The revFDPA (from September 1, 2023) provides, as is well known, for a stricter duty to provide information in addition to the principle of transparency (Art. 19). It is still not entirely clear how this information obligation can be fulfilled, which is why it is worth taking a closer look.
Principles of interpretation for the fulfillment of the information obligation
Not a duty to inform, but a duty to provide information
First of all, it is clear that no access principle applies within the scope of the duty to inform under the revDSG. (Art. 13 DPA (“The controller must communicate the information […] to the data subject”) is wrong in this respect – one must not “communicate” but “provide”.) As far as can be seen, this is undisputed and is even expressed in Art. 13 DPA, at least if one considers that the following requirement under this provision (“… in a precise, transparent, comprehensible and more easily accessible form”) refers not only to the content and design of the information, but also to its provision. Accordingly, it is sufficient to provide the mandatory information in an easily accessible manner.
“Easily accessible” in this context indicates that access, which is to be made easy, ultimately lies with the person concerned: he or she must therefore participate if he or she wants to know the relevant information. This is also clear from the dispatch:
If, on the other hand, the data are not obtained from the data subject, the controller must examine how the information must be provided so that the data subject can actually take note of it. If necessary, it is not sufficient in this case to simply provide information, but the data subject must be actively informed
– because “if necessary” means that it may well be sufficient to “provide” the information; only where necessary, depending on the circumstances, is this not sufficient.
Overall, therefore, the duty to inform is a duty to provide information. The person responsible must create an opportunity, and the person concerned can use it if he or she wishes; but he or she does not have to – this is also an expression of the right to self-determination, which data protection law seeks to protect, but which is sometimes disregarded by paternalism.
Constitutional interpretation
The duty to inform is a duty under public law, unlike the principle of transparency under private law. Therefore, a violation of the duty to inform cannot be justified generally by law, consent or overriding interests like a violation of personality, but only within the more rigid framework of Art. 20 revDSG.
This duty to provide information is to be understood as an encroachment on the economic freedom protected by Art. 27 BV. This freedom applies comprehensively and also protects the free choice of operating resources. One could certainly elaborate on this point, and it would deserve it, but it is natural to understand the obligation to provide information, which is often not easy to implement, and the resulting costs and expenses as an encroachment on the protected area of Art. 27 BV. This encroachment is to be measured against Art. 36 BV, in particular the principle of proportionality. Accordingly, it may not go further than is necessary. Admittedly, little is gained from this for practical application – certain, specific requirements can neither be proven nor disproven with this – but it does show that a broad interpretation of the duty to inform is particularly subject to justification from this point of view as well.
Another factor to consider is the criminal liability for intentional breach of the duty to provide information according to Art. 60 para. 1 lit. b revDSG. In the case of norms that are both civil and criminal in nature, a restrictive interpretation based on constitutional law is applied in practice; for example, in the case of Art. 3 para. 1 lit. a UWG (disparagement; a “particular seriousness” of the disparagement is therefore required here) – cf. e.g. 6S.858/1999. According to case law, this restrictive interpretation then applies generally, not only when the relevant norm is applied as criminal law, in order to avoid a split of norms. For this reason, too, the duty to inform must be interpreted restrictively as a whole, especially the general clause contained therein (but of course also the manner of its fulfillment).
This raises the question of whether the general clause thus becomes a dead letter. Although this would be desirable in itself, it would be an exaggerated conclusion. A restrictive interpretation does not a priori exclude the possibility of including certain information under the general clause in exceptional cases. However, it can only be a matter of exceptional cases.
Protection only of an information interest worthy of protection
The duty to inform then serves the information interest of the persons concerned. This follows from the above-mentioned materials, but also from the exception of Art. 20 revDSG: According to this, a balancing of interests can justify a restriction of the duty to inform (a balancing of interests in the individual case or an anticipated, general-abstract balancing of interests by the legislator). Accordingly, the core issue is the protection of this information interest.
Now, an interest must be worthy of protection in order to be protected by the legal system. However, an interest in the actions of another is worthy of protection only to the extent that one cannot reasonably be expected to act oneself. This is a requirement of logic and a liberal order, but obviously also corresponds to the understanding of the legislator.
In this context, the difference between the principle of transparency and the duty to inform must be taken into account. Although the legislator has blurred this distinction by introducing a general clause in the duty to inform, the two are still not the same:
The responsible party must create basic transparency anyway. The duty to inform is therefore added as a second level. A basic need for information is thus already satisfied at the first level, and the duty to provide information only serves a further need for information. Although the legislator may simulate such a more extensive need for information by introducing a general duty to provide information, the interpretation must nevertheless take into account that the duty to provide information can no longer have the task of covering the basic need for information. From this point of view, too, the person concerned can be expected to do a little more.
