On the draft of the revised VDSG: a missed opportunity

General

On June 23, 2021, the draft of the totally revised Ordinance to the FADP (E-VDSG) was published. After reading it, one has to be disappointed: the E-VDSG (online version) is a missed opportunity.

Like the preliminary draft of the DPA (VE-DSG) before it, it is imprecise in content and often unnecessarily restrictive. This applies even more to the explanatory report. It leaves essential questions unanswered and appears unreflective overall. Instead of substantiating regulatory proposals on the merits, the report frequently refers to the 13-year-old commentary of the FOJ on today's VDSG and adopts provisions from the almost 20-year-old current VDSG without asking itself whether these provisions are still useful, or whether they ever were.

It is also striking how careless the language of the report is, at least in the German version ("telephone setting"), and how superficial some statements are ("For example, in a hospital, where particularly sensitive personal data is regularly processed, there are generally more stringent requirements compared to the processing of customer or supplier data in a bakery or butcher's shop"). Grammatical errors can also be found in the E-VDSG.

The reason is probably the same as for the VE-DSG: time pressure, a lack of resources and a certain despondency in view of the high complexity of the area. However, this is less understandable with the E-VDSG than it perhaps still was with the VE-DSG. The revised DPA (revDSG) was the result of a long political process in which two camps essentially faced each other: the more regulation-friendly, consumer-protection-oriented camp, which wanted more GDPR, and the more civil-law and commercially oriented camp, which demanded more open rules and more practicability. The result of long discussions was a compromise. The E-VDSG shows little respect for this process when it even seeks to revive a provision that was found in the VE-DSG but did not survive the consultation on the VE-DSG.

Little sensitivity for political processes is also evident elsewhere, in provisions that would probably have to be regulated by formal law. The VDSG is a dependent ordinance. It requires a basis in law; without such a delegation, the Federal Council remains entitled to implement statutory provisions in more detail (Art. 182 para. 2 BV), but in doing so can only "elaborate provisions of the federal law concerned by detailed regulations and, consequently, contribute to the improved applicability of the law" (BGE 141 II 169). The impression suggests itself that this framework has been exceeded in the E-VDSG. This applies in particular to the following provisions, which are not detailed regulations but are equivalent in importance to the provisions contained in the revDSG:

  • Processing regulations of private persons: Art. 4; systematically, this is regulated under data security, but the regulations are not a data security measure; they merely refer to such measures, among other things. Art. 8 para. 3 revDSG ("The Federal Council shall issue provisions on the minimum requirements for data security") therefore does not support a duty of private parties to maintain processing regulations;
  • Information when disclosing personal data: Art. 15 and 16; the obligation to inform recipients about the timeliness, reliability and completeness of the disclosed personal data and about their correction, deletion, etc. has no basis in the revDSG, neither for private persons nor for federal bodies, but would be drastic in its implementation (the obligation to inform in Art. 16 is the provision already mentioned that was found in the VE-DSG but was not included in the revDSG; its inclusion now in the ordinance is hopefully an oversight);
  • Documentation requirements: The obligation to keep and retain documentation can be extremely costly from an operational point of view. In the revDSG, such obligations are largely absent, and deliberately so: the dispatch stated, "instead of a general documentation obligation, a provision on a record of processing activities was inserted. The consultation has shown that a general documentation obligation is too little defined". Accordingly, the legislator had decided to regulate certain documentation obligations in the law, but, deliberately, to dispense with others. The E-VDSG now provides for several such obligations (e.g., in the event of security breaches, Art. 19(5); grounds for restriction of data subjects' rights, Art. 20(5); retention of data protection impact assessments for two years, Art. 18(5); retention of system logs for two years, Art. 3(4); retention of documentation of security breaches for three years, Art. 19(5)), which together carry a weight that calls for statutory regulation.

The consultation lasts until October 14, 2021. Broad circles will participate in the consultation process. The aim will be not only to achieve improvements and clarifications of the ordinance, but above all to have the ordinance respect the balance found in the revDSG and to take account of the fact that many companies are well advanced in their preparations for the revDSG. To introduce surprising new obligations now, after long preparatory work and many postponements, shows a lack of understanding for the efforts of the many companies that take data protection seriously. This will certainly not strengthen acceptance of data protection.

