Initial situation
The FDPIC has submitted the final report in the case of Postfinance, dated June 1, 2015. The report concerns services provided by Swiss Post under the name “PostFinance”. These include two PostFinance functions, “E‑Cockpit” and “Bicicletta”. E‑Cockpit assigns PostFinance customers’ transactions to categories to give customers a better overview of their spending behavior. The corresponding information is only made available to the customers themselves. Bicicletta goes further and, based on the E‑Cockpit data, calculates Affinities, i.e., the probability that a customer will purchase certain services. On this basis, targeted third-party advertising is displayed to the customer in the e‑finance portal. However, no personal data is made available to the third parties concerned. According to the FDPIC, these processes require justification because both the categorization in the context of E‑Cockpit and the evaluation in the context of Bicicletta are disproportionate10 and because Bicicletta violates the purpose limitation principle11 and the principle of data accuracy. The FDPIC then judges the personal data processed in Bicicletta to be personality profiles. Subsequently, the FDPIC examines whether effective consent was given.
Some of the FDPIC’s statements are questionable, some even untenable. S. on this Vasella, On the Voluntariness and Explicitness of Consent in Data Protection Law, Jusletter v. 16. November 2015..
Concept of personal data requiring special protection
Whether the qualified protection of personal data requiring special protection comes into play must therefore depend on the context in which the data are located or used. The FDPIC has determined that the categorized e‑cockpit data is available exclusively to individual private customers in their e‑finance area. PostFinance does not evaluate the data for its own or third party purposes. This shows that the data collected in e‑finance is not aggregated by PostFinance into personal data requiring special protection. Only the customer, and thus the data subject himself, could carry out such an evaluation and aggregation. For these reasons, it can be stated that PostFinance does not process any particularly sensitive personal data within the meaning of Art. 3 lit. c FADP with E‑Cockpit in its current form.
Concept of personality profile
Thus, it can be assumed that the totality of the amount, content, and retention over time of this data can constitute a substantial partial picture of a data subject. However, even if an essential partial image of the personality is assumed, the concrete context in which the data is used must ultimately be one of the deciding factors as to whether or not the qualified legal protection should come into play – as mentioned at the beginning. This is the case if the creation of a personality profile creates a risk for a data subject that he or she will no longer be able to present and develop himself or herself in society in the way that he or she considers appropriate. For the assessment of this aspect regarding E‑Cockpit, it is crucial that this data is exclusively available to the individual private customers who want to use E‑Cockpit in their e‑finance area. PostFinance does not use the data for a personal evaluation nor does it calculate affinities and the like. Nor is any data passed on to third parties. In this respect, there is no danger for the persons concerned that they will no longer be able to present themselves or develop themselves in society in the way they consider appropriate. In summary, due to the totality of the amount, content and time of storage of the data in E‑Cockpit, it can be assumed that a significant partial image of a data subject is created. However, as long as the data is used exclusively for the customers in connection with the functions of E‑Cockpit and the data is not further processed by PostFinance or third parties, in E‑Cockpit no personality profiles within the meaning of Art. 3 lit. d DSG.
[…]The insights gained through analyses using algorithms are used for marketing measures in connection with Bicicletta. This means that a search is made in the data of a customer concerned […] in order to assign him to an industry and to display targeted advertising offers in his e‑finance portal. These analyses and evaluations take place in the verbogen, they escape the awareness of the persons concerned, so that they cannot control their correctness and use to the full extent. Such systematic data processing can deprive the data subject of the freedom to present himself or herself as he or she wishes, especially if he or she knows that such profiles exist about him or her or are being created. If his transaction data is systematically analyzed for advertising offers for third parties and the data subject is schematized in an industry-specific manner, this can bring about changes in the thinking, actions and behavior of the data subject. And this can significantly impair the development of his personality. For these reasons, in connection with the use and analysis of the transaction data at Bicicletta, it must be assumed that there is a personality profile within the meaning of Art. 3 lit. d FADP.
Proportionality of data processing
[…]Thus, E‑Cockpit is suitable to complement the required purpose of e‑finance. It is questionable, however, whether E‑Cockpit also required is for a functioning e‑banking user interface. […] E‑Cockpit is now a fixed component for all private customers of e‑finance, which cannot be switched off. As mentioned, E‑Cockpit can also display transactions in e‑finance as a pie chart instead of the previous bar chart and offers an archiving and search tool. In addition, it allows private customers to define savings targets or budgets and set up alerts. The additional display format and the supplementary tools may be an important step towards modernizing e‑finance and desirable for many customers. The However, the historical development of e‑finance shows that E‑Cockpit is not absolutely necessary for a functioning e‑banking user interface. The fixed integration of E‑Cockpit in e‑finance without a waiver option is therefore not necessary within the meaning of Art. 4 (2) DPA.
Data correctness
[…] Art. 5 para. 1 DSG obliges PostFinance to ensure the accuracy of the personal data. In the case of Bicicletta, this is not possible in principle, as the calculated data are subject to a certain inaccuracy inherent is. These are probabilities as to whether or not an affected PostFinance customer belongs to a certain target group or industry. Although PostFinance has an interest in ensuring that the affected customers effectively belong to the calculated target group, a clarification within the meaning of Art. 5 para. 1 FADP is not possible. There is therefore a violation of Art. 5 para. 1 FADP.
Assessment of consent
Voluntariness
A withdrawal results in the customer no longer having electronic access to their PostFinance accounts. In this case, e‑finance customers will have to complete their payment orders by mail using a payment form or go to the post office counter. Against this backdrop, it should be noted that PostFinance has permanently expanded the electronic payment system in recent years, whereas the infrastructure for cash payment transactions has tended to be dismantled, as it is complex and expensive (see also dispatch on the Postal Act, para. 5.2.2, pp. 5204 – 5205). This development is likely to continue in the coming years. Furthermore, it should be noted that private customers of purely electronic accounts (such as the e‑savings account), which are only available via e‑finance, have no alternative to e‑finance to be able to manage these accounts. It follows that if the new e‑finance TNB is rejected, there are no reasonable alternative courses of action available to customers. By accepting the new TNB on e‑finance, customers will also be forced to accept data processing in connection with e‑cockpit. Since there is no waiver option for E‑Cockpit, there is no voluntariness within the meaning of Art. 4 (5) sentence 1 DPA. Consequently, there is no valid consent for E‑Cockpit within the meaning of Art. 4 (5) sentence 1 FADP..
Expressiveness
All other customers who had already accepted the TNB prior to 12 October 2014 did not have this option directly on the interim e‑finance page. The declaration was indeed also voluntary within the meaning of Art. 4 As. 5 Sentence 1 DPA, as the data subjects can subsequently opt out of Bicicletta at any time (“opt-out”; cf. para. 20 TNB e‑finance and above para. 5.5.3 of this final report with comments). As informed in the last sentence of para. 20 of the TNB on e‑finance, PostFinance assumes the consent of the private customer until the declaration of waiver by a person concerned. However, consent to data processing in connection with Bicicletta must not be implicit. The global acceptance of the new TNB on e‑finance is therefore not expressly accompanied by the consent of the data subjects to data processing in connection with Bicicletta. For customers who accepted the ABB in the form described before October 12, 2014, there is therefore no express consent within the meaning of Art. 4 (5) sentence 2 DPA.