The FDPIC has published its final report in the matter of Once Dating, adopted on May 17, 2023, together with recommendations. The investigation was apparently triggered by reports from users that data could not be deleted from Once.
The subject of the clarification was primarily transparency, which the FDPIC understandably felt was only inadequately ensured. The following statements by the FDPIC, which go beyond the specific case, are particularly noteworthy:
- The mere indication that a person has an account with Once is, according to the FDPIC, data about the intimate sphere and thus a personal datum requiring special protection. One can see it that way, but it is not self-evident. If one starts from the sphere theory, which underlies the category of data about the intimate sphere, one has to distinguish between the public sphere, the private sphere and the intimate sphere. The intimate sphere is to be understood in the sense of the French “sphère intime” or the Italian “sfera intima”; it includes data that a person communicates only to a select few and that are of great emotional importance to him. The intimate sphere includes more than sexual life, but does not extend, for example, to financial circumstances (Message 1988). If one reads the Message, a narrower concept suggests itself. At the very least, it is doubtful whether a statement about membership in a dating app – certainly no longer a rarity – is really more sensitive than, for example, information about salary. Unfortunately, the final report contains no discussion of this question.
- The data held by Once (name, picture(s), age, location and sexual orientation) together represent a personality profile, because Once wants to assess whether two people fit together. This is plausible, because according to case law data tend to form a personality profile if they are used accordingly; so what matters is not only the abstract informational value of the data, but the concrete risk of corresponding conclusions, depending on the context of use. This stance corresponds to the risk-based approach and should be maintained in Switzerland – contrary to a trend in the EU – also for personal data requiring special protection.
- Some of Once's service providers, such as Facebook, Google, Sendgrid, Looker, Vonage and Paypal, also process data for their own purposes (Once had not designated this information as a trade secret). According to the FDPIC, the term “service provider of Once” is not appropriate for these categories of data recipients, because recipients who process personal data on their own responsibility are third parties and not “pure service providers or contractors”. From this it can be concluded that the FDPIC equates the term service provider with that of processor and assumes that data subjects do the same. There is no basis for this. Banks, insurers and lawyers are also indisputably service providers, but just as indisputably not processors. And it should be just as clear that a data subject does not equate a service provider with a processor, because he does not even know the term unless he happens to be a data protection lawyer. It is of course correct, permissible and sufficient to refer to service providers as “service providers” in a privacy policy. Whether they legally qualify as processors or controllers is irrelevant: the FADP requires neither specific terminology nor a legal qualification, but simply the specification of the categories of recipients. Often enough, even with all due care, it is not entirely clear whether a service provider is a processor (and the FDPIC will hardly want to settle this qualification as a preliminary question when reviewing privacy policies). And if a service provider is a controller, it has its own duty to provide information anyway – the necessary transparency must therefore be established by the service provider, not by its customer.
- The duty to provide information pursuant to Art. 19 nDSG also includes information about the safeguards for data transfers abroad. However, according to the FDPIC, a general statement on the use of standard contractual clauses or other “appropriate safeguards” is not sufficient.
- Why? Art. 19(4) nDSG speaks of a communication about “where applicable, the safeguards under Article 16(2) or the application of an exception under Article 17”. Why is it not sufficient to point out that the controller usually works with the standard contractual clauses? This casual assertion remains unsubstantiated, and this in an area where criminal liability is potentially at stake (although one may wonder whether a false indication or omission of the recipient states or the safeguards can really be punishable, given that Art. 60(1)(a) nDSG refers to Art. 19 as a whole, but Art. 60(1)(b) explicitly refers only to Art. 19(1) and (2) and not also to (4)). In any case, the fact is that Art. 19 nDSG says nothing further about information on the safeguards, and at least in the area of possible criminal liability, the FDPIC's interpretation cannot be followed.
- It also remains open whether a requirement for further information on the safeguards – if there is one – would really have to be located within the duty to inform or rather within the general principle of transparency; the FDPIC does not address this either.
- In this context, the FDPIC additionally refers to a passage in the standard contractual clauses, recital 4:
In this context, we would like to point out that the obligation to provide information pursuant to Art. 19 nDSG also includes information about the safeguards used for data transfers abroad and that a general statement about the use of standard contractual clauses or other “appropriate safeguards” is not sufficient to fulfill it. According to recital 4 of the new European standard contractual clauses, “this information must include a reference to the appropriate safeguards and how a copy of them can be obtained or where they are available.”
The FDPIC overlooks two things here: First, recital 4 of the clauses refers to Art. 13(1)(f) GDPR, which explicitly provides for such information – but Art. 19(4) nDSG does not, which is why the reference to the standard contractual clauses is wrong or at least irrelevant. Second, the standard contractual clauses explicitly address the issue in clause 8.2(c) (in the case of Module 1):
The parties shall provide the person concerned with a copy of these clauses upon request, including the annex completed by them, free of charge. […]
However, the standard contractual clauses do not provide that a privacy policy must inform about this option. Under the nDSG, the controller therefore clearly does not have to state whether or where the standard clauses can be obtained (even if many privacy policies contain a corresponding link).
- The FDPIC is of the opinion that data processing is unlawful if a processor is involved with whom the requirements of Art. 10a FADP are not met. However, this statement is only made obiter (in a sense, a final report is always obiter anyway, since it does not become legally binding), because the examination of processing on behalf of the controller was not the subject of the clarifications. This incidental statement by the FDPIC nevertheless touches on an issue that has received little clarification: if a controller works with a service provider who would in itself be a processor, but with whom no corresponding agreement exists, is that service provider a processor without a contract or a controller? Art. 61 lit. b nDSG seems to assume the more serious alternative, if it can be punishable to involve a processor in violation of Art. 9 para. 1 nDSG, but this is not entirely clear. It would be correct in itself, but raises a follow-up question: if the controller delegates data processing to a service provider who is actually a processor, but treats this the same as disclosure to a third party (i.e. waives the processor privilege), is it not disclosure to a third party? In any case, there is nothing to be said against such an assessment from a protection perspective.
- As with the information on disclosure abroad, the FDPIC also adopts the GDPR, without saying so, for the revocation of consent:
In view of the sensitivity of the data processed on the Once app, as well as the fact that, according to the privacy policy and the information provided by Once Dating AG in this factual clarification, the data are processed based on the consent of the data subject, it is essential that users of the Once app are clearly informed of their deletion options and can demand the immediate deletion of their personal data or profile at any time. Based on the principle of good faith, every user should be able to demand this in a simple manner. That is, it should be no more difficult to withdraw consent and request deletion of one’s data than it is to give consent and create an account with Once Dating Ltd. […]
What complicates the matter here is the fact that Once apparently obtained consent for the data processing, even though this was hardly necessary. Probably for this reason, the FDPIC links the possibility of deletion – a main issue of the clarification – with the question of consent and its revocation. In itself, the statement that consent must be as easy to revoke as to give has no basis in Swiss law. The GDPR requires this in Art. 7(3), but the nDSG has no corresponding provision. Consent must be voluntary, and it would not be if it could not be revoked in a reasonable manner, but it cannot be concluded from this that revocation must be as easy as giving consent. Again, the FDPIC does not justify its view with a single word.
There are other passages that raise questions, such as the comments on data accuracy and proportionality in the case of inactive users. Overall, it is regrettable that the FDPIC – shortly before the entry into force of the nDSG, where uncertainties are great – does not substantiate its legal assessments at all. If it does not want to resolve legal uncertainties, that is one thing; a certain restraint on the part of the regulator – if one wants to call the FDPIC that – has some merit, but that restraint should then not only be reflected in providing hardly any guidance for practice, but also in the final reports.