- The FDPIC has supplemented its website with updated information on the revised FADP, sample letters and a notification form for security breaches, but the content remains non-binding.
- The notification form contains mandatory fields that go beyond Art. 15 DPA; obligations to provide information arise only once an investigation is opened, and the form is not binding.
In preparation for the revised FADP, which will enter into force with the ordinance on September 1, 2023, the FDPIC has redesigned parts of its website. The existing, partly older – and unfortunately undated – information is still included, but there is also some new information on the revised FADP, e.g. on the obligation to provide information, the right to information, the criminal provisions, etc. The sensitive questions are rightly avoided.
As before, the statements are not binding and often not explicitly justified, e.g. the position that, under the general clause of the duty to inform, information must be provided about the duration of data processing, depending on the circumstances (which can usually be derived from the purpose of the processing). The sample letters were also updated, including the sample request for information (still with the request to confirm the correctness and completeness of the information, which the responsible person should not do).
The security breach notification form is now also online, together with explanatory notes. The latter should properly be supplemented by a note
- that the information provided cannot be used in criminal proceedings against persons employed by the reporting company, and
- that “whistleblowers” – for whom the form is also expressly designed – may only report if they are not employees of the company concerned or have already gone through the internal channels, and if they are not thereby in breach of contractual or other confidentiality obligations (which is likely often the case).
It should also be made clear that some of the questions designated as mandatory fields do not have to be answered because they go beyond the content of Art. 15 DPA (e.g. the field “Please describe what you know about the incident so far” or the question whether other authorities such as the police have already been informed). This is information that the FDPIC may ask for at any time, but there is no obligation to answer until the FDPIC has opened a corresponding investigation. The reporting company should also be aware that the FDPIC is subject to the Public Information Act and discloses information very liberally, even about security breaches (and that the media know how to use the instrument of the FPO very efficiently).
In any case, the use of the form is not mandatory; the person responsible can also make the notification in another form. The law does not stipulate any requirements in this regard.