Inter­pel­la­ti­on Grin (09.4022): Secu­ri­ty risks asso­cia­ted with tele­pho­ne data hand­led abroad

Inter­pel­la­ti­on Grin (09.4022): Secu­ri­ty risks asso­cia­ted with tele­pho­ne data hand­led abroad
Done (19.03.2010)

Sub­mit­ted text

Sin­ce cer­tain risks emana­te from Paki­stan, I put the fol­lo­wing que­sti­ons to the Fede­ral Council:

1. is infor­ma­ti­on encrypt­ed befo­re it is sent to third count­ries so that it is not pos­si­ble to link peo­p­le and data?

2. is data pro­tec­tion gua­ran­teed by the tele­pho­ne com­pa­nies? If so, how?

3. if unaut­ho­ri­zed per­sons could gain access to CRM data: What infor­ma­ti­on could they extra­ct from it?


Tele­pho­ne com­pa­nies have their CRM (Cus­to­mer Rela­ti­on­ship Manage­ment) data pro­ce­s­sed abroad. CRM is defi­ned as “a pro­cess for hand­ling all data used to iden­ti­fy cus­to­mers, crea­te data­ba­ses of infor­ma­ti­on about cus­to­mers, deve­lop cus­to­mer rela­ti­on­ships and impro­ve the com­pa­ny and pro­duct image among cus­to­mers”. CRM data is used to defi­ne the needs of cus­to­mers and to be able to make them cus­to­mi­zed offers. Swis­s­com, for exam­p­le, has its data pro­ce­s­sed in Pakistan.


h1>Statement of the Fede­ral Council



The pre­sent inter­pel­la­ti­on gene­ral­ly deals with the pro­ce­s­sing of “tele­pho­ne data”. Howe­ver, the expl­ana­to­ry state­ment men­ti­ons Swis­s­com by name, which has its CRM data pro­ce­s­sed in Paki­stan. Upon request, Swis­s­com coun­ters that it does not pro­cess any CRM data in Paki­stan. Only main­ten­an­ce work on a spe­ci­fic appli­ca­ti­on is curr­ent­ly still being car­ri­ed out in Paki­stan, but this work is expec­ted to be taken over exclu­si­ve­ly by Swis­s­com again in the cour­se of this year.

The fol­lo­wing ans­wers to the que­sti­ons in the inter­pel­la­ti­on are based on infor­ma­ti­on from the four lar­gest tele­com­mu­ni­ca­ti­ons com­pa­nies in Switz­er­land, which tog­e­ther ser­ve up to 97 per­cent of Swiss cus­to­mers, depen­ding on the sec­tor. This shows that the­se com­pa­nies are beha­ving in com­pli­ance with the law. The Fede­ral Coun­cil has no indi­ca­ti­on that other tele­com­mu­ni­ca­ti­ons ser­vice pro­vi­ders do not also com­ply with the rele­vant data pro­tec­tion regulations.

1 Befo­re per­so­nal data is trans­fer­red abroad, orga­nizatio­nal and tech­ni­cal mea­su­res are taken to ensu­re com­pli­ance with the Data Pro­tec­tion Act of 19 June 1992 (DPA; SR 235.1). In par­ti­cu­lar, the data is encrypt­ed and authen­ti­ca­ted so that the secu­ri­ty of the data trans­mis­si­on can be gua­ran­teed. Depen­ding on the appli­ca­ti­on, the con­tents of the data are also anony­mi­zed. Howe­ver, anony­mizati­on is not always pos­si­ble, e.g. if name and address are requi­red for pro­ce­s­sing. Fur­ther­mo­re, data pro­tec­tion con­tracts are con­clu­ded and orga­nizatio­nal mea­su­res are taken, such as rest­ric­ting access to the data and regu­lar checks.

2 For the dis­clo­sure of per­so­nal data to reci­pi­en­ts abroad, the owners of data coll­ec­tions, i.e. also the tele­com­mu­ni­ca­ti­ons ser­vice pro­vi­ders, must com­ply in par­ti­cu­lar with Artic­le 6 FADP. Accor­din­gly, the dis­clo­sure of data abroad is only per­mit­ted if the data pro­tec­tion legis­la­ti­on the­re gua­ran­tees ade­qua­te pro­tec­tion. The Fede­ral Data Pro­tec­tion and Infor­ma­ti­on Com­mis­sio­ner (FDPIC) main­ta­ins a public list of count­ries that gua­ran­tee this protection.

Howe­ver, the dis­clo­sure of per­so­nal data to reci­pi­en­ts in count­ries wit­hout ade­qua­te pro­tec­tion is only per­mit­ted in cer­tain cases. For exam­p­le, dis­clo­sure is per­mit­ted if a con­tract with the reci­pi­ent of the data abroad ensu­res ade­qua­te pro­tec­tion. Dis­clo­sure is also per­mit­ted if it takes place bet­ween com­pa­nies that are sub­ject to uni­form manage­ment and the par­ties invol­ved are sub­ject to data pro­tec­tion rules that ensu­re ade­qua­te protection.

Traf­fic and bil­ling data are sent eit­her only to count­ries that gua­ran­tee ade­qua­te data pro­tec­tion accor­ding to the Edöb list, or only to for­eign com­pa­nies with which con­tracts exist that gua­ran­tee data pro­tec­tion. Howe­ver, if cus­to­mers make calls in count­ries that are not secu­re, traf­fic data will of cour­se also be gene­ra­ted there.

3. should unaut­ho­ri­zed per­sons abroad gain access to per­so­nal data, they would not be able to extra­ct more infor­ma­ti­on from it than was trans­mit­ted from Switz­er­land to the for­eign coun­try. Depen­ding on the pro­ce­s­sing order, this could include the fol­lo­wing data: Tele­pho­ne num­bers, names, addres­ses, bil­ling data, tele­pho­ny beha­vi­or, infor­ma­ti­on about ser­vices used via the Inter­net. Howe­ver, it can­not be ruled out that the abo­ve-men­tio­ned data from tele­com­mu­ni­ca­ti­ons ser­vices will be com­bi­ned with data from other ser­vice pro­vi­ders, e.g. cre­dit card tran­sac­tions, Inter­net ser­vices for infor­ma­ti­on sear­ches, e‑mail or chat ser­vices. Cus­to­mers should the­r­e­fo­re choo­se a ser­vice pro­vi­der with the hig­hest pos­si­ble level of data pro­tec­tion for all sen­si­ti­ve data.




Rela­ted articles