- On March 4, 2025, the Zurich District Attorney’s Office issued a penalty order against a corporate lawyer of the TX Group for allegedly providing incomplete information.
- TX had provided two data records; attorney Steiger objected to the information as obviously incomplete and filed a criminal complaint.
- Criminal liability requires intentional misrepresentation; it is questionable whether the company lawyer acted with intent or only negligently.
- Criticism: Penalty order emphasizes individual responsibility instead of corporate responsibility and could have a negative impact on data protection practice.
Lawyer colleague Martin Steiger wrote on his blog about a more Penalty order for violation of the right to information reports. The penalty order is based on a request for information and a criminal complaint by Mr. Steiger himself. It is with RA Steiger and here as PDF to find.
The following facts apply:
- The penalty order was issued by the Zurich district governor’s office on March 4, 2025. It is apparently not legally binding.
- Mr. Steiger had requested information from TX Group AG as to whether data about him was being processed.
- TX had responded via a “corporate lawyer at TX Group AG” who “specializes in data protection, among other things”. Tamedia had located two data records, and 20 Minuten had not found any data records in the system with the information provided by Attorney Steiger. In a further exchange, Mr. Steiger said that the information was “obviously incomplete”. Subsequently, the company lawyer asked for specifics as to where Mr. Steiger had provided this data and mentioned that there were also newspaper articles naming Mr. Steiger. Mr. Steiger replied, among other things, that he had been in contact with 20 Minuten for years. TX then invoked the media privilege under Art. 27 FADP.
- Obviously, Mr. Steiger then filed a criminal complaint (only the injured party is entitled to file a complaint).
- The Office of the Public Prosecutor ordered the company lawyer to pay a fine of CHF 600 and procedural costs of CHF 430.
- It justified the penalty order as follows:
In an email dated December 1, 2023, the defendant replied that the editorial team of 20 Minuten was relying on its right of refusal under Art. 27 para. 1 and para. 2 FADP for all processing operations relating to journalism. This would also include the communication content and notes requested by the complainant, insofar as they were not already covered by Art. 2 para. 2 lit. a FADP. The defendant thus admitted that “20 Minuten” had access to the complainant’s data.
Since the defendant, as the person responsible for TX Group AG, gave the impression that no data could be found in “20 Minuten” by stating that it was complete, even though further data relating to the complainant was available, the defendant knowingly and intentionally provided incorrect or incomplete information, thereby committing an intentional violation of Art. 60 para. 1 lit. a FADP. The accused must be punished for the infringement committed.
The poor justification and the criminal complaint raise questions.
False appearance of completeness?
In the objective offense, a penalty under Art. 60 para. 1 lit. a in conjunction with Art. 25 FADP requires that the information is misleading. Art. 25 FADP presupposes that the information is misleading. This may be the case if part of the information is false or if it creates a false impression. This also includes the case that a actually incomplete information appears to be complete.
In contrast, the following in particular are not punishable:
- Inactivity (no response at all, disproportionate extension of the response deadline);
- Total refusal with or without justification (“we won’t talk to you”, “the DPA is not applicable”, “exception XY applies”, etc.);
- incomplete information, unless the false impression is created that the information is complete. This is also the case with the embassy:
Paragraph 1 letter a) covers the intentional provision of false information, but also the intentional provision of incomplete information while giving the impression that the information is complete.
Criminal liability therefore presupposes that the incomplete information is at all suitable for creating the impression of completeness:
- An unrestricted declaration of completeness is harmful. Of course, this is not advisable, and there is no entitlement to such a declaration (even if the Model request for information from the FDPIC requested).
- If a controller does not search in all systems because it assumes that the data subject is only interested in certain data, it should therefore disclose that it has limited its search efforts. In this case, a violation of the right to information relevant under criminal law cannot be considered. It depends on the circumstances and specific wording.
- In this case, TX had not submitted a declaration of completeness. Rather, TX said that it had “been able to find two data records in the system”. This indicates that the internal search for data was carried out by RA Steiger with limited effort and at least suggests that further data may be available (which is why we have chosen this form of response). recommend in our sample answer). However one assesses this circumstance, it is difficult to understand why the governor’s office did not at least check whether the information provided by TX could give the impression of completeness under these circumstances.
