Que­sti­on Hut­ter (04.1064): Dis­clo­sure and use of cus­to­mer data by a hig­her level of trade

Que­sti­on Hut­ter (04.1064): Dis­clo­sure and use of cus­to­mer data by a hig­her level of trade

Sub­mit­ted text

In a let­ter dated Janu­ary 14, 2004, the Fede­ral Data Pro­tec­tion Com­mis­sio­ner sta­ted that no fur­ther mea­su­res were requi­red with regard to a report from mer­chants at a lower level of trade con­cer­ning the dis­clo­sure of cus­to­mer data by the upper level of trade, as no serious vio­la­ti­on of data pro­tec­tion regu­la­ti­ons could be identified.

I ask the Fede­ral Council:

1. is he of the opi­ni­on that the dis­clo­sure of cus­to­mer data by an upper tra­ding level in a ver­ti­cal dis­tri­bu­ti­on system, wit­hout the express con­sent of the cus­to­mers, is not a serious breach of data pro­tec­tion law and that no mea­su­res are necessary?

2. is it of the opi­ni­on that the use of cus­to­mer data for a pur­po­se quite dif­fe­rent from that for which it must be pas­sed on to an upper tra­ding level in a ver­ti­cal dis­tri­bu­ti­on system does not con­sti­tu­te a serious breach of data pro­tec­tion law? This in par­ti­cu­lar in view of the fact that cus­to­mer data are ther­eby taken away from an inde­pen­dent entre­pre­neur wit­hout compensation?

3. does it con­sider that the respon­se to a noti­fi­ca­ti­on to the DPO within three and a half months on a mat­ter which, for the noti­fiers, is of the utmost importance for the sur­vi­val of their busi­nesses, has been suf­fi­ci­ent­ly rapid?

4. in its view, is it cor­rect for under­ta­kings – the­se are exclu­si­ve­ly small and medi­um-sized under­ta­kings – to be refer­red to pro­ce­e­dings befo­re the civil court in mat­ters of such fun­da­men­tal importance, which cle­ar­ly fall within the data pro­tec­tion officer’s remit?

State­ment of the Fede­ral Council

The initi­al situa­ti­on: In the con­text of the reor­ga­nizati­on of its agen­cy net­work, a car importer infor­med the cus­to­mers of a pre­vious agen­cy of its car brand that the brand agen­cy of its pre­vious gara­ge was with­drawn. At the same time, a new brand repre­sen­ta­ti­ve was pro­po­sed to the car owners. In the same let­ter, the car importer poin­ted out that the car owners could object to the trans­fer of their cus­to­mer data to the new brand repre­sen­ta­ti­ve. The que­sti­on aro­se as to whe­ther the car importer was entit­led to use the cus­to­mer data of its repre­sen­ta­ti­ve or to pass it on to a new repre­sen­ta­ti­ve, or whe­ther it had ther­eby vio­la­ted the Fede­ral Data Pro­tec­tion Act (FADP; SR 235.1).

The Fede­ral Data Pro­tec­tion Com­mis­sio­ner sta­ted the fol­lo­wing in his cla­ri­fi­ca­ti­on of the facts:

1. the gara­ge owner (pre­vious brand repre­sen­ta­ti­ve) has, with the con­sent of the car owners con­cer­ned, for­ward­ed their cus­to­mer data to the car importer for mar­ke­ting purposes.

2. the car importer infor­med the affec­ted car owners in wri­ting about the plan­ned trans­fer of cus­to­mer data to the new brand repre­sen­ta­ti­ve and the chan­ge of pur­po­se in data processing.

3. the importer has given the car owners the opti­on of oppo­sing the trans­fer of their cus­to­mer data to the new brand repre­sen­ta­ti­ve. If the data sub­jects do not make use of this opti­on, this is tan­ta­mount to impli­cit con­sent to the trans­fer of data.

4 The dis­clo­sure of cus­to­mer data by the importer to be asses­sed here was in prin­ci­ple in com­pli­ance with the DPA.

5 The DPA does not give the pre­vious brand repre­sen­ta­ti­ve any rights to tho­se cus­to­mer data that the lat­ter dis­c­lo­sed to the car importer in com­pli­ance with data pro­tec­tion law (i.e. with the con­sent of the data subjects).