Comments on selected provisions

Data security

Art. 1 – Principles

  • Adequacy of the measures: It is not only the implementation costs that are relevant, but the implementation effort in general (this may also include personnel expenses that are not solely attributable to the specific implementation, as well as time and organizational expenses). The explanatory report is very restrictive here (p. 16): a controller or processor is not free to establish less than adequate data security because of excessive costs; it may only choose the more favorable of several adequate measures. This is already logically wrong: if adequacy is also determined by the implementation costs, the controller does not evade adequacy for cost reasons but determines it with a view to the costs. Otherwise the reference to implementation costs would be meaningless, because it goes without saying that the controller can choose the more favorable of the appropriate measures.
  • Review of the measures: The measures are actually not to be reviewed "at appropriate intervals" but "in an appropriate manner". Intervals imply an obligation to review the measures taken, where only the timing is in question. But whether the measures have to be reviewed at all is itself in question, because often it is not the measures that have to be reviewed first, but the risk factors; if they have not changed, the measures do not have to be reviewed. This is probably also what is meant, but it would have to be specified in the text of the ordinance.
  • Criminal liability: A violation of the minimum requirements is punishable under Art. 61 revDSG if committed intentionally. Criminal liability requires not only that a measure was deliberately omitted, but also that the controller at least accepted that the level of protection required in view of the foreseeable risks would be undercut. In this regard, the E-VDSG takes a case-by-case, risk-based approach. It will therefore be difficult to establish a deliberate breach of data security except in extreme cases. A breach of the obligation to review the measures cannot in itself constitute a criminal offense either; as long as it is not established that a conscious decision was made to omit a measure that had become specifically necessary, there is no breach of data security.

Art. 2 – Protection goals

  • This provision is unclearly worded: the measures do not have to achieve the protection goals but strive for them. This is probably what is meant ("appropriate"). The explanatory report also states (p. 16) that not every breach of data security implies a breach of the minimum requirements, because absolute security cannot be demanded. The explanatory report further specifies what is meant by the state of the art (p. 16): the current state, i.e. measures that are already available and have proven themselves.
  • The protection goals have been slightly expanded to align with the GDPR (explanatory report, p. 19).

Art. 3 – Logging

  • Meaning: It is initially unclear whether a breach of the logging obligation can also constitute a breach of data security that may be punishable. This is probably to be affirmed, but only if logging is actually materially necessary in the individual case to prevent a breach of data security.
  • Para. 1 and 2: Conversely, processes such as storage etc. do not have to be logged if no high residual risks are accepted (except by federal bodies and the processors they commission, who have to design systems in such a way that they can comply with this obligation). Contrary to the wording, on the other hand, the logging obligation should also exist if a DSFA (data protection impact assessment) was omitted but a high risk nevertheless exists.
  • Para. 3: The identity of the recipient does not mean the person who accesses the data, but the organization to which that person belongs or on whose instruction he acts.
  • Para. 4: The strict purpose limitation of the logs, even though it is found today in Art. 10 VDSG, is misguided. It contradicts the principle of purpose limitation, which is tied to the purposes transparently set by the controller. If anything, it should have been enshrined in the law. However, nothing prevents a controller from evaluating logs, e.g. for analysis purposes, if it describes this in its privacy statement. The rule on access restriction is also inappropriate in this form; the retention of logs is a question of proportionality and data security and requires weighing.

Art. 4 – Processing regulations of private persons

  • Mandatory for high risks: It is difficult to understand why the FOJ wants to provide for an obligation to keep processing regulations for private processing. According to the dispatch (see above), the processing directory, the content of which overlaps with that of the regulations, is sufficient for documentation purposes. The explanatory report says that this information can be "copied" from the processing directory. Operationally this will not be that simple, and of course one could also combine the processing directory with the regulations, or record the additional information separately in the regulations and refer to the directory for the rest, or refer only to existing process instructions, the processing directory and a data protection impact assessment or even to a privacy statement in which the required information can be found; a single-document requirement can apply here just as little as with the processing directory. The explanatory report provides further guidance on the minimum content.
  • With the processing regulations, the legislator also accepts that data subjects will attempt to access the processing regime before or outside of court via a request for information. For this purpose, data subjects will rely on the general clause of the right to information, which in turn, in conjunction with the criminal provision of Art. 62 revDSG, is highly problematic in terms of the rule of law.
  • Lack of legal basis: An attempt has been made here to carry today's Art. 11 VDSG over into the new VDSG, but without necessity and with an unattractive Swiss finish (the GDPR knows no such obligation). The FOJ seems not to have been aware of the effort this would generate for larger organizations. In addition, the legislator deliberately replaced the obligation to register data collections in the revDSG with the obligation to keep a processing directory. It was therefore not to be expected that the processing regulations for private processors, which today are tied to the obligation to register a data collection, would be included in the new VDSG. Such a provision would have belonged in the law itself, as already mentioned above.
  • High risk: In any case, the obligation to maintain processing regulations would only apply in the case of extensive processing of personal data requiring special protection or in the case of high-risk profiling. However, if a data protection impact assessment shows that such processing actually does not (or no longer does) entail a high risk because of the measures taken by the controller, the obligation to maintain processing regulations must consequently also lapse (see here).
  • Data protection advisor: Para. 3 sounds as if a data protection advisor must always be appointed. However, this is optional for private parties (unlike for federal bodies; Art. 27 E-VDSG), even in cases where the draft requires processing regulations to be kept. And what is "in a form understandable to the latter"? Does this mean that private persons without a data protection advisor are allowed to keep incomprehensible regulations?

