Question Hutter (04.1064): Disclosure and use of customer data by a higher level of trade
Submitted text
In a letter dated January 14, 2004, the Federal Data Protection Commissioner stated that no further measures were required with regard to a report from merchants at a lower level of trade concerning the disclosure of customer data by the upper level of trade, as no serious violation of data protection regulations could be identified.
I ask the Federal Council:
1. is he of the opinion that the disclosure of customer data by an upper trading level in a vertical distribution system, without the express consent of the customers, is not a serious breach of data protection law and that no measures are necessary?
2. is it of the opinion that the use of customer data for a purpose quite different from that for which it must be passed on to an upper trading level in a vertical distribution system does not constitute a serious breach of data protection law? This in particular in view of the fact that customer data are thereby taken away from an independent entrepreneur without compensation?
3. does it consider that the response to a notification to the DPO within three and a half months on a matter which, for the notifiers, is of the utmost importance for the survival of their businesses, has been sufficiently rapid?
4. in its view, is it correct for undertakings – these are exclusively small and medium-sized undertakings – to be referred to proceedings before the civil court in matters of such fundamental importance, which clearly fall within the data protection officer’s remit?
Statement of the Federal Council
The initial situation: In the context of the reorganization of its agency network, a car importer informed the customers of a previous agency of its car brand that the brand agency of its previous garage was withdrawn. At the same time, a new brand representative was proposed to the car owners. In the same letter, the car importer pointed out that the car owners could object to the transfer of their customer data to the new brand representative. The question arose as to whether the car importer was entitled to use the customer data of its representative or to pass it on to a new representative, or whether it had thereby violated the Federal Data Protection Act (FADP; SR 235.1).
The Federal Data Protection Commissioner stated the following in his clarification of the facts:
1. the garage owner (previous brand representative) has, with the consent of the car owners concerned, forwarded their customer data to the car importer for marketing purposes.
2. the car importer informed the affected car owners in writing about the planned transfer of customer data to the new brand representative and the change of purpose in data processing.
3. the importer has given the car owners the option of opposing the transfer of their customer data to the new brand representative. If the data subjects do not make use of this option, this is tantamount to implicit consent to the transfer of data.
4 The disclosure of customer data by the importer to be assessed here was in principle in compliance with the DPA.
5 The DPA does not give the previous brand representative any rights to those customer data that the latter disclosed to the car importer in compliance with data protection law (i.e. with the consent of the data subjects).
About the questions:
1 No: The FADP does not impose any special formal requirements on a declaration of consent. The consent of the data subject, e.g. for the disclosure of customer data, can be explicit or implicit. The requirements that the consent of the data subject must meet in a specific individual case are determined in particular by the sensitivity of the personal data processed. In the present case, the upper trading level informed the customers about the intended disclosure of customer data and gave them the opportunity to object to this disclosure within a certain period of time.
The customer data in question was not personal data requiring special protection. Accordingly, the customers’ express consent to the disclosure of their data was not necessary. The tacit consent of a customer can rightly be regarded as valid consent within the meaning of the FADP.
2 If the lower level of trade forwards the customer data it has collected to the upper level of trade in compliance with data protection, the lower level of trade shall have no claims based on the DPA to be able to co-determine the data processing of the upper level of trade in the future.
According to the Data Protection Act, only the data subjects, i.e. in this case the customers, have rights to influence the processing by the data processor. From a data protection perspective, therefore, only the customer can prohibit the disclosure of his or her information to a new distributor, but not the lower trading level. With the customer’s consent, disclosure by the upper trading level is also permissible, even if it represents a change in the original purpose of the processing.
The time required to respond to an inquiry depends on the clarification of the facts necessary in the individual case, on the one hand, and on the general workload in the Secretariat of the Federal Data Protection Commissioner, on the other. The FADP (Art. 26) assures the Federal Data Protection Commissioner that he can perform his duties independently. For this reason, the Federal Council does not comment in principle on the duration of fact-finding investigations carried out by the Federal Data Protection Commissioner.
