datenrecht.ch

DSK: Progress report on the GDPR; proposals for facilitations and tightenings

The Conference of Independent Data Protection Supervisors of the Federal Government and the States (Data Protection Conference, DSK) adopted, on November 6, 2019, a report on the experience gained in applying the GDPR. The DSK reaches the following conclusions and recommendations, among others:

  • The GDPR has proven itself in principle. In some areas, however, questions arise about its everyday suitability (e.g., with regard to the obligation to provide information). Here the authorities favor individual facilitations in the offline area, especially for verbal or telephone contacts or when taking an order or a business card or entering an appointment; staged (layered) information should suffice in such cases. The authorities propose inserting a new paragraph into Art. 13 GDPR, with wording strongly reminiscent of "recognizability" as defined in the Swiss Data Protection Act:

    The information referred to in paragraphs 1 and 2 shall be provided only on request of the data subject, insofar as the controller carries out data processing operations that the data subject, according to the specific circumstances, expects or must expect, and

    1. both the disclosure of data to other entities and the transfer to third countries are excluded,
    2. no data are processed that fall under Art. 9 GDPR,
    3. the data are not processed for direct marketing purposes, and
    4. neither profiling nor automated decision-making takes place.
      The data subject shall be informed of this possibility.
  • The principle of Data Protection by Design is hardly ever implemented in practice: "The GDPR should therefore also oblige software manufacturers to comply with this design principle that promotes data protection. In practice, this applies in particular to manufacturers of complex software such as operating systems, database management systems, standard office packages or very specialized applications." The DSK therefore proposes to include a new legal definition of "manufacturer" and to subject manufacturers expressly to corresponding obligations in Art. 24 GDPR, by way of a new Art. 24 para. 4:

    4) The manufacturer develops and designs its products, services and applications, taking into account the right to data protection and the state of the art, in such a way as to ensure that controllers and processors are able to comply with their data protection obligations without having to make unreasonable changes to those products, services and applications. It supports them in drawing up the record of processing activities (Art. 30), in notifying a personal data breach (Art. 33) and in notifying data subjects (Art. 34) by providing them, upon request, with all the information necessary to do so.
    Accordingly, the manufacturer should also be able to be the addressee of enforcement measures and liability claims (amendments to Art. 79 and 82).

  • The Data Protection Conference calls for a tightening of the legal framework for profiling, because the "process of profiling as such is not covered by most of the norms of the GDPR, which address only the use of the data, e.g. for automated decision-making, so that an assessment can usually only be made under the general provisions of Art. 6 GDPR".
  • With regard to the right to information, it would be desirable to clarify whether and to what extent a "right to a copy" exists.
  • For data breach notification, the obligation to notify the authorities should also apply where a breach of data security has been established but it is only suspected, and not certain, that this also constitutes a breach within the meaning of Art. 12 No. 4 GDPR (e.g., unauthorized access). In this case, however, a reporting obligation should apply only if the security breach leads to a "high" risk for the persons concerned.
  • On purpose limitation, the question arises whether a further purpose that is compatible with the original purpose needs its own legal basis or – as a result of the compatibility – can be based directly on the legal basis of the initial purpose. Here the DSK calls for clarification that the secondary purpose needs its own legal basis. For this purpose, recital 50 sentence 2 should be deleted ("In this case, no separate legal basis is required other than that for the collection of the personal data").
  • For direct marketing, a separate legal basis or balancing of interests should be included in the GDPR.
  • On profiling, the legal framework needs to be tightened: "To this end, the prohibition of automated individual decision-making in Art. 22 GDPR should be extended to include data processing for profiling purposes. The only legal basis for profiling – in addition to a special legal basis – is to be consent or a contract. This ensures that profiling only takes place if the data subject is aware of it and consents to it."

The document contains a list of further proposed changes.
