SPK-SR: Consultations completed

The State Policy Committee of the Council of States (SPK-SR) has completed its consultation on the bill for a new data protection law. It unanimously approved the bill in the overall vote and referred it to its Council, which can thus discuss it in the winter session (December 2 – 20, 2019). The corresponding flags for the attention of the Council of States were published on November 28, 2019.

In essence, the SPK-SR followed the proposals of the National Council, but on some points tightening or easing is provided for. The SPK-SR has spoken out in favor of the following adjustments (majority proposals; minority proposals are not taken into account):

  • Profiling with high risk: The SPK-SR wants to explicitly include this term in the law and understands it to mean profiling that entails a high risk for the personality or the fundamental rights of the person concerned, namely
    • in the systematic linking of certain characteristics of a person that affect different areas of a natural person's life; and
    • in the case of systematic and extensive processing of data in order to draw conclusions about various areas of a person's life;
  • Data security breach: An infringement should only exist if it leads to the unintentional or unlawful loss, deletion, destruction or alteration of personal data or if it is disclosed or made accessible to unauthorized persons. The Federal Council wanted to establish an infringement in every case in which personal data is processed in the manner described, i.e. regardless of the intention or unlawfulness.
  • Consent: Express consent to profiling should only be required in the case of high-risk profiling. According to the proposal, no express consent is required for profiling without high risk that is carried out by a private person, whereas express consent is required for all profiling in the case of corresponding processing by federal bodies.
  • Duty to inform: The minimum content of the duty to provide information should be expanded to include a list of the rights of the data subjects and any intention to use persons for credit checks. Furthermore, a disproportionate effort should not justify an exception or a restriction of the duty to provide information. In addition, a restriction shall only be permissible if overriding interests of the responsible party require such a measure and – cumulatively – the personal data is not disclosed to third parties, subject to a newly introduced group privilege.
  • Access right: With regard to the information within the scope of the right of access, the SPK-SR follows the Federal Council and drops the proposal of the National Council, according to which only the information that the data subject needs to assert his or her data subject rights is to be disclosed. Likewise, any credit checks would have to be disclosed. Analogous to the restrictions on the duty to inform, a restriction of the right to information should also only be possible if no data is disclosed to third parties, subject to a newly introduced group privilege.
  • Group privilege: The proposal of the SPK-SR contains an innovation with regard to a group privilege, which is to be applied in the following situations:
    • Data subject rights: A restriction should only be possible for both the duty to provide information and the right to information if personal data is not disclosed to third parties. However, data flows between companies controlled by the same legal entity are exempt from this, i.e. in this case a restriction is permissible.
    • Justification: An overriding private interest in connection with data processing to strengthen the competitive position should only be considered a justification if the data is not disclosed to third parties. At least, data flows within the group are exempt from this, i.e. in this case the overriding interest applies as a ground for justification.
  • Tightening of violations of personality rights and grounds for justification: The SPK-SR now wants to assume that every case in which personal data is disclosed to third parties constitutes a violation of privacy that requires a justification. Listed systematically under the grounds for justification, however, disclosure to third parties should only take place with the express consent of the person concerned. Should this proposal actually find a majority in the small chamber, this would indirectly mean the introduction of the requirement of a legal basis for disclosures, which would amount to a massive tightening. Accordingly, disclosure to third parties outside the group would only be possible if the data subject has expressly consented to disclosure.
  • Violation of safety obligations: Contrary to the proposal of the National Council and in accordance with the original proposal of the Federal Council, it should be possible to sanction a breach of the minimum data security requirements.

As a result, the introduction of the de facto group privilege and the associated massive tightening with regard to data disclosures to third parties appear to be the most significant innovation. It remains to be seen whether, and if so to what extent, the small chamber will actually follow these proposals.
