The Cantonal Court of Vaud had already ruled on September 10, 2021 (Swisslex) to deal with the question of whether the disclosure of purchasing data violates data secrecy under Art. 35 FADP. An employee of a retailer had, in the context of civil proceedings under family law, on request Screenshots released that showed credit card purchases (these screenshots were apparently used to prove purchases in case a customer lost his receipt). The facts of the case show that the request to the retailer did not come from the customer in question, but from the other party, probably the mother of their children. The customer had then Criminal complaint for violation of Art. 35 FADP submitted.
The public prosecutor’s office was of a narrow scope of application of Art. 35 DPA assumed. This provision presupposes that the perpetrator learned of the unauthorized disclosure of particularly sensitive personal data or personality profiles “in the exercise of his profession, which requires knowledge of such data.” Following a view of Meier The prosecutor’s office held that examples of such professions were those in Art. 321 StGB named professionsbut in any case not a job in the customer service department of a retailer.
The KGer does not address this point (and other courts have interpreted Art. 35 DSG more broadly), but the data disclosed here is neither particularly worthy of protection nor does it constitute a personality profile. Moreover, the address of the data subject is not a secret data.
It further states that Art. 35 DPA does not speak of a “disclosure”, unlike Art. 321 SCC, but of a “disclosure”. It is therefore sufficient if the personal data collected are be disclosed, even if it does not come to knowledge (cf. here to disclosure in the sense of professional secrets as a crime of success):
Le texte allemand parle quant à lui de ” Bekanntgabe ” (et non de ” Offenbarung “, comme à l’art. 321 CP), ce qui fait le lien avec la notion technique de ” communication “, définie à l’art. 3 let. f LPD. Il y a donc révélation au regard de l’art. 35 LPD in the fact that rendre les données accessibles à un tiers qui n’en avait pas connaissance auparavant.
The court further states that disclosure pursuant to Art. 35 FADP is only punishable if it is “unauthorized”, and thus if they are justified according to data protection standards. is:
Le texte allemand parle quant à lui de ” Bekanntgabe ” (et non de ” Offenbarung “, comme à l’art. 321 CP), ce qui fait le lien avec la notion technique de ” communication “, définie à l’art. 3 let. f LPD. Il y a donc révélation au regard de l’art. 35 LPD dans le fait de rendre les données accessibles à un tiers qui n’en avait pas connaissance auparavant. La révélation doit être illicite. Elle ne l’est pas lorsqu’il existe un motif justificatif (cf. art. 13 al. 1 LPD: consentement, intérêts prépondérants, loi): une communication licite sous l’angle de la LPD ne saurait être sanctionnée pénalement.
It remains to be seen whether these considerations will also be valid under Art. 62 nDSG, but at least it would be correct to continue to cover only “unauthorized” disclosures, i.e. disclosures that are not permissible under data protection law. If a disclosure is permissible under data protection law, even if it concerns secret personal data, there is in any case no duty relationship whose violation is punishable, and Art. 14 StGB also states that permissible actions are not punishable. Therefore, punishability does not apply only in the case of criminal law justification, but above all in the case of data protection law justification.