General
On June 23, 2021, the draft of the fully revised ordinance to the FADP (E‑VDSG) was published. After reading it, one can only be disappointed: the E‑VDSG (online version) is a missed opportunity.
Like the preliminary draft of the DPA (VE-DSG) before it, it is imprecise in content and often unnecessarily restrictive. This applies even more to the explanatory report. It leaves essential questions unanswered and appears unreflective overall. Instead of substantiating its regulatory proposals on the merits, the report frequently refers to the FOJ’s 13-year-old commentary on today’s VDSG and adopts provisions from the current VDSG, which will soon be 20 years old, without asking whether these provisions are still useful or whether they ever were.
It is also striking how careless the language of the report is, at least in the German version (“telephone setting”), and how superficial some statements are (“For example, in a hospital, where particularly sensitive personal data is regularly processed, there are generally more stringent requirements compared to the processing of customer or supplier data in a bakery or butcher’s shop”). Grammatical errors can also be found in the E‑VDSG itself.
The reason is probably the same as for the VE-DSG: time pressure, a lack of resources and a certain despondency in view of the high complexity of the area. However, this is less understandable for the E‑VDSG than it perhaps still was for the VE-DSG. The revised DPA (revDSG) was the result of a long political process in which two camps essentially faced each other: the more regulation-friendly, consumer-protection-oriented camp, which wanted more GDPR, and the more business-oriented camp, which demanded more open rules and more practicability. The result of long discussions was a compromise. The E‑VDSG shows little respect for this process when it even seeks to revive a provision that was found in the VE-DSG but did not survive the consultation on the VE-DSG.
Little sensitivity for political processes is also evident elsewhere, in provisions that would probably have to be regulated by formal law. The VDSG is a dependent ordinance. It requires a basis in law; without such a delegation, the Federal Council remains entitled to implement statutory provisions in more detail (Art. 182 para. 2 BV), but in doing so can only “elaborate provisions of the federal law concerned by detailed regulations and, consequently, contribute to the improved applicability of the law” (BGE 141 II 169). The impression is that this framework has been exceeded in the E‑VDSG. This applies in particular to the following provisions, which are not detailed rules but are equal in importance to the provisions contained in the revDSG:
- Processing regulations of private persons (Art. 4): systematically, this is regulated under data security, but the regulations are not themselves a data security measure; they merely refer to such measures, among other things. Art. 8 para. 3 revDSG (“The Federal Council shall issue provisions on the minimum requirements for data security”) therefore does not support a duty of private parties to maintain processing regulations;
- Information when disclosing personal data (Art. 15 and 16): the obligation to inform recipients about the timeliness, reliability and completeness of the disclosed personal data and about their correction, deletion, etc. has no basis in the revDSG, neither for private persons nor for federal bodies, but would be drastic in its implementation (the obligation to inform in Art. 16 is the provision already mentioned, which was found in the VE-DSG but was not included in the revDSG; to include it now in the ordinance is hopefully an oversight);
- Documentation requirements: the obligation to create and retain documentation can be extremely costly from an operational point of view. In the revDSG, such obligations are largely absent, and deliberately so: the dispatch stated, “instead of a general documentation obligation, a provision on a list of processing activities was inserted. The consultation has shown that a general documentation obligation is too little defined”. Accordingly, the legislator decided to regulate certain documentation obligations in the law but – deliberately – to dispense with others. The E‑VDSG now provides for several such obligations (e.g., in the event of security breaches, Art. 19(5); grounds for restriction in the case of data subjects’ rights, Art. 20(5); retention of data protection impact assessments for two years, Art. 18(5); retention of system logs for two years, Art. 3(4); retention of documentation of security breaches for three years, Art. 19(5)), which together carry a weight that calls for statutory regulation.
The consultation lasts until October 14, 2021. Broad circles will participate in the consultation process. The aim will not only be to achieve improvements and clarifications to the regulation, but above all to respect the balance found in the revDSG in the regulation and to take account of the fact that many companies have advanced in their preparations for the revDSG. Now, after long preparatory work and many postponements, to introduce surprising new obligations shows a lack of understanding for the efforts of many companies that are serious about data protection. This will certainly not strengthen acceptance of data protection.
