions to be asked to those participating in the market research. Company ABC receives only statistical information (e.g., identifying consumer trends per region) from XYZ and does not have access to the personal data itself.

11 Principles – important for exam

Lawfulness
Principle: Personal data must (only) be processed lawfully (Art. 6 para. 1 FADP)
Examples of unlawful behaviour?
Violation of a norm that directly or indirectly aims to protect the personality (BVGer A-3548/2018 of 19 March 2019, E. 5.4.2)
For example: hacking and getting access to personal data

Good Faith
Principle: The processing must be carried out in good faith (Art. 6 para. 2 FADP)

Proportionality – suitable, necessary and reasonable
Principle: The processing must be proportionate (Art. 6 para. 2 FADP)
− Public Bodies: Constitutional basis (Art. 5 para. 2 Constitution)
− Private Persons: Made applicable also to private persons by Art. 6 para. 2 FADP
Proportionate data processing
− is suitable for achieving the purpose pursued
− is necessary to achieve the purpose, and
− The purpose / processing is in reasonable proportion to the burden posed on the data subject (proportionality in the narrower sense; appropriateness)
Consequences of this principle, e.g.
− Retention period (Art. 6 para. 4 FADP)
− Data avoidance
− Data minimisation/data economy
Assessment of proportionality has to be made on a case by case basis
Examples
- Video cameras for security purposes (e.g. prevention of vandalism or theft)?
- Proportionality in terms of time?
- List of grades in a Gymnasium …
To be discussed:
- Monitoring of field staff using GPS instead of manual scheduling and expense reporting (BGE 130 II 425)
- Conclusion: The manner of processing must be proportionate
- Data retention policy – for how long do we have a legal obligation to retain the data? – in general 10 years
BGE 138 II 362, E. 9.2, 10 and 14 (Google Street View)

Purpose limitation
Principle: Personal data may only be collected for a specific purpose that the data subject can recognize; personal data may only be further processed in a manner that is compatible with this purpose (Art. Para 3 FADP)
Recognizable purpose results from:
− Law
− Circumstances (What purposes could/must be assumed in good faith due to the circumstances?)
− Information during data collection
− (i.e. according to FADP: "recognisable")
Binding purpose limitation for data processors, i.e. purpose must be recognisable or only processed in a way that is compatible with the recognisable purpose (broader than before)
What could the effect of this principle be, e.g. on
− Retaining or collecting data for purposes not yet known? You need no purpose
− Data Protection Notices: Transparency about the purpose of data processing of private controllers?
− Archiving?
− Anonymization

Proportionality regarding time
Principle: They shall be destroyed or anonymised as soon as they are no longer required for the purpose of processing. (Art. 6 para. 4 FADP)
What is the reason for this principle? Or: What other principles could this be an expression of?

Data accuracy
Principle: Any person who processes personal data must satisfy themselves that the data are accurate. (…) (Art. 6 para. 5 FADP)
Art. 6 para.
5 FADP
− Obligation to verify the correctness
− May imply an obligation to update data or carry out periodic reviews
− Obligation to introduce appropriate measures for the rectification, erasure or destruction of certain data

12 Special Provisions on Data Processing by Private Persons
12.1 General Principle
12.1.1 When is data processing by private persons permitted?
Principle: Any person who processes personal data must not unlawfully breach the data subjects' personality rights. (Art. 30 para. 1 FADP)
- Complements and further specifies general protection of personality rights, Art. 28 Civil Code
Swiss legal general rule: Processing personal data is allowed unless it is prohibited
Under EU: Processing personal data is prohibited unless it is allowed
What does Art. 28 Civil Code state? Did you already discuss Art. 28 Civil Code in a different class?
Is the system of the FADP on this issue identical to the system of the GDPR?
System of permission and possible justification
This principle is further specified as follows (Art. 30 para. 2 FADP):
A violation of personality rights exists in particular if: (list is not exhaustive)
− a. personal data are processed contrary to the principles set out in Articles 6 and 8;
− b. personal data are processed contrary to the express wishes of the data subject;
− c. sensitive personal data is disclosed to third parties.
- d. any other reason
Is the list of Art. 30 para. 2 FADP exhaustive or not? How do you reach your conclusion on this question? Not exhaustive
When are breaches of personality unlawful? If they are not justified by consent, overriding private or public interest or law
Does data subject have to substantiate/justify their wish that their personal data not be processed? Depends on the context
Expression of wish that personal data not be processed is subject to interpretation
What is «disclosure» of sensitive personal data?
- Loss of control?
- Disclosure to additional controller
- What about processors?
Art.
30 para. 3 FADP "In general no breach of personality rights arises if the data subject makes the personal data generally accessible and has not explicitly prohibited any processing."
Context has to be taken into account!

