The FDPIC has published its 26th Activity Report (2018/2019), as always divided into three parts: (1) data protection, (2) publicity principle and (3) FDPIC.
From the point of view of companies, the FDPIC makes the following comments:
- According to the FDPIC, the first Swiss companies that process data of persons in the EEA are affected by local proceedings.
- The cost of inspections at companies fell in 2018. It is now back at the level of 2016/17, but still below the average for previous periods.
- The European Commission is currently examining the adequacy of Swiss data protection law. A report is expected in May 2020.
- The planned extension of the automatic exchange of information on financial accounts (AIA) is “problematic” because all 18 additional partner states lack an adequate level of data protection. That is putting it delicately: if one compares the brief references to the recipients' data protection law in the messages on the extensions of the AEOI network with the requirements for adequacy under Art. 6 FDPA or the GDPR, the procedure of the “new” process is a blatant contradiction in terms. The FDPIC's proceedings against the Federal Tax Administration (FTA) in connection with the AIA (lack of information for persons affected) are still pending before the Federal Administrative Court.
- The activity report comments, among other things, on the following formal and informal clarifications of the FDPIC:
  - Swiss: regarding retrieval of booking data via the website;
  - Central Office for Credit Information (ZEK): issuance of a recommendation concerning the retention of credit applications and card applications denied for reasons unrelated to creditworthiness; accepted by the ZEK; for the rest, the FDPIC identified no data privacy violations.
  - Swisscom: The FDPIC's examination of the measures following the data theft in December 2017 was completed without formal action.
  - EOS: After a data theft at EOS Switzerland, the FDPIC opened a fact-finding investigation. After EOS replaced the system concerned, the procedure was closed without recommendation.
  - Tamedia: The FDPIC opened proceedings in 2017 to examine whether the consent contained in Ricardo.ch’s new privacy policy was effective. The audit of the consent granted in connection with the GDPR-revised privacy policy is still in progress.
- In the Helsana+ judgment, the BVGer stated that data processing is only unlawful within the meaning of the FDPA if it violates a norm that at least also aims at the protection of personality. The FDPIC interprets this decision as follows: “With this, the Federal Administrative Court imposes on the FDPIC a certain restraint in the dynamic interpretation of the FDPA of 1992 with regard to digital applications”. However, the BVGer’s considerations are not limited to digital applications. And further, “The ruling thus reveals the limits of the aging law.” Neither party, Helsana nor the FDPIC, has appealed the judgment.
- Consent of employees to the outsourcing of personnel data abroad is “generally not necessary and would also not be valid”. What is necessary, however, is that employees are comprehensively informed. This is correct and at the same time makes clear that, contrary to other statements of the FDPIC, no consent is required in principle even in the case of processing of personal data requiring special protection and personality profiles, which are frequently affected by outsourcing.