The FDPIC has published a new version of its Guide to technical and organizational data security measures (dated January 15, 2024). The previous edition dates back to August 2015.
The guide is a "guide", but it disclaims any binding effect:
This document is not a legal guide. Although it contains the most important provisions of the Data Protection Act, this is primarily for information purposes. The guide is not intended to explain, comment on or clarify these legal requirements. It is therefore not a basis for the application or interpretation of these rules.
The guide primarily concerns the obligations of private controllers, but it also addresses federal bodies. Its first part contains very brief statements with some recommendations on data protection issues, e.g. on the processing principles, the record of processing activities, data subject rights, etc. The connection to data security is sometimes rather loose.
A second, more technical part addresses topics such as pseudonymization and anonymization. It also contains recommendations on specific measures, such as securing the infrastructure, identification and authentication, encryption, securing and deleting data, network security, etc.
In terms of content, most of the points do not call for comment, with the possible exception of the following:
- The principle of lawfulness requires that processing "does not violate any legal provisions"; according to the guide this is "not limited to the FADP, but encompasses the entirety of all legal norms (in particular criminal law such as Articles 138 et seq. and 179 et seq. of the Swiss Criminal Code)". Stated this generally, that is incorrect: the principle of lawfulness can only be violated by breaches of norms that protect personal privacy (Helsana decision).
- The FDPIC also briefly addresses the data protection impact assessment (DPIA). This makes sense, because the technical and organizational measures (TOMs) are one of the essential elements of a DPIA, and a DPIA is often the best format for bringing about a discussion between data protection and IT. However, the DPIA itself is not a (minimum) data security measure, and its omission cannot be penalized under Art. 8 para. 3 in conjunction with Art. 61 lit. c FADP (which the FDPIC does not claim; on the minimum measures see also here).
- It is to be welcomed that anonymization is considered successful when it cannot be reversed without disproportionate effort; the criterion is identifiability. The same criteria therefore apply as to the question of personal reference in general. This is obvious, but it is often presented differently.
- On logging (see also here), the FDPIC states the following:
- Separate logging of personal data and information security is not expected. Redundancy is therefore not necessary.
- The logging obligation applies exclusively to personal data in systems for automated data processing. For example, manual access to a text document containing personal data does not necessarily have to be logged under Art. 4 of the Data Protection Ordinance (DPO). However, if a script is executed in the same document that deletes personal data, this must be logged.
- Nevertheless, it may be in the controller's interest to log such activities anyway, or not to allow certain personal data to be processed in documents that are not logged.
- The term “generally publicly accessible” refers to data that is accessible without identification or that is accessible to a large number of people.