12.1.2 Breach of personality rights and justification
Breach of personality rights can be justified by
- Consent of the data subject
  Ground for justification – Consent, but only if you need it as a ground for justification or Art. 6 para. 7 FADP
  The consent must be explicitly given for:
  - Processing sensitive personal data
  - High-risk profiling by a private person or
  - Profiling by a federal body
- Overriding private or public interest
- Law
See Art. 31 para. 1 FADP
- Federal Supreme Court: The provision should be "interpreted in such a way that justification of the processing of personal data is not generally excluded, contrary to the principles of Art. 4, 5 I and 7 I FADP, but that justification grounds can only be affirmed with great caution in specific cases." (BGE 136 II 508, E. 5.2.4)

12.1.3 Grounds for Justification: Consent
Consent (cf. Art. 31 para. 1 and Art. 6 para. 6 and 7 FADP)
− Validity of the consent
  Specific processing(s) requires adequate information
  Must be given voluntarily
− What applies if data subject is a subordinate?
− Consent is revocable at any time
− Does revocation of consent affect past processing that was made based on consent?
– Meaning of Art. 6 para. 6 and Art. 6 para. 7 FADP

12.1.4 Overriding Private or Public Interest
Further Grounds for Justification (Art. 31 FADP)
Overriding private or public interest
− Balancing of interests between the interests of the data controller and the interests of the data subject
− Exemplary list of overriding interests of controller in Art. 31 para. 2 FADP
− Are they always applicable? "May" have an overriding interest (…) (BVGE-2009-44 (A-3908/2008) of 4 April 2009 – KSS, E.5)

12.1.5 Further grounds for justification
Law (Art.
31 FADP)
Legal basis that expressly requires, authorizes or at least tacitly presupposes data processing.
BGE 136 II 508 (Logistep)

What steps would you take to solve a case in the field of data protection (involving private persons)?
Art. 2 FADP - Personal and material scope
Art. 5 let. a FADP - is it personal data or not?
Art. 5 let. b FADP - who is the subject?
Art. 5 let. d FADP - is personal data processed?
Art. 30 FADP - is there a violation of personality?
  o Personal data processed contrary to the principles of Art. 6 and 8
  o Personal data processed contrary to the express wishes of the subject
  o Is sensitive personal data disclosed to third parties
Art. 31 FADP - are there grounds for justification
  o Consent
  o Overriding private or public interest
  o Law

13 Exercise
Municipality X has decided and implemented a change from conventional water meters to electronically readable devices. In brief, the new electronic or magnetic-inductive radio water meters work as follows: The water meters measure the amount of water consumed and store the following hourly values locally in a data logger for 252 days: alarm status, current meter reading, maximum and minimum measured flow rate. The measured values are then encrypted and transmitted by radio every 30 or 45 seconds, which is why they are also referred to as radio water meters. The data can be received by a password-protected readout device from the water supplier from a certain distance (walk-by, drive-by). For this purpose, a person drives through the neighborhood in a car and receives the corresponding data on the readout device; in the municipality, this happens once a year according to the facts established by the lower court. Only the current meter reading is transmitted and not all hourly values for the last 252 days. The measurement of water consumption and communication are independent of each other: water consumption can also be measured without or with a deactivated radio module.
Once a year, a single consumption value is transmitted to the mobile device and then used for billing. Assume that the municipality X is permitted to introduce both mechanical and electronic radio water meters in accordance with the applicable water regulations, i.e. that there is a legal basis for this.
Does the municipality X process personal data? Is this processing proportionate?
What is your assessment of the case initially? How would you approach this case? What are the different steps?

