- FDPIC criticizes Digitec Galaxus’ old privacy policy and recommends greater transparency on analysis tools used, purposes, profiling and legal remedies.
- FDPIC recommends the offer of a guest purchase as a proportionate measure; legally controversial due to transitional law, purpose and lack of FADP basis.
Today (April 17, 2024), the FDPIC published the final report in a fact-finding investigation into the Digitec Galaxus AG online store that has been ongoing since 2021 (Media release and Final report).
The subject of the clarification of the facts was questions relating to Digitec Galaxus’ (“Digitec”) privacy policy at the time – which has long been outdated – and the linking of customer orders with a customer account (keyword: guest purchase). Overall, the FDPIC is (very) strict – a certain trend that can also be observed elsewhere.
DisclaimerDigitec Galaxus was represented in the investigation by Walder Wyss (including the author of this article).
Digitec’s recommendations and position
The final report contains six recommendations. The first five mainly concern Digitec’s privacy policy at the time. The FDPIC recommends that:
- it is clearly recognizable for the data subjects which web analysis tools are used and which data processing results from this.
- it is clearly recognizable to the data subjects for which purposes which personal data is processed and that data processing takes place that leads to personality profiles.
- the declaration does not contain any data processing “on reserve” and only those data processing operations are listed that actually take place.
- the declaration provides differentiated and unambiguous information about which processing operations lead to violations of personality rights and the reasons Digitec Galaxus AG relies on to justify them.
- the declaration describes the correct deletion or objection option depending on the justification for the data processing and its practice with regard to deletion or objection requests is implemented correctly in this respect.
On the subject of guest purchases, the final report contains the following somewhat cryptic, but certainly deliberately ambiguous recommendation (emphasis added):
- 6. As far as the data processing operations examined as a result of linking with the mandatory requirement of a customer account violate the principle of proportionalitythey prove to be inadmissible. Digitec Galaxus AG is therefore adapting the processing in such a way that it will no longer interfere with users’ informational self-determination in future, than necessary for the proper execution of the processing and can be justified under data protection law with the private interests of those responsible. An obvious option The alternative offer of a data processing service for the proportionate organization of data processing is the Guest purchase represent.
Digitec has taken the following position on these recommendations (see final report):
- Recommendation 1: Pointless because your request has already been anticipated by the privacy policy updated in 2023.
- Recommendation 2Ditto; and the new law no longer recognizes personality profiles, so this point has been settled.
- Recommendation 3: Rejected.
- Recommendation 4: Rejected.
- Recommendation 5: Pointless because your request has already been anticipated by the privacy policy updated in 2023.
- Recommendation 6Accepted (as formulated).
Legal notes
General
The clarification of the facts was Transitional law under the old law (Art. 70 FADP). This is provided for in the FADP, but it is wrong. It means that all recommendations are based on the old law – it was still relevant for the FDPIC, but it is largely no longer applicable to Digitec. In other words, there is a discrepancy under transitional law between the law that is or was relevant in the clarification of the facts and the law to which the controller is subject. This transitional provision forces the FDPIC to consider the legal history, and the FDPIC must not assume that the legal situation is the same under the current law. Whether recommendations may be made at all in this situation is at least questionable, and the FDPIC can no longer enforce them before the FAC. It is also questionable whether the FDPIC’s recommendations are in line with the actual Subject of the clarification of the facts The FDPIC interprets the scope of the factual clarification very freely.
Recommendation 1: Web analysis tools
The FDPIC has recommended here that Digitec should make it clear which web analysis tools are used and what processing results from this.
The final report overlooks the fact that Art. 45c TCA a special regulation on the references to cookies and other technologies exists, which requires no more than that users are informed about the processing and its purpose and are informed of the possibility to object. It is not necessary to specify which tools are used. This provision is a lex specialis that has not been touched by the new DPA. The DPA can therefore no longer require this.
In any case, the question arises as to whether data protection law applies at all. The FDPIC assumed here that personal data is processed in connection with cookies. If there is a clear link between the data and a person, it “does not matter very much” how much effort is required for identification; there is always identifiability here. A clear reference will also be supported by a Non-speaking ID created.