Comments on selected provisions
Data security
Art. 1 – Principles
- Adequacy of the measures: It is not only the implementation costs that are relevant, but the implementation effort in general (this can also be personnel expenses that are not solely attributable to the specific implementation, as well as time and organizational expenses). The explanatory report is very restrictive here (p. 16): a controller or processor is not free to establish less than adequate data security because of excessive costs; they may only choose the more favorable of several adequate measures. This is already logically wrong: if adequacy is also determined by the implementation costs, the controller does not evade adequacy for cost reasons, but determines it with a view to the costs. Otherwise, the reference to implementation costs would be meaningless, because it goes without saying that the responsible party can choose the more favorable of the appropriate measures.
- Testing of the measures: The measures are actually not to be checked “at appropriate intervals”, but “in an appropriate manner”. Intervals imply an obligation to check the measures taken, where only temporal circumstances are questionable. But already whether measures have to be checked is questionable, because often it is not the measures that have to be checked first, but the risk factors – if they have not changed, the measures do not have to be checked. This is probably also what is meant, but it would have to be specified in the text of the ordinance.
- Criminal liability: A violation of the minimum requirements is punishable under Art. 61 revDSG if committed intentionally. Criminal liability requires not only that a measure was deliberately omitted, but also that the responsible party at least accepted that the level of protection required in view of the foreseeable risks would be undercut. In this regard, the E‑VDSG takes a case-by-case, risk-based approach. It will therefore be difficult to establish a deliberate breach of data security except in extreme cases. A breach of the obligation to review the measures cannot in itself constitute a criminal offense either; as long as it is not established that a conscious decision was made to omit a measure that had become specifically necessary, this does not constitute a breach of data security.
Art. 2 – Protection goals
- This provision is unclearly worded: the measures do not have to achieve the protection goals, but to strive for them. This is probably what is meant (“appropriate”). The explanatory report also states (p. 16) that not every breach of data security implies a breach of the minimum requirements, because absolute security cannot be demanded. – The explanatory report further specifies what is meant by the state of the art (p. 16): the current state, i.e. measures that are already available and have proven themselves.
- The protection goals have been slightly expanded to align with the GDPR (Explanatory Report, p. 19).
Art. 3 – Logging
- Meaning: It is initially unclear whether a breach of the logging obligation can also constitute a breach of data security that may be punishable. This is probably to be affirmed, but only if logging is actually materially necessary in the individual case to prevent a breach of data security.
- Para. 1 and 2: Conversely, processes such as storage etc. do not have to be logged if no high residual risks are accepted (except by federal bodies and their commissioned processors, who have to design systems in such a way that they can comply with this obligation). Contrary to the wording, however, the logging obligation should also exist if a DSFA (data protection impact assessment) was omitted but a high risk nevertheless exists.
- Para. 3: The identity of the recipient does not mean the person who accesses, but the organization to which he belongs or under whose instruction he acts.
- Para. 4: The strict purpose limitation of the logs, even if it is found today in Art. 10 VDSG, is misguided. It contradicts the principle of purpose limitation, which is linked to the purposes transparently set by the controller. If anything, it should have been enshrined in the law. However, nothing prevents a controller from evaluating logs, e.g. for analysis purposes, if it describes this in its privacy statement. The rule on access restriction is also inappropriate in this form; the retention of logs is a question of proportionality and data security and requires a weighing of interests.
Art. 4 – Processing regulations of private persons
- Mandatory for high risks: It is difficult to understand why the FOJ wants to provide for an obligation to keep processing regulations for private processing. According to the dispatch (see above), the processing directory, the content of which overlaps with that of the regulations, is sufficient for documentation purposes. The explanatory report says that this information can be “copied” from the processing directory. Operationally, this will not be that simple, and of course one could also combine the processing directory with the regulations, or record the additional information in the regulations separately and refer to the directory for the rest, or refer only to existing process instructions, the processing directory and a data protection impact assessment, or even to a privacy statement in which the required information can be found – a single-document requirement (Urkundeneinheit) applies no more here than it does for the processing directory. – The explanatory report provides further guidance on the minimum content.
- With the processing regulations, the legislator also accepts that data subjects will attempt to access the processing regime before or outside of court via a request for information. For this purpose, data subjects will rely on the general clause of the right to information, which in turn – in conjunction with the criminal provision of Art. 62 revDSG – is highly problematic in terms of the rule of law.