13.1.1 Basics
Data Protection Law / Public Law
− Fundamental right: Art. 13 para. 2 Constitution «Every person has the right to be protected against the misuse of their personal data.»
BGE 147 I 346

13.1.2 Special provisions for data processing by federal bodies / cantonal data protection law
Data Protection Law / Public Law
− Data protection as a fundamental right?
− Defence against interference of the state in privacy
− Stricter rules for public bodies than for private persons because:
  − State acts authoritatively
  − Lack of choice
− Principle of legality
  − All governmental action must be made on a legal basis

Which provisions in the FADP apply to Federal Bodies?
Look at the system/structure of the FADP and answer the following questions:
- Which general provisions apply to Federal Bodies?
- Which provisions do not apply to Federal Bodies?
- Which provisions apply only to Federal Bodies?

Examples of General Provisions
Important examples for provisions that are the same for Federal Bodies and Private Persons
− Definitions (Art. 5 FADP): Repetition
− Principles (Art. 6 FADP) and Data Security (Art. 8 FADP): Repetition
− Many other provisions, e.g.
  − Privacy by Design (Art. 7 FADP)
  − Processing by Processors, e.g. Records of Processing Activities
  − Cross-Border Disclosure of Data
  − Duties of the Controller and Processor

Provisions applying only to Private Persons
Examples of provisions that only apply to Private Persons
− Codes of Conduct (Art. 11 FADP)
− Representative (Art.
14 and 15 FADP)
− Special Provisions on Data Processing by Private Persons (Art. 30 et seqq. FADP)
− Always make sure that a provision does not explicitly mention it (only) applies to private persons, e.g.
  − Art. 10 para. 1 to 3 FADP deal with Data Protection Advisors for Private Persons, whereas Art. 10 para. 4 FADP (and Art. 25 et seqq. DPO) deals with Data Protection Advisors for Federal Bodies
  − Art. 22 para. 4 and 5 contain exceptions to obligations for data protection impact assessments for private controllers (and not Federal Bodies)
  − Etc.

Examples of provisions that only apply to Federal Bodies
Art. 33 to 42 FADP (mark in the book)

13.2 Control and responsibility
Control and responsibility (Art. 33 FADP)
Where a federal body processes personal data jointly with other federal bodies, with cantonal bodies or with private persons, the Federal Council shall regulate control procedures and responsibilities

Legal basis (Art. 34 FADP)
"Federal bodies may only process personal data if there is a statutory basis for doing so" (para. 1)
A statutory basis in a formal law is required (para. 2) if
− Processing of sensitive personal data;
− Profiling;
− The purpose or manner of processing may lead to serious violation of the data subject's fundamental rights
A statutory basis in a substantive law is sufficient for particularly sensitive personal data and for profiling (para. 3) if
− Processing is essential for a task required by a formal law, and
− Processing purpose poses no particular risks for fundamental rights of data subject

Legal Basis Art. 34 para. 4 FADP – overriding public and private interest
In derogation from paragraphs 1-3, federal bodies may process personal data if one of the following requirements is satisfied:
− The Federal Council has authorised the processing because it considers the data subject's rights not to be at risk.
− Data subject has consented to the processing in the specific case or has made their personal data generally accessible and has not explicitly prohibited processing.
− The processing is necessary in order to protect the life or physical integrity of the data subject or a third party and it is not possible to obtain the data subject's consent within a reasonable period of time.

Disclosure of personal data (Art. 36 FADP)
Every disclosure of data by Federal Bodies requires a statutory basis (para. 1)
− Reference to Art. 34 FADP
  − Statutory basis in a formal law required?
  − Statutory basis in a substantive law sufficient?
− Derogation of Art. 34 para. 1 FADP in Art. 34 para. 2 to 5 FADP for certain cases.
Read Art. 34 FADP after class.