Art. 5 – Processing regulations of federal bodies

The above comments apply, especially since federal bodies must also keep a processing directory (Art. 12 revDSG). In any case, the obligation to keep regulations for all profiling is also too broad; profiling is often harmless precisely because the term profiling is so broad. The other variants of making personal data accessible and the linking of databases are also unclear. Nowhere in the law does linking occur as a term, except in the definition of high-risk profiling, but there it is about something else, and the term "data files" is also new; according to the explanatory report, this is meant to refer to data collections (p. 23), a term that remains unclear. At least this makes it clear that the linking of data is not yet the linking of databases.

Processing by processors

Art. 6 – Modalities

  • Para. 1: The controller can never guarantee that data is processed in accordance with the contract and the law; it can only see to it that it is. This matters, because the controller remains responsible under data protection law but is liable under civil law only in case of fault (under Art. 41 OR), not causally.
  • Para. 3 contradicts the general concern not to undermine digitization with formal requirements. Approval in text form should suffice, which would have to be specified (the written form requirement is taken from the explanatory report on Directive (EU) 2016/680, but there proof by text is meant). In addition, it should be clear that a federal body can also issue a general authorization subject to objection, as is also possible under the GDPR (and under the aforementioned Directive).

Art. 7 – Information to the data protection advisor of the federal body

This provision is unsuccessful. On the one hand, it assumes that the involvement of a processor is fundamentally risky, which it is not (despite the statement to the contrary in the explanatory report). On the other hand, it requires that the data protection advisor be informed "when problems arise in complying with legal or contractual data protection requirements". This is unattractive in terms of language, but also in terms of content. What are "problems"? The provision is unnecessary anyway, because Art. 10(2)(b) revDSG (which also applies to advisors of a federal body) already provides that the advisor must cooperate in the application of data protection law.

Disclosure of personal data abroad

Art. 9 – Data protection clauses and specific safeguards

  • The substantive requirements for data protection clauses, i.e. contracts that legitimize disclosure to a state without an adequate level of protection but are not recognized by the FDPIC, are imprecisely formulated. Furthermore, lit. g is wrong; it is not about the recipients "authorized to process the data" but simply about the recipients. Moreover, it cannot be that the recipients have to inform the data subject, at least if the exporter has been informed about the processing by the recipients or if the recipient is a processor.

Art. 10 – Standard data protection clauses

This provision (the exporter shall take reasonable steps to ensure that the importer complies with the clauses) has actually become superfluous with the new standard contractual clauses (cf. clauses 14 and 15). And again, in principle the exporter cannot ensure that the importer complies with the clauses; it can only require it and, under clause 14 of the new standard contractual clauses, check whether local law precludes compliance. The explanatory report further provides that the importer would have to be obliged to comply with "the Swiss data protection regulations". This is wrong; it must comply with the standard clauses, not with Swiss law. Even Art. 6(2) E-VDSG only requires that the processor comply with "equivalent" provisions.

