Data protection revision
Part 1 – Introduction:
Requirements for Swiss companies under the revised Data Protection Act
For some time now, it has hardly been possible to surf the Internet without encountering “cookie banners”. There is a lot of movement regarding data protection on the Internet, and the long-awaited revision of the Swiss Data Protection Act is pending. This paper aims to clarify the applicability and terminology of the various laws, namely the Data Protection Act (DPA), the revised Data Protection Act (DSGneu) and the European General Data Protection Regulation (GDPR). Above all, it is intended to serve as a guide for website operators and data protection officers, so that companies and websites can be adapted or created in a data protection-compliant manner.
First of all, the term “Internet sites” needs to be defined. It covers every Internet presence, from the small web business card of a sole proprietor and private family portraits to an international airline with search and booking options, regardless of whether there is a business behind it or the website is operated for some other reason. It goes without saying that the data protection requirements can vary widely. Because surfing the Internet does not usually stop at the national border, it must also be clarified whether the website can really be aligned only with the Swiss DPA or whether the European GDPR also applies.
As soon as the website also makes offers to persons located in the European Union (EU), which is probably very often the case in practice, the GDPR applies. Examples would be a newsletter that is not explicitly intended only for Swiss citizens and Swiss residents, or ongoing visitor statistics that monitor the surfing behavior of persons located in the EU.
In principle, the more data is collected or published, the more effort is required to check its legality and, if necessary, to inform the persons concerned.
Since Internet pages are digital data, special attention must be paid to IT security, which will also be explained in detail in this paper.
Data protection: status quo in the EU
The GDPR has been in force since May 25, 2018. After a transition period of two years, all EU member states as well as data processors not established in the EU are subject to the GDPR if the data processing targets individuals located in the EU (Art. 3 GDPR).
Since the GDPR has been in force for some time, there is already a considerable body of case law, fines imposed and claims for damages relating to data protection. Unfortunately, the GDPR is a very complex law, which makes its implementation in “daily business” far from easy. Furthermore, the fine amounts and case law differ depending on the country or federal state, so a certain legal uncertainty remains.
To counteract this, an independent European body, the European Data Protection Board (EDPB; German abbreviation EDSA), has been established with the aim of harmonizing the application of the GDPR and promoting cooperation between the data protection supervisory authorities in the EU. The foreign data protection supervisory authorities are responsible for imposing fines and are thus significantly involved in the interpretation of the law.
Goals of the revision of the Swiss Data Protection Act (DPA)
New technical developments result in more and more data in an ever shorter time. Just think of the smartphone: at any time and at (almost) any place, it is possible to be connected to the whole world, to shop on the Internet, to use services such as Google Maps as a navigation system, to take photos and to distribute them on various channels with one click. Data is generated with every activity, and this data is largely personal, i.e. it can be assigned to a specific person.
The DPA, which has been in force since 1992, needs updating; it dates from a time before the Internet. The revision is intended to strengthen data protection and improve data subjects’ control over their data. The sense of responsibility of data processors is to be increased, e.g. by the obligation to take compliance with data protection regulations into account as early as the planning stage of new data processing.
At the same time, or perhaps mainly – because not that much has fundamentally changed with the DSGneu – the law is to be aligned with the GDPR so that the Swiss DPA continues to be accepted as a law with equivalent data protection and an unhindered flow of data between the countries can be ensured. The European Commission was due to decide on June 3, 2020 whether Switzerland provides an adequate level of protection for personal data.
To date, no new adequacy decision has been issued, so the adequacy decision of July 26, 2000 remains valid. When the decision can be expected remains open for the time being. It may be assumed that the entry into force of the DSGneu will play a decisive role.
The DSGneu is intended only to protect the personality and fundamental rights of natural persons about whom data is processed (Art. 1 DSGneu). The protection of the data of legal persons has been abolished. Legal persons can still invoke the protection of their personality under Art. 28 ZGB (Swiss Civil Code). Otherwise, as already mentioned, a great deal has been taken over from the existing DPA.
The definition of terms has been aligned with the GDPR. Whereas previously the term “controller of a data collection” was used, the DSGneu now speaks of the “controller” (cf. GDPR: “controller”). Where the GDPR refers to “processing of personal data”, the DSGneu continues to refer simply to “processing”. The terminology has been expanded to include “profiling”, “high-risk profiling” and “data breach”, which will be discussed later.
Art. 4 DSGneu places the supervision and application of the DSGneu under the authority of the Federal Data Protection and Information Commissioner (FDPIC). The FDPIC must now issue rulings and take action against controllers by means of ordinary administrative procedures, which is also an alignment with the European data protection supervisory authorities. It remains to be seen what effect international cooperation will have in the future, whether the FDPIC, like the European data protection supervisory authorities, will impose more fines and what scale will be used to calculate them.
The DSGneu is principle-based and much less detailed than the GDPR. Nevertheless, some not very sensible regulations, partly owed to requirements of European law and partly the result of political compromises, have also found their way into the DSGneu. On the whole, however, the DSGneu is much leaner and easier to implement than the GDPR. The DSGneu will probably enter into force between the end of 2021 and summer 2022 at the earliest.
Part 2 – Personal data:
The definition of “personal data” can be found in Art. 5 lit. b DSGneu and in Art. 4 para. 1 GDPR. Both articles define it identically as data relating to an identified or identifiable person.
In the digital world of the Internet, personal data is not only to be found where it is actively entered and transmitted by a person, e.g., by means of a form or an order; just visiting an Internet page leaves behind an IP address, which – at least for a certain period of time – can be assigned to a device and thus probably also to a person.
However, there is legal uncertainty here, especially under the GDPR and in the opinion of the data protection supervisory authorities. While the data protection supervisory authorities regularly assume that IP addresses are personal data, the ECJ takes the opposite view.
In summary, the data processing relevant to Internet sites is limited to the following possibilities:
Only data that the user leaves behind with a visit or actively enters, data that the site operator publishes and processes, data passed on to processors (outsourcing service providers) and data that flows into the sphere of control of a third-party service provider (cf. the chapter on social media and other plugins) come into question.
Art. 5 lit. c DSGneu defines personal data requiring special protection as follows:
- Data about religious, ideological, political or trade union views or activities;
- Data about health, the intimate sphere, or racial or ethnic affiliation;
- Genetic data;
- Biometric data that uniquely identifies a natural person;
- Data on administrative and criminal prosecutions or sanctions;
- Data on social assistance measures.
If data belonging to the category of personal data requiring special protection is processed, consent is required only if the conditions of Art. 30 DSGneu are met, i.e. the basic principles of the law are not observed during data processing. In this case, explicit consent is required. Consent is only valid if it is given voluntarily for one or more specific processing operations after appropriate information has been provided (Art. 6(6) and (7)(a) DSGneu).
Art. 9(1) GDPR lists the same personal data requiring special protection as the DSGneu. However, the processing of such data is generally prohibited and is only permitted again under Art. 9(2) GDPR through a variety of exceptions. In summary, processing is legitimate if explicit consent has been given for the specified purposes, if it is processing within the framework of a foundation, association or other non-profit organization, or if the data subject has obviously already made the personal data requiring special protection public.
If particularly sensitive personal data is collected and the processing involves a high risk for the data subject, a thorough data protection impact assessment (DPIA; see the chapter Data protection impact assessment) and a precise examination of the legal basis are essential (Art. 22 DSGneu and Art. 35 GDPR).
Rights of the person concerned
Art. 32 DSGneu regulates the rights of data subjects, which are less far-reaching than those under the GDPR (Art. 12–23 GDPR) but still form a central pillar of data protection under both laws. These are the following rights:
- “Right to rectification;
- Right to erasure/forgetting;
- Right to restriction;
- Right to object;
- Right to data portability;
- Obligation to inform third parties of the exercise of these rights that has taken place.”
Requests from data subjects who want their data corrected, deleted or destroyed, or who simply want information about what data is being processed, must absolutely be taken seriously and answered within a reasonable time. For the right to information, see Art. 25–29 DSGneu and Art. 15 GDPR. Violations of data subject rights are viewed critically by the German data protection supervisory authorities. It cannot be ruled out that increased sanctions will also have to be reckoned with in the future; after all, under Art. 60 DSGneu – as before – the intentional violation of the rights pursuant to Art. 25 et seq. DSGneu is punishable by law.
Principles and justifications for processing
In Switzerland – unlike in the EU – no justification is required for processing personal data; instead, the so-called processing principles must be adhered to. The processing principles correspond materially to the previous law and have only been slightly reworded. In principle, the processing of personal data must be lawful, carried out in good faith and proportionate.
Purpose limitation is also very central: personal data may only be obtained for a specific purpose that is recognizable to the data subject, and only the minimum amount of data necessary should be collected (Art. 6 DSGneu). This should be easy to implement in practice and must definitely be taken into account.
Example: if the customer’s date of birth is collected when an order is placed in the online store, it should firstly be optional information, and secondly it should only be collected if an action corresponding to the purpose is carried out on the birthday, e.g. a voucher is sent by e-mail.
In Art. 5(1) GDPR we find the same processing principles: transparency, purpose limitation, fairness, data minimization, limited storage periods, data accuracy and data security. Important to know: Art. 5(2) GDPR requires proof of compliance with the processing principles, the so-called “accountability principle”.
Art. 6 GDPR regulates the lawfulness of processing. If data is to be processed, one of the following justifications is required:
- Consent of the data subject;
- For the performance of a contract or in the context of pre-contractual measures;
- To comply with a legal obligation;
- To protect vital interests of a person;
- Based on a public interest;
- To protect the legitimate interests of the controller or a third party.
With regard to the grounds for justification, the DSGneu goes less far with Art. 31 DSGneu. As already mentioned, in Switzerland no justification is normally required, provided that no other norm of Swiss law aimed at protecting the personality is violated. However, the processing must not involve the disclosure of personal data requiring special protection (Art. 6(7)(a) DSGneu), nor is the processing permissible if the data subject objects (Art. 31(1) DSGneu). In these two cases, consent must also be obtained from the data subject in Switzerland.
Under the GDPR, the issue of consent is complicated. Consent is only valid after prior information, for the specific case, and if it is voluntary and unambiguous. In addition, there is a so-called prohibition of tying: consent may not be linked to something else. Furthermore, a reference to the right and the possibility of revocation is mandatory, and revocation is possible at any time (Art. 9 GDPR). All in all, this is difficult to implement with legal certainty. In practice, this means, for example, that pre-ticked boxes (so-called checkboxes) may not be used.
Art. 6(6) and (7) DSGneu define what legally valid consent looks like. In principle, consent under the DSGneu continues to correspond to the concept as it applies throughout Swiss law. Pre-ticked checkboxes are therefore permissible. Nevertheless, it is recommended not to pre-tick checkboxes, so that disputes between user and site operator can be avoided. The prohibition of tying mentioned in the last paragraph does not exist under Art. 7(3) DSGneu.
Part 3 – Data processing:
Data protection impact assessment
Art. 22 DSGneu stipulates the use of a data protection impact assessment (DPIA). This is always necessary if processing may entail a high risk to the personality or fundamental rights of the data subject. Before each project in the company, therefore, consideration must be given to what data is processed, how, where, by whom, for what purpose and, if applicable, to whom it is passed on.
Furthermore, the storage periods and the security of the storage media must also be considered. Does the foreseen data processing involve a high risk for the personality of the data subjects?
The DPIA must therefore contain a description of the planned processing (several processing operations may be combined), an assessment of the risks to the personality or fundamental rights of the data subject, and the measures to be taken to protect the personality and fundamental rights (Art. 22(3) DSGneu). According to Art. 22(2) DSGneu, a high risk arises in particular when new technologies are used, depending on the type, scope, circumstances and purpose of the processing.
The DPIA is regulated in Art. 35 GDPR and is in principle very similar to Art. 22 DSGneu. Art. 35(7) GDPR contains the minimum requirements, which – in contrast to the DSGneu – must also include the legal basis (see points 19 and 20). Again, if the website is already aligned with the GDPR, further adjustments are unnecessary.
The obligation to notify processing operations with a presumably high risk is different. Under the GDPR, these must always be reported to the competent data protection supervisory authority. Under the DSGneu (Art. 23(4) DSGneu), consulting a data protection advisor (provided for in Art. 10 DSGneu) is possible instead of consulting the FDPIC.
Appointment of a data protection officer
In contrast to the GDPR (Art. 37 et seq. GDPR), the DSGneu does not require the appointment of a data protection officer. However, the law does provide for the possibility of appointing a data protection advisor (Art. 10 DSGneu), but this does not bring any practical legal advantages. Only under Art. 23(4) DSGneu can data processing projects that continue to pose a high risk despite a DPIA and the determination of measures be submitted to the data protection advisor instead of the FDPIC.
According to Art. 12 DSGneu, a register of processing activities must be kept; this applies to the controller as well as any processors. Art. 12(5) DSGneu states the exceptions to this obligation for companies with fewer than 250 employees whose data processing involves only a low risk of violations of the personality of the data subject. According to Art. 30(1) GDPR, the register of processing activities must contain the following information:
- The name and contact details of the controller;
- The purposes of the processing activity;
- Description of the categories of data subjects and categories of personal data;
- Categories of recipients;
- If applicable, transfer of personal data to a third country or to an international organization;
- If possible, the envisaged time limit for the erasure of the different categories of data;
- If possible, a general description of the technical and organizational measures pursuant to Art. 32(1) GDPR.
These GDPR requirements can be adopted under the DSGneu, but must be explicitly supplemented by a list of the export countries and their legal basis for processing.
Sensitization of employees
It is of central importance that all persons in charge as well as all employees are trained and sensitized on the topic of data protection. Art. 62 DSGneu (“Breach of professional secrecy”) in fact introduces a new “professional secrecy” for all those who process data.
Whereas this type of professional secrecy was previously only mandatory for certain professions (e.g. lawyers, doctors, bankers, etc.), this duty of confidentiality now applies to all professionals who obtain personal data in the course of their work, insofar as knowledge of this data is necessary for the exercise of their profession. This is to ensure the protection of clients (data). A breach of this duty of confidentiality can be personally punished with a fine of up to CHF 250,000. This regulation does not exist in the GDPR.
Part 4 – Data security:
Data security measures
Art. 8 DSGneu and Art. 8 VDSG contain provisions on general data security. The aforementioned article states that appropriate technical and organizational measures should ensure data security commensurate with the risk. The measures must make it possible to avoid breaches of data security. The Federal Council will still have to define a standard for minimum data security requirements. This will be done as part of the new ordinances.
If this standard is not complied with, a fine of up to CHF 250,000 may be imposed. Art. 7 DSGneu states that data processing must be technically and organizationally designed in such a way that all data protection regulations are complied with. Thus, the DSGneu introduces two new buzzwords: “Privacy by Design” and “Privacy by Default”. The latter means that all default settings should be selected in such a way that the greatest possible data protection is guaranteed “by default”.
“Privacy by design” means that the greatest possible data protection must be taken into account in the design of the website and in everything that involves data processing (processing procedures, access rights and responsibilities, etc.). However, these two points are not subject to fines.
Art. 25 GDPR covers the content of Art. 6 and 7 DSGneu under the title “Data protection by design and by default”. According to the GDPR, “privacy by default” means limiting data processing to a minimum by default and no publication without the consent of the data subject. In its basic features, the DSGneu matches the GDPR with regard to data security measures, and no harmonization is required.
Protection against data loss and criminal attacks
Since data connected to the Internet via servers is also always a target for hackers and malware (malware is software such as viruses, worms, ransomware, etc. that penetrate computer systems and cause disruptions or damage), all considerations and measures must also be taken in this regard to ensure data security. Malware can also be used for extortion purposes, which is happening more and more frequently in recent times.
The data is encrypted by hackers and only released when an exorbitant ransom is paid, on average USD 178,245. Therefore, it is also essential to always have up-to-date backup copies that are guaranteed to be inaccessible to hackers, e.g. offline on external hard drives. From what has been said, it is clear that installing a firewall and antivirus software alone may not be enough in many cases.
Accordingly, it is advisable to consult a professional IT security service provider to ensure the best possible protection against data loss and criminal attacks and to avoid violations that could result in fines.
Another important point is the encryption of data, whether on the website using HTTPS (Hypertext Transfer Protocol Secure), in e-mail traffic with so-called TLS encryption (Transport Layer Security), or for passwords on the server, which should be stored only as hash values. It is essential to ensure that unauthorized persons do not have access to the decryption key and that the encryption is strong enough to be considered secure.
If these encryptions are missing, the system is much more vulnerable to data loss and criminal attacks. This would also be a violation of Art. 32 GDPR or the standard of data security measures to be determined by the Federal Council. It can be assumed that the encryption options mentioned will be counted as part of this standard and therefore these adjustments should definitely be made now. Finally, it should be emphasized that IT security is not a state, but a process that must be continually expanded and adapted.
The Internet page is made accessible to the world when it is located on a web server that is connected to the Internet and can be accessed via domain (www.das-ist-der-domainname.ch) from another device that is also connected to the Internet. The web server that provides the Internet page can either be “in-house” or, as is probably more common in practice, be provided by a service provider (known as a “hoster”).
Two points must not go unmentioned on this topic. On the one hand, the processing contract (Art. 8 DSGneu and Art. 28 GDPR; marg. no. 62) with the hoster must be considered, as the hoster processes personal data on behalf of the website operator; on the other hand, the hoster must also comply with the minimum requirements for data security, as explained in the last chapter. There are huge differences in the quality of service providers here, and a careless selection can backfire on the controller or the website operator.
Part 5 – Website:
Cookies are small text files that can be stored on the computer when an Internet page is called up in order to save information. A distinction must be made between the information required for the website to function properly (so-called “first-party cookies”; these allow, for example, the shopping cart of an online store to be stored) and other cookies (so-called “third-party cookies”), which do not contribute anything to the functionality of the website but do allow user data to be analyzed (so-called “user tracking”; see also the section “Social media and other plug-ins”).
The DSGneu does not provide for a regulation analogous to the EU Directive. However, the duty to inform (Art. 17 DSGneu) must not be forgotten, which is why cookies must at least be mentioned in the privacy policy (DSE). Since, according to Art. 30 DPA, personal data may not be processed in a manner that violates personality rights and, according to Art. 6 DPA, may only be processed in accordance with the processing principles – which, with regard to cookies, can only be achieved with a cookie banner that complies with the law – we believe that the right to object should also be guaranteed.
Measuring visitor statistics
Visitor statistics can be used to monitor the surfing behavior of site visitors, which inevitably leads to the collection of personal data. This includes data such as the number of page views, the number of visitors to a particular web page, the length of time visitors spend on the site, the search engines and search terms used, and the types of browsers used.
Here, the first question of principle also applies: Is it really necessary for business purposes to observe the surfing behavior of site visitors? Where no data is collected, there is no further work to be done and there is no risk of coming close to the edge of legality. If the site visitors – in this case probably customers – have to be observed for marketing purposes in order to improve offers, it is imperative to point out that this data is being collected and to enable the right to object or, in practice, to deactivate the tracking cookie or pixel.
There are three possible setups for visitor statistics:
- The statistics run on the control panel at the hosting provider. Here it must be checked whether the statistics can be switched off or whether data protection adjustments can be made. This statistic is often forgotten because it is not installed by the site operator itself, but automatically evaluates the visitor data on the web server;
- The statistic runs on the web server (external or internal hosting), but is installed by the site operator and must be adapted correctly in terms of data protection law;
- The statistics are hosted by a third-party provider and the entire data flow goes through them. In the case of the widely used Google Analytics, this is particularly worthy of consideration, as no adequate protection of the data is guaranteed. It must therefore be a third-party service that is based in a country that is on the list of countries with adequate data protection (see chapter Data transfer to the EU / Third countries).
71% of all Swiss websites still use Google Analytics. The trend is decreasing, and the information that more privacy-friendly alternatives exist is spreading slowly but surely. Since the use of Google Analytics in Switzerland will only become dangerous once the new Data Protection Act comes into force, with the corresponding sanctions of up to CHF 250,000, there is still time to make the switch.
Legally secure alternatives are offered by all tools in which the anonymization of user data (e.g. with encryption of the IP address) can be set, in which an “opt-out” (unsubscribing from the tracking function) can be made by the user on the website (most easily regulated in the privacy policy or in the cookie banner), and in which the data flow does not go via insecure third countries. Alternatives to Google Analytics include Matomo, Open Web Analytics, etc.
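To show what the anonymization and opt-out described above look like in code, here is an added example (not part of the original paper and not taken from any analytics tool): it masks visitor IP addresses before they are stored and drops hits from visitors whose browser sends an opt-out cookie. The cookie name, the tab-separated log format and the sample lines are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Assumed cookie name that the site's cookie banner sets when a visitor
# opts out of statistics; a constructed name, not a standard one.
OPT_OUT_COOKIE = "stats_optout"


def anonymize_ip(raw_ip: str) -> str:
    """Mask the host part of an IP address before it is stored.

    IPv4 keeps the first three octets (/24), IPv6 keeps the first 48 bits (/48),
    so the stored value no longer points at a single device.
    """
    ip = ipaddress.ip_address(raw_ip.strip())
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def has_opt_out(cookie_header: str) -> bool:
    """True if the Cookie request header carries the opt-out cookie set to 1."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == OPT_OUT_COOKIE and value == "1":
            return True
    return False


def browser_family(user_agent: str) -> str:
    """Keep only a coarse browser type; the full User-Agent string is not stored."""
    ua = user_agent.lower()
    if "firefox" in ua:
        return "Firefox"
    if "chrome" in ua:  # checked before Safari: Chrome UAs also contain "Safari"
        return "Chrome"
    if "safari" in ua:
        return "Safari"
    return "Other"


@dataclass(frozen=True)
class StatsRecord:
    masked_ip: str
    path: str
    browser: str


def process_log(lines: Iterable[str]) -> List[StatsRecord]:
    """Turn raw request lines into records that visitor statistics may keep.

    Assumed line format: ip<TAB>path<TAB>user-agent<TAB>cookie-header.
    Hits carrying the opt-out cookie are dropped entirely; all others are stored
    with a masked IP and only the browser family.
    """
    records: List[StatsRecord] = []
    for line in lines:
        if not line.strip():
            continue
        ip, path, user_agent, cookies = line.rstrip("\n").split("\t")
        if has_opt_out(cookies):
            continue
        records.append(StatsRecord(anonymize_ip(ip), path, browser_family(user_agent)))
    return records


# Constructed sample requests using documentation address ranges, not real visitors.
SAMPLE_LOG = [
    "203.0.113.77\t/shop\tMozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0\tsid=a1",
    "203.0.113.78\t/shop/cart\tMozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/120.0 Safari/537.36\tsid=b2; stats_optout=1",
    "2001:db8:abcd:1234::1\t/\tMozilla/5.0 (Macintosh) AppleWebKit/605.1.15 Version/17.0 Safari/605.1.15\t",
]

if __name__ == "__main__":
    for record in process_log(SAMPLE_LOG):
        print(record)
```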
Social media and other plugins
If social media plugins are integrated (e.g. Facebook, Twitter, Instagram, etc.), streaming services are used to facilitate the playback of videos (e.g. YouTube, Vimeo, etc.), libraries are embedded (e.g. jQuery, MooTools, Angular, AnyChart, etc.) or payment services are used in online stores (e.g. Paypal, PostFinance, Klarna, etc.), it must always be remembered that these are third-party services. This also applies in particular to cloud services.
User data therefore flows into the sphere of influence of third parties via the website. On the one hand, information must be provided about this (see chapter on data protection) and on the other hand, it must not be a third-party provider that refuses to guarantee data protection or is based in an insecure third country. This is not yet an issue in the DSGneu, but under the DSGVO and with the invalidity of the EU-US Privacy Shield, it is even more of an issue and has not yet been 100% clarified (see chapter Data Transfer to the EU / Third Countries).
Fonts, Images & Forms
In the case of the popular “Google Fonts”, which can be easily integrated into an Internet page, it is important to note the two different integration modes. In the “online mode”, the browser establishes a connection to the Google server and various browser and device data as well as the user’s IP address are transmitted. This is therefore a data transfer of personal data to the USA. As described in the following chapter Data transfer to the EU / third countries, this is a problem for websites subject to the GDPR, but not (yet) for websites subject to the DSGneu.
A simple solution can remedy this problem and is also recommended for Swiss websites: Google fonts can also be used in “offline mode”, i.e. they are downloaded from Google and then hosted locally on the same server as the website. This also applies to the integration of libraries. This eliminates unnecessary transfer of personal data.
According to the DSG – and this does not change with the DSGneu – some points have to be considered when publishing photos, as far as they depict persons, without distinction whether it is a current photo or one from long ago.
There is always a lifelong right to one’s own image, regardless of copyright considerations. In addition, there are some opinions that a photograph of a person may already fall into the category of personal data requiring special protection, since it could possibly provide information about their race, religion or health. When publishing pictures of minors, the consent of their legal guardians must also be obtained. Photographs may only be published with the consent of the persons depicted or if an overriding public or private interest justifies the publication, whereby this justification may only be assumed with restraint.
This justification could be assumed in the case of reporting on public events of greater significance or in the case of media reports in compliance with the journalistic duty of care. In the case of group photos (usually of six or more people), personal rights must also be taken into account; no person may stand out from the group photo (in a disadvantageous way).
The context must therefore be strongly considered here. If the persons in a photo are so small or blurred that they cannot be recognized, it is no longer “personal data” and the image may be published without consent. With regard to consent – as is generally the case – it is only valid if it is given voluntarily and after appropriate information. Also, the withdrawal of consent is in principle possible at any time. This can be problematic with regard to the rapid dissemination in digital media. If necessary, persons depicted or other personal data can be made unrecognizable before publication so as not to violate any personal rights with regard to data protection. These regulations also apply in accordance with the GDPR.
With an order or contact form, as well as with certain chat bots, personal data is also collected. Here too, the principle of data minimization (Art. 5 para. 1 lit. c GDPR) or the appropriateness of data collection applies, as does that of encrypted transmission.
Privacy: Email Newsletter
Newsletters are a popular tool to provide website visitors with news or to send cost-effective advertisements. When sending advertisements, special attention must be paid to Art. 3 (1) UWG (Swiss Unfair Competition Act). There are two procedures for this: opt-in and double opt-in. In the case of (single) opt-in, the registration process is limited to providing a name and e-mail address and ticking a checkbox that indicates that the registration is made with the corresponding consent. Theoretically, incorrect user data could be entered here, which would result in a person receiving unwanted advertising against their will.
The double opt-in procedure is more recommendable. In addition to activating a checkbox, a link sent by e-mail must be confirmed, which verifies the correctness of the data entered. The e-mail address entered is therefore only included in the e-mail distribution list once this active confirmation has taken place.
This confirmation e-mail can again explain which data was collected and for what purpose. The disadvantage of this variant is the greater effort for the user and the confirmation e-mail runs the risk of disappearing in a spam folder or being overlooked. From a legal point of view, this variant is clearly the safer one. This is because the confirmation serves on the one hand as an indication for the user, and on the other hand it ensures absolutely active and conscious consent.
The unsubscribe link at the end of every e-mail sent must be an absolute standard, as well as a reference to the correct sender, i.e. an indication of the imprint at the end of the newsletter. If the user changes his mind, he can revoke his consent at any time and with a single click.
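The double opt-in flow described above, as an added example that is not part of the original paper: registration only creates a pending entry, the confirmation link carries an HMAC-signed, time-limited token so that a confirmation cannot be forged or replayed, the consent record stores when and with which information text consent was given, and every newsletter carries a signed one-click unsubscribe link plus the imprint. The secret key, the 48-hour confirmation window, the domain and the imprint text are constructed assumptions for the demo.

```python
"""Double opt-in newsletter registration with single-click unsubscribe.

Added example (not from the original paper). Key, TTL, URL and imprint
below are constructed demo values.
"""
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SECRET_KEY = b"constructed-demo-key-do-not-reuse"       # assumption: from a secret store in production
CONFIRM_TTL_SECONDS = 48 * 3600                          # assumption: confirmation links expire after 48 h
BASE_URL = "https://example.invalid/newsletter"           # placeholder domain
IMPRINT = "Example AG, Musterstrasse 1, 8000 Zürich, newsletter@example.invalid"  # constructed imprint


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the token payload; only the server holds the key."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_token(action: str, email: str, issued_at: int) -> str:
    """Token layout: action.urlsafe_b64(email).issued_at.hmac (no '.' can occur inside the fields)."""
    enc = base64.urlsafe_b64encode(email.encode()).decode().rstrip("=")
    payload = f"{action}.{enc}.{issued_at}"
    return f"{payload}.{_sign(payload)}"


def parse_token(token: str, now: int) -> Optional[Tuple[str, str]]:
    """Return (action, email) for a genuine token, or None if tampered, malformed or expired."""
    try:
        action, enc, issued_str, sig = token.split(".")
        issued_at = int(issued_str)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(f"{action}.{enc}.{issued_str}")):
        return None
    # Confirmation links expire; unsubscribe links must keep working indefinitely.
    if action == "confirm" and now - issued_at > CONFIRM_TTL_SECONDS:
        return None
    email = base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4)).decode()
    return action, email


def extract_token(mail_text: str) -> str:
    """Pull the token out of the first ?t=... link in a mail body (test helper)."""
    match = re.search(r"[?&]t=(\S+)", mail_text)
    return match.group(1) if match else ""


@dataclass
class ConsentRecord:
    email: str
    confirmed_at: int
    consent_text: str   # exactly what the subscriber was told about purpose and data


class NewsletterList:
    def __init__(self) -> None:
        self.pending: Dict[str, int] = {}                 # e-mail -> time of registration
        self.subscribers: Dict[str, ConsentRecord] = {}   # e-mail -> confirmed consent
        self.consent_text = ("Name and e-mail address are stored solely to send the "
                             "monthly newsletter; you can unsubscribe at any time.")

    def register(self, email: str, consent_checkbox: bool, now: int) -> Optional[str]:
        """Step 1: without the ticked checkbox nothing is stored; otherwise return the confirmation mail."""
        if not consent_checkbox:
            return None
        self.pending[email] = now
        link = f"{BASE_URL}/confirm?t={make_token('confirm', email, now)}"
        return (f"Please confirm your subscription: {link}\n"
                f"Data collected and purpose: {self.consent_text}\n{IMPRINT}")

    def confirm(self, token: str, now: int) -> bool:
        """Step 2: only a genuine, unexpired token for a still-pending address subscribes."""
        parsed = parse_token(token, now)
        if parsed is None or parsed[0] != "confirm" or parsed[1] not in self.pending:
            return False
        email = parsed[1]
        del self.pending[email]                           # a second click on the same link is rejected
        self.subscribers[email] = ConsentRecord(email, now, self.consent_text)
        return True

    def render_newsletter(self, email: str, body: str, now: int) -> Optional[str]:
        """Every mail ends with a signed one-click unsubscribe link and the imprint."""
        if email not in self.subscribers:
            return None
        link = f"{BASE_URL}/unsubscribe?t={make_token('unsubscribe', email, now)}"
        return f"{body}\n\nUnsubscribe (one click): {link}\n{IMPRINT}"

    def unsubscribe(self, token: str, now: int) -> bool:
        """Revocation of consent takes effect immediately, without login or further steps."""
        parsed = parse_token(token, now)
        if parsed is None or parsed[0] != "unsubscribe":
            return False
        return self.subscribers.pop(parsed[1], None) is not None
```

The pending entry and the signed token together are what makes double opt-in meaningful: an address entered by a third party never reaches the distribution list, and the stored consent record documents when consent was given and what the person was told, which is what has to be shown if a complaint is raised.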
In Switzerland, a fine of CHF 660 was imposed in 2019 for sending unsolicited advertising (spam). With the DSGneu, where fines of up to CHF 250,000 will be possible, an increase in reports against spam and an increase in fines can be expected. In the EU, fines are regularly issued for unsolicited e-mail advertising and their amount is considerably more painful, since according to the GDPR these fines should be “effective, proportionate and dissuasive” (Art. 83 GDPR).
Automated individual decisions
The new DPA introduces the term “profiling”, which under the new DPA covers only automated processing, and replaces the old term “personality profile”. Automated individual decisions are likely to occur relatively rarely in practice with regard to websites, but they should not go unmentioned. These are decisions that are made solely by a computer on the basis of collected data about a person, without being checked again by a human being.
There is a duty to inform in the case of an automated individual decision pursuant to Art. 21 (1) DSGneu, if a legal consequence is associated with it or the data subject would be significantly affected. Thus, the data subject shall be given the opportunity, upon request, to state his or her position and to have the automated individual decision reviewed by a natural person (Art. 21 (2) DSGneu). This obligation to provide information may be waived if the automated individual decision is made in the manner desired by the data subject (e.g., in an online store when concluding a purchase contract) or on the basis of the data subject’s consent.
An exciting decision on the subject of automated individual decisions and profiling (at that time still “creating personality profiles”) was issued in a ruling by the Federal Administrative Court on April 18, 2017; the defendant (Moneyhouse AG) was obliged by the ruling, among other things, to “delete all links on the website www.moneyhouse.ch that enable the creation of personality profiles of persons who have not consented to this in accordance with the law”.
It is not entirely clear in the GDPR whether automated individual decisions are prohibited in principle or whether they merely give rise to a right of the data subject to review by a human person. There is a right not to be subject to a decision based solely on automated processing (Art. 22(1) GDPR), but this does not apply if the decision is necessary for the conclusion or performance of a contract between the data subject and the controller, is based on a legal provision or is made with the data subject’s explicit consent (Art. 22(2) GDPR).
Part 6 – Information requirements
The imprint: Mandatory?
The imprint obligation – in contrast to the data protection declaration – depends on whether it is a website with purchase offers, e.g. an online store. In this case, Art. 3 Para. 1 lit. s No. 1 UWG applies: Anyone who “offers goods, works or services in electronic commerce” must “provide clear and complete information about his identity and his contact address, including that of the electronic mail.” Likewise, there is an imprint obligation for newsletter distribution (Art. 3 para. 1 lit. o UCA) and for media (Art. 322 para. 1 StGB).
An imprint is considered complete if the name and address, including e-mail address, of the person responsible for the page are given. This information must be up-to-date, and it must be possible to deliver letters. In the case of legal entities, it is also necessary to state the company name as it appears in the commercial register, optionally with the company identification number (UID) or the VAT number (value added tax).
The imprint should make it easier for the site visitor to contact the site operator. For this reason, it is recommended to include a telephone number, possibly also a contact form.
If it is not an e-commerce offer, an imprint is still recommended. Art. 19 DSGneu establishes the duty to inform, which applies whenever personal data is obtained. This duty can be fulfilled in the imprint and / or in the DSE.
If the website is subject to the GDPR, information on the commercial register entry (if available), the legal form, any data protection supervisory authority and VAT must be provided.
Just like the DSE or, if applicable, the General Terms and Conditions (GTC; no obligation to publish online, but possibly recommended, if available at all), the imprint must be linked in such a way that it is accessible from every page, e.g. in the footer.
The collection of personal data triggers a duty to inform the data subject and is regulated in Art. 13 ff. GDPR with a minimum content. This duty to inform can be ensured by means of DSE. In the DSGneu, this duty to inform is newly introduced, but the minimum content compared to the DSGVO is shorter. In one point, however, the DSGneu goes further than the GDPR: All countries to which data is exported must be listed (Art. 19 (4) DSGneu).
In 99% of all cases, a DSE is required. And even in the one percent where really no data is collected, it would be advisable to inform the site visitor that no data is collected. The requirements for a legally valid DSE are different according to DSGneu and DSGVO.
However, both have the principle of transparency in common: the site visitor must be able to recognize the purpose of the processing, which personal data is collected, how, for what and by whom the data is processed and, if applicable, where the personal data is transmitted. It is particularly important to mention all third-party providers as described in the section on social media and other plugins. According to the new DPA, the legal basis for exports to unsafe countries must also be mentioned.
The minimum requirements for the DSE according to Art. 14 GDPR:
- “Contact details of any company or external data protection officer;
- Contact details of any EU data protection representative;
- Purposes for which personal data are processed;
- Duration for which the personal data will be stored, or at least the criteria for determining the duration;
- Legal basis for the data processing, for example the overriding legitimate interests of the website operator pursuant to Art. 6 para. 1 lit. f DSGVO;
- Recipients of the procured personal data;
- Intended transfer of personal data to a third country and to what extent adequate data protection is guaranteed there;
- Information about any automated decision-making including profiling;
- Clarification of the extent to which the provision of personal data is mandatory, for example for legal reasons or for the performance of certain contracts;
- Right to information, right to rectification or deletion and right to data portability;
- Right to restriction of data processing as well as right to object to data processing;
- Right of revocation after consent has been given;
- Right to lodge a complaint with a data protection supervisory authority.”
The DSE can be placed e.g. in the footer, which corresponds to common practice. In any case, the DSE should be linked from every page, including the cookie banner. A common mistake is to require consent to the DSE (e.g. in an ordering process): the DSE is purely informational and does not require consent, unlike a contract or the GTCs.
When drafting the DSE, care must be taken to ensure that it is simple and easy to understand, or specifically following the wording of the GDPR: “in a precise, transparent, comprehensible and easily accessible form in a clear and simple language” (Art. 12(1) GDPR). Page-long DSEs are read less frequently. It is important to limit yourself to the essential information, but to list all of it correctly.
It can be assumed that sanctions will be imposed in the future due to insufficient DSEs in accordance with DSGneu, so it is essential to ensure a legally valid DSE. On the basis of the DSGVO, the very high fine against Google (EUR 50 million) was pronounced in 2019 due to opaque data protection regulations and the lack of a legal basis for personalized advertising.
Part 7 – Order processing
If personal data is not processed by the company itself but by an outsourcing service provider, this service provider is referred to as a “processor” or “order processor”. New in the DSGneu is the adoption from the DSGVO of the terms “controller / processor” (Art. 5 lit. j and k DSGneu). A commissioned data processing contract (ADV) between the controller and the processor must ensure that the processor carries out the data processing in the same way as the controller would do it himself.
An external hoster, for example, is a processor and usually already provides an ADV. This is at least a hallmark of a trustworthy hoster that complies with data protection law. Article 28 (3) of the GDPR defines the minimum content of an ADV:
- “Nature and purpose of processing;
- Nature of personal data; group of data subjects;
- Scope of authority to give instructions;
- Obligations and rights of the controller;
- Obligations of the processor:
  - Processing according to documented instructions;
  - Maintaining confidentiality or secrecy;
  - Taking appropriate measures for own security of processing;
  - Lawful use of subcontractors;
  - Assisting the controller in responding to requests from data subjects;
  - Assisting the Controller in complying with its obligations under Articles 32 to 36 of the GDPR;
  - Taking appropriate measures for the security of processing (Art. 28 III 2 lit. f GDPR in conjunction with Art. 32 GDPR);
  - Notification of personal data breaches to data protection supervisory authorities (Art. 28 III 2 lit. f GDPR in conjunction with Art. 33 GDPR);
  - Notification of the data subject of a personal data breach (Art. 28 III 2 lit. f GDPR in conjunction with Art. 34 GDPR);
  - Conducting a data protection impact assessment (Art. 28 III 2 lit. f DSGVO in conjunction with Art. 35 DSGVO);
  - Consultation of data protection supervisory authorities in the case of high-risk processing (Art. 28 III 2 lit. f DSGVO in conjunction with Art. 36 DSGVO);
  - Deletion or return after termination of the order;
  - Provision of information and enabling of reviews.”
According to the new DPA, these minimum requirements can be adopted, even though its content requirements are less detailed. They must, however, be explicitly supplemented by the country list for data exports. Art. 26 GDPR requires the contractual definition of the responsibilities of joint controllers, which the DSGneu does not. This also results in different liability: under the GDPR, the liability of processors is limited, whereas under the DSGneu everyone who participates in a personal data breach is held liable.
However, the demarcation between controller and processor is not always easy, there are different opinions and in the EU there are already some court decisions on this. The EDSA has recently published a guideline on this, which, however, still leaves certain questions open. It is therefore important to check very carefully whether all the necessary contracts are in place, whether the responsibilities are precisely regulated and to bear in mind that fines can now also be imposed in Switzerland for missing ADVs.
Part 8 – Data transfer
Data transfer to the EU / third countries
While the FADP is currently still responsible for approving data exports abroad, the disclosure of personal data abroad will now be standardized in accordance with Art. 16 FADP New. What is new here is that the Federal Council is responsible for deciding whether a country offers adequate data protection; it will presumably follow the adequacy decisions of the European Commission or the FDPIC's previous country list.
A violation of the data export regulation can now be sanctioned (Art. 61 lit. a DPA New). If a third country offers an adequate level of data protection, a data transfer is unproblematic. Nevertheless, the data subjects must be informed. If a third country does not offer an adequate level of data protection, the data transfer is much more complicated. The data exporter must then ensure that the exported data is well protected by means of suitable contractual measures (e.g., standard contract clauses of the EU).
In the EU, the following applies: Art. 44 – 50 GDPR regulate data transfers to third countries, which are prohibited unless the country is on the European Commission’s list of countries with adequate data protection based on Art. 45 Directive (EU) 2016/679 (see footnote 1) or the transfer has been explicitly regulated and approved by an instrument such as the Privacy Shield or Standard Contractual Clauses (SCC).
The EU-US relationship has a long and turbulent history with regard to data exchange. Politicians in the EU as well as in Switzerland have tried several times to enable personal data to be exported to the USA by means of international treaties. The first agreement, namely the Safe Harbor Agreement of 2015, was declared insufficient by the ECJ in the “Schrems I” ruling.
The follow-up solution for the overturned Safe Harbor agreement was called the EU-US Privacy Shield. Only recently, in July 2020, the Privacy Shield was also declared unsuitable by the ECJ in the “Schrems II” ruling. Currently, only the SCC remain to justify a data export to the USA, which are also used.
With regard to these SCCs, there will still be a lot to decide in the near future by courts in the EU, but especially by the data protection supervisory authorities as well as the EDSA. Max Schrems, Austrian data protection activist, fights for privacy protection as enshrined in EU data protection laws. This conflicts with U.S. surveillance laws, which require monitoring or allow unrestricted data access by U.S. authorities. A company like Microsoft, which is based in the US but hosts data for customers in the Netherlands, can still do so legally without violating the GDPR.
Part 9 – Data breach notification obligation
By way of introduction, the function of the EU data protection supervisory authorities and the FDPIC, which is the Swiss data protection supervisory authority, will be explained. What both have in common is that they must be notified of any breach of data protection, that they investigate processing operations (the GDPR and the DSGneu use slightly different terms for the same concept) and that they can issue orders to stop, restrict or adapt data processing.
The definition of “data breach” is the same in the GDPR and the DSGneu and means that personal data is unintentionally or unlawfully lost, deleted, destroyed or altered, or disclosed or made accessible to unauthorized persons (Art. 5 lit. h DSGneu). According to the GDPR, such breaches must be reported to the competent data protection supervisory authority within 72 hours (Art. 33 f. GDPR).
In the new FADP, Art. 24 FADP (“Notification of data security breaches”) introduces the requirement to submit a data breach notification. A data breach must be notified to the FDPIC only if there is a “high risk” of negative consequences for the data subject, which requires an assessment on a case-by-case basis. In Switzerland, we have neither the 72-hour deadline (legal wording: “as soon as possible”) nor the obligation to log the breach, which is certainly the more sensible regulation compared to the GDPR, where each of these notifications of a data breach must also be made to the data subject (Art. 33(5) GDPR).
According to the new FADP, a notification must only be made to the data subject if it is necessary for his or her protection, e.g., if he or she must change a password in order to restore the breached protection of an account because the access data has been tapped by unauthorized persons. The notification to the FDPIC or the data protection supervisory authority must at least state the nature of the data security breach, its consequences and the measures taken or planned.
In any case, processors must immediately report data breaches to the client, regardless of whether the breach involves a high risk, so that the client can and must decide how to deal with the data breach. The DSGneu does not provide for any legal sanctions for violations of the notification and information obligations, which in practice will probably mean that by no means all incidents are likely to be reported.
Part 10 – Sanctions & Damages
Compared to the DSGneu, the level of sanctions for violations of the GDPR is on a completely different level: Fines of up to EUR 10 million or 20 million or 2% or 4% of the annual turnover achieved worldwide, whichever is the higher, can be pronounced (Art. 83 (5) and (6) DSGVO). Here it becomes clear that the fine is directed at companies.
Although the maximum sanction of CHF 250,000 (Art. 60 et seq. DSGneu) in the DSGneu appears to be low in comparison to the DSGVO, it is put into perspective when one considers that it is not the company but a private individual that is fined.
A certain protection against punishment is provided by the fact that only intentional violations are fined (this also includes contingent intent). Because fines cannot be insured and a penalty order is an unattractive thing, the importance of correct compliance with the DSGneu and the DSGVO should be emphasized here once again.
The topic of damages should not go unmentioned. According to DSGneu and the GDPR (according to which this is even a big issue, because numerous penalties for damages have already been pronounced), in addition to the above-mentioned sanctioning, there is always the possibility of a claim for damages (Art. 82 GDPR).
According to Art. 32 para. 2 DPA new – this refers to Art. 28 ff. Civil Code – in addition to damages, compensation and restitution of profits as well as concrete measures regarding data processing (correction, deletion, prohibition of disclosure, prohibition of data processing) can be demanded under civil law.