Update August 7, 2016: The judgment was published in sic! 2016, 387 ff., with the keyword “Whistleblowing Reporting Office”.
The BVGer obliges the Swiss Federal Audit Office to declare its data files in connection with the reports it receives as a whistleblowing reporting office in accordance with DPA 11a II, and it must draw up processing regulations in accordance with DPA 21. The concept of data collection was the main point of contention.
The judgment is final; the Federal Supreme Court has responded to the SFAO’s appeal (see the NZZ) did not occur (1C_66/2015).
5.4.1 According to the message, the data collection should be a set of data relating to more than one person. The data collection can be organized and structured in very different ways. The decisive factor is that the data belonging to a particular person can be found (Federal Council Message of 23 March 1988 on the FADP, BBl 1988 II 413, 447 et seq. [hereinafter: Message on the FADP]). In the doctrine, in connection with the criterion of accessibility, the view is sometimes expressed that data collection is a comparably open definition, so that even data sets that were not created as data collections per se and do not have their own recognizable purpose, such as the hard drive of a PC or the Internet per seHowever, data that can be indexed by person on the basis of the technical possibilities are to be qualified as data collections. In this sense, any electronic data carrier, such as a hard disk, a floppy disk or a CD-ROM, would qualify as a carrier medium of a data file, provided it serves to store personal data and personal access is possible by means of a corresponding program, which is the standard case with office programs. Thus, a collection of electronically stored text documents regularly constitutes a data file within the meaning of the FADP. Therefore, only disorganized and scattered files of paper documents could not be considered data collections (cf. Blechta, BSK DSG/BGÖ, n. 81 on Art. 3 FADP).
This broad understanding of the legal definition of Art. 3(g) DPA is rightly criticized in the literature: With today’s search programs, it is usually possible to search the contents of all hard disks for a person’s name, for example. Moreover, it is also likely that personal data is present on numerous hard disks. However, it will hardly have been the intention of the legislator – nor does it correspond to the meaning and purpose of the Data Protection Act – that with a broad interpretation of the term, numerous data sets, such as the hard disks of computers, are considered to be data collections, with the consequence that these are subject, for example, to the right of information under Art. 8 FADP or – as here – to the obligation to register under Art. 11a FADP. (cf. Rosenthal, Handkommentar DSG, para. 82 on Art. 3 DSG). Rosenthal therefore wants the term to be understood more narrowly and therefore sets out the following requirements that must be met cumulatively in order to speak of a data collection within the meaning of the FADP: It must be personal data of more than one person act. These must held and – by necessity – from the more than one data set exist to be considered a collection. Furthermore, the categories of personal data that occur in the data collection must be pre to define in a general-abstract way. The individual records must have a thematic, logical context and the collection a certain Resistance have. Finally, the personal data must be broken down by data subject. accessible be. A data collection then only covers data files to the extent that they are factually subject to a Unified rule (cf. Rosenthal, Handkommentar DSG, para. 83 ff. on Art. 3 DSG).
5.4.2 Whether these criteria should be adhered to in the final analysis can be left open at this point.; as will be seen, the present is so or otherwise to be assumed from data collections within the meaning of the law.