One could counter that the duty to inform is not a supplement to the duty of transparency, but rather a concretization of it. Consequently, it does not go beyond the basic need for transparency, but only defines it. This would render the preceding argument superfluous. However, this understanding contradicts two considerations:
- The principle of transparency would no longer have any independent meaning if it were to be included in the duty to provide information.
- An information obligation that merely concretizes the transparency principle would also have to apply to the processor, who must likewise comply with the processing principles; yet it is precisely this that the DSV has dropped, unlike the E‑VDSG.
Accordingly, the duty to provide information is a supplement to the principle of transparency, which goes beyond it and is therefore also subject to higher requirements.
Interim result
From the above considerations, it can be concluded that the requirements for the fulfillment of the duty to provide information are to be interpreted restrictively. In summary, this conclusion is based on three grounds; the first follows from the purpose of the norm itself and the others from an interpretation in conformity with the constitution:
- The duty to provide information only protects the legitimate information interest of the persons concerned, which goes beyond basic transparency, which suggests a certain restraint in interpretation.
- When applied as a criminal norm, the constitutionally based principle of criminal legality requires particular restraint or a “fundamentally restrictive interpretation”.
- It represents an encroachment on economic freedom. The principle of proportionality requires a limitation to the necessary extent.
It is therefore contrary to the system when the dispatch says that the exceptions to Art. 20 revDSG are to be interpreted narrowly. These “exceptions” are in fact not exceptions, but the necessary corrective to a potentially too broad obligation of the responsible party. In any case, the topos that exception provisions are to be interpreted in a generally restrictive manner is methodologically incorrect – an exception has the scope assigned by the legislator, and this scope is to be determined by the usual principles of interpretation.
Requirements for the duty to inform in the case of media discontinuity
Basic transparency about processing as a minimum requirement
In particular, if data processing does not take place online and the data subject is offline, the question arises as to how he or she should be informed.
It is a good idea, even in such situations, to think of a website, for several reasons: On the one hand, this form is relatively simple and possible without too much effort and high costs, and on the other hand, it now probably corresponds to expectations and, based on experience, also to practice (including that with regard to the revDSG). In Switzerland in particular, it is rather unusual to provide information on how to obtain information in an offline context (unlike in Germany, for example, where privacy notices can be found on the back of cash register receipts), whereas it is generally known that information on data protection can be found on websites.
The Explanatory Report to the DSV gives an indication of this:
It should be noted […] that the communication via a website is not always enough: The person concerned must know that she finds the information on a particular website.
That is, of course, correct. Anyone who does not know that a particular controller processes personal data has no reason to visit his website. It follows that at least one thing is required: the data subject knows or must know that a particular data controller is processing personal data.
However, the data controller is not required to expressly inform the data subject of his or her processing and website if the data subject can infer from the circumstances that personal data about him or her is being processed and where he or she can find information about this. This is for several reasons: First, as explained above, the duty to inform cannot go further than is necessary to enable the data subject to reasonably take note of the privacy statement. Secondly, the duty to inform supplements transparency, which requires no more than that data processing is recognizable from the circumstances. To stay with the example: Transparency reveals that the controller processes personal data (assuming this is the case in a specific instance), and the subsequent duty to inform requires that the mandatory information be provided in a reasonable manner.
The duty to provide information is not rendered meaningless by this understanding, because it ensures that the data subject can at least find the information specified in Art. 19 revDSG. The example in the dispatch is correctly chosen here:
If necessary, it is not sufficient in this case merely to provide information, but the data subject must be actively informed, whether in a suitable general form or by individual information. For example, a person who never buys books will hardly ever visit the website of an online bookseller and read its privacy policy. Accordingly, based on this general statement, she will not learn that the online bookseller is processing data about her because she does not even expect it.
This clearly expresses the above idea: If the data subject has to expect that a bookseller will process his or her data – and, as noted, the responsible party must ensure this in accordance with the principle of transparency – it is sufficient to make the information available on the Internet. So, for example, if you buy a book at the highly recommended bookstore Paranoia City, you either don’t have any personal data processed or you know that you only need to Google “paranoia city” to get to https://paranoiacity.ch, where you will undoubtedly find a privacy policy in the future.
It should therefore be noted that it is sufficient to provide a privacy statement on the Internet if the data subject knows or must know that he or she will find privacy information there. For this purpose, the responsible party does not have to explicitly state its identity (it is sufficient, for example, if the domain corresponds to the company or enseigne), nor does it have to actively refer to the Internet site.
The opinion that an initial reference, an explicit link, and perhaps even a QR code is needed so that information can be provided on the Internet about processing that takes place offline must therefore also be rejected. This opinion disregards the above consideration.
Also, you no longer have to type in a URL to get to an Internet page – you can just as easily enter suitable terms in the search field. As far as we can see, no statistics are available, but we can assume that this is the preferred way for many users to get to a website. It is doubtful that this takes longer than scanning a QR code, which requires launching the camera app and then clicking on the link.