- Lack of legal basis: An attempt has been made here to carry today’s Art. 11 VDSG over into the new VDSG, but without necessity and with an unattractive Swiss finish (the GDPR knows no such obligation). The FOJ seems not to have been aware of the effort this would generate for larger organizations. In addition, the legislator deliberately replaced the obligation to register data collections with the obligation to keep a processing directory in the revDSG. It was therefore not to be expected that processing regulations for private processors – which today are linked to the obligation to register a data collection – would be included in the new VDSG. As already mentioned above, such a provision would have belonged in the law itself.
- High risk: In any case, the obligation to maintain processing regulations would only apply in the case of extensive processing of personal data requiring special protection or in the case of high-risk profiling. However, if a data protection impact assessment shows that such processing actually does not (any longer) entail a high risk because of the measures taken by the controller, the obligation to maintain processing regulations must consequently also lapse (see here).
- Data protection advisor: Para. 3 sounds as if a data protection advisor must always be appointed. However, this is optional for private parties (unlike for federal bodies; Art. 27 E‑VDSG), even in cases where the draft requires processing regulations to be kept. And what is “in a form understandable to the latter”? Does this mean that private persons without a data protection advisor are also allowed to keep incomprehensible regulations?
Art. 5 – Processing regulations of federal bodies
The above comments apply, especially since federal bodies must also keep a processing directory (Art. 12 revDSG). In any case, the obligation to keep regulations for all profiling is also too broad – profiling is often recognized as harmless precisely because the term profiling is so broad. The other variants, making personal data accessible and linking databases, are also unclear. Nowhere in the law does linking occur as a term, except in the definition of high-risk profiling, but there it is about something else, and the term “data files” is also new – according to the explanatory report, this is meant to refer to data collections (p. 23), a term that remains unclear. At least this makes it clear that linking data is not yet the same as linking databases.
Processing by order processor
Art. 6 – Modalities
- Para. 1: The controller can never guarantee that data is processed in accordance with the contract and the law – he can only take steps to ensure that it is. This matters, because the controller remains responsible under data protection law, but is liable under civil law only in case of fault (under Art. 41 OR) and not on a strict (causal) basis.
- Para. 3 contradicts the general concern not to undermine digitization with formal requirements. Approval in text form should suffice, which would have to be specified (the written form requirement is taken from the explanatory report on Directive 2018/680, but there proof by text is meant). In addition, it should be made clear that a federal body can also issue a general authorization subject to objection, as is possible under the GDPR (and also under the aforementioned Directive).
Art. 7 – Information to the data protection advisor of the federal body
This provision is unsuccessful. On the one hand, it assumes that the involvement of a data processor is fundamentally risky, which it is not (despite the statement to the contrary in the explanatory report). On the other hand, it requires that the data protection advisor be informed, “when problems arise in complying with legal or contractual data protection requirements”. This is unattractive in terms of language, but also in terms of content. What are “problems”? This provision is unnecessary anyway, because Art. 10(2)(b) revDSG (which also applies to advisors to a federal body) already provides that the advisor must cooperate in the application of data protection law.
Disclosure of personal data abroad
Art. 9 – Data protection clauses and specific safeguards
- The substantive requirements for data protection clauses – i.e. contracts that legitimize disclosure to a state without an adequate level of protection but are not recognized by the FDPIC – are imprecisely formulated. Furthermore, lit. g is wrong; it does not deal with the “authorized to process the data” recipients, but simply about the recipients. Moreover, it cannot be that the recipients have to inform the data subject, at least if the exporter has been informed about the processing by the recipients or if the recipient is an order processor.
Art. 10 – Standard data protection clauses
This provision (the exporter shall take reasonable steps to ensure that the importer complies with the clauses) has actually become superfluous given the new standard contractual clauses (cf. clauses 14 and 15). And again, in principle, the exporter cannot ensure that the recipient complies with the clauses; it can only require it and, under clause 14 of the new standard contractual clauses, check whether local law precludes compliance. The explanatory report further states that the recipient would have to be obliged to comply with “the Swiss data protection regulations”. This is wrong; he must comply with the standard clauses, not Swiss law. Even Art. 6 (2) E‑VDSG only requires that the order processor comply with “equivalent” provisions.
Obligations of the controller and the order processor
Art. 13 – Modalities of the information obligations
- Para. 1: Here one rubs one’s eyes: the order processor has a duty to inform? That can only be an oversight. But the explanatory report also says, “the duty of the controller and the processor to provide information is enshrined in Article 19 nDSG”. It is not (“The controller shall inform the data subject…”); was this not looked up? An order processor’s own duty to inform would be absurd and would contradict his obligation to follow instructions.