Obligations of the controller and the processor

Art. 13 – Modalities of the information obligations

  • Para. 1: Here one rubs one's eyes: the processor has a duty to inform? That can only be an oversight. But the explanatory report also says, "the duty of the controller and the processor to provide information is enshrined in Article 19 nDSG". It is not ("The controller shall inform the data subject…"); did nobody check? A duty to inform on the part of the processor itself would be absurd and would contradict its obligation to follow instructions.
  • Implementation of the information obligation:
    • Equally regrettable, but probably not an oversight, is the content of the regulation. The duty to inform is probably the most difficult duty of the controller to implement. In a purely online environment it may be easy to fulfill (if one disregards the general clause in the duty to inform), but what about informing persons with whom one only communicates in writing?
    • Here, referring data subjects to a website is reasonable. It is not a counterargument that not all people have Internet access; otherwise privacy notices would also have to be published in Braille. The FOJ should therefore have clarified in the ordinance that information can be effectively provided via a website, at least if the data subject knows the identity of the controller and the information can easily be found on the controller's website. Corresponding regulatory proposals were available to the FOJ. In this context, it should further have been clarified that a reference to a website may not always be necessary, but that it is in any case sufficient to refer to a privacy statement, even without providing certain basic information ("basic information") already in the referring source (for example, through a link in general terms and conditions).
    • All this is missing in the E-VDSG, and the explanatory report lacks any serious discussion of these issues. The proposed rule in Art. 13(1) can only be described as convenient: it completely misses the point, is imprecise, leads to legal uncertainty, is superfluous in this form, and borrows from considerations in the law governing general terms and conditions without even asking whether these considerations are transferable. The explanatory report writes instead, "… the controller or processor must ensure, when choosing the form of information, that the data subject always receives the most important information at the first level of communication." What does this mean? Does this mean the basic information mentioned above, as under the GDPR? One can only speculate and read on: "there can be a good practice in it" (?) "that all essential information is available at a glance". Is this an obligation to provide a table of contents? It should urgently be specified here that it is sufficient to refer to a website, for example from the GTC, without further information and without a QR code.
    • And at the end the explanatory report still writes, "If the communication takes place in a telephone setting, the information may be communicated orally by a natural person and, if necessary, supplemented by a link to a website." A telephone "setting"? And further: "For recorded information, the data subject must have the opportunity to hear more detailed information." Who wants to do this after 30 minutes on hold, and above all: how does the FOJ arrive at this, what is the legal nature of the duty to inform in its view, what is its concept of the persons affected, what practical considerations does it make? One learns nothing about this.
  • Para. 2: What does "machine-readable" mean for pictograms? Presumably it is sufficient if the explanatory text of icons can be read aloud by a screen reader or if the operator of the website adds an explanation to the pictograms, e.g. as alternative text (<img src="xyz.jpg" alt="Explanation text">). However, this is probably not possible when icons are included as a font. The explanatory report only says "[…] the software used must be able to easily identify, recognize, and extract the information present in such formats." That does not make it any clearer. And "Among other things, this allows for comparison of different documents as well as some automation in general." Is "some automation in general" a privacy concern?

Art. 14 – Duty of federal bodies to provide information in the case of systematic collection of personal data

This concern is known from the GDPR and corresponds to today's Art. 14 VDSG. Nevertheless, such a duty to inform should not apply if it is clear from the circumstances that the information (meaning the disclosure of personal data) is voluntary. If a health insurer conducts a satisfaction survey, for example, such a notice should not be necessary.

Art. 15 – Information in the case of disclosure of personal data

  • This obligation also represents a Swiss finish. In my opinion, such an obligation cannot be regulated at ordinance level; its implementation is too drastic for that. It is also superfluous. Ultimately, it is up to the controllers to ensure compliance with data protection principles. This may require an indication of the timeliness, etc., of personal data, but not in all cases. A hard obligation to provide such information simply will not and cannot be implemented.
  • And here again, the processor is obligated to disclose information that is not available to it. This is probably the same error as in Art. 13.
  • The Schengen Directive has been followed here, but there is no reason to extend such obligations to private processors.

Art. 16 – Information on the correction, deletion or destruction as well as the restriction of the processing of personal data

  • Here, the FOJ has too short a memory. An obligation to inform recipients about the correction, deletion or destruction of personal data was already found in Art. 19 lit. b of the preliminary draft of the FADP ("You shall inform the […] recipients […] of any rectification, deletion or destruction […], of any breaches of data protection and of any restrictions on processing […], unless such notification is not possible or is possible only with disproportionate effort"). This proposal did not survive the consultation. And now the same obligation is to be resurrected in the ordinance? The explanatory report does not even mention this proposal of the VE-DSG.
  • But that's not all: the discloser is now also supposed to inform the recipient about a restriction of processing. This sounds like the data subject right to restriction of processing under the GDPR (Art. 18). The revDSG does not even know such a data subject right.

Art. 17 – Review of an automated individual decision

Unnecessary, but probably harmless. No controller will discriminate against someone for requesting a review of the decision. However: there is no discrimination in a controller pushing back when a data subject disagrees with the review. This can go as far as the termination of a contract; it is legitimate if the data subject makes the continuation of the contract impossible by his own behavior (keyword: "claim neurosis").