The question also arises as to what applies if information in itself is likely to give the false impression of completeness, but this impression does not actually arise because the addressee – for whatever reason – knows or assumes that the information is complete.immtthat the information is actually incomplete.
This is the present constellation. RA Steiger stated to TX that the information was “obvious incomplete”. He may have been angry about this, perhaps not unjustifiably, but the anger proves that there was no mistake.
As far as can be seen, literature and case law have not dealt with the question of whether a concrete misleading effect is required. However, the objective offense can only be completed here if the risk of misleading is understood as an abstract endangering offense, i.e. the abstract risk of a false impression is sufficient.
You hardly can:
- If an abstract risk of misleading information does not manifest itself in a specific case, the person concerned can take civil action. However, criminal liability should not apply where the person concerned can take civil action. The message with a generalizable remark:
However, a private individual who claims that he or she is not obliged to provide information on the basis of Article 18 or 25 is not liable to prosecution. In such a case, the data subject knows that data processing is taking place. They are therefore in a position to assert their rights and initiate civil proceedings in which it can be decided whether the refusal or restriction of the right to information or the obligation to provide information is justified. Paragraph 2 adopts Art. 34 para. 2 letter b FADP, which declares the provision of false information or the refusal to cooperate in the context of an investigation by the Commissioner to be punishable.
- In addition, the information is provided within the internal relationship between the controller and the data subject. This is not a mass communication offense. There is no need to look for a public perception and therefore no need for an abstract standard.
- The right to information serves to protect informational self-determination (or whatever the protective purpose of Art. 13 of the Federal Constitution is), at least the protection of the individual. It is therefore not necessary to prevent abstractly sensitive information – it is sufficient if the person concerned is not deceived in practice.
Against this background not why an abstract risk of being misled should be sufficient if concrete there is no misconception. In other words: If, as in this case, it is clear that the person concerned was not misled into believing that the information was complete, the incompleteness cannot be punishable and the person concerned can and should appeal to the civil court.
Intent?
Punishment under Art. 60 FADP also requires intent, whereby contingent intent is sufficient. In the present case, the company lawyer should therefore have known or assumed and accepted that
- his information objectively incomplete is and
- the False impression of completeness arises (because the intent must encompass the entire objective elements of the offense).
This has not been created here and is highly unlikely to be the case:
- Firstly, it is clear that the in-house lawyer does not personally search TX’s systems for RA Steiger’s data. At least in larger companies, the provision of information is a process based on the division of labor. It should therefore not simply be assumed that the in-house counsel knew or assumed that the information provided to him internally was incomplete. On the contrary, the answer that Tamedia “was able to find two data sets” clearly indicates that he simply passed on what a business function was able to locate without questioning it. In this case, only deliberate negligence can be considered, which, however, also presupposes that the company lawyer had relied on completeness in breach of duty.
- Secondly, it is reasonable to assume that the company lawyer did not know or assume that Mr. Steiger would wrongly rely on the completeness of the information. Otherwise he would have formulated his answers to Mr. Steiger differently.
There are no statements on these questions in the penalty order; intent is simply assumed:
Since the defendant, as the person responsible for TX Group AG, gave the impression that no data could be found in ’20 Minuten’ by stating that it was complete, even though further data relating to the complainant was available, the defendant knowingly and intentionally provided incorrect or incomplete information.
The Office of the Governor obviously had no desire to ask questions or clarify the facts of the case in more detail, in particular who at TX knew what and when, and who was responsible for what and when. In view of the low level of the penalty order, the fine should have been imposed on TX itself (Art. 64 para. 2 FADP).
Notes
The criminal complaint and the penalty order are detrimental to existing data protection. Personal criminal liability was always only an emergency solution. It was clear that this would create the wrong incentives (see Glatthaar on this blog). However, one could hope that fines would be limited to more serious cases. In the present case, mistakes may have been made, but if so, then certainly by the company. However, a penalty order is aimed at the man or woman. This is precisely the problem with fines. Ultimately, they only make it harder to find data protection lawyers in companies, make them more risk-averse in their advice and lead to exaggerated notions of independence leading to a game of blackmail. This makes cooperation between the departments or the 1st and 2nd lines more difficult. This leads to mistakes such as incomplete information.