FDPIC: Acti­vi­ty report 2018/2019 published

The FDPIC has its 26^th Acti­vi­ty Report (2018 / 2019) published, as always divi­ded into three parts, (1) data pro­tec­tion, (2) publi­ci­ty prin­ci­ple and (3) FDPIC.

From the point of view of the com­pa­nies, the fol­lo­wing comm­ents of the FDPIC:

• Accor­ding to infor­ma­ti­on from the FDPIC are first Swiss com­pa­ny, the data of per­sons in the EEA edit affec­ted by local pro­ce­du­res.
• The cost of inspec­tions at com­pa­nies fell in 2018. It is now back at the level of 2016/17, but still below the avera­ge for pre­vious periods.
• The Euro­pean Com­mis­si­on is curr­ent­ly exami­ning the Ade­qua­cy of Swiss data pro­tec­tion law. A report is expec­ted in May 2020.
• The plan­ned Exten­si­on of the auto­ma­tic exch­an­ge of infor­ma­ti­on on finan­cial accounts (AIA) is “pro­ble­ma­tic” becau­se all of the 18 addi­tio­nal part­ner sta­tes do not have an ade­qua­te level of data pro­tec­tion. That is put­ting it deli­ca­te­ly – if one com­pa­res the brief refe­ren­ces in the mes­sa­ges on the exten­si­ons of the AEOI net­work to the data pro­tec­tion law of the reci­pi­en­ts with the requi­re­ments for ade­qua­cy under Art. 6 FDPA or also the GDPR The pro­ce­du­re of the “new” pro­cess is a bla­tant con­tra­dic­tion in terms. The pro­ce­du­re of the FDPIC against the Fede­ral Tax Admi­ni­stra­ti­on (FTA) in con­nec­tion with the AIA (lack of infor­ma­ti­on for per­sons affec­ted) is still pen­ding befo­re the Fede­ral Admi­ni­stra­ti­ve Court.
• The acti­vi­ty report comm­ents, among other things, on the fol­lo­wing for­mal and infor­mal Cla­ri­fi­ca­ti­ons of the FDPIC:
  • Swiss regar­ding retrie­val of boo­king data via the website;
  • Cen­tral Office for Cre­dit Infor­ma­ti­on (ZEK): Issu­an­ce of a recom­men­da­ti­on con­cer­ning the reten­ti­on of cre­dit appli­ca­ti­ons and card appli­ca­ti­ons denied for rea­sons unre­la­ted to cre­dit­wort­hi­ness; of the ZEK accept­ed; for the rest, the FDPIC no data pri­va­cy vio­la­ti­ons were identified.
  • Swis­s­com: The stu­dy of the FDPIC of the mea­su­res fol­lo­wing the data theft in Decem­ber 2017 was com­ple­ted wit­hout for­mal action.
  • EOS: After a data theft at EOS Switz­er­land had the FDPIC ope­ned a fact-fin­ding inve­sti­ga­ti­on. After EOS repla­ced the system con­cer­ned, the pro­ce­du­re was clo­sed wit­hout recommendation.
  • Tame­dia: The FDPIC ope­ned pro­ce­e­dings in 2017 to exami­ne whe­ther the con­sent con­tai­ned in Ricardo.ch’s new pri­va­cy poli­cy was effec­ti­ve. The audit of the con­sent gran­ted in con­nec­tion with the GDPR revi­sed pri­va­cy poli­cy is still in progress.
• At Hels­a­na+ judgment the BVGer has sta­tedthat data pro­ce­s­sing is only unlawful within the mea­ning of the FDPA is, if it vio­la­tes a norm, which at least also aims at the pro­tec­tion of per­so­na­li­ty. The FDPIC inter­prets this decis­i­on as fol­lows: “With this, the Fede­ral Admi­ni­stra­ti­ve Court impo­ses on the FDPIC a cer­tain restraint in the dyna­mic inter­pre­ta­ti­on of the FDPA of 1992 with regard to digi­tal appli­ca­ti­ons”. Howe­ver, the BVGer’s con­side­ra­ti­ons are not limi­t­ed to digi­tal appli­ca­ti­ons. And fur­ther, “The ruling thus reve­als the limits of the aging law.” Both par­ties, Hels­a­na and the FDPIC, have not appea­led the judgment.
• Con­sent of employees to the Out­sour­cing of per­son­nel data abroad is “gene­ral­ly not neces­sa­ry and would also not be valid”. What is neces­sa­ry, howe­ver, is the com­pre­hen­si­ve infor­ma­ti­on of the employees. – This is cor­rect and at the same time makes clear that con­tra­ry to other state­ments of the FDPIC even in the case of pro­ce­s­sing of per­so­nal data requi­ring spe­cial pro­tec­tion and per­so­na­li­ty pro­files – which are fre­quent­ly affec­ted by out­sour­cing – no con­sent is requi­red in principle.