Objection to the disclosure of data (Art. 37 FADP)
This is a legal entitlement of the person concerned
− Requirements (para. 1)
  − Legal: Showing legitimate interest
  − Factual: Knowledge of the (planned) disclosure of data
− Limitations and exceptions (para. 2 and 3)
  − Legal duty to disclose
  − Granting of objection jeopardises fulfilment of federal body's task
  − Overriding public interest in the context of the principle of publicity (FOIA)

Take the Federal Act on Health Insurance (https://www.fedlex.admin.ch/eli/cc/1995/1328_1328_1328/de)
Are Health Insurance companies Federal Bodies in the sense of the FADP? If so, to what extent?
Can you find the provisions serving as a legal basis for data processing and disclosure of data?

Additional special provisions
− Automated data processing as part of pilot trials (Art. 35 FADP)
− Offering documents to the Federal Archives (Art. 38 FADP)
− Data processing for purposes not related to specific persons (Art. 39 FADP)
− Rights and procedures (Art. 41 FADP)
− Procedure for disclosing official documents that contain personal data (Art.
42 FADP)

13.3 Cantonal Data Protection Law
− Cantons have their own cantonal law
− Basic features of cantonal data protection law do not differ from federal data protection law
− Nevertheless, there are, of course, differences
− Requirements from European regulations
− Guidelines of the Conference of the Cantons

Current revisions of cantonal data protection law
− Some cantons have revised their data protection laws (e.g. AG, ZH)
− Some cantons are still under revision (or not)
− Occasionally: "special data protection law" - analogue to Schengen-FADP (e.g. BE)

Scope of applicability, e.g. in the IDG-ZH
− Cantonal authorities and administrations
− Municipal authorities and administrations
− But also private persons, to the extent they have been entrusted to carry out (cantonal or municipal) public tasks
Please read § 3 para. 1 IDG-ZH for further details
Examples:
- Public schools
- Cantonal Churches
- Hospitals (to the extent they have a cantonal basic care mandate),
- Privatized utilities, e.g. electricity supply

Example: Principles in the IDG-ZH
− Principle of legality
− Proportionality
− Purpose Limitation
− Data accuracy
− Data security
Please discuss: Is this similar to the principles in the FADP?
Read § 7, 8 and 9 IDG-ZH: Where do you find the principles mentioned above?

Relevance of FADP for Cantonal Public Bodies
− Some cantonal data protection laws provide for "mixed" applicability:
− E.g. § 2c IDG-ZH: “This law does not apply, to the extent public bodies participate in economic competition without acting in a sovereign capacity. For processing personal data the FADP applies analogously. Supervision is conducted by the cantonal data protection authority.”
− Example: ZKB

13.4 Exercise
Municipality X has decided and implemented a change from conventional water meters to electronically readable devices.
In brief, the new electronic or magnetic-inductive radio water meters work as follows: The water meters measure the amount of water consumed and store the following hourly values locally in a data logger for 252 days: alarm status, current meter reading, maximum and minimum measured flow rate. The measured values are then encrypted and transmitted by radio every 30 or 45 seconds, which is why they are also referred to as radio water meters. The data can be received by a password-protected readout device from the water supplier from a certain distance (walk-by, drive-by). For this purpose, a person drives through the neighborhood in a car and receives the corresponding data on the readout device; in the municipality, this happens once a year according to the facts established by the lower court. Only the current meter reading is transmitted and not all hourly values for the last 252 days. The measurement of water consumption and communication are independent of each other: water consumption can also be measured without or with a deactivated radio module. Once a year, a single consumption value is transmitted to the mobile device and then used for billing. Assume that the municipality X is permitted to introduce both mechanical and electronic radio water meters in accordance with the applicable water regulations, i.e. that there is a legal basis for this.
Does the municipality X process personal data? Is this processing proportionate?
How would you approach the following case? What are the different steps? How do they differ from the steps you take, if personal data is processed by a private person?
What is your assessment of the case?
BGE 147 I 346

