The FDPIC has recommended to the SBB and the Association of Public Transport to delete already collected control data of passengers and to stop the operation of the control database due to a violation of the principle of proportionality and a lack of legal basis (Media release of the FDPIC):
17.02.2016 – In the context of the “Swiss Pass”, the Association of Public Transport (VöV) and the Swiss Federal Railways (SBB) must delete the control data already collected from passengers and stop operating the control database. This is what the FDPIC demands in its recommendation for the attention of the two players. It also advises them to provide more transparent information about the use of customer data in the general terms and conditions for Half-Fare and General Abonnements.
See also Interpellation Schwaab (15.3822): Quickly cure teething troubles of the new public transport season ticket “Swiss Pass, inside-it.ch and the NZZ from 17.2.2016:
The data protection officer is calling on SBB and the public transport industry association (VöV) to delete the passenger control data already collected and to cease operating the control database. The retention of the control data is neither necessary nor appropriate and therefore disproportionate, argues interim data protection officer Jean-Philippe Walter in his recommendation.
Moreover, it could not be ruled out that movement profiles would be created in the database. There was also no sufficient legal basis for data processing. This would require at least a Federal Council ordinance – and in the case of particularly sensitive personal data, a federal law.
In the final report, the FDPIC comments on the following, among other things Concept of the holder:
The question as to who is the owner of the data collection is not judged by the formal, but by the actual circumstances. If data are processed by a third party in a contractual relationship, both the client and the contractor can be considered as the owner of the data collection, depending on which of the two is responsible for the data processing, which usually goes hand in hand with the provision of the data material. (cf. Gabor P. Blechta in Maurer-Lambrou/Blechta, BSK Kommentar Datenschutzgesetz, 3rd edition, Helbing Lichtenhahn Verlag, Art. 3, n. 87 f.). According to the ratio legis, however, the question is first and foremost from whom one can reasonably demand the fulfillment of the duties of disclosure and information linked to ownership (Astrid Epiney/Daniela Nüesch in Handbücher für die Anwaltspraxis, Datenschutzrecht, Helbing Lichtenhahn Verlag, § 3 n. 57). Several persons can also be joint owners of a data collection, such as the shareholders of a simple partnership. However, joint ownership presupposes that the various persons know about each other and allow each other to exercise their respective control (cf. David Rosenthal, Handkommentar zum DSG, Zurich 2008, Art. 3, N 112).
Recommendation of January 4, 2016:
[pdf-embedder url=“http://datenrecht.ch/wp-content/uploads/2016/02/DatenschutzbeimSwissPass-EmpfehlungEDC396B.pdf”] Final Report, January 4, 2016:
[pdf-embedder url=“http://datenrecht.ch/wp-content/uploads/2016/02/DatenschutzbeimSwissPass-SchlussberichtEDC396B.pdf”]