KGer VD: DSG 35 (data sec­re­cy); no spe­cial per­so­nal data in this case.

The Can­to­nal Court of Vaud had alre­a­dy ruled on Sep­tem­ber 10, 2021 (Swiss­lex) to deal with the que­sti­on of whe­ther the dis­clo­sure of purcha­sing data vio­la­tes data sec­re­cy under Art. 35 FADP. An employee of a retail­er had, in the con­text of civil pro­ce­e­dings under fami­ly law, on request Screen­shots released that show­ed cre­dit card purcha­ses (the­se screen­shots were appar­ent­ly used to pro­ve purcha­ses in case a cus­to­mer lost his rece­ipt). The facts of the case show that the request to the retail­er did not come from the cus­to­mer in que­sti­on, but from the other par­ty, pro­ba­b­ly the mother of their child­ren. The cus­to­mer had then Cri­mi­nal com­plaint for vio­la­ti­on of Art. 35 FADP submitted.

The public prosecutor’s office was of a nar­row scope of appli­ca­ti­on of Art. 35 DPA assu­med. This pro­vi­si­on pre­sup­po­ses that the per­pe­tra­tor lear­ned of the unaut­ho­ri­zed dis­clo­sure of par­ti­cu­lar­ly sen­si­ti­ve per­so­nal data or per­so­na­li­ty pro­files “in the exer­cise of his pro­fes­si­on, which requi­res know­ledge of such data.” Fol­lo­wing a view of Mei­er The prosecutor’s office held that examp­les of such pro­fes­si­ons were tho­se in Art. 321 StGB named pro­fes­si­onsbut in any case not a job in the cus­to­mer ser­vice depart­ment of a retailer.

The KGer does not address this point (and other courts have inter­pre­ted Art. 35 DSG more broad­ly), but the data dis­c­lo­sed here is neither par­ti­cu­lar­ly wort­hy of pro­tec­tion nor does it con­sti­tu­te a per­so­na­li­ty pro­fi­le. Moreo­ver, the address of the data sub­ject is not a secret data.

It fur­ther sta­tes that Art. 35 DPA does not speak of a “dis­clo­sure”, unli­ke Art. 321 SCC, but of a “dis­clo­sure”. It is the­r­e­fo­re suf­fi­ci­ent if the per­so­nal data coll­ec­ted are be dis­c­lo­sed, even if it does not come to know­ledge (cf. here to dis­clo­sure in the sen­se of pro­fes­sio­nal secrets as a crime of success):

Le tex­te alle­mand par­le quant à lui de ” Bekannt­ga­be ” (et non de ” Offen­ba­rung “, com­me à l’art. 321 CP), ce qui fait le lien avec la noti­on tech­ni­que de ” com­mu­ni­ca­ti­on “, défi­nie à l’art. 3 let. f LPD. Il y a donc révé­la­ti­on au regard de l’art. 35 LPD in the fact that rend­re les don­nées acce­s­si­bles à un tiers qui n’en avait pas con­nais­sance auparavant.

The court fur­ther sta­tes that dis­clo­sure pur­su­ant to Art. 35 FADP is only punis­ha­ble if it is “unaut­ho­ri­zed”, and thus if they are justi­fi­ed accor­ding to data pro­tec­tion stan­dards. is:

Le tex­te alle­mand par­le quant à lui de ” Bekannt­ga­be ” (et non de ” Offen­ba­rung “, com­me à l’art. 321 CP), ce qui fait le lien avec la noti­on tech­ni­que de ” com­mu­ni­ca­ti­on “, défi­nie à l’art. 3 let. f LPD. Il y a donc révé­la­ti­on au regard de l’art. 35 LPD dans le fait de rend­re les don­nées acce­s­si­bles à un tiers qui n’en avait pas con­nais­sance aupa­ra­vant. La révé­la­ti­on doit être illi­ci­te. Elle ne l’est pas lorsqu’il exi­ste un motif justi­fi­ca­tif (cf. art. 13 al. 1 LPD: con­sen­te­ment, inté­rêts prépon­dé­rants, loi): une com­mu­ni­ca­ti­on lici­te sous l’ang­le de la LPD ne sau­rait être sanc­tion­née pénalement.

It remains to be seen whe­ther the­se con­side­ra­ti­ons will also be valid under Art. 62 nDSG, but at least it would be cor­rect to con­ti­n­ue to cover only “unaut­ho­ri­zed” dis­clo­sures, i.e. dis­clo­sures that are not per­mis­si­ble under data pro­tec­tion law. If a dis­clo­sure is per­mis­si­ble under data pro­tec­tion law, even if it con­cerns secret per­so­nal data, the­re is in any case no duty rela­ti­on­ship who­se vio­la­ti­on is punis­ha­ble, and Art. 14 StGB also sta­tes that per­mis­si­ble actions are not punis­ha­ble. The­r­e­fo­re, punis­ha­bi­li­ty does not app­ly only in the case of cri­mi­nal law justi­fi­ca­ti­on, but abo­ve all in the case of data pro­tec­tion law justification.

Aut­ho­ri­ty

Area

Topics

Rela­ted articles

Sub­scri­be