datenrecht.ch

DSV: no minimum data security requirements, no corresponding criminal liability, and other comments

Hannes Meyle, Anne-Sophie Morand and David Vasella

At its meeting on August 31, 2022, the Federal Council approved the new Data Protection Ordinance (DSV) and the new Ordinance on Data Protection Certifications (VDSZ). The Federal Council has thus made use of its authority to issue implementing regulations for the revised Data Protection Act (nDSG).

The draft ordinance (E-VDSG) provided for numerous provisions that went further than the nDSG in terms of content and would have had drastic effects (we have reported). The E-VDSG was therefore subject to harsh criticism during the consultation process. The Federal Council has not taken the criticism into account on all points, but some important improvements have been achieved. For an overview, we have already published a comparison table (available here as a PDF).

This article deals with the content of the DSV and explains key points of the final version of the DSV and the main changes compared to the E-VDSG.

Data security (Section 1, Art. 1 – 6 DSV)

The intentional violation of the minimum requirements for data security may, pursuant to Art. 61 lit. c nDSG, be punished upon complaint with a fine of up to CHF 250,000. The Federal Council was thereby instructed to determine the minimum requirements for data security (Art. 8 para. 3 nDSG). The corresponding provisions in the DSV are therefore of great importance for controllers and processors. However, a closer look shows that Art. 1 – 6 DSV do not specify any such requirements, because the DSV is not aligned with the nDSG on this point but is based on the current concept of data security under the DSG.

The DSV does not contain any minimum requirements for data security within the meaning of the nDSG

Art. 8 and Art. 5 lit. h nDSG define data security more narrowly than Art. 7 DSG

The Federal Council is mandated under Art. 8 para. 3 nDSG to enact minimum requirements for "data security". What data security is follows from Art. 5 lit. h nDSG, with its legal definition of a data security breach:

a breach of security that results in personal data being inadvertently or unlawfully lost, deleted, destroyed or altered, or disclosed or made available to unauthorized persons;

In comparison to Art. 5 lit. h nDSG, today's DSG is based on a much broader understanding of data security. Art. 7 DSG:

1 Personal data must be protected against unauthorized processing by appropriate technical and organizational measures.
2 The Federal Council shall issue more detailed provisions on the minimum requirements for data security.

Accordingly, the current DSG understands data security as the totality of measures against unauthorized processing, while the nDSG understands it only as measures against data loss or other security breaches in the true sense, i.e. in the sense of security.

The nDSG has of course not abandoned the concern that data protection compliance be proactively ensured in general, but no longer sees this as part of data security; rather, it is part of the principle of privacy by design according to Art. 7 para. 1 and 2 nDSG. Art. 7 para. 1 nDSG (and not Art. 8 para. 1 nDSG) therefore also largely corresponds to Art. 7 para. 1 DSG:

Art. 7 para. 1 DSG: 1 Personal data must be protected against unauthorized processing by appropriate technical and organizational measures.

Art. 7 para. 1 nDSG: 1 The controller is obliged to design the data processing technically and organizationally in such a way that the data protection regulations are complied with, in particular the principles according to Article 6. It takes this into account from the planning stage.

The legislator was aware of this change in the concept of data security. The dispatch on Art. 8 nDSG (data security) states:

Article [8] obligates both the controller and the processor to provide an appropriate security architecture for their systems and to protect them, for example, against malware or data loss. Article 7(1), on the other hand, aims to ensure compliance with data protection regulations by technical means, e.g. that data processing remains proportionate.

The legislator has thus deliberately distinguished data security from general data protection and assigned the latter to the principle of privacy by design. Incidentally, the dispatch on Art. 8 nDSG explicitly refers to Art. 32 GDPR ("Security of processing") in this context, and not to Art. 5 ("Principles relating to processing of personal data").

Lack of distinction between data security and data protection in the DSV

Unfortunately, the Federal Council has nevertheless based the DSV on today's VDSG. This probably seemed obvious, since Art. 7 para. 2 DSG already provides that the Federal Council shall issue "more detailed provisions on the minimum requirements for data security". On this basis, the Federal Council had issued, in the 4th section of the VDSG, provisions on TOMs, logging, processing regulations and the disclosure of data.

The Federal Council has thus now simply declared the data security provisions of the current VDSG, with adjustments (see our comparison table, PDF), to be the minimum rules whose violation is punishable, and says of this:

With the provisions on data security, the Federal Council fulfills the legal mandate pursuant to Article 8 paragraph 3 nDSG. The penal provision in Article 61 letter c nDSG is also linked to these minimum requirements. The level of security that must be maintained so that the criminal provision is not violated is determined by the principles and criteria of this section.

However, the Federal Council did not consider, or deliberately neglected, the new, conceptually narrower understanding of data security in the nDSG. As explained, it is no longer about unauthorized processing at all, but solely about preventing a breach of security.

If the Federal Council had considered how the nDSG conceives of data security, it would have had to distinguish between the provisions of the VDSG that regulate data security in the strict sense and the provisions that pursue general data protection concerns. This is because Art. 7 nDSG, privacy by design, does not give the Federal Council any competence to legislate.

The Federal Council has omitted to do so. It has therefore exceeded its regulatory competence by not taking into account that the principle of privacy by design in the nDSG has absorbed a large part of what is data security under today's law, and that the competence to implement the data security requirements is much narrower.

No regulation of data security in the DSV

Thus, in classifying the provisions of Art. 1 – 6 DSV, it is necessary to proceed as follows:

  1. First, it must be asked in each case whether the corresponding provision serves data security under the new law or the principle of privacy by design.
  2. Second, a distinction must be made between a general specification, which the Federal Council may also carry out without express legal authorization, but only in concretizing terms, and the specification of actual minimum requirements within the meaning of Art. 8 para. 3 and Art. 61 lit. c nDSG. Minimum requirements answer the "what" (concrete measures as the result of a weighing), while a general specification of data security answers the "how" (procedure for the weighing).
  3. Third, in the case of minimum data security requirements within the meaning of the nDSG, if they exist, the question is whether they are formulated in such concrete terms that they can withstand Article 1 of the Criminal Code and the unwritten constitutional principle of "nulla poena sine lege (certa)".

A corresponding examination leads to the conclusion that Art. 1 – 6 DSV do not contain minimum requirements for data security. All of these provisions are programmatic in nature or serve the principle of privacy by design.

In detail:

Art. 1 DSV (Principles)

This provision establishes principles to be followed by the controller and the processor when establishing an adequate level of protection and determining appropriate measures for this purpose. The explanatory report rightly assigns this provision to data security. However, it contains programmatic principles and no concrete requirements for data security, let alone minimum requirements. This provision is not justiciable in this sense, because Art. 1 DSV does not contain any minimum requirements, even when viewed in the most favorable light, but only general instructions for the controller's procedure when determining security measures. As already mentioned, the Federal Council may make such a specification, but not on the basis of Art. 8 para. 3 nDSG.

If the controller does not proceed as provided for in Art. 1 DSV, for example because it does not determine the need for protection lege artis, does not take relevant factors into account in the risk assessment, or does not review its measures on an ongoing basis, this therefore does not indicate a violation of minimum requirements for data security:

  1. On the one hand, Art. 1 DSV does not provide for any minimum requirements regarding the "what", but only specifies the "how".
  2. On the other hand, a controller or processor can also take strong measures without reflection and thereby achieve adequate security. This is even often the case when a robust security measure is applied across a system in which different categories of data are processed with different security measures.

Overall, it is therefore not apparent how a violation of Art. 1 DSV could be punishable under Art. 61 lit. b in conjunction with Art. 8 para. 3 nDSG.

Art. 2 DSV (Objectives)

This provision formulates security objectives, according to a common but not the only classification, and is thus primarily to be assigned to data security as defined in Art. 8 nDSG. These protection goals are taken up again in Art. 3 DSV.

However, Art. 2 lit. d provides for the protection goal of traceability. Strictly speaking, this is not necessarily a data security measure within the meaning of Art. 8 in conjunction with Art. 5 lit. g nDSG, because it does not, at least not directly, serve to prevent personal data from being unintentionally or unlawfully lost, deleted, destroyed or modified, or from being disclosed or made accessible to unauthorized persons. Indirectly, traceability may serve these goals, because otherwise breaches that have occurred can only be remedied with difficulty. In itself, however, traceability is more about accountability.

The objectives of the DSV thus correspond to those of the Information Security Act (see Art. 6 para. 2 ISG; cf. here), as requested in the consultation procedure. However, Art. 2 DSV is of a programmatic and non-justiciable nature. A requirement for specific TOMs cannot be derived from it, and certainly not a minimum requirement. Here, too, it is therefore not apparent how a violation could be punishable.

Art. 3 DSV (TOMs)

Art. 3 DSV contains requirements for technical and organizational measures (TOMs) and thus specifies data security. The provision is based on the protection goals according to Art. 2 DSV: confidentiality, availability, integrity and traceability. However, Art. 3 DSV also contains no minimum requirements, but merely concretizes these protection goals.

Minimum requirements could be inferred from Art. 3 at most because, according to Art. 3 DSV, confidentiality, availability, integrity and traceability are "to be ensured". The current Art. 9 VDSG, on the other hand, states that measures are to be taken "that are suitable" "to meet" the protection goals. If the word "ensure" were to be understood absolutely, every violation of a protection goal would be proof that a corresponding measure was missing. However, this cannot be what is meant. The risk-based approach is undisputed, and the word "ensure" is in this sense to be interpreted as "strive for".

Art. 3 DSV is thus also programmatic in nature. Art. 3 is to be read together with Art. 1 and 2 DSV as a whole, which concretizes the concept of data security. However, minimum security requirements are not specified. Overall, therefore, Art. 3 DSV cannot be punishable either.

Furthermore, controllers and processors do not have to structure their technical and organizational measures (TOMs) according to the structure of Art. 3 DSV. Cf. e.g. the explanatory report:

It is quite conceivable that not every protection goal is relevant in every case. However, if a protection goal is not relevant in a case, the controller and processor must be able to justify why this is the case.

It is clear that this does not reverse the burden of proof, neither in civil nor in administrative nor in criminal proceedings. The Federal Council would not have had the authority to do so.

Art. 4 DSV (Logging)

The assignment of Art. 4 DSV to data security or to privacy by design is not easy at first glance. "Logging" sounds technical and thus like data security, but it would be a fundamental misunderstanding to assign all technical measures to data security in the strict sense: privacy by design, i.e. compliance with data protection law in general, can also be secured with technical measures.

According to the explanatory report, logging is primarily a matter of accountability rather than data security:

Logging constitutes a measure within the meaning of Article 3 DSV. This takes into account the fact that Swiss law, unlike the GDPR, does not provide for a general "accountability obligation". Moreover, logging is also recommended by certain European data protection authorities. Furthermore, logging is a classic, preventive means of ensuring cybersecurity.

This is also reflected in the fact that, according to Art. 4, logging is required only when

the preventive measures cannot ensure data protection …, in particular if … it cannot otherwise be determined retrospectively whether the data were processed for the purposes for which they were obtained or disclosed.

So it is about purpose limitation and, in general, about ensuring "data protection". This is not a question of data security. That this is the goal of Art. 4 DSV is also clear from a historical perspective. Art. 4 DSV takes over today's Art. 10 VDSG, as the explanatory report states:

Logging is governed by Article 10 VDSG, which also applies to federal bodies due to the reference in the first sentence of Article 20(1) VDSG. Article 4 adopts this regulation in amended form.

Art. 10 VDSG was explained by the Federal Office of Justice in its Commentary on the VDSG as follows:

In particular, the aim is to control that the data are not used for unforeseen or incompatible purposes. The risk of misuse increases when the information system in which the data is stored is made accessible to a large number of users or is physically or visually linked to other data collections. It is not necessary to log everything. In this context, the principle laid down in Art. 8 must also be taken into account and the principle of proportionality must be applied (Art. 4 para. 2 DSG and Art. 8 para. 2 DSG). The logs are used to verify compliance with data protection regulations.

The legislative history of Art. 4 DSV thus also clearly shows that logging is intended to ensure purpose limitation, and not data security in the strict sense. Thus, logging is not a data security issue, and failure to log cannot be a criminal offense.

It cannot be ruled out, however, that logging, as a measure of traceability, may indirectly also serve data security in the true sense of the term. However, criminal liability would then require a law enforcement agency to prove in an individual case that logging was necessary for data security in the actual sense and that the controller or the processor, or the persons acting on their behalf, were aware of this, at least in outline.

Art. 5 and 6 DSV (Processing Regulations)

The processing regulations are also taken over from the VDSG (Art. 11 for private persons and Art. 21 for federal bodies). This is again not a matter of data security, but of accountability. The Federal Council states this explicitly in the explanatory report:

Processing regulations had to be drawn up by the "controller of an automated data file subject to notification" under Article 11a (3) DSG who was not exempt from the obligation to notify his data files on the basis of Article 11a (5) letters b–d DSG (Art. 11 (1) VDSG). Since the notification obligation for private controllers (Art. 11a DSG) no longer exists in the nDSG, Article 11 VDSG cannot be adopted unchanged. According to the principle of accountability provided for in the GDPR, the controller must be able to demonstrate compliance with the principles of data processing (Art. 5 para. 2 GDPR). Swiss law does not know a general duty of accountability ("accountability"), but the obligation to create processing regulations fulfills the same purpose.

Although the obligation to prepare the processing regulations is linked to an increased risk, this does not make it a security duty; it merely shows that the risk-based approach applies not only to data security in the strict sense of the word but to proactive compliance in general. This is also shown by the dispatch on Art. 7 nDSG (including privacy by design):

Paragraph 2 specifies the requirements for the precautions according to paragraph 1. These must in particular … be appropriate. … The provision expresses the risk-based approach.

The Federal Council overlooks this when it refers to data security, and not accountability, at this point in the explanatory report without further elaboration.

Further comments on individual provisions

Art. 1 Principles

Risk-based approach

According to Art. 1 para. 1 DSV, the technical and organizational measures must be appropriate with regard to the risk for the personal data specifically processed. This requires an assessment of the need for protection. Art. 1 (2) DSV contains criteria for this, and Art. 1 (3) DSV contains criteria for assessing the risk. Art. 1 DSV refers to the risk for the personal data, but certainly means the risk for the persons concerned. This is a big difference, because a high risk for harmless data can mean a low risk for data subjects. The criteria of Art. 1 DSV express the risk-based approach in prospective compliance (see also here): security measures must be adequate, not less, but also not more. The explanatory report:

The need for protection is assessed on the basis of the type of data processed and the purpose, nature, scope and circumstances of the data processing. In particular, this involves the level of protection that must be ensured in view of the risk to the personal and fundamental rights of the data subjects. The higher the need for protection, the stricter the requirements for the measures.

Importance of costs

In the consultation, the rule of Art. 1 (4) DSV was also discussed, according to which the "implementation costs", among other things, must be taken into account when determining the technical and organizational measures. More precisely: Art. 1 DSV requires "appropriate" data security. For this, "appropriate" measures are to be determined. In turn, the costs play a role in this.

The concept of "costs" was criticized in the consultation as being too narrow. The explanatory report now states the following:

The term "costs" is to be understood in a broad sense. It is not limited to financial costs, but also includes the necessary human and time resources.

So far so good, but:

Controllers and processors may in particular not be exempted from the obligation of adequate data security on the grounds that it involves excessive costs; rather, they must in any case be able to ensure adequate data security.

This is wrong. If this were so, i.e. if costs did not matter until adequate security was achieved, costs would never matter; for more than adequate security is never required, and until then costs would be of no consequence. They could only be a factor in selecting between possible measures of equal effect. The explanatory report even says so, but that would be a matter of course that needs no regulation.

Correctly, costs are already a factor in determining whether the data security achieved is appropriate. This is recognized in the GDPR, and the Federal Council explicitly does not want any data security requirements that exceed those of the GDPR (explanatory report: "[…] so that Swiss companies that […] ensure data security that is compliant with the GDPR can also assume that they meet the minimum requirements in Switzerland."). As a result, it is therefore not a violation of data security, and cannot be punishable, if the controller or the processor also takes the costs, among other things, into account when determining the appropriate data security and the appropriate measures.

The review of the security measures was also discussed. The DSV no longer requires, as the E-VDSG did, that the measures be reviewed "at appropriate intervals", but that they be reviewed "over the entire processing period". According to the explanatory report, this means:

The need for review depends in particular on the hazard situation […]: the higher it is, the more frequently the measures must be regularly reviewed. The new formulation goes in the direction of a constant review. However, it leaves the controller and the processor a large margin of discretion. A review may also be necessary if there has been a breach of data security or if the processing of personal data has been adapted.

However, failure to review the measures cannot in itself constitute a breach of the minimum data security requirements and accordingly cannot lead to a fine (see above).

Art. 4 – 6 Logging and processing regulations

Preliminary remarks

It has already been stated above that the logging obligations and the processing regulations are not about data security issues, but about general obligations under data protection law (accountability or privacy by design). Independent of their legal nature, these obligations presuppose increased risks in each case, namely that

  1. particularly sensitive personal data is processed automatically on a large scale, or
  2. high-risk profiling is performed.

In the case of logging, a negative condition is that the "preventive measures cannot guarantee data protection".

What is "automated processing"?

It is initially unclear what constitutes automated processing of personal data. The explanatory report does not address this requirement, although the question was already raised in the consultation process. It is therefore probably necessary to refer back to the nDSG. However, this leaves open in particular whether it is sufficient if the processing in question is carried out with the help of computer-aided techniques, or whether the processing must be carried out exclusively by automated means. Unfortunately, the explanatory report does not provide any practical examples or further information.

However, the interpretation of a restrictive element must not lead to that element not restricting anything in practice. The use of a computer cannot therefore be sufficient, because index cards with patient data are certainly not processed exclusively by hand on a large scale. Exclusively automated processing must therefore be required.

Processing of sensitive personal data on a large scale

The factual requirement of processing sensitive personal data "on a large scale", as required by Art. 4 DSV, is also not defined. The explanatory report states in connection with Art. 5 DSV that only "isolated" processing of sensitive personal data is not covered, and that "in particular 'traditional' SMEs" are not affected. However, with regard to Art. 24 (exception for the processing list, see below), the explanatory report goes on to state that processing of data requiring special protection is considered extensive if it involves large amounts of data or a large number of persons. This should also apply here (whatever that means in the end).

… "preventive measures do not ensure data protection"

The logging obligation of Art. 4 para. 1 DSV also presupposes, as does the current VDSG, that "the preventive measures cannot guarantee data protection". That this proves that the issue is not data security but general data protection, and thus privacy by design, has already been explained above.

The explanatory report then states that this feature is "of secondary importance", "as preventive measures rarely ensure data protection". That is an astonishing statement. If it means that preventive measures can never guarantee compliance with data protection with absolute certainty, that is of course correct; after all, the risk-based approach applies. But then what is the point of the element that data protection is not guaranteed?

After all, Art. 4 para. 1 states that logging must take place in particular "if it cannot otherwise be determined after the fact whether the data were processed for the purposes for which they were obtained or disclosed". This should probably simply be interpreted to mean that, where the other conditions are met, logging is required if it is sensibly necessary within the framework of an overall assessment from a privacy by design point of view.

In doing so, the controller (the processor can hardly carry out this weighing himself) has a great deal of discretion.

Logging by federal bodies

A stricter rule applies to federal bodies: according to Art. 4 (2) DSV, federal bodies and their commissioned processors (including private processors, which as auxiliary persons do not themselves become a federal body but are here selectively subjected to the same rule) must log, for any automated processing, at least the storage, modification, reading, disclosure, deletion and destruction of the data.

According to Art. 4 para. 3, the scope of the logging obligation is determined by whether the personal data in question is publicly accessible or not:

  1. In the case of publicly accessible personal data, according to Art. 4 para. 1 and 2 DSV, "at least the storage, modification, deletion and destruction of the data must be recorded".
  2. In all other cases, the reading and disclosure must also be recorded.

This provision, i.e. Art. 4 para. 3 DSV, should only refer to processing by federal bodies (para. 2) and not also to that by private parties (para. 1).

Furthermore, in the case of federal bodies, but only in their case, a transitional provision applies (Art. 46 DSV): insofar as processing by a federal body is not Schengen-relevant, the special logging obligation of Art. 4 (2) DSV does not apply until 1 September 2026 or until the end of the system's life cycle (whichever comes first). In the meantime, the logging regime for private persons applies.

Scope of the logging obligation

Art. 4 (4) DSV regulates the minimum information that must be provided by logging, namely the identity of the person who processed the data and of any recipients, as well as the type, date and time of processing. Software and system providers will have to provide corresponding functions so that controllers and processors can comply with data protection rules.

Art. 4 para. 5 contains specifications on the storage and accessibility of the logs. In contrast to the wording of the current VDSG, the retention period is no longer exactly one year, but "at least" one year; logs may therefore also be retained for longer.

Unfortunately, the following special prohibition on use for other purposes was retained: logs may only be used to "verify the application of data protection rules or to maintain or restore the confidentiality, integrity, availability and traceability of data". This also does not serve data security and remains contrary to federal law. The legislator has no competence to restrict the general principles, namely the freedom of the controller to determine the purpose of processing through transparency. Logs may therefore continue to be used for other purposes, contrary to the text of the ordinance, e.g. in the context of an internal investigation.
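As an added example that is not part of the original article: a small Python model of the federal-body logging regime described above (Art. 4 paras. 2 to 5 DSV). The operation labels, field names and the sample log are our own constructions, since the ordinance prescribes the content of logs but no format. The block returns which operations must be logged for public and non-public data, flags entries that lack the Art. 4 para. 4 minimum content, lists required operation types that never appear in a log, and checks a purge policy against the one-year floor.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Operation labels are our own (the DSV names the operations but fixes no codes).
# Art. 4 para. 3 DSV: for publicly accessible data, at least these four.
OPS_PUBLIC = frozenset({"storage", "modification", "deletion", "destruction"})
# Art. 4 para. 2 and 3 DSV: for all other data, reading and disclosure as well.
OPS_ALL = OPS_PUBLIC | {"reading", "disclosure"}
# Art. 4 para. 5 DSV: logs are kept for "at least" one year.
MIN_RETENTION = timedelta(days=365)


@dataclass(frozen=True)
class LogEntry:
    """One log record carrying the Art. 4 para. 4 minimum content."""
    operation: str                    # type of processing
    actor: str                        # identity of the person/system that processed the data
    occurred_at: datetime             # date and time of the processing
    recipients: tuple[str, ...] = ()  # identity of any recipients (relevant for disclosure)


def required_operations(publicly_accessible: bool) -> frozenset[str]:
    """Operations a federal body (or its processor) must log at minimum."""
    return OPS_PUBLIC if publicly_accessible else OPS_ALL


def entry_problems(entry: LogEntry) -> list[str]:
    """Why an entry fails the Art. 4 para. 4 minimum content (empty list = fine)."""
    problems = []
    if not entry.actor:
        problems.append("missing identity of processor")
    if entry.operation not in OPS_ALL:
        problems.append(f"unknown operation type {entry.operation!r}")
    # Timezone-aware timestamps are our own addition: without a zone, the "date
    # and time" of an event cannot be reconstructed unambiguously across systems.
    if entry.occurred_at.tzinfo is None:
        problems.append("timestamp without timezone")
    if entry.operation == "disclosure" and not entry.recipients:
        problems.append("disclosure without recipients")
    return problems


def coverage_gaps(entries: list[LogEntry], publicly_accessible: bool) -> frozenset[str]:
    """Required operation types that never appear in the log at all.

    An absent type is a hint, not proof, that logging is not wired up for it:
    the DSV requires an operation to be logged when it happens, not that it happens.
    """
    seen = {e.operation for e in entries}
    return required_operations(publicly_accessible) - seen


def retention_policy_ok(purge_after: timedelta) -> bool:
    """True if a purge policy keeps logs for the Art. 4 para. 5 minimum or longer."""
    return purge_after >= MIN_RETENTION


# Constructed sample log (not real data): a federal body handling non-public data.
UTC = timezone.utc
SAMPLE_LOG = [
    LogEntry("storage", "svc-intake", datetime(2023, 9, 4, 8, 0, tzinfo=UTC)),
    LogEntry("reading", "u.example", datetime(2023, 9, 4, 9, 15, tzinfo=UTC)),
    LogEntry("disclosure", "u.example", datetime(2023, 9, 4, 9, 20, tzinfo=UTC),
             recipients=("partner-office",)),
    # Defective entry: no actor, naive timestamp, disclosure with no recipient.
    LogEntry("disclosure", "", datetime(2023, 9, 4, 9, 21)),
]


def audit(entries: list[LogEntry], publicly_accessible: bool, purge_after: timedelta) -> dict:
    """Summarise the three checks for one log as a single report."""
    defects = {i: entry_problems(e) for i, e in enumerate(entries) if entry_problems(e)}
    return {
        "defective_entries": defects,
        "uncovered_operations": sorted(coverage_gaps(entries, publicly_accessible)),
        "retention_ok": retention_policy_ok(purge_after),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, publicly_accessible=False, purge_after=timedelta(days=90)))
```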

Editing regu­la­ti­ons

The con­tent of the Editing regu­la­ti­ons for pri­va­te per­sons and for fede­ral bodies fol­lows from Art. 5 para. 2 DPA and 6 para. 2 DPA. Accor­ding to the­se, the regu­la­ti­ons must “in par­ti­cu­lar Infor­ma­ti­on on the inter­nal orga­nizati­on, the data pro­ce­s­sing and con­trol pro­ce­du­re, and the mea­su­res taken to ensu­re data secu­ri­ty contain”.

The expl­ana­to­ry report (p. 28) fur­ther pro­vi­des that the pro­ce­s­sing regu­la­ti­ons shall be “to be desi­gned as a docu­men­ta­ti­on or manu­al and should also ser­ve the respon­si­ble per­son”; The the­r­ein refer­red Com­men­ta­ry of the Fede­ral Office of Justi­ce on the VDSG, para. 6.1.4, fur­ther states:

The­se regu­la­ti­ons con­tain infor­ma­ti­on on the inter­nal Orga­nizati­on of the owner of the data coll­ec­tion, as well as about the struc­tu­re in which the data coll­ec­tion or auto­ma­ted pro­ce­s­sing system is embedded. It descri­bes abo­ve all the Data pro­ce­s­sing and con­trol pro­ce­du­res, thus con­ta­ins the docu­ments con­cer­ning the Plan­ning, ela­bo­ra­ti­on and ope­ra­ti­on of the data coll­ec­tion and the used Infor­ma­ti­on Tech­no­lo­gy Resources

and:

The regulations must also contain the procedure for exercising the right to information and the right to data output or transmission. The control procedures must make it possible to determine the access permissions and the type and scope of access. Finally, it is of crucial importance that the processing regulations also include the technical and organizational measures to ensure appropriate data security.

This also makes it clear that a controller or order processor does not necessarily have to produce several sets of regulations, e.g. one per risky processing activity. Rather, a single set of regulations can be sufficient; in fact, it often makes more sense to maintain only one, because the content of the regulations may only be representable across processing activities.

In addition, the content required for the processing regulations overlaps with the processing directory (Art. 12 nDSG). The report on the E‑VDSG also stated that certain information could be copied from the processing directory. The explanatory report on the DSV does not elaborate on the overlaps between the processing directory, the possible logging obligation and the obligation to draw up processing regulations, even though the duplication of efforts and the resulting additional workload were criticized on several occasions during the consultation process.

Against this background, the processing regulations of private persons could be designed as an overview document that refers to existing documents, directives and guidelines. Unity of documents cannot be required here, just as it cannot be required for the processing directory, which in turn can refer to other documents.

As already stated, the processing regulations are not a data security measure, so failing to create them is also not punishable (see above).

Processing by order processors (Art. 7 DPA)

Art. 7 FADP regulates the prerequisites of order processing pursuant to Art. 9 nDSG. An intentional breach of the requirements of Art. 9 nDSG can be punished with a fine of up to CHF 250,000 according to Art. 61 lit. b nDSG.

After the provisions on commissioned processing in the e‑DPA had been strongly criticized in the consultation process as going beyond the statutory regulations, Art. 7 DPA now merely confirms what is already common practice against the background of Art. 28 (2) DPA and was already stated in the dispatch on the nDSG: the commissioning of sub-processors is to be approved in a general or specific way (Art. 7 para. 1 DPA). In the case of a general authorization, the data controller must be informed and may object (Art. 7 para. 2 DPA). Art. 7 DPA does not contain any formal requirements for this.

Disclosure of personal data abroad (Art. 8 – 12 FADP)

The disclosure of personal data to countries without an adequate level of data protection is one of the issues that currently poses particularly great challenges for companies in terms of data protection law, especially if they want to comply with all official and court rulings (see https://datenrecht.ch/auslandsbekanntgabe/). This applies all the more since intentional violations of the corresponding Art. 16 and 17 nDSG are fined pursuant to Art. 61 lit. a nDSG. Companies will have to continue to follow developments at the Swiss and European level closely, and with due calm.

However, Art. 10 para. 1 DPA is welcome:

1 If the person responsible or the processor discloses personal data abroad by means of standard data protection clauses in accordance with Article 16 paragraph 2 letter d FADP, it shall take reasonable measures to ensure that the recipient complies with them.

The measures to safeguard the standard contractual clauses need only be “appropriate”. This clearly recognizes the risk-based approach to transfers abroad: if the measures to safeguard the standard contractual clauses need only be adequate, a residual risk that the recipient’s compliance with the standard clauses will be undermined by its local law may be accepted, as long as this risk has been adequately mitigated. This is an explicit commitment to the risk-based approach also for transfers abroad, which is welcome (on this, see data-rights.ch/edoeb-doubt-risk-based-approach).

It is also to be welcomed that the obligation currently still applicable pursuant to Art. 6 FADP, according to which the controller must inform the FDPIC about guarantees and data protection rules pursuant to Art. 6(2)(c) and (g) FADP, has not been included in the FADP.

Another new feature is that it is no longer the FDPIC but the Federal Council that determines which states or organizations demonstrate adequate data protection (Art. 16 para. 1 nDSG). Art. 8 DPA contains the necessary criteria for assessing the adequacy of data protection and conceptual clarifications.

Art. 9 DPA now regulates the required content for data protection clauses and specific guarantees. Art. 10 DPA contains requirements for standard data protection clauses, although in practice the standard data protection clauses adopted by the EU Commission are mainly used anyway. Art. 11 DPA newly regulates the requirements for binding corporate data protection rules (also referred to as “Binding Corporate Rules”) and Art. 12 DPA codes of conduct and certifications.

Obligations of the controller (Art. 13 – 15 DPA)

Modalities of the information obligation

An essential and practically relevant innovation under the nDSG is the introduction of a general duty to inform (Art. 19 ff. nDSG). Art. 13 FADP does not further specify this duty, but merely states in general terms:

The data controller must communicate the information about the acquisition of personal data to the data subject in precise, transparent, understandable and easily accessible form.

Thus, the DSV does not say anything new. How exactly these requirements are to be understood and whether the adjectives “precise” and “comprehensible” have independent meaning remains open, even after the consultation procedure and corresponding criticism. According to the explanatory report, however, the person responsible must

when choosing the form of information, ensure that the data subject always receives the most important information at the first level of communication when his or her personal data is obtained. If the communication takes place via a website, for example, good practice may be that all essential information is available at a glance, e.g. in the form of an organized overview. To obtain further information, the data subject can then click on this information displayed first, whereupon a window opens with more detailed information.

This is nothing new, but it leaves open the subject of the media break if general terms and conditions or any other printed document refer to a data protection declaration on the Internet. The explanatory report continues in this regard:

It should be noted, however, that communication via a website is not always sufficient: the data subject must know that he or she will find the information on a particular website. In the case of a telephone conversation, the information can also be communicated verbally and, if necessary, supplemented by a link to a website. In the case of recorded information, the data subject must have the opportunity to listen to more detailed information.

From this it becomes clear: it is sufficient to refer, e.g. from GTC, to a privacy policy on the Internet, even if the GTC do not anticipate any further information, e.g. on the purpose of processing or the rights of the data subject, and even if the GTC do not contain a QR code, because even without this the data subject knows, based on the reference, “that he or she can find the information on a specific website”. The media break is thus generally permissible or harmless.

Further, the DSV did not adopt the regulation of pictograms, so that companies may continue to use pictograms such as Privacy Icons without additional hurdles. Articles 14 – 17 of the e‑Data Protection Act, which provided for information obligations that went beyond the nDSG, were also deleted. Likewise, the oversight of attributing information obligations to order processors has been remedied.

Retention of the data protection impact assessment

Art. 14 DSV specifies the duration of storage of the data protection impact assessment as at least two years after the data processing has ended. The explanatory report points out that, for the implementation of the data protection impact assessment, the FDPIC may make use of its competence to develop working instruments as recommendations of good practice.

Data security breach notification

Art. 24 nDSG now regulates the duty of the data controller to report data security breaches to the FDPIC if they are likely to result in a high risk to the personality or fundamental rights of the data subjects. Art. 15 FADP specifies in more detail the minimum requirements of such notifications. According to this, the following information is required in any case:

  1. type of breach;
  2. consequences, including any risks, for the persons concerned;
  3. measures taken or envisaged to remedy the defect and mitigate the consequences, including any risks;
  4. name and contact details of a contact person;
  5. as far as possible, time and duration of the breach, categories and approximate number of personal data and persons concerned.

Essentially, these disclosures correspond to the minimum information according to Art. 33 para. 3 GDPR, with the exception of the details on the time and duration of the breach, which Art. 15 DPA requires but Art. 33 GDPR does not. It would have been better to follow the GDPR more closely here. However, the “nature” of the breach within the meaning of Art. 33 GDPR may be understood to include time and duration. If contract processing agreements (CPA) require the information pursuant to Art. 33(3) GDPR in the case of notifications by contract processors, which is often the case, an adaptation based on Art. 15 GDPR is therefore not necessary.

If not all information can be provided at the same time, Art. 15(2) DPA now allows the controller (like Art. 33(4) DPA) to report the information in stages.

The explanatory report goes on to state with regard to the notification to the FDPIC:

The FDPIC is currently working on the development of a web-based reporting interface, probably in the form of an interactive form. As part of this project, the FDPIC is also currently examining the possibility of a joint reporting portal together with other federal bodies.

In the event that the data controller is obliged pursuant to Art. 24 para. 4 nDSG to notify the data subject (if it is necessary for the protection of the individual or if the FDPIC so requires), Art. 24(3) DPA obliges the controller to inform the individual “in plain and intelligible language”. It should also be noted that there is an obligation to document the data breaches (a standardized data entry form is suitable for this) and to retain the documentation for at least two years from the time of notification (Art. 15 (4) DPA). For companies that have already established processes for reporting data security breaches in accordance with the GDPR, there is therefore little new. All others must ensure corresponding processes before the entry into force of the nDSG and the FADP.

Rights of the data subject (Art. 16 – 22 DPA)

Access right

According to Art. 16(1) DPA, a request for information may be made “in writing” and, with the consent of the data controller, also orally. See the explanatory report:

“In writing” within the meaning of Article 16(1) DPA includes any form that enables proof by text. However, the so-called simple written form according to Articles 13 – 15 of the Code of Obligations is not meant.

Requests for information can therefore also be made by e‑mail.

With regard to the right to information, one of the issues raised in the consultation was the documentation requirement for the grounds for denial, restriction or deferral; the three-year retention requirement was also criticized. In the DSV, this obligation has now been dropped.

Also criticized was Art. 21 (3) E‑Data Protection Act, according to which requests for information were to be forwarded to order processors if the person responsible was not able to provide the information himself. This has also been dropped. Art. 17 DPA now, more sensibly, stipulates that the processor has to assist the controller in providing the information, which is usually agreed in order processing agreements anyway (but does not have to be expressly agreed according to the DSV).

For shared responsibility, whose term remains undefined, the DPA now states that the data subject can assert his rights against each of the jointly responsible parties. This is correct and raises the question of whether a privacy statement must name all of the jointly responsible parties. This is probably not the case: if a data protection declaration only specifies one contact point in the case of joint responsibility, the data subject is already served. This in no way invalidates the DSV requirement; on the contrary, the DSV now clarifies that the data subject is not bound by the one-stop shop offer.

The requirement that the controller must take appropriate measures to identify the data subject has been retained. What this means in detail is open, but in any case the person concerned has a duty to cooperate here.

Art. 23 E‑VDSG was then clarified with regard to the exceptions from being free of charge. Unfortunately, the maximum cost sharing remains at CHF 300, as is already the case under the current VDSG. This is disproportionate to the possible effort required of the person responsible. In this context, it should be remembered that Art. 2 of the Civil Code also applies without restriction in data protection law, and one group of cases of abuse of rights is the blatant disproportion of interests, i.e. if the interest of the entitled party in exercising the right is not in reasonable proportion to the disadvantages suffered by the other party. As far as can be seen, this group of cases has not been applied in the area of the right to information. However, if the cost sharing is set at such a low amount, this is more likely to lead to a disproportion of interests, which in turn is more likely to make a request for information an abuse of rights.

Art. 19 (3) DPA stipulates in connection with costs that the controller must inform the data subject of the amount of the contribution before providing information, and if the data subject then fails to confirm his request within ten days, it is deemed to be withdrawn. Accordingly, the 30-day period of Article 18(1) DPA starts to run after the cooling-off period has expired.

Data output and transfer (portability)

Art. 28 f. nDSG provides for the right to “issue and transfer data” (portability). In the draft ordinance, reference was made only by analogy to the provisions on the right of access. Due to the criticism in the consultation, the DPA now contains more specific provisions in Art. 20 – 22, which, however, are not too helpful; the legislator apparently does not really know how to deal with the portability right either. Art. 20 defines the “scope of the claim” to data portability:

  • Data covered is data “knowingly and willingly made available” (e.g., according to the explanatory report, “contact information via an online form” or “likes”) and
  • data collected by the controller in the course of the use of a service or device (“observed data”; according to the explanatory report, e.g., “search queries, activity logs, history of website usage”),
  • but not data generated by the responsible person through his own evaluation (“derived data”; e.g., “the assessment of a user’s health status, user or risk profiles, credit risk analysis, etc.”).

Art. 21 then concerns technical questions:

  • A “common electronic format” is one that allows data to be transferred and reused “with reasonable effort”, but does not require responsible parties to adopt or maintain compatible data processing systems;
  • a “disproportionate effort for the transfer […] to another responsible person” shall (arguably: only) exist if the transfer is technically impossible (a bold statement: impossible and disproportionately effortful are of course two different things).

Special provisions for data processing by private persons

Art. 23 Data protection advisor and data protection consultant

Private data controllers can appoint a data protection advisor. Art. 25 E‑DPA had specified tasks and requirements for this purpose, including an obligation to check the processing of data. This was criticized in the consultation, and the Federal Council has now deleted Art. 25 DPA (which does not mean that the data protection advisor has no auditing obligation by virtue of his function, analogous to Art. 39 (1) b GDPR).

However, the data protection advisor now has the right to inform the highest management or administrative body “in important cases”. This is a sensible regulation that corresponds to corporate governance principles (cf. e.g. para. 75 f. of the FINMA RS Corporate Governance – Banks) and is also found in the GDPR. However, the limitation to important cases is questionable. In any case, the assessment of when an important case exists is the responsibility of the data protection advisor and not the controller itself.

If a private controller appoints a data protection advisor, which remains voluntary, it need not report this to the FDPIC, but if it does not do so, it cannot benefit from the exception from the notification of the data protection impact assessment in case of high net risks. Federal bodies must always notify the FDPIC of the data protection advisor (Art. 27(2) FADP).

Also interesting is the regulation of the publication of the data protection advisor: private data controllers must publish the advisor’s contact details if they wish to make use of the exemption, although the DPA does not specify how this is to be done. Federal bodies must publish the appointment of the data protection advisor, namely (Art. 27 DPA) “on the Internet”. This publication will often be in a privacy statement (even though federal bodies are usually not required to have a privacy statement), and this may apparently be published on the Internet. This is further evidence that the Internet is considered accessible and that a media break is accordingly harmless (see above).

Art. 24 Exemption from the obligation to keep a processing directory

Art. 12 nDSG regulates the obligation of a data controller and processor to maintain a processing directory. Paragraph 5 states that the Federal Council may provide for exemptions from this obligation for companies that employ fewer than 250 employees and whose data processing entails a low risk of violations of the personality of the data subjects. According to the explanatory report, this concerns employed persons and not full-time equivalents:

Companies and other organizations under private law with fewer than 250 employees on January 1 of a year (regardless of the degree of employment) and natural persons from the obligation … to keep a register of processing activities.

Thus, the vast majority of SMEs benefit from this exemption, unless they

  • process personal data requiring special protection on a large scale or
  • perform high-risk profiling.

“Extensive” means the following according to the explanatory report:

Extensive processing of data requiring special protection includes, in particular, data processing involving large quantities of data or a large number of persons.

Thus, it is not a question of an amount of data that is large relative to the total amount of data processed, but rather of a large amount of data or a large number of individuals in absolute terms. If such a counter-exception applies, a processing directory must be kept, but only for those processing activities that fall under such a counter-exception. Of course, SMEs, which are generally exempt from the obligation, are not prevented from voluntarily keeping a list of processing activities. In practice, however, this is often less helpful than it may seem at first (cf. our implementation notes).

Special provisions on data processing by federal bodies

The provisions on the data protection advisor at federal bodies have not undergone any serious changes compared to the E‑VDSG. In general, the role of the data protection advisor at federal bodies is strengthened:

  • Pursuant to Art. 27, the federal body is obliged to ensure that the data protection advisor is informed about data security breaches.
  • The data protection advisor then assists the data controller with the question of whether the breach is subject to a notification obligation within the meaning of Art. 24 nDSG. The corresponding notification of data security breaches to the FDPIC was listed in the e‑DPA as a duty of the data protection advisors. Under the FADP, this is now correctly a duty of the federal body.
  • Art. 31 E‑VDSG, which required the federal body to inform the data protection advisor in the case of projects for automated data processing, was deleted, because the federal body’s duty to provide information already arises from the general advisory, support and control duties of the data protection advisors.

The notification to the FDPIC in the case of automated processing activities pursuant to Art. 32 FADP was strongly criticized in the consultation process. Despite this, the Federal Council has incorporated the notification to the FDPIC of planned automated processing activities into the new ordinance with only a few clarifications (Art. 31 FADP).

In the regulations on pilot testing, there have been no major changes compared to the e‑DPA. Art. 33 FADP still does not specify the period within which the opinion of the FDPIC on the question of compliance with the licensing requirements under Art. 35 FADP can be expected. Such a deadline would have been welcome for planning security.
