FDPIC: New edition of the guide to TOMs

The FDPIC has published a new edition of its Guide to technical and organizational data security measures (dated January 15, 2024). The previous edition dates back to August 2015.

The guide is a “guide”, but it disclaims any legal authority:

This document is not a legal guide. Although it contains the most important provisions of the Data Protection Act, this is primarily for information purposes. The guide is not intended to explain, comment on or clarify these legal requirements. It is therefore not a basis for the application or interpretation of these rules.

The guide primarily concerns the obligations of private controllers, but it also addresses federal bodies. It begins with very brief statements and some recommendations on data protection issues, e.g. on processing principles, the record of processing activities, data subject rights, etc. The connection to data security is sometimes quite loose.

A second part is more technical and addresses topics such as pseudonymization or anonymization. Here you will also find recommendations on specific measures, such as securing the infrastructure, identification and authentication, encryption, backing up and deleting data, network security, etc.

In terms of content, most of the points do not give rise to any comments, with the possible exception of the following:

  • The principle of legality requires that processing “does not violate any legal provisions”; this is “not limited to the FADP, but encompasses the entirety of all legal norms (in particular criminal law such as Articles 138 et seq. and 179 et seq. of the Swiss Criminal Code)”. This is generally incorrect; the principle of legality can only be violated by breaches of norms that protect personal privacy (Helsana decision).
  • The FDPIC also briefly addresses the data protection impact assessment (DPIA). This is of course obvious, because the technical and organizational measures (TOMs) are one of the essential elements of a DPIA, and a DPIA is often the best format for bringing about a discussion between data protection and IT. However, the DPIA itself is not a (minimum) data security measure, and its omission cannot be punishable under Art. 8 para. 3 in conjunction with Art. 61 lit. c FADP (which the FDPIC does not say; regarding the minimum measures see also here).
  • It is to be welcomed that anonymization is considered successful if it cannot be reversed without disproportionate effort; the criterion here is identifiability. The same criteria therefore apply as for the question of personal reference in general. This is obvious, but it is often presented differently.
  • On logging (see in addition also here), the FDPIC states the following:
    • Separate logging for personal data and for information security is not expected. Redundancy is therefore not necessary.
    • The logging obligation applies exclusively to personal data in systems for automated data processing. For example, manual access to a text document containing personal information does not necessarily have to be logged in accordance with Article 4 GDPR. However, if a script is executed in the same document that deletes personal data, this must be logged.
    • Nevertheless, it must be noted that it may be in the interests of the controller to log these activities anyway, or not to allow the processing of certain personal data in documents that are not logged.
    • The term “generally publicly accessible” refers to data that is accessible without identification or that is accessible to a large number of people.