The Federal Data Protection Commissioner acknowledged his competence from the outset insofar as the data protection aspects of the matter were concerned. This is demonstrated by the fact that he immediately initiated the clarifications of the facts provided for in the FADP and carried out a comprehensive assessment in terms of data protection law.
The Federal Data Protection Commissioner does have the possibility to issue recommendations based on his investigations and to bring a case before the Federal Data Protection Commission for a decision (Art. 29 para. 3 – 4 FADP). In the present case, the Federal Data Protection Commissioner did not consider it appropriate to issue a recommendation. However, according to Article 15 FADP, data subjects may also assert their rights under civil law.
The initial situation: In the context of the reorganization of its agency network, a car importer informed the customers of a previous agency of its car brand that the brand agency of its previous garage was withdrawn. At the same time, a new brand representative was proposed to the car owners. In the same letter, the car importer pointed out that the car owners could object to the transfer of their customer data to the new brand representative. The question arose as to whether the car importer was entitled to use the customer data of its representative or to pass it on to a new representative, or whether it had thereby violated the Federal Data Protection Act (FADP; SR 235.1).
The Federal Data Protection Commissioner stated the following in his clarification of the facts:
1. the garage owner (previous brand representative) has, with the consent of the car owners concerned, forwarded their customer data to the car importer for marketing purposes.
2. the car importer informed the affected car owners in writing about the planned transfer of customer data to the new brand representative and the change of purpose in data processing.
3. the importer has given the car owners the option of opposing the transfer of their customer data to the new brand representative. If the data subjects do not make use of this option, this is tantamount to implicit consent to the transfer of data.
4 The disclosure of customer data by the importer to be assessed here was in principle in compliance with the DPA.
5 The DPA does not give the previous brand representative any rights to those customer data that the latter disclosed to the car importer in compliance with data protection law (i.e. with the consent of the data subjects).
About the questions:
1 No: The FADP does not impose any special formal requirements on a declaration of consent. The consent of the data subject, e.g. for the disclosure of customer data, can be explicit or implicit. The requirements that the consent of the data subject must meet in a specific individual case are determined in particular by the sensitivity of the personal data processed. In the present case, the upper trading level informed the customers about the intended disclosure of customer data and gave them the opportunity to object to this disclosure within a certain period of time.
The customer data in question was not personal data requiring special protection. Accordingly, the customers’ express consent to the disclosure of their data was not necessary. The tacit consent of a customer can rightly be regarded as valid consent within the meaning of the FADP.
2 If the lower level of trade forwards the customer data it has collected to the upper level of trade in compliance with data protection, the lower level of trade shall have no claims based on the DPA to be able to co-determine the data processing of the upper level of trade in the future.
According to the Data Protection Act, only the data subjects, i.e. in this case the customers, have rights to influence the processing by the data processor. From a data protection perspective, therefore, only the customer can prohibit the disclosure of his or her information to a new distributor, but not the lower trading level. With the customer’s consent, disclosure by the upper trading level is also permissible, even if it represents a change in the original purpose of the processing.
The time required to respond to an inquiry depends on the clarification of the facts necessary in the individual case, on the one hand, and on the general workload in the Secretariat of the Federal Data Protection Commissioner, on the other. The FADP (Art. 26) assures the Federal Data Protection Commissioner that he can perform his duties independently. For this reason, the Federal Council does not comment in principle on the duration of fact-finding investigations carried out by the Federal Data Protection Commissioner.
The Federal Data Protection Commissioner acknowledged his competence from the outset insofar as the data protection aspects of the matter were concerned. This is demonstrated by the fact that he immediately initiated the clarifications of the facts provided for in the FADP and carried out a comprehensive assessment in terms of data protection law.
The Federal Data Protection Commissioner does have the possibility to issue recommendations based on his investigations and to bring a case before the Federal Data Protection Commission for a decision (Art. 29 para. 3 – 4 FADP). In the present case, the Federal Data Protection Commissioner did not consider it appropriate to issue a recommendation. However, according to Article 15 FADP, data subjects may also assert their rights under civil law.