“Swiss Pass”: FDPIC demands deletion of control data

The FDPIC has recommended that SBB and the Association of Public Transport delete the passenger control data already collected and stop operating the control database, citing a violation of the principle of proportionality and the lack of a legal basis (media release of the FDPIC):

17.02.2016 – In the context of the “Swiss Pass”, the Association of Public Transport (VöV) and the Swiss Federal Railways (SBB) must delete the control data already collected from passengers and stop operating the control database. This is what the FDPIC demands in its recommendation for the attention of the two players. It also advises them to provide more transparent information about the use of customer data in the general terms and conditions for Half-Fare and General Abonnements.

See also Interpellation Schwaab (15.3822): “Quickly cure teething troubles of the new public transport season ticket ‘Swiss Pass’”, inside-it.ch and the NZZ from 17.2.2016:

The data protection officer is calling on SBB and the public transport industry association (VöV) to delete the passenger control data already collected and to cease operating the control database. The retention of the control data is neither necessary nor appropriate and therefore disproportionate, argues interim data protection officer Jean-Philippe Walter in his recommendation.

Moreover, it could not be ruled out that movement profiles would be created in the database. There was also no sufficient legal basis for data processing. This would require at least a Federal Council ordinance – and in the case of particularly sensitive personal data, a federal law.

In the final report, the FDPIC comments on, among other things, the concept of the holder:

The question as to who is the owner of the data collection is not judged by the formal, but by the actual circumstances. If data are processed by a third party in a contractual relationship, both the client and the contractor can be considered as the owner of the data collection, depending on which of the two is responsible for the data processing, which usually goes hand in hand with the provision of the data material. (cf. Gabor P. Blechta in Maurer-Lambrou/Blechta, BSK Kommentar Datenschutzgesetz, 3rd edition, Helbing Lichtenhahn Verlag, Art. 3, n. 87 f.). According to the ratio legis, however, the question is first and foremost from whom one can reasonably demand the fulfillment of the duties of disclosure and information linked to ownership (Astrid Epiney/Daniela Nüesch in Handbücher für die Anwaltspraxis, Datenschutzrecht, Helbing Lichtenhahn Verlag, § 3 n. 57). Several persons can also be joint owners of a data collection, such as the shareholders of a simple partnership. However, joint ownership presupposes that the various persons know about each other and allow each other to exercise their respective control (cf. David Rosenthal, Handkommentar zum DSG, Zurich 2008, Art. 3, N 112).

Recommendation of January 4, 2016: http://datenrecht.ch/wp-content/uploads/2016/02/DatenschutzbeimSwissPass-EmpfehlungEDC396B.pdf

Final Report, January 4, 2016: http://datenrecht.ch/wp-content/uploads/2016/02/DatenschutzbeimSwissPass-SchlussberichtEDC396B.pdf