14 Legal Rights / Claims
Data Processing by Federal Bodies
14.1 Legal Rights and Procedures
Art.
41 FADP
− Legal claims/rights
− Refraining from unlawful data processing
− Redressing the consequences of unlawful data processing
− Declaring the unlawfulness of data processing
− Correction, deletion or destruction of data
− Restriction of data processing
− Dispute notice in the absence of evidence of (in)correctness
− Notification to third parties

Legal Rights
Private persons as controllers
- Right to information (see later): Decision in simplified proceedings (Art. 243 para. 2 lit. d ZPO)
- Correction of inaccurate personal data (unless statutory provision prohibits amendment or personal data are processed for archiving purposes in the public interest; Art. 32 para. 1 FADP)
- Actions pursuant to Art. 28 etc. Civil Code (injunction, removal, declaratory judgement, damages, restitution of profits, satisfaction)
- According to Art. 32 para. 2 FADP "in particular"
  o Prohibit specific data processing
  o Prohibit specific disclosures to third parties
  o Request the deletion or destruction of personal data
Furthermore
- Dispute notice (Art. 32 para. 3 FADP)
- Notification and publication (Art. 32 para. 4 FADP)
- Procedure according to Civil Procedural Code

15 Notification by the Data Subject to the FDPIC
15.1 Rights and legal consequences
Supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC)
Pursuant to Art. 49 et seq. FADP
- Investigations
  o Ex officio or upon notification if there are sufficient indications
  o Opportunity principle («Opportunitätsprinzip»)
  o Resources possibly an issue
- Administrative measures by the FDPIC (Art. 51 FADP)
  o The FDPIC may, e.g. issue an order that the processing be modified, suspended or terminated, wholly or in part, and the personal data deleted or destroyed, wholly or in part.
  o Procedure: Investigation procedure pursuant to Art. 50 and 51 APA (VwVG)
- Other tasks pursuant to Art. 56 ff. FADP

15.2 Criminal liability
Criminal provisions
- Art. 60 to 66 FADP
  o Art.
60 FADP: Violation of obligations to provide access and information or to cooperate
  o Art. 61 FADP: Violation of duties of care
  o Art. 62 FADP: Violation of professional duty of confidentiality
  o Art. 63 FADP: Disregarding Decisions
  o Criminal liability therefore limited to certain specific obligations
Criminal provisions
- Similarities
  o Responsibility for enforcement of criminal provisions: cantons (not FDPIC: the FDPIC can file a complaint: Art. 65 FADP)
  o All offences only punishable for intent
  o Maximum fine of up to CHF 250,000 in each case
  o Complaint required (except Art. 63 FADP: disregarding decisions)
  o Possible offenders qualified: private persons

15.3 Rights to information / access right
You have to distinguish:
- Right to information under the FADP
- Right to information under the Federal Act on Freedom of Information in the Administration (FoIA)
- Other access rights, e.g. rights to access to files («Akteneinsichtsrecht») under procedural laws
The following comments cover the right to information under the FADP
Where do you find the legal basis for the right to information under the FADP?
- General provision: Art. 25 FADP
- Limitations to right to information: Art. 26 FADP
- Limitation on the right to information for the media: Art. 27 FADP
- Specific Provisions:
  - Modalities: Art. 16 DPO
  - Responsibilities: Art. 17 DPO
  - Time limits/deadlines: Art. 18 DPO – 30 days
  - Exceptions to the exemption from costs: Art. 19 DPO
- As already pointed out in the first lecture: Read the FADP and the DPO; some of what you need to know is already in there …
"Any person may request information from the controller on whether personal data relating to them is being processed." (Art. 25 para. 1 FADP) (Purpose: Check and enforce transparency / compliance with DPA)

Recurring themes
− Qualification as a request for information
− Is the person requesting the information authorized to request the information?
− Is the person/body to whom the request is addressed under an obligation to provide the information?
− Modalities: (a) Form of the request; (b) Deadline; (c) Form of the reply/providing the information; (d) Costs max. 300 CHF
− Subject matter of the request and the reply
− Limitations
Question: Can you identify (some) of the recurring themes mentioned above in the sample request for information?