However, the legal basis for this view remains unclear. The final report takes an absolute approach, stating that (only) pseudonymization exists if “there is still the possibility of re-identification of the data through extraction, linking and inference” (whatever that means).
In doing so, the FDPIC is probably talking to the Singularization the word. If this were to be followed, the consequences would be incalculable – data protection law would be far too broadly applicable (“law of everything”). However, it remains unclear whether the FDPIC really wants to go that far. Elsewhere, the FDPIC still requires – in line with the prevailing view and the (inter alia) Logistep case law – that a re-identification “without excessive effort” must be possible, and thus rightly contradicts the singularization thesis.
Ultimately, the legal considerations remain elusive, and the FDPIC is likely to have proceeded in a result-oriented manner here – he apparently does not want to release the area of ID-based online marketing from his competence. However, he would have been correct to must examine the specific effort required for identification and the interest in identification. Because the clarification of the facts failed to do so, the conclusion that personal data was being processed was unfounded in both legal and factual terms.
Recommendation 2: Data and purposes
Recommendation 2 recommends that it should be made clear for which purposes which personal data is processed and that data processing is carried out that leads to personality profiles. Digitec (voluntarily) anticipated this point more than a year ago with a new DSE.
However neither the transparency nor the duty to inform require an allocation of data and purposes. There is no sufficient basis for this in the materials, the case law or the relevant literature. The FDPIC argues here with general considerations on transparency – which can always justify anything – and with the view that the right to object can only be exercised effectively with sufficient transparency.
However, it remains unclear why the right to object should require the assignment of personal data to purposes and disclosures. For example, if a data subject wishes to object to processing for marketing purposes, they will not refrain from objecting because they are not aware of the exact scope of the processed data – if they do, an objection is more likely, not less likely, without an allocation.
Conceptually, the FDPIC’s consideration also disregards the fact that the FADP not only recognizes a right to object, but also a right to information. The duty to inform informs the data subject genericthe right to information more specific. This also speaks against such far-reaching transparency requirements.
Nevertheless, it has become common practice to create a certain link between data and purposes in data protection declarations (see also the Sample data protection declaration from DSAT). However, the Effort for the person responsible must be taken into account. The link therefore does not have to be so granular that the maintenance of the privacy policy becomes too complex, and in fact the FDPIC assumes in the final report that the linking of data and purposes in accordance with Digitec’s current privacy policy is legally compliant, i.e. meets the requirements of the FDPIC.
The FDPIC further assumes that the processing of Digitec Personality profiles arise. However, the FDPIC remains far too general here. It is recognized that the qualification of data as a personality profile also depends on whether its specific processing effectively leads to the particular risks that the personality profile addresses. Anyone who accumulates data but ultimately only identifies affinities or correlations is hardly processing a personality profile – the statement that buyer X has bought sneakers and therefore has a greater interest in T‑shirts is so banal that it is by no means a personality profile. Whether a lot or a little data is processed for this statement cannot be decisive, because it is a question of the specific use. The final report does not contain any clarifications or explanations in this regard.
Recommendation 3: Processing “in stock”
This recommendation recommends that no data processing “on reserve” should be mentioned in the privacy policy.
The final report assumes that data subjects trust that all the information in a privacy policy is correct and therefore generally expect that all the processing mentioned will actually take place. This is an assumption that is hardly accurate. At the very least, the expectations of the data subjects would have been Specific wording of the privacy policy dependent (there is a difference whether a privacy policy says “we process” or “we can process”).
Purpose of the duty to inform is ultimately to calibrate the expectations of the data subjects. Information about possible processing is not harmful, but rather helpful – the data subject then knows what to expect at the time they enter into a relationship with the controller and read the privacy policy – if at all – for the first and probably last time. This is always more data protection-friendly than a privacy policy that changes every two months.
Also the Literature is unanimously of the opinion that future or possible processing may be mentioned; providing information about possible future processing is even expressly recommended. Even the dispatch on the introduction of Art. 4 para. 4 aDSG assumed that information about possible processing may be provided. If data subjects then want more detailed information about possible processing, they have the right to object and the right to information.
Recommendation 4: Specification of justification reasons
The FDPIC recommends providing information here, which processing leads to violations of personality rights lead and which justifications be made use of. What the FDPIC bases this recommendation on remains completely unclear, and there is no apparent basis for this requirement. In any case, the literature does not require such information.
