Hannes Meyle, Anne-Sophie Morand and David Vasella
At its meeting on August 31, 2022, the Federal Council adopted the new Data Protection Ordinance (DSV) and the new Ordinance on Data Protection Certifications (VDSZ). The Federal Council has thus made use of its authority to issue implementing provisions for the revised Data Protection Act (nDSG).
The draft ordinance (E‑VDSG) contained numerous provisions that went further than the nDSG in terms of content and would have had drastic effects (we have reported). The E‑VDSG was therefore subject to harsh criticism during the consultation process. The Federal Council has not taken the criticism into account on all points, but some important improvements have been achieved. For an overview, we have already published a comparison table (available here as a PDF).
This article deals with the content of the DSV and explains key points of its final version and the main changes compared to the E‑VDSG.
Data security (Section 1, Art. 1 – 6 DSV)
An intentional violation of the minimum requirements for data security may, upon complaint, be punished with a fine of up to CHF 250,000 pursuant to Art. 61 lit. c nDSG. The Federal Council was thereby instructed to determine the minimum requirements for data security (Art. 8 para. 3 nDSG). The corresponding provisions of the DSV are therefore of great importance for controllers and processors. However, a closer look shows that Art. 1 – 6 DSV do not specify any such requirements, because on this point the DSV is not aligned with the nDSG but is based on the current concept of data security under the DSG.
The DSV does not contain any minimum requirements for data security within the meaning of the nDSG
Art. 8 and Art. 5 lit. h nDSG define data security more narrowly than Art. 7 DSG
The Federal Council is mandated under Art. 8 para. 3 nDSG to enact minimum requirements for “data security”. What data security is follows from Art. 5 lit. h nDSG, which contains the legal definition of a data security breach:
a breach of security that results in personal data being inadvertently or unlawfully lost, deleted, destroyed, or altered, or disclosed or made available to unauthorized persons;
Compared with Art. 5 lit. h nDSG, today’s DSG is based on a much broader understanding of data security. Art. 7 DSG:
1 Personal data must be protected against unauthorized processing by appropriate technical and organizational measures.
2 The Federal Council shall issue more detailed provisions on the minimum requirements for data security.
Accordingly, the current DSG understands data security as the totality of measures against unauthorized processing, while the nDSG understands it only as measures against data loss and other security breaches in the true sense, i.e. in the sense of security.
The nDSG has not, of course, abandoned the concern that data protection compliance should be proactively ensured in general, but it no longer sees this as part of data security; rather, it assigns it to the principle of privacy by design under Art. 7 para. 1 and 2 nDSG. Art. 7 para. 1 nDSG (and not Art. 8 para. 1 nDSG) therefore also largely corresponds to Art. 7 para. 1 DSG:
Art. 7 para. 1 DSG: Personal data must be protected against unauthorized processing by appropriate technical and organizational measures.
Art. 7 para. 1 nDSG: The controller is obliged to design the data processing technically and organizationally in such a way that the data protection regulations are complied with, in particular the principles according to Article 6. He takes this into account from the planning stage.
The legislator was aware of this change in the concept of data security. The dispatch on Art. 8 nDSG (data security) states:
Article [8] obligates both the controller and the processor to provide an appropriate security architecture for their systems and to protect them, for example, against malware or data loss. Article 7(1), on the other hand, aims to ensure compliance with data protection regulations by technical means, e.g., that data processing remains proportionate.
The legislator has thus deliberately distinguished data security from general data protection and assigned the latter to the principle of privacy by design. Incidentally, the dispatch on Art. 8 nDSG explicitly refers in this context to Art. 32 GDPR (“Security of processing”) – and not to Art. 5 GDPR (“Principles relating to processing of personal data”).
Lack of distinction between data security and data protection in DSV
Unfortunately, the Federal Council has nevertheless based itself on today’s VDSG. This probably seemed obvious, since Art. 7 para. 2 DSG already provides that the Federal Council shall issue “more detailed provisions on the minimum requirements for data security”. On this basis, the Federal Council had issued provisions on TOMs, logging, processing regulations and disclosure of data in Section 4 of the VDSG.
The Federal Council has now simply declared the data security provisions of the current VDSG – with adjustments (see our comparison table, PDF) – to be minimum requirements whose violation is punishable, and says about this:
With the provisions on data security, the Federal Council fulfils the legal mandate pursuant to Article 8 paragraph 3 nDSG. The penal provision in Article 61 letter c nDSG is also linked to these minimum requirements. The level of security that must be maintained so that the criminal standard is not violated is determined by the principles and criteria of this section.
However, the Federal Council did not consider, or deliberately neglected, the new and conceptually narrower understanding of data security in the nDSG. As explained, it is no longer about unauthorized processing at all, but solely about preventing a breach of security.
If the Federal Council had considered how the nDSG conceives of data security, it would have had to triage between the provisions of the VDSG that regulate data security in the strict sense and those that pursue general data protection concerns. This is because Art. 7 nDSG – privacy by design – does not give the Federal Council any competence to legislate.
The Federal Council has failed to do so. It has therefore exceeded its regulatory competence by not taking into account that the principle of privacy by design in the nDSG has absorbed a large part of what is data security under today’s law, and that the competence to implement the data security requirements is accordingly much narrower.
No regulation of data security in the DSV
Thus, in classifying the provisions of Art. 1 – 6 DSV, it is necessary to proceed as follows:
- First, it must be asked in each case whether the provision in question serves data security under the new law or the principle of privacy by design.
- Second, a distinction must be made between a general specification of data security – which the Federal Council may carry out even without express legal authorization, but only in concretizing terms – and the determination of actual minimum requirements within the meaning of Art. 8 para. 3 and Art. 61 lit. c nDSG. Minimum requirements answer the “what” (concrete measures as the result of a weighing), while a general specification of data security answers the “how” (the procedure for that weighing).
- Third, in the case of minimum data security requirements within the meaning of the nDSG – if they exist – the question is whether they are formulated concretely enough to withstand Art. 1 of the Criminal Code and the unwritten constitutional principle of “nulla poena sine lege (certa)”.
Such an examination leads to the conclusion that Art. 1 – 6 DSV do not contain any minimum requirements for data security. All of these provisions are programmatic in nature or serve the principle of privacy by design.
In detail:
Art. 1 DSV (Principles)
This provision establishes principles to be followed by the controller and the processor when establishing an adequate level of protection and determining appropriate measures for this purpose. As the explanatory report rightly states, the provision concerns data security. However, it contains programmatic principles and no concrete requirements for data security, let alone minimum requirements. In this sense, the provision is not justiciable: even viewed in the most favourable light, Art. 1 DSV contains no minimum requirements, but only general instructions on how the controller is to proceed when determining security measures. As already mentioned, the Federal Council may make such a specification, but not on the basis of Art. 8 para. 3 nDSG.
If the controller does not proceed as provided for in Art. 1 DSV – for example, if it does not determine the need for protection lege artis, does not take relevant factors into account in the risk assessment, or does not review its measures on an ongoing basis – this therefore does not indicate a violation of minimum requirements for data security:
- On the one hand, Art. 1 DSV does not provide for any minimum requirements regarding the “what”, but only specifies the “how”.
- On the other hand, a controller or processor can also take strong measures without reflection and thereby achieve adequate security. This is in fact often the case when a robust security measure is applied across a system in which different categories of data are processed that would each call for different security measures.
Overall, it is therefore not apparent how a violation of Art. 1 DSV could be punishable under Art. 61 lit. b in conjunction with Art. 8 para. 3 nDSG.
Art. 2 DSV (Objectives)
This provision formulates security objectives – according to a common, though not the only, classification – and is thus primarily to be assigned to data security as defined in Art. 8 nDSG. These protection goals are taken up again in Art. 3 DSV.
However, Art. 2 lit. d DSV provides for the protection goal of traceability. Strictly speaking, this is not necessarily a data security measure within the meaning of Art. 8 in conjunction with Art. 5 lit. g nDSG, because it does not – at least not directly – serve to prevent personal data from being unintentionally or unlawfully lost, deleted, destroyed or modified, or from being disclosed or made accessible to unauthorized persons. Indirectly, traceability may serve these goals, because without it breaches that have occurred can only be remedied with difficulty. In itself, however, traceability is more about accountability.
The objectives of the DSV thus correspond to those of the Information Security Act (see Art. 6 para. 2 ISG; cf. here), as requested in the consultation procedure. However, Art. 2 DSV is of a programmatic and non-justiciable nature. A requirement for specific TOMs cannot be derived from it, let alone a minimum requirement. Here, too, it is therefore not apparent how a violation could be punishable.
Art. 3 DSV (TOMs)
Art. 3 DSV contains requirements for technical and organizational measures (TOMs) and thus specifies data security. The provision is based on the protection goals according to Art. 2 DSV: confidentiality, availability, integrity and traceability. However, Art. 3 DSV also contains no minimum requirements, but merely concretizes these protection goals.
Minimum requirements could at most be inferred from Art. 3 DSV because, according to its wording, confidentiality, availability, integrity and traceability are “to be ensured”. The current Art. 9 VDSG, on the other hand, states that measures are to be taken “that are suitable” “to meet” the protection goals. If the word “ensure” were understood absolutely, every violation of a protection goal would be proof that a corresponding measure was missing. However, this cannot be what is meant. The risk-based approach is undisputed, and the word “ensure” must in this sense be interpreted as “strive for”.
Art. 3 DSV is thus also programmatic in nature. It is to be read together with Art. 1 and 2 DSV as a whole that concretizes the concept of data security. Minimum security requirements, however, are not specified. Overall, therefore, Art. 3 DSV cannot be punishable either.
Furthermore, controllers and processors do not have to structure their technical and organizational measures (TOMs) according to the structure of Art. 3 DSV. Cf. e.g. the explanatory report:
It is quite conceivable that not every protection goal is relevant in every case. However, if a protection goal is not relevant in a case, the controller and processor must be able to justify why this is the case.
It is clear that this does not reverse the burden of proof, neither in civil nor in administrative nor in criminal proceedings. The Federal Council would not have had the authority to do so.
Art. 4 DSV (Logging)
The assignment of Art. 4 DSV to data security or to privacy by design is not easy at first glance. “Logging” sounds technical and thus like data security, but it would be a fundamental misunderstanding to assign all technical measures to data security in the strict sense – privacy by design, i.e. compliance with data protection law in general, can also be secured with technical measures.
According to the explanatory report, logging is primarily a matter of accountability rather than data security:
Logging constitutes a measure within the meaning of Article 3 DPA. This takes into account the fact that Swiss law, unlike the GDPR, does not provide for a general “accountability obligation”. Moreover, logging is also recommended by certain European data protection authorities. Furthermore, logging is a classic, preventive means of ensuring cybersecurity.
This is also reflected in the fact that, according to Art. 4 DSV, logging is only required when
the preventive measures cannot ensure data protection …, in particular if … it cannot otherwise be determined retrospectively whether the data were processed for the purposes for which they were obtained or disclosed.
So it is about purpose limitation and, in general, about ensuring “data protection”. This is not a question of data security. That this is the goal of Art. 4 DSV is also clear from a historical perspective. Art. 4 DSV takes over today’s Art. 10 VDSG, as the explanatory report states:
Logging is governed by Article 10 of the VDSG, which also applies to federal bodies due to the reference in the first sentence of Article 20(1) of the VDSG. Article 4 adopts this regulation in amended form.
Art. 10 VDSG was explained by the Federal Office of Justice in its Commentary on the VDSG as follows:
In particular, the aim is to control that the data are not used for unforeseen or incompatible purposes. The risk of misappropriation increases when the information system in which the data is stored is made accessible to a large number of users or is physically or visually linked to other data collections. It is not necessary to log everything. In this context, the principle laid down in Art. 8 must also be taken into account and the principle of proportionality must be applied (Art. 4 para. 2 FADP and Art. 8 para. 2 FADP). The protocols are used to verify compliance with data protection regulations.
The legislative history of Art. 4 DSV thus also clearly shows that logging is intended to ensure purpose limitation – and not data security in the strict sense. Thus, logging is not a data security issue, and failure to log cannot be a criminal offence.
It cannot be ruled out, however, that logging as a traceability measure may indirectly also serve data security in the true sense. Criminal liability would then, however, require the prosecuting authority to prove in the individual case that the logging was necessary for data security in the actual sense and that the controller or the processor, or the persons acting on their behalf, were aware of this, at least in outline.
Art. 5 and 6 DSV (Processing Regulations)
The processing regulations are also taken over from the VDSG (Art. 11 for private persons and Art. 21 for federal bodies). Again, this is not a matter of data security but of accountability. The Federal Council states this explicitly in the explanatory report:
Processing regulations had to be drawn up by the “controller of an automated data file subject to notification” under Article 11a (3) FADP who was not exempt from the obligation to notify his data files on the basis of Article 11a (5) letters b‑d FADP (Art. 11 (1) FADP). Since the notification obligation for private data controllers (Art. 11a FADP) no longer exists in the nDSG, Article 11 FADP cannot be adopted unchanged. According to the principle of accountability provided for in the GDPR, the controller must be able to demonstrate compliance with the principles of data processing (Art. 5 para. 2 GDPR). Swiss law does not have a general duty to render account (“accountability”), but the obligation to create processing regulations fulfils the same purpose.
Although the obligation to prepare processing regulations is tied to an increased risk, this does not make it a security duty; it merely shows that the risk-based approach applies not only to data security in the strict sense but to proactive compliance in general. This is also shown by the dispatch on Art. 7 nDSG (including privacy by design):
Paragraph 2 specifies the requirements for the precautions according to paragraph 1. These must in particular … be appropriate. … The standard expresses the risk-based approach.
The Federal Council overlooks this when it refers to data security – and not accountability – at this point in the explanatory report without further elaboration.
Further comments on individual provisions
Art. 1 Principles
Risk-based approach
According to Art. 1 para. 1 DSV, the technical and organizational measures must be appropriate in relation to the risk for the personal data actually processed. This requires an assessment of the need for protection. Art. 1 para. 2 DSV contains criteria for this, and Art. 1 para. 3 DSV contains criteria for assessing the risk. Art. 1 DSV refers to the risk for the personal data but certainly means the risk for the data subjects. This is a big difference, because a high risk for harmless data can mean a low risk for data subjects. The criteria of Art. 1 DSV express the risk-based approach to prospective compliance (see also here): security measures must be adequate, not less, but also not more. The explanatory report:
The need for protection is assessed on the basis of the type of data processed and the purpose, nature, scope and circumstances of the data processing. In particular, this involves the level of protection that must be ensured in view of the risk to the personal and fundamental rights of the data subjects. The higher the need for protection, the stricter the requirements for the measures.
Importance of costs
In the consultation, the rule of Art. 1 para. 4 DSV was also discussed, according to which the “implementation costs”, among other things, must be taken into account when determining the technical and organizational measures. More precisely: Art. 1 DSV requires “appropriate” data security. For this, “appropriate” measures are to be determined, and the costs in turn play a role in this.
The concept of “costs” was criticized in the consultation as being too narrow. The explanatory report now states the following:
The term “costs” is to be understood in a broad sense. It is not limited to financial costs, but also includes the necessary human and time resources.
So far so good – but:
In particular, controllers and processors may not exempt themselves from the obligation of adequate data security on the grounds that it involves excessive costs; rather, they must in any case be able to ensure adequate data security.
This is wrong. If this were so, i.e. if costs did not matter until adequate security was achieved, costs would never matter: more than adequate security is never required, and up to that point costs would be of no consequence. They could only be a factor in selecting between possible measures of equal effect. The explanatory report even says so, but that would be a matter of course that needs no regulation.
Correctly understood, the costs are already a factor in determining whether the data security achieved is appropriate. This is recognized in the GDPR, and the Federal Council explicitly does not want any data security requirements that exceed those of the GDPR (explanatory report: “[…] so that Swiss companies that […] ensure data security that is compliant with the GDPR can also assume that they meet the minimum requirements in Switzerland.”). As a result, it is therefore not a violation of data security – and cannot be punishable – if the controller or the processor also takes the costs, among other things, into account when determining the appropriate data security and the appropriate measures.
The review of the security measures was also discussed. The DSV no longer requires, as the E‑VDSG did, that the measures be reviewed “at appropriate intervals”, but that they be reviewed “over the entire processing period”. According to the explanatory report, this means:
The need for review depends in particular on the hazard situation […]: The higher it is, the more frequently the measures must be regularly reviewed. The new formulation goes in the direction of a constant review. However, it leaves the person responsible and the order processor a large margin of discretion. A review may also be necessary if there has been a breach of data security or if the processing of personal data has been adapted.
However, failure to check the measures cannot in itself constitute a breach of the minimum data security requirements and accordingly cannot lead to a fine (see above).
Art. 4 – 6 Logging and processing regulations
Preliminary remarks
It has already been stated above that the logging obligations and the processing regulations are not about data security issues, but about general obligations under data protection law (accountability or privacy by design). Independent of their legal nature, these obligations presuppose increased risks in each case, namely that
- particularly sensitive personal data is processed automatically on a large scale, or
- high-risk profiling is performed.
In the case of logging, a negative condition is that the “preventive measures cannot guarantee data protection”.
What is “automated processing”?
It is initially unclear what constitutes automated processing of personal data. The explanatory report does not address this requirement, although the question was already raised in the consultation process. It is therefore probably necessary to refer back to the nDSG. However, this leaves open in particular whether it is sufficient for the processing in question to be carried out with the help of computer-aided techniques, or whether it must be carried out exclusively by automated means. Unfortunately, the explanatory report does not provide any practical examples or further information.
However, a restrictive element must not be interpreted in such a way that it no longer restricts anything. The mere use of a computer cannot therefore be sufficient, because even index cards with patient data are certainly no longer processed exclusively by hand on a large scale. Exclusively automated processing must therefore be required.
Processing of personal data worthy of protection on a large scale
The element of processing sensitive personal data “on a large scale”, as required by Art. 4 DSV, is also not defined. The explanatory report states in connection with Art. 5 DSV that merely “isolated” processing of sensitive personal data is not covered and that “in particular ‘traditional’ SMEs” are not affected. However, with regard to Art. 24 DSV (exception from the processing register, see below), the explanatory report goes on to state that processing of sensitive data is considered extensive if it involves large amounts of data or a large number of persons. This should also apply here (whatever that means in the end).
… “preventive measures do not ensure data protection”.
The logging obligation of Art. 4 para. 1 DSV also presupposes, as does the current VDSG, that “the preventive measures cannot ensure data protection”. That this shows the issue to be not data security but general data protection, and thus privacy by design, has already been explained above.
The explanatory report then states that this element is “of secondary importance”, “as preventive measures rarely ensure data protection”. That is an astonishing statement. If it means that preventive measures can never guarantee compliance with data protection with absolute certainty, that is of course correct – after all, the risk-based approach applies. But then what is the point of the element that data protection is not ensured?
After all, Art. 4 para. 1 DSV states that logging must take place in particular “if it cannot otherwise be determined after the fact whether the data were processed for the purposes for which they were obtained or disclosed”. This must probably simply be interpreted to mean that logging is required, where the other conditions are met, if it is reasonably necessary within the framework of an overall assessment from a privacy by design perspective.
In doing so, the controller – the processor can hardly carry out this weighing itself – has a great deal of discretion.
Logging with federal bodies
A stricter regulation applies to federal bodies: according to Art. 4 para. 2 DSV, federal bodies and their processors (including private processors, which, as auxiliary persons, do not themselves become federal bodies but are here selectively subjected to the same regulation) must log, for any automated processing, at least the storage, modification, reading, disclosure, deletion and destruction of the data.
According to Art. 4 para. 3 DSV, the scope of the logging obligation depends on whether the personal data in question is publicly accessible or not:
- In the case of publicly accessible personal data, according to Art. 4 para. 1 and 2 DSV, “at least the storage, modification, deletion and destruction of the data must be logged”.
- In all other cases, the reading and disclosure must also be logged.
This provision, i.e. Art. 4 para. 3 DSV, is likely to refer only to processing by federal bodies (para. 2) and not also to that by private persons (para. 1).
Furthermore, in the case of federal bodies – but only in their case – a transitional provision applies (Art. 46 DSV): insofar as processing by a federal body is not Schengen-relevant, the special logging obligation of Art. 4 para. 2 DSV does not apply until 1 September 2026 or until the end of the system’s life cycle (whichever comes first). In the meantime, the logging regime for private persons applies.
Scope of the logging obligation
Art. 4 para. 4 DSV regulates the minimum information that logging must capture, namely the identity of the person who processed the data and of any recipients, as well as the type, date and time of processing. Software and system providers will have to offer corresponding functions so that controllers and processors can comply with data protection regulations.
Art. 4 para. 5 DSV contains specifications on the storage and accessibility of the logs. In contrast to the wording of the current VDSG, the retention period is no longer exactly one year but “at least” one year; logs may therefore also be retained for longer.
Unfortunately, the special ban on using logs for other purposes was retained: logs may only be used to “verify the application of data protection rules or to maintain or restore the confidentiality, integrity, availability and traceability of data”. This, too, does not serve data security and remains contrary to federal law. The legislator has no competence to restrict the general principles – namely the freedom of the controller to determine the purpose of processing through transparency. Logs may therefore continue to be used for other purposes, contrary to the text of the ordinance, e.g. in the context of an internal investigation.
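To make the logging requirements of Art. 4 para. 2 – 5 DSV discussed above concrete for anyone who has to build or configure a logging component, here is an added example in Python; it is not code from the article or from any Swiss authority. It decides which operations a federal body must log depending on whether the data is publicly accessible (para. 2 and 3), validates that each log entry carries the para. 4 minimum content (identity of the processing person, recipients, type, date and time), and flags entries that have reached the one-year minimum retention of para. 5. The operation identifiers, the reading of “at least one year” as 365 days, the reduction of the private regime of para. 1 to a single “preventive measures cannot ensure data protection” flag, and all sample entries are this example’s own assumptions.

```python
"""Constructed example of the Art. 4 DSV logging minima; not the article's code."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Processing operations named in Art. 4 para. 2 DSV (identifiers are this example's own).
ALL_OPERATIONS = frozenset({"store", "modify", "read", "disclose", "delete", "destroy"})
# Art. 4 para. 3 DSV: for publicly accessible personal data, reading and disclosure
# need not be logged; the other four operations must be.
PUBLIC_DATA_OPERATIONS = frozenset({"store", "modify", "delete", "destroy"})

# Art. 4 para. 5 DSV: logs are kept for "at least" one year (assumption: 365 days).
MIN_RETENTION = timedelta(days=365)


def required_operations(publicly_accessible: bool) -> frozenset[str]:
    """Operations a federal body must log (Art. 4 para. 2 and 3 DSV)."""
    return PUBLIC_DATA_OPERATIONS if publicly_accessible else ALL_OPERATIONS


def must_log(operation: str, *, federal_body: bool, publicly_accessible: bool = False,
             preventive_measures_sufficient: bool = True) -> bool:
    """Decide whether one operation on personal data has to be logged.

    federal_body=True applies Art. 4 para. 2 and 3 DSV. federal_body=False models the
    private regime of para. 1 as the article reads it: logging is required when the
    preventive measures cannot ensure data protection. Reducing that legal assessment
    to a boolean is a simplification made for this example.
    """
    if operation not in ALL_OPERATIONS:
        raise ValueError(f"unknown operation: {operation}")
    if federal_body:
        return operation in required_operations(publicly_accessible)
    return not preventive_measures_sufficient


@dataclass(frozen=True)
class LogEntry:
    """Minimum content per Art. 4 para. 4 DSV: who processed, which recipients,
    what type of processing, and when (date and time)."""
    processor_id: str
    operation: str
    timestamp: datetime
    recipients: tuple[str, ...] = ()

    def __post_init__(self) -> None:
        if not self.processor_id:
            raise ValueError("the identity of the processing person is mandatory")
        if self.operation not in ALL_OPERATIONS:
            raise ValueError(f"unknown type of processing: {self.operation}")
        if self.timestamp.tzinfo is None:
            raise ValueError("timestamp needs a timezone so date and time are unambiguous")
        if self.operation == "disclose" and not self.recipients:
            raise ValueError("a disclosure must name its recipients")


class AuditLog:
    """Append-only in-memory log with a retention check (constructed for the example)."""

    def __init__(self) -> None:
        self._entries: list[LogEntry] = []

    def record(self, entry: LogEntry) -> None:
        self._entries.append(entry)

    def entries(self) -> tuple[LogEntry, ...]:
        return tuple(self._entries)

    def purgeable(self, now: datetime) -> list[LogEntry]:
        """Entries that have reached the minimum retention; younger ones must be kept.
        `now` must be timezone-aware, like the entry timestamps."""
        return [e for e in self._entries if now - e.timestamp >= MIN_RETENTION]


def demo() -> dict[str, int]:
    """Constructed scenario: a federal body processing non-public personal data."""
    log = AuditLog()
    t0 = datetime(2023, 9, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample timestamps
    events = [
        ("clerk-17", "read", t0, ()),
        ("clerk-17", "disclose", t0 + timedelta(minutes=5), ("cantonal-office-zh",)),
        ("batch-job", "delete", t0 + timedelta(days=400), ()),
    ]
    for who, op, when, to in events:
        if must_log(op, federal_body=True, publicly_accessible=False):
            log.record(LogEntry(who, op, when, to))
    now = t0 + timedelta(days=401)
    # Two entries are older than a year and may be purged; the deletion is one day old.
    return {"entries": len(log.entries()), "purgeable": len(log.purgeable(now))}


if __name__ == "__main__":
    print(demo())
```

The validation in `LogEntry` is where a real implementation earns its keep: a log that records a disclosure without its recipient, or a timestamp without a timezone, satisfies the letter of “logging” while failing the para. 4 minimum content. The retention check only ever identifies what may be deleted; nothing younger than the minimum is ever removed.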
Processing regulations
The content of the processing regulations for private persons and for federal bodies follows from Art. 5 para. 2 and Art. 6 para. 2 DSV. According to these, the regulations must contain “in particular information on the internal organization, the data processing and control procedure, and the measures taken to ensure data security”.
The explanatory report (p. 28) further provides that the processing regulations are “to be designed as documentation or a manual and should also serve the controller”; the Commentary of the Federal Office of Justice on the VDSG referred to there, para. 6.1.4, further states:
These regulations contain information on the internal organization of the owner of the data collection, as well as on the structure in which the data collection or automated processing system is embedded. It describes above all the data processing and control procedures, and thus contains the documents concerning the planning, development and operation of the data collection and the information technology resources used
and:
The regulations must also contain the procedure for exercising the right of access and the right to data output or transmission. The control procedures must make it possible to determine the access authorizations and the type and scope of access. Finally, it is of crucial importance that the processing regulations also include the technical and organizational measures to ensure appropriate data security.
This also makes it clear that a controller or processor does not necessarily have to produce several sets of regulations, e.g. one per high-risk processing activity. Rather, a single set of regulations can suffice – in fact, it often makes more sense to maintain only one, because the content of the regulations can often only be presented across processing activities.
In addition, the content required for the processing regulations overlaps with the processing register (Art. 12 nDSG). The report on the E‑VDSG also stated that certain information could be copied from the processing register. The explanatory report on the DSV does not address the overlaps between the processing register, any logging obligation and the obligation to draw up processing regulations, even though the duplication of efforts and the resulting additional workload were criticized several times during the consultation process.
Against this background, the processing regulations of private persons could be designed as an overview document that refers to existing documents, directives and guidelines. A single unified document cannot be required here, just as it cannot be required for the processing register, which in turn can refer to other documents.
As already stated, the failure to create processing regulations does not concern data security and is therefore also not punishable (see above).
Processing by processors (Art. 7 DSV)
Art. 7 DSV regulates the requirements for processing by a processor pursuant to Art. 9 nDSG. An intentional breach of the requirements of Art. 9 nDSG can be punished with a fine of up to CHF 250,000 according to Art. 61 lit. b nDSG.
After the provisions on processing by processors in the E‑VDSG had been strongly criticized in the consultation process as going beyond the statutory rules, Art. 7 DSV now merely confirms what is already common practice against the background of Art. 28 para. 2 GDPR and was already stated in the dispatch on the nDSG: the engagement of sub-processors must be approved in a general or specific manner (Art. 7 para. 1 DSV). In the case of a general authorization, the controller must be informed and may object (Art. 7 para. 2 DSV). Art. 7 DSV does not contain any formal requirements for this.
Disclosure of personal data abroad (Art. 8 – 12 FADP)
The disclosure of personal data to countries without an adequate level of data protection is one of the issues that currently poses particularly great challenges for companies in terms of data protection law – especially if they want to comply with all official and court rulings (see https://datenrecht.ch/auslandsbekanntgabe/). This applies all the more since intentional violations of the corresponding Art. 16 and 17 nDSG pursuant to Art. 61 lit. a nDSG fined are. Companies will have to continue to follow developments at the Swiss and European level closely – and with due calm.
However, Art. 10 para. 1 DPA is welcome:
1 If the person responsible or the processor provides personal data to by means of standard data protection clauses abroad in accordance with Article 16 paragraph 2 letter d FADP, it shall meet reasonable Measures to ensure that the recipient complies with these
The measures to safeguard the standard contractual clauses need only be “appropriate”. This clearly leaves the Recognize risk-based approach to transfers abroad: If the measures to safeguard the standard contractual clauses need only be adequate, a residual risk that the recipient’s compliance with the standard clauses will be undermined by its local law may be accepted, as long as this risk has been adequately mitigated. This is an explicit commitment to the risk-based approach also for transfers abroad, which is welcome (on this data-rights.ch/edoeb-doubt-risk-based-approach).
It is also to be welcomed that the obligation currently still applicable pursuant to Art. 6 FADP, according to which the controller must inform the FDPIC about guarantees and data protection rules pursuant to Art. 6(2)(c) and (g) FADP, has not been included in the FADP.
Another new feature is that it is no longer the FDPIC but the Federal Council determines which states or organizations demonstrate adequate data protection (Art. 16 para. 1 nDSG). Art. 8 DPA contains the necessary criteria for assessing the adequacy of data protection and conceptual clarifications.
Art. 9 DPA now regulates the required content for data protection clauses and specific guarantees. Art. 10 DPA contains requirements for standard data protection clauses, although in practice the standard data protection clauses adopted by the EU Commission are mainly used anyway. Art. 11 DPA newly regulates the requirements for binding corporate data protection rules (also referred to as “Binding Corporate Rules”) and Art. 12 DPA codes of conduct and certifications.
Obligations of the controller (Art. 13 – 15 DPA)
Modalities of the information obligation
An essential and practically relevant innovation under the nDSG is the introduction of a general duty to inform (Art. 19 ff. nDSG). Art. 13 FADP does not further specify this duty, but merely states in general terms:
The data controller must provide the data subject with the information about the acquisition of personal data in precise, transparent, understandable and easily accessible form Communicate
Thus, the DSV does not say anything new. How exactly these requirements are to be understood and whether the adjectives “precise” and “comprehensible” have independent meaning remains open, even after the consultation procedure and corresponding criticism. According to the explanatory report, however, the person responsible must
When choosing the form of information, ensure that the data subject always obtains the most important information at the first level of communication when obtaining his or her personal data receives. If the communication takes place via a website, for example, good practice may be that all essential information is available at a glance, e.g. in the form of an organized overview. To obtain further information, the data subject can then click on this information displayed first, whereupon a window opens with more detailed information.
This is nothing new, but it leaves the subject of the Media Break if general terms and conditions or any other printed document refer to a data protection declaration on the Internet. The explanatory report continues in this regard:
It should be noted, however, that communication via a website is not always sufficient: The data subject must know that he or she will find the information on a particular website. In the case of a telephone conversation, the information can also be communicated verbally and, if necessary, supplemented by a link to a website. In the case of recorded information, the data subject must have the opportunity to listen to more detailed information.
From this it becomes clear: It is sufficient, e.g. from GTC to a privacy policy on the Internet even if the GTC do not anticipate any further information, e.g. on the purpose of processing or the rights of the data subject, and even if the GTC do not contain a QR code, because even without this the data subject knows, based on the reference, “that she can find the information on a specific website”. The media disruption is thus generally permissible or harmless.
Further, the DSV did not adopt the regulation of pictograms, so that companies can use pictograms such as Privacy Icons may continue to use without additional hurdles. Articles 14 – 17 of the e‑Data Protection Act, which provided for information obligations that went beyond the nDSG, were also deleted. Likewise, the lapse of attributing information obligations to order processors has been remedied.
Retention of the privacy impact assessment
Art. 14 DSV specifies the Duration of storage of the data protection impact assessment on At least two years after the data processing has ended. The explanatory report points out that for the implementation of the data protection impact assessment, the FDPIC may make use of its competence to develop working instruments as recommendations of good practice.
Data security breach notification
Art. 24 nDSG now regulates the duty of the data controller to report data security breaches to the FDPIC if they are likely to result in a high risk to the personality or fundamental rights of the data subjects. Art. 15 FADP specifies in more detail the Minimum requirements of such messages. According to this, the following information is required in any case:
- Type of Injury;
- consequences, including any risks, for the persons concerned;
- Measures taken or envisaged to remedy the defect and mitigate the consequences, including any risks;
- Name and contact details of a contact person;
- As far as possible, time and duration of the breach, categories and approximate number of personal data and persons concerned
Essentially, these disclosures correspond to the minimum information according to Art. 33 para. 3 DSGVOwith the exception of the levies on the time and duration of the breach, which Art. 15 DPA requires, but not Art. 33 GDPR. It would have been better to follow the GDPR more closely here. However, the “nature” of the breach within the meaning of Art. 33 GDPR may be understood to include time and duration. If contract processing agreements (CPA) require the information pursuant to Art. 33(3) GDPR in the case of notifications by contract processors, which is often the case, an adaptation based on Art. 15 GDPR is therefore not necessary.
If not all information can be provided at the same time, Art. 15(2) DPA now allows the controller (like Art. 33(4) DPA) to provide the information staggered to report.
The explanatory report goes on to state with regard to the notification to the FDPIC:
the FDPIC is currently working on the development of a web-based reporting interface, probably in the form of an interactive form. As part of this project, the FDPIC is also currently examining the possibility of a joint reporting portal together with other federal bodies
In the event that the data controller is obliged pursuant to Art. 24 para. 4 nDSG to provide a Notification to the data subject (if it is necessary for the protection of the individual or if the FDPIC so requires), Art. 24(3) DPA obliges the controller to inform the individual “in plain and intelligible language”. It should also be noted that there is an obligation to notify the data breaches to the document (a standardized data entry form is suitable for this) and for at least Two years to be retained from the time of notification (Art. 15 (4) DPA). For companies that have already established processes for reporting data security breaches in accordance with the GDPR, there is therefore little new. All others must ensure corresponding processes until the entry into force of the nDSG and the FADP.
Rights of the data subject (Art. 16 – 22 DPA)
Access right
According to Art. 16(1) DPA, a request for information may be made “in writing” and, with the consent of the data controller, also orally. See the explanatory report:
“In writing” within the meaning of Article 16(1) DPA includes any form that provides the Proof by text enable. However, the so-called simple written form according to Articles 13 – 15 of the Code of Obligations is not meant.
Requests for information can then also be made by e‑mail.
With regard to the right to information, one of the issues raised in the consultation was the Documentation requirement of the grounds for denial, restriction, or deferral and criticized the three-year retention requirement. In the DSV, this obligation has now been dropped.
Also criticized was Art. 21 (3) E‑Data Protection Act, according to which requests for information To be forwarded to order processors if the person responsible is not able to provide the information himself. This has also been dropped. Art. 17 DPA now rather and sensibly stipulates that the processor has to assist the controller in providing the information, which in Order processing agreements is usually agreed anyway (but does not have to be expressly agreed according to the DSV).
At the shared responsibility - whose term remains undefined – the DPA now states that the order processor must exercise his rights in the case of each of the jointly responsible can assert. This is correct and raises the question of whether a privacy statement must name all of the jointly responsible parties. This is probably not the case: if a data protection declaration only specifies one contact point in the case of joint responsibility, the data subject is already served. This in no way invalidates the DSV requirement; on the contrary, the DSV now clarifies that the data subject is not bound by the one-stop shop offer.
The requirement that the controller must take appropriate measures to protect the data subject has been retained. identify. What this means in detail is open, but in any case the person concerned has a duty to cooperate here.
Art. 23 E‑VDSG was then clarified with regard to the exceptions from the Free of charge. Unfortunately, the maximum cost sharing remains at CHF 300as is already the case under the current VDSG. This is disproportionate to the possible effort required of the person responsible. In this context, it should be remembered that Art. 2 of the Civil Code also applies without restriction in data protection law, and one group of cases of abuse of rights is the blatant disproportion of interestsi.e. if the interest of the entitled party in exercising the right is not in reasonable proportion to the disadvantages suffered by the other party. As far as can be seen, this group of cases has not been applied in the area of the right to information. However, if the cost sharing is set at such a low amount, this is more likely to lead to a disproportion of interests, which in turn is more likely to lead to an abuse of rights of a request for information.
Art. 19 (3) DPA stipulates in connection with costs that the controller must inform the data subject of the amount of the contribution before providing information, and if the data subject then fails to confirm his request within ten days, it is deemed to be withdrawn. Accordingly, the 30-day period of Article 18(1) DPA starts to run after the cooling-off period has expired.
Data output and transfer (portability)
Art. 28 f. of the NDSG provides for the right to “issue and transfer data” (portability). In the draft ordinance, reference was made only by analogy to the provisions on the right of access. Due to the criticism in the consultation, the DPA now contains more specific provisions in Art. 20 – 22, which, however, are not too helpful – the legislator apparently does not really know how to deal with the portability right either: Art. 20 defines the “Scope of the claim” on data portability:
- Data covered is data “knowingly and willingly made available” (e.g., according to the explanatory report, “contact information via an online form” or “likes”) and
- Data collected by the Controller in the course of the use of a service or device (“observed data”, according to the Explanatory Report, e.g., “search queries, activity logs, history of a website usage”),
- but not data generated by the responsible person through his own evaluation (“derived data”; e.g., “the assessment of a user’s health status, user or risk profiles, credit risk analysis, etc.”).
Art. 21 then concerns technical questions:
- A “common electronic format” is one that allows transmission “with reasonable effort” to be transferred and reused, but does not require responsible parties to adopt or maintain compatible data processing systems;
- a “disproportionate effort for the transfer […] to another responsible person” shall (arguably: only) exist if the transfer is technically impossible (a bold statement – impossible and disproportionately effortful are of course two different things).
Special provisions for data processing by private persons
Art. 23 Data protection advisor and data protection consultant
Private data controllers can appoint a data protection advisor. Art. 25 E‑DPA had specified tasks and requirements for this purpose, including an obligation to check the processing of data. This was criticized in the consultation, and the Federal Council has now deleted Art. 25 DPA (which does not mean that the data protection advisor does not have an auditing obligation due to his function, analogous to Art. 39 (1) b GDPR).
However, the data protection advisor now has the Right to inform the highest management or administrative body “in important cases. This is a sensible regulation that corresponds to corporate governance principles (cf. e.g. para. 75 f. of the FINMA RS Corporate Governance – Banks) and is also found in the GDPR. However, the limitation to the important cases is questionable. In any case, the assessment of when an important case exists is the responsibility of the data protection advisor and not the controller itself.
If a private controller appoints a data protection advisor, which remains voluntary, it need not do so to the FDPIC reportbut if it does not do so, it cannot benefit from the exception – notification of the DPA in case of high net risks. Federal bodies must always notify the FDPIC of the data protection advisor (Art. 27(2) FADP).
Also interesting is the regulation of the Publication of the privacy advisorPrivate data controllers must publish their contact details if they wish to make use of the exemption, although the DPA does not specify how this is to be done. Federal bodies must publish the appointment of the data protection advisor, namely (Art. 27 DPA) “on the Internet”. This publication will often be in a privacy statement (even though federal bodies are usually not required to have a privacy statement), and this may apparently be published on the Internet. This is further evidence that the Internet is considered accessible and that a media breach is accordingly harmless (see above).
Art. 24 Exemption from the obligation to keep a processing list
Art. 12 nDSG regulates the obligation of a data controller and processor to maintain a processing directory. Paragraph 5 states that the Federal Council may provide for exemptions from this obligation for companies that employ less than 250 employees and whose data processing entails a low risk of violations of the personality of the data subjects. According to the explanatory report, this concerns employed persons and not RTD:
Companies and other organizations under private law with fewer than 250 employees on January 1 of a year (regardless of the degree of employment) and natural persons from the obligation … to keep a register of processing activities.
Thus, the vast majority of SMEs benefit from this exemption, unless they are
- process personal data requiring special protection on a large scale or
- Perform high-risk profiling.
“Extensive” means the following according to the explanatory report:
Extensive processing of data requiring special protection includes, in particular, data processing involving large quantities of data or a large number of persons.
Thus, it is not a question of a number of data that is large relative to the total amount of data processed, but rather a large amount of data or large number of individuals in absolute terms. If such a CounterexceptionA processing directory must be kept, but only for those processing activities that fall under such a counter-exception. Of course, SMEs, which are generally exempt from the obligation, are not prevented from voluntarily keeping a list of processing activities. In practice, however, this is often less helpful than it may seem at first (cf. our Implementation notes).
Special provisions on data processing by federal bodies
The provisions on the Privacy Advisor at federal bodies have not undergone any serious changes compared to the E‑VDSG. In general, the role of the data protection advisor at federal bodies is strengthened:
- Pursuant to Art. 27, the federal body is obliged to ensure that the data protection advisor is informed about Data security breaches informed will.
- The data protection advisor advises then assist the data controller with the question of whether the breach is subject to a notification obligation within the meaning of Art. 24 nDSG. The corresponding notification of data security breaches to the FDPIC was listed in the e‑DPA as a duty of the data protection advisors. Under the FADP, this is now correctly a duty of the federal body.
- Art. 31 E‑VDSG, which requires the federal body to inform the data protection advisor in the case of Projects for automated data processing was deleted – this because the federal body’s duty to provide information already arises on the basis of the general advisory, support and control duties of the data protection advisors.
The Notification to the FDPIC in the case of automated processing activities pursuant to Art. 32 FADP was strongly criticized in the consultation process. Despite this, the Federal Council has incorporated the notification to the FDPIC of planned automated processing activities into the new ordinance with only a few clarifications (Art. 31 FADP).In the regulations on the Pilot testing there have been no major changes compared to the e‑DPA. Art. 33 FADP still does not specify the period within which the opinion of the FDPIC on the question of compliance with the licensing requirements under Art. 35 FADP can be expected. Such a deadline would have been welcome for planning security.