About the questions:

1 No: The FADP does not impo­se any spe­cial for­mal requi­re­ments on a decla­ra­ti­on of con­sent. The con­sent of the data sub­ject, e.g. for the dis­clo­sure of cus­to­mer data, can be expli­cit or impli­cit. The requi­re­ments that the con­sent of the data sub­ject must meet in a spe­ci­fic indi­vi­du­al case are deter­mi­ned in par­ti­cu­lar by the sen­si­ti­vi­ty of the per­so­nal data pro­ce­s­sed. In the pre­sent case, the upper tra­ding level infor­med the cus­to­mers about the inten­ded dis­clo­sure of cus­to­mer data and gave them the oppor­tu­ni­ty to object to this dis­clo­sure within a cer­tain peri­od of time.

The cus­to­mer data in que­sti­on was not per­so­nal data requi­ring spe­cial pro­tec­tion. Accor­din­gly, the cus­to­mers’ express con­sent to the dis­clo­sure of their data was not neces­sa­ry. The tacit con­sent of a cus­to­mer can right­ly be regard­ed as valid con­sent within the mea­ning of the FADP.

2 If the lower level of trade for­wards the cus­to­mer data it has coll­ec­ted to the upper level of trade in com­pli­ance with data pro­tec­tion, the lower level of trade shall have no claims based on the DPA to be able to co-deter­mi­ne the data pro­ce­s­sing of the upper level of trade in the future.

Accor­ding to the Data Pro­tec­tion Act, only the data sub­jects, i.e. in this case the cus­to­mers, have rights to influence the pro­ce­s­sing by the data pro­ces­sor. From a data pro­tec­tion per­spec­ti­ve, the­r­e­fo­re, only the cus­to­mer can pro­hi­bit the dis­clo­sure of his or her infor­ma­ti­on to a new dis­tri­bu­tor, but not the lower tra­ding level. With the customer’s con­sent, dis­clo­sure by the upper tra­ding level is also per­mis­si­ble, even if it repres­ents a chan­ge in the ori­gi­nal pur­po­se of the processing.

The time requi­red to respond to an inquiry depends on the cla­ri­fi­ca­ti­on of the facts neces­sa­ry in the indi­vi­du­al case, on the one hand, and on the gene­ral workload in the Secre­ta­ri­at of the Fede­ral Data Pro­tec­tion Com­mis­sio­ner, on the other. The FADP (Art. 26) assu­res the Fede­ral Data Pro­tec­tion Com­mis­sio­ner that he can per­form his duties inde­pendent­ly. For this rea­son, the Fede­ral Coun­cil does not com­ment in prin­ci­ple on the dura­ti­on of fact-fin­ding inve­sti­ga­ti­ons car­ri­ed out by the Fede­ral Data Pro­tec­tion Commissioner.

The Fede­ral Data Pro­tec­tion Com­mis­sio­ner ack­now­led­ged his com­pe­tence from the out­set inso­far as the data pro­tec­tion aspects of the mat­ter were con­cer­ned. This is demon­stra­ted by the fact that he imme­dia­te­ly initia­ted the cla­ri­fi­ca­ti­ons of the facts pro­vi­ded for in the FADP and car­ri­ed out a com­pre­hen­si­ve assess­ment in terms of data pro­tec­tion law.

The Fede­ral Data Pro­tec­tion Com­mis­sio­ner does have the pos­si­bi­li­ty to issue recom­men­da­ti­ons based on his inve­sti­ga­ti­ons and to bring a case befo­re the Fede­ral Data Pro­tec­tion Com­mis­si­on for a decis­i­on (Art. 29 para. 3 – 4 FADP). In the pre­sent case, the Fede­ral Data Pro­tec­tion Com­mis­sio­ner did not con­sider it appro­pria­te to issue a recom­men­da­ti­on. Howe­ver, accor­ding to Artic­le 15 FADP, data sub­jects may also assert their rights under civil law.

Aut­ho­ri­ty

Area

Topics

Rela­ted articles

Sub­scri­be