Generally: No proof of interest or justification required
− However, one may request reasons if abuse of rights is suspected or it is possibly "obviously unjustified" in accordance with the restriction of Art. 26 para. 1 let. c FADP
− Form of request: In writing or electronically (Art. 16 para. 3 DPO) or verbally with the consent of the controller (Art. 16 para. 1 DPO): fulfilled in this case

Authorized:
− Each person for their own data where they are a data subject
− Waiver not possible in advance
− Cannot be transferred (but PoA is possible)
− But: Identification requirement (Art. 16 para. 5 DPO)
− Take appropriate measures to identify the data subject
− Data subject is obliged to cooperate
− Is an ID required in every case?

Responsible:
− Art. 25 para. 1 and 4 FADP: Controller also for processing by processors
− If several controllers process personal data jointly, the data subject may assert their right to information against each controller. (Art. 17 para. 1 DPO)
− If the request relates to data processed by a processor, the processor shall assist the controller in providing the information, unless the processor is responding to the request on behalf of the controller. (Art. 17 para. 2 DPO)

Deadline
− Generally, within 30 days of receipt of the request (Art. 18 DPO)
− Possibility of extending the deadline: state the deadline within which the information will be provided

Costs?
− Generally free of charge (Art. 25 para. 6 FADP)
− Exceptions by the Federal Council in Art. 19 DPO

Content of the information
- Read Art. 25 para.
2 FADP
- Limitations of the right to information
  o Read Art. 26 and 27 FADP
  o Refuse, restrict or delay
  o Must notify (Art. 18 para. 3 DPO)

Form of information
− In writing
Or
− in the form in which the data is available (Art. 16 para. 2 DPO)
− Can be transmitted electronically (Art. 16 para. 3 DPO) (burden of proof that data has been transmitted lies with the controller)
− Information must be provided in a comprehensible form (Art. 16 para. 4 DPO)
- For example, an additional explanation may be required for unusual file formats
Question: What could a company's process for answering information requests look like?

16 Duties of the Controller and of the Processor
16.1 Example of duties of the Controller and of the processor
16.2 Record of processing activities
Only companies with more than 250 employees, and also if they are only working 50%
Exception: Art. 12 para. 5 FADP
16.3 What is a record of processing activities?
16.4 Information obligation
Who has an obligation to inform? Controller
16.5 Information obligation
Exception: Art. 20 FADP
16.6 Privacy notices
They do not need to be accepted; it is sufficient that they are presented
16.7 Data Protection by design and data protection by default
− Connection to
- Risk based approach
- Data security (Art. 8 FADP)
- Data protection impact assessment (Art. 22 FADP)
16.8 Data protection impact assessment
What is a DPIA and when does it have to be carried out? Exception in para 3 ff.
What is DPIA?
1. The Controller
2. Processing that is likely to result in a high risk
3. Processing that is likely to result in high risk to the data subject's personality
Must a DPIA be carried out?
Procedure and content
Consultation of the FDPIC?
Notification of data security breaches

Other topics
Data Processing by Private Controllers with Registered Office or Domicile Abroad (Art. 14 and 15 DPA)
Data Protection Officer (Art. 10 DPA)
Code of Conduct (Art. 11 DPA) and Certification (Art.
13 DPA)

17 Data security
Information security and Data Protection
Art. 8 FADP
− Para. 1: "The controller and the processor shall guarantee a level of data security appropriate to the risk by taking suitable technical and organisational measures."
− Para. 2: "The measures must make it possible to avoid breaches of data security."
− What is a breach of data security according to Art. 5 lit. h FADP?
− Distinguish data security from "Data protection by design" (Art. 7 FADP), which covers further precautions to prevent data breaches
− "shall guarantee a level of data security appropriate to the risk by taking suitable technical and organisational measures"
− What is it that shall be protected? Personal data
− Obviously risk-based approach (see later on how to proceed)
− What are technical measures? What are organisational measures? Can you think of examples?