Interestingly, the old FADP required information on “the legal basis of the processing” as part of the right to information, and there was a view that this also meant an indication of the grounds for justification. However, the current regulation of the right to information no longer requires this. Even at the downstream level of the right to information, such an obligation was therefore deliberately not adopted, and it can certainly not exist in the context of the obligation to provide information or the principle of transparency, as both go less far than the obligation to provide information.
Also interesting: As part of the revision of the FADP, the FDPIC had suggested that information about the legal basis should be included in the duty to inform. This was not implemented. If the FDPIC now reintroduces this requirement via the principle of transparency, this simply contradicts the will of the legislator.
Recommendation 5: Specification of deletion and objection options
According to this recommendation, the privacy policy should describe the correct deletion or objection option depending on the justification. However, a data controller is not obliged to provide information about erasure or objection options, even if many data controllers do so. These rights – insofar as they exist – arise from the law, and this is generally assumed to be known. Furthermore, the FADP does not contain a simplification requirement for data subject rights such as the GDPR. Digitec has nevertheless included statements on the rights to erasure and objection in its current privacy policy.
Recommendation 6: Guest purchasing
This recommendation is rather vague and certainly unsuitable for a legal request or a ruling. Although the FDPIC speaks of a guest purchase, he does not require it, but merely mentions it as an alternative. He thus allows a connection between the order and the account. The account requirement is thus recognized as fundamentally permissible in Switzerland.
Even if the latter is welcome: this recommendation suffers from a conceptual deficiency. The Processing purpose determined by the controller and not data protection law.
In contrast, the final report assumes that DG is primarily a provider of goods for sale, which makes the customer account appear to be a foreign body. Thus the FDPIC assumes a processing purposeand data protection law never specifies this. This was confirmed by the Federal Administrative Court in its Judgment in favor of Helsana expressly stated:
Moreover, from a systematic point of view, the Data Protection Act does not in principle specify the purposes for which personal data may or may not be processed.
Data protection law only requires the controller to adhere to its (self-imposed) processing purposes. Digitec is still allowed to design its own offeringand if it does not see this as a one-off purchase, but – for good reasons – as a platform offering with a community character, it is of course free to do so. The FDPIC is interfering with this purpose. In doing so, however, it is arrogating to itself powers of economic policing that are not provided for in data protection law and to which it is not entitled.
However, even if the purpose of processing were to be subject to an assessment under data protection law, the FDPIC’s position would be unfounded. In the private sector, at least all those purposes are proportionate that also require a reasonable data processor would pursue. In any case, it would also have to be taken into account that a provider is in international competition and that a large number of online providers operating in Switzerland also require a customer account – the FDPIC cannot assume that they are all acting unreasonably. It is also not clear to what extent the interests of customers require a guest purchase, especially as the account facilitates the assertion of warranty claims and the tracking and allocation of purchases and customers can delete their account at any time.
Especially the Opt-out optioni.e. the possibility of objection or deletion, is relevant here. This is also important when it comes to the voluntary nature of consent, as the FDPIC pointed out in the former Final report on PostFinance (2015) itself has stated: If consent becomes voluntary ex post, so to speak, through an opt-out option, processing must be proportionate a fortiori if data subjects can subsequently free themselves from it. This is probably also the reason why the FDPIC generally permits the account requirement.
Moreover, there is no other basis in the DPA for requiring a guest purchase. The principle of Privacy by Default does not provide this, despite indications to the contrary in the message. The principle of privacy by default is in the context of free purpose setting. It does not restrict this and therefore does not require the user to be offered setting options; the literature is unanimous on this.
If the application area of the GDPR a guest purchase is required in some places, this cannot mean anything for the DPA. The discussion there is primarily about consent and the prohibition of tying. This cannot be adopted conceptually. The GDPR requires a legal basis for all processing, and often consent. A certain prohibition of tying applies. The EDPB therefore interprets the legal basis of the contract narrowly so that consent requirements are not undermined by contract design. In contrast, the FADP does not require a legal basis or consent to be secured accordingly and has not adopted the GDPR’s prohibition of tying.