One can counter that a QR code is more reliable, i.e. more likely to lead to the correct destination, and that its very existence explicitly points to a location on the Internet, but the latter is not compelling according to the opinion expressed here. In addition, with a QR code the user cannot always see which link he is visiting when scanning, which raises security questions.
Incidentally, there are already cases under current law where active information is necessary because recognizability cannot be established otherwise. Here, the question already arises today whether information on the Internet is enough. However, the FDPIC has repeatedly allowed it to suffice that necessary notices are only published on the Internet, as experience has shown, even in the case of not insensitive processing operations that affect a large number of persons.
The Data Protection Officer Zurich, for its part, has stated even for public bodies that a privacy statement (DSE) on the Internet can fulfill the information obligation (in the Video Surveillance Guide of November 2020 – and at that time the active information obligation of § 12 IDG ZH already applied):
[…] video surveillance […] shall be indicated to the public with notices if it is not obviously recognizable to affected persons. Notice boards shall in principle be placed where they are accessible and clearly visible to the persons concerned. The content of the notice boards depends on the circumstances on site, where basically one pictogram (camera symbol, eye) is sufficient. If needed, additional information can be provided, such as the responsible body, a telephone number or where to find the relevant video surveillance regulations.
Especially in the case of video surveillance, it is therefore sufficient to refer to the surveillance as such. The FDPIC has also already expressed itself in this direction in the Guidelines from April 2014:
The persons responsible for video surveillance must inform all persons entering the recording field of the cameras about the monitoring system with a clearly visible sign. If the recorded images are connected to a data collection (i.e. if they are stored in any form), it must also be stated with whom the right to information can be asserted, if this is not evident from the circumstances (principle of good faith and right to information).
One must ask whether it is not sufficient that the cameras and their recording area are recognizable, even without a pictogram, but this would probably only be affirmed with reservation. It is permissible to require information by means of a pictogram, also because this is common practice.
The Internet is sufficiently widespread
Today, the Internet is part of basic equipment. That should be indisputable. Network coverage for mobile data is almost comprehensive, and apparently there were around 1.26 mobile subscriptions per inhabitant in Switzerland in 2019. A study on Liechtenstein for 2019 found that about 95% of residents use the Internet at least occasionally. Without wanting to sound cynical: the SKOS basket of goods also calculates 8.8% costs for messaging, Internet and radio/TV for basic needs. The fact that a percentage of people remain excluded from information on the Internet cannot be denied, but this is unavoidable – there are always people who, for various reasons, are unable to use a particular medium. This is to be accepted, not because these people do not play a role, but because the duty to inform is based on the general public.
The fact that the legislator also assumes that the Internet can be used generally is shown by other provisions, e.g. the fact that in the case of federal laws the version published on the Internet is authoritative (Art. 1a and Art. 15 PublG), but also Art. 27 para. 2 of the new FADP, according to which federal bodies publish the contact details of the data protection advisor “on the Internet”.
So, also from this point of view, the information on the Internet can be sufficient.
Measures to promote transparency
However, depending on the circumstances, it may be appropriate to provide additional information beyond the minimum standard. This may be appropriate, for example, in situations where information cannot be easily accessed on the Internet. This may concern cases in which a person cannot read a data protection declaration at his or her leisure due to time constraints. An example would probably be entering an area monitored by video cameras. However, a data privacy statement on the Internet offers advantages here because a privacy policy can be designed there in such a way that the essential information is recognizable at a glance, e.g. by means of a summary, a linked table of contents, fold-out texts, summary notes for individual chapters, etc. The variant with fold-out texts (accordion) in particular cannot be implemented offline.
In such a case, however, little is gained even with a sign containing basic information (as required by the German authorities, e.g. the BayLDA), unless this sign already contains all mandatory information according to Art. 19 revDSG. To stay with the example of video surveillance: Anyone who enters a sales area of a major retailer, for example, will – let us assume – see a camera symbol when they enter, and it is also obvious who the person responsible is. This also makes it clear where the data protection information can be found.
In certain cases, however, it may be useful to have a printed privacy policy available on site, which can be handed over or printed out on request. However, the person concerned can be expected to make such a request if the processing is recognizable as such (which, as already mentioned, must be ensured anyway).
Result
The general duty to provide information is a major innovation of the revDSG. In particular, it is intended to ensure transparency, also as a basic prerequisite for the rights of data subjects. It thus joins the general transparency obligation as a processing principle.
Accordingly, it should respond to a need for information. Conversely, this also means that only a genuine need for information is to be protected. Among other things, this means that the data subject must be expected to take his or her own steps if he or she wants to take effective note of the data privacy information.
From this, but also from constitutional considerations, it follows that the responsible person may in principle provide the information on the Internet, even if the data processing takes place offline. The only requirement is that the data processing is recognizable as such, and further that it is at least clear from the circumstances where the data subject can find a data protection declaration. In contrast, it cannot be required that the data controller explicitly refers the data subject to its website or even provides a QR code.