Read Art. 4 DPO and summarize it for your colleagues
− In particular, please address the following:
− What obligation is addressed in Art. 4 DPO?
− What triggers this obligation?
− To whom does the obligation apply? Are there different obligations for different kinds of controllers/processors?
− What is the content of the obligation? Specifically?

Read Art. 5 DPO and summarize it for your colleagues
− In particular, please address the following:
− What obligation is addressed in Art. 4 DPO?
− What triggers this obligation?
− To whom does the obligation apply? Are there different obligations for different kinds of controllers/processors?
− What is the content of the obligation? Specifically?

Read Art. 6 DPO and summarize it for your colleagues
− In particular, please address the following:
− What obligation is addressed in Art. 4 DPO?
− What triggers this obligation?
− To whom does the obligation apply? Are there different obligations for different kinds of controllers/processors?
− What is the content of the obligation? Specifically?

Inter alia:
− Minimum requirements in the DPO: Art.
1 to 6 DPO
- On complaint, willful violation of the minimum data security requirements issued by the Federal Council in accordance with Art. 8 para. 3 is punishable by a fine not exceeding CHF 250,000 (Art. 61 lit. c FADP)
− What do you think of this?

Processing by processors
Art. 5 and 9 FADP
− What is processing by processors?
− See definitions of controller (Art. 5 let. j FADP) and processor (Art. 5 let. k FADP)
– Whether someone is controller or processor has an influence on
− scope of their information obligations;
− their position/duties in the event of requests for information;
− the obligation to conclude a data processing agreement
− other obligations …
− Is the party bound by instructions of the controller?
− Who decides on the modalities of the processing, with regard to the elements mentioned in Art. 5 lit. f FADP?
− What applies in a group of companies? What applies within the same legal entity?
− No group privilege
− Local branches of a company?

Generally permitted, if certain requirements are met
− Data processing agreement required (if no legal basis)
− Form not regulated by law; practice: in writing (for reasons of proof)
− No content explicitly specified in FADP, but for possible content cf. Lukas Lezzi, in: Bieri / Powell (Ed.), OFK-DSG, Art. 9 N 22 seq

Requirements (Art. 9 para. 1 and 2 FADP)
− Bound by instructions
− Cura in eligendo, instruendo and custodiendo

Processing by processors: no statutory or contractual confidentiality obligations
− Contractual confidentiality obligations
− Interpretation of the provisions
− Statutory confidentiality regulations such as
− Official secrecy (Art. 320 Criminal Code)
− Professional confidentiality (Art. 321 Criminal Code)
− Banking secrecy (Art. 47 Banking Act)
– Etc
− Scope of permitted involvement of processors is disputed …
− Various expert opinions / legal opinions (e.g.
Processing by processors: ensuring processor guarantees data security
− The controller must (in particular) ensure that the contractor guarantees data security (Art. 9 para. 2 FADP)
− What does that mean in practice?

18 Cross-border Disclosure of Personal Data
The DPO (the ordinance to the FADP) has a list of states that guarantee an adequate level of data protection
If a state is on the list, then the cross-border transfer of data is allowed
U.S. only for self-certified companies
If it is not on the list, then there may be an exception under Art. 17 FADP (consent, for example)
Art. 16 para. 2 FADP – look up the description in the FDPIC
If no exception such as consent applies, consult Art. 16 para. 2 FADP

19 Exam
Weeks 1 and 2
You know whether there is ownership to data in the sense of “Eigentum” according to the Swiss Civil Code and can explain what that means. You know other legal means to obtain certain similar legal protections. You know the purpose of data protection law and the Federal Data Protection Act and can explain it. You know the personal, material and territorial scope of application of the FADP, can explain it, can make examples for it and can apply it to cases. You know the personal and material scope of application of cantonal data protection laws, in particular the data protection law of the canton of Zurich. You know the territorial scope of application of the GDPR, can explain it, can make examples for it and can apply it to cases. You know the exceptions to the personal and material scope of application of the FADP and can explain and apply them. You know the structure of the FADP and the DPO. In particular you know, which provisions apply to data processing by private persons, which provisions apply to data processing by federal bodies and which provisions apply to both. You also know Art. 40 FADP, what it means and how it applies. You also know the similar provision in the data protection law of the Canton of Zurich.