- Implementation of the information obligation:
  - Equally regrettable, but probably not an oversight, is the content of the provision. The duty to inform is probably the most difficult duty of the controller to implement. In a purely online environment it may be easy to fulfill (if one thinks away the general clause in the duty to inform), but what about informing persons with whom one only communicates in writing?
  - Here, it is reasonable to expect the data subject to visit a website. It is no counterargument that not all people have Internet access; otherwise privacy notices would also have to be published in Braille. The FOJ should therefore have clarified in the ordinance that information can be effectively provided via a website, at least if the data subject knows the identity of the controller and the information can be easily found on the controller’s website. Corresponding regulatory proposals were available to the FOJ. In this context, it should further have been clarified that a reference to a website may not always be necessary, but that it is in any case sufficient to refer to a privacy statement, even without providing certain basic information (“basic information”) already in the referring source (for example, through a link in GTC).
  - All this is missing in the E‑VDSG, and the explanatory report lacks a serious discussion of these issues. The proposed rule in Art. 13(1) can only be described as convenient – it completely misses the point, is imprecise, leads to legal uncertainty, is superfluous in this form, and borrows from considerations in the law governing general terms and conditions without even asking whether those considerations are transferable. The explanatory report writes instead, “… the controller or processor must ensure, when choosing the form of information, that the data subject always receives the most important information at the first level of communication.” What does this mean? Does it mean the basic information mentioned above, following the GDPR? One can only speculate and read on: “there can be a good practice in it” (?), “that all essential information is available at a glance”. Is this an obligation to provide a table of contents? It should be urgently specified here that it is sufficient to refer to a website, for example from the GTC, without further information and without a QR code.
  - And at the end the explanatory report still writes, “If the communication takes place in a telephone setting, the information may be communicated orally by a natural person and, if necessary, supplemented by a link to a website.” A telephone “setting”? And further: “For recorded information, the data subject must have the opportunity to hear more detailed information.” Who wants to do this after 30 minutes on hold, and above all: how does the FOJ arrive at this, what is the legal nature of the duty to inform, what is its concept of the data subjects, what practical considerations does it make? One learns nothing about this.
- Para. 2: What does “machine-readable” mean for pictograms? Presumably it is sufficient if the explanatory text of icons can be read aloud by a screen reader or if the operator of the website inserts an explanation with the pictograms, e.g. as alternative text (`<img src="xyz.jpg" alt="Explanation text">`). However, this is probably not possible when icons are included as a font. The explanatory report only says “[…] the software used must be able to easily identify, recognize, and extract the information present in such formats.” That doesn’t make it any clearer. And “Among other things, this allows for comparison of different documents as well as some automation in general.” Is “some automation in general” a privacy concern?
Art. 14 – Duty of federal bodies to provide information in the case of systematic acquisition of personal data
This concern is known from the GDPR and corresponds to today’s Art. 14 VDSG. Nevertheless, such a duty to inform should not apply if it is clear from the circumstances that information (meaning disclosure of personal data) is voluntary. If a health insurer conducts a satisfaction survey, for example, such a notice should not be necessary.
Art. 15 – Information in case of disclosure of personal data
- This obligation also represents a Swiss Finish. In my opinion, such an obligation cannot be regulated at ordinance level; its implementation is too drastic for that. It is also superfluous. Ultimately, it is up to those responsible to ensure compliance with data protection principles. This may require an indication of the timeliness, etc., of personal data, but not in all cases. A hard obligation to provide such information simply will not and cannot be implemented.
- And here again, the order processor is obligated to disclose information that is not available to him. This is probably the same error as with Art. 13.
- The Schengen Directive has been followed here, but there is no reason to extend such obligations to private processors.
Art. 16 – Information on the correction, deletion or destruction as well as the restriction of the processing of personal data
- Here, the FOJ has too short a memory. An obligation to inform recipients about the correction, deletion or destruction of personal data was already found in Art. 19 lit. b of the preliminary draft of the FADP (“You shall inform the […] recipients […] of any rectification, deletion or destruction […], of any breaches of data protection and of any restrictions on processing […], unless such notification is not possible or is possible only with disproportionate effort”). This proposal did not survive the consultation. And now the same obligation is to be resurrected in the ordinance? The explanatory report does not even mention this proposal of the VE-DSG.