19.1 Week 3
You know the definitions in Art.
5 FADP, can explain them, can make examples for them and can apply them to cases. You know in what context they are relevant. You know the term “Anonymization” and its meaning in the context of data protection law, can explain it, can make examples for it and can apply it to cases. You know the term “Pseudonymization” and its meaning in the context of data protection law, can explain it, can make examples for it and can apply it to cases.

19.2 Week 4
You know the principles of data processing (and data security) as well as their effects, can list them, explain them, make examples for them and can apply them to cases.

19.3 Week 5
You know and can explain the special provisions on data processing by private persons, make examples for them and apply them to cases (Art. 30 et seqq. FADP). In particular (but not limited to): What is a breach of a personality right? What grounds of justification are there? You can solve cases involving data processing by private persons and can explain the steps you take.

19.4 Week 8
You know and can explain the special provisions on data processing by federal bodies, make examples for them and apply them to cases (Art. 34 et seqq. FADP), in particular and mainly (but not limited to) the issue of the required legal basis for such processing. You can solve cases involving data processing by federal bodies and can explain the steps you take.

19.5 Week 9
You know the data subject’s legal rights and possible claims, can explain them and make examples for them. You know the rights of the data subject (in particular the right to information and exceptions to it under Art. 25 seqq. FADP and related provisions in the DPO), can explain and apply them, can make examples for them and answer related questions. You can explain the steps of how one could go about answering a request for information under Art. 25 FADP in practice.
You know in particular (without limitation) the possibilities of investigation of data protection violations by the FDPIC, the FDPIC’s powers and possible measures (Art. 49 seqq. FADP). You can explain it, can make examples and apply this to cases. You know the criminal provisions of the FDPIC, their limitations, can explain them, can make examples and apply them to cases.

19.6 Week 10
You know the obligation to maintain a record of processing activities (Art. 12 FADP and provisions in DPO) and exceptions to this obligation, can explain them and answer related questions. You know the duties of the controllers and the processors as well as exceptions to them, can list them, explain them, make examples for them and explain how they are applied and can answer related questions. This includes in particular (without limitation): duty to provide information (Art. 19 seq. FADP); DPIA; Consultation of the FDPIC; Notification of data security breaches. You know what the “risk based approach” in data protection law is, can explain it, can give examples of provisions that are a consequence of the risk based approach and can answer questions on this issue.

19.7 Week 11 Self Study
You know the organization of the FDPIC, and can explain it. If German is not your native language, only read Art. 49 to 59 FADP and Art. 36 to 44 DPO.

19.8 Week 12
You know the basics of data security, in particular as mentioned in the FADP and Art. 1 to 6 of the DPO, can explain them, apply them and answer related questions.

19.9 Week 13
You know the terms and differences between “controller” and “processor”, can explain them, can make examples for them and can apply them to cases. You know why the difference between those terms is important. You know how to determine which provisions of the FADP apply to controllers, which to processors and which apply to both. You know the requirements for processing by processors (in particular under Art.
9 FADP), can explain them, can make examples for them and can apply them to cases. You know the general rules and requirements for permissible cross-border disclosure of personal data, can explain them and can apply them to cases. You know the respective exceptions and how to make a cross-border disclosure of personal data permissible. 19.10 Based on reading assignments and other assignments You can give a short summary of the court cases that were mentioned in the lectures (i.e. facts and most important findings of the court) of no more than 2 or 3 minutes, as well as discuss follow-up questions concerning the issues and topics raised in these cases. You know all of the provisions of the FADP and the DPO and their content. 19.11 General Scope of aplicability GDPR Scope of aplicability of IDG Kanton Zürich Right of access Privacy notices DPIA