- But that’s not all: The sender is now also supposed to inform the recipient about a restriction of processing. This sounds like the data subject right to restriction of processing under the GDPR (Art. 18). The revDSG does not even know such a data subject right.
Art. 17 – Review of an automated individual decision
Unnecessary, but probably harmless. No controller will discriminate against someone for requesting a review of the decision. However: there is no discrimination in a controller defending itself when a data subject disagrees with the review. This can go as far as the termination of a contract – it is legitimate if the data subject makes the continuation of the contract impossible by his own behavior (keyword: compensation neurosis).
Art. 18 – Form and retention of the data protection impact assessment
- “Written” here must mean as much as “proof by text” – the explanatory report says so, but one would have to specify this in the text of the ordinance, thinking of the Helsana ruling of the BVGer.
- The retention period of two years is justified by the fact that it represents a central instrument under data protection law and can be of particular importance in the clarification of data security breaches or the assessment of the criminal liability of conduct. Thus, the controller should keep a DSFA in particular because it can serve as an indication of the allegation in an investigation if a security measure was omitted after the DSFA (i.e., arguably a measure that was described in the DSFA). First, the fact that a planned security measure found its way into a DSFA does not mean that it was necessary within the meaning of the law, and second, the failure to keep a DSFA is not punishable. The controller therefore has an incentive not to retain a DSFA if it is unsure of its case. This is especially true in light of the restrictive interpretation of the nemo-tenetur principle for legal entities in connection with documents subject to a retention period (BGE 142 IV 207 E. 8.3.3.).
- The explanatory report further states, with reference to federal bodies, that “due to the permanence of certain legal bases, it [may] occur that a data protection impact assessment must be retained over a very long period of time (e.g. several decades)”. It is unclear which legal basis the FOJ has in mind here; the explanatory report says nothing about this.
Art. 19 – Notification of data security breaches
- Para. 1: The scope of the information to be provided to the FDPIC in the event of a security breach is based on the GDPR, but deviates from it: according to the E‑VDSG, the time and duration of the breach must also be indicated, which the GDPR does not require (even if the controller will include this information anyway because he wants to prove the timeliness of the notification). Why the text of the GDPR was not simply adopted is unclear.
- Para. 2: This largely corresponds to the requirements of the GDPR, except that the E‑VDSG additionally requires the “nature of the breach” to be specified. This is what a controller will do anyway.
- Para. 5: Another documentation obligation is introduced here without it being clear what it is for (except to facilitate an investigation by the FDPIC). Overall, the conclusion suggests itself that the GDPR is being followed here. In any case, it follows from the system that only breaches that trigger a reporting obligation to the FDPIC must be documented, not breaches below the reporting threshold. What is not stated, but is clear and should nevertheless be specified: the documentation obligation only covers known facts. The controller is not required to make further inquiries just to fulfill the documentation obligation (in particular, he does not have to, and cannot, fully ascertain “all facts related to the incidents”).
- The retention period of three years seems somewhat arbitrary. Two years would certainly have sufficed.
Rights of the data subject
Art. 20 – Modalities
- Para. 1: The content of this provision is unproblematic, but imprecise. The request for information can of course always be made orally, but the controller does not have to respond to oral requests.
- Para. 2: As today, a right of access presupposes that both parties – the responsible person and the person concerned – agree to this modality.
- Para. 3: Whether the information is comprehensible to the data subject depends primarily on the recipient’s horizon. The controller must, of course, provide the information in such a way that an average data subject can make sense of it; however, he does not have to address the particular weaknesses of the specific person requesting the information. If a child makes a request for information, its parents or caregivers can explain the content to it. Moreover, the controller is not obliged to provide, under the heading of comprehensibility, information that is not covered by the right to information. A precise distinction will have to be made between the explanation of a statement and additional information.
- Para. 4: The responsible person will be allowed to ask for a copy of an identity card, as is the case today.
- Para. 5: Once again a new documentation obligation à la GDPR – see above. The controller is obliged to state the reasons for a refusal, restriction or deferral of the information (Art. 26 (4) revDSG). If this information is not sufficient for the data subject, he can sue for the information; in that process, the burden of proof for the reasons for the restriction etc. lies with the controller. It is therefore in his own interest to document this accordingly – there is no need for a legal obligation to do so. And the retention period again seems arbitrarily chosen.
Art. 21 – Competence
- Para. 1: It is not surprising that in the case of joint responsibility, the data subject can request information from any of the controllers. If the other controller nevertheless provides the information, the obligation of the controller that was asked is fulfilled; the provision of information may be performed by a representative.
- Para. 3: This provision is superfluous. In any case, it is the responsibility of the person in charge to ensure his ability to provide information.
Art. 22 – Time limit
Para. 1: If it is not clear from the request for information which data the data subject is concerned with and the controller requests clarification, the time limit only starts to run with this clarification.
Art. 23 – Exceptions from the free of charge
- Para. 1 and 2: The question of cost sharing is related to the frequent abusive requests for information: if a request for information is not made for data protection purposes but for other purposes, and the data subject’s interest in the information is low while the controller’s effort is high, the controller must have the possibility, under general principles, to object to the blatant disproportion of interests as a case of abuse of rights (it is recognized that this constellation can fall under abuse of rights just as much as the more frequently discussed improper exercise). A cost sharing of CHF 300 is now so low that it in no way takes this conflict of interests into account. If this cost sharing is not substantially increased (at least tenfold), this must therefore be taken as an indication that invoking the blatant disproportion of interests is not only possible in rare exceptional cases. In other words: if the controller is left with a cost sharing of CHF 300 even where the effort is much higher, he can a fortiori invoke the disproportion of interests.
- Para. 3: In these cases, the information period of 30 days does not start to run until the end of the withdrawal period; this would need to be clarified.
Art. 25 – Data protection advisor
- Para. 1: The data protection advisor does not have to perform this task; he must have it. In other words, a defaulting data protection advisor does not result in a private data controller no longer being able to invoke the exception to the notification requirement for impact assessments under Art. 23 (4) revDSG. This follows not only from Art. 25(1)(b) E‑DPA, but also from the fact that the appointment of the advisor is voluntary for private individuals and can be limited accordingly to certain processing operations or areas. A defaulting consultant also does not have the consequence that a federal body would not have complied with the obligation to appoint. The latter would only be the case if the federal body prevented the consultant from fulfilling its duties or did not create the conditions for this.
- The consultant does not have to check every processing – the risk-based approach applies here. In addition, it is part of the consultant’s independence that he sets his own priorities.
Art. 26 – Exemption from the obligation to keep a register of processing activities
Pursuant to Art. 12 para. 5 revDSG, the Federal Council must provide for exceptions from the obligation to maintain a processing directory for companies that employ fewer than 250 employees and whose data processing entails a “low risk”. According to Art. 26 of the draft ordinance, a low risk means that neither “personal data requiring special protection is processed extensively” nor “high-risk profiling is conducted”. All other processing operations consequently entail a low risk. This will be remembered in data protection impact assessments, especially since the explanatory report also refers explicitly to the concept of risk in impact assessments (p. 11 f.). As a result, Art. 26 E‑VDSG is to be applied as a concretization of Art. 22 (2) revDSG.
Special provisions on data processing by federal bodies
Art. 27 – 30
This is based on the GDPR. The requirements for the consultant are regulated here at the ordinance level, while those for private data controllers are almost identical in terms of content in the law (Art. 10) – systematically unattractive, but laid out in the revDSG in this way.
Art. 31 – 32
- These provisions are likely to be the subject of further discussion. Federal agencies must inform the advisor first – at the “planning” stage – of automated processing activities so that “the requirements of data protection are taken into account immediately”. What “immediately” means is unclear; it is probably only meant that data protection in the sense of privacy by design should be considered in good time. The advisor must also be informed when the project is “completed”, although it is not clear what the purpose of this information is or what is meant by project completion.
- The consultant is therefore informed during the planning stage. When the project is subsequently “released” or the “decision to develop the project” is made, the FDPIC must then be informed. However, none of these stages is clear. It would have been sufficient to require a “timely” information to the consultant and an information of the FDPIC “before the start of the processing” (if at all).
- Art. 32: Note the transitional provision in Art. 47.
Federal Data Protection and Information Commissioner
Art. 45 – Fees
According to Art. 59 revDSG, the FDPIC charges fees for activities such as the opinion on a code of conduct, consultation based on a data protection impact assessment (which leads even more to the fact that the residual risk is not high), precautionary measures and measures under Art. 51 (!!) and for consultations. The fee now ranges from CHF 150 to 350, depending on the case. The AllgGebV must be observed. Among others, the person liable to pay the fee has to be informed in advance about the expected fee, if the effort is extraordinary. This should actually also apply to precautionary measures according to Art. 51 revDSG…