Art. 18 – Form and retention of the data protection impact assessment

  • "Written" here must mean as much as "proof by text"; the explanatory report says so, but one would have to specify this in the text of the ordinance, bearing in mind the Helsana ruling of the BVGer.
  • The retention period of two years is justified by the fact that the DSFA represents a central instrument under data protection law and can be of particular importance in the clarification of data security breaches or the assessment of the criminal liability of conduct. Thus, the controller should keep a DSFA in particular because, in an investigation, it can serve as an indication supporting the allegation that a security measure was omitted after the DSFA (i.e., presumably a measure that was described in the DSFA). First, the fact that a planned security measure found its way into a DSFA does not mean that it was necessary within the meaning of the law, and second, the failure to keep a DSFA is not punishable. The controller therefore has an incentive not to retain a DSFA if it is unsure of its case. This is especially true in light of the restrictive interpretation of the nemo-tenetur principle for legal entities in connection with documents subject to a retention period (BGE 142 IV 207 E. 8.3.3).
  • The explanatory report further states, with reference to federal bodies, that "due to the permanence of certain legal bases, it [may] occur that a data protection impact assessment must be retained over a very long period of time (e.g. several decades)". It is unclear which legal basis the FOJ has in mind here; the explanatory report says nothing about this.

Art. 19 – Notification of data security breaches

  • Para. 1: The scope of the information to be provided to the FDPIC in the event of a security breach is based on the GDPR but deviates from it: according to the E-VDSG, the time and duration of the breach must also be indicated, which the GDPR does not require (even if the controller will include this information anyway because it wants to prove the timeliness of the notification). Why the text of the GDPR was not simply adopted is unclear.
  • Para. 2: This largely corresponds to the requirements of the GDPR, except that the E-VDSG additionally requires the "nature of the breach" to be specified. This is what a controller will do anyway.
  • Para. 5: Another documentation obligation is introduced here without it being clear what it is for (except to facilitate an investigation by the FDPIC). Overall, the conclusion suggests itself that the GDPR is to be followed here. In any case, it follows from the system that only breaches that trigger a reporting obligation to the FDPIC must be documented, not breaches below the reporting threshold. What is not stated, but is clear and should nevertheless be specified: the documentation obligation only covers known facts. The controller is not required to make further inquiries just to fulfill the documentation obligation (in particular, it does not have to and cannot establish "all facts related to the incidents" completely).
  • The retention period of three years seems somewhat arbitrary. Two years would certainly have sufficed.

Rights of the data subject

Art. 20 – Modalities

  • Para. 1: The content of this provision is unproblematic, but imprecise. The request for information can of course always be made orally, but the controller does not have to respond to oral requests.
  • Para. 2: As today, on-site inspection presupposes that both parties, the controller and the data subject, agree to this modality.
  • Para. 3: Whether the information is comprehensible to the data subject depends primarily on the recipient's horizon. The controller must, of course, provide the information in such a way that an average data subject can make sense of it; however, it does not have to address the particular weaknesses of the specific person requesting the information. If a child makes a request for information, its parents or caregivers can explain the content to it. Moreover, the controller is not obliged, under the heading of comprehensibility, to provide information that is not covered by the right to information. A precise distinction will have to be made between the explanation of a statement and additional information.
  • Para. 4: The controller will be allowed to ask for a copy of an identity document, as is the case today.
  • Para. 5: Once again a new documentation obligation à la GDPR; see above. The controller is obliged to state the reasons for a refusal, restriction or deferral of the information (Art. 26(4) revDSG). If this information is not sufficient for the data subject, he can sue for the information; in those proceedings, the burden of proof for the grounds for the restriction etc. lies with the controller. It is therefore in the controller's own interest to document accordingly; there is no need for a legal obligation to do so. And the retention period again seems arbitrarily chosen.

Art. 21 – Competence

  • Para. 1: It is not surprising that in the case of joint responsibility, the data subject can request information from any of the controllers. If the other controller nevertheless provides the information, the information obligation of the controller that was requested is fulfilled; the provision of information is not averse to representation.
  • Para. 3: This provision is superfluous. In any case, it is the responsibility of the controller to ensure its ability to provide information.

Art. 22 – Time limit

  • Para. 1: If it is not clear from the request for information which data the data subject is concerned with and the controller requests clarification, the time limit only starts to run with this clarification.

Art. 23 – Exceptions to the free-of-charge principle

  • Para. 1 and 2: The question of cost sharing is related to the frequent abusive requests for information: If a request for information is not made for data protection purposes but for other purposes, and the data subject's interest in the information is low while the controller's effort is high at the same time, the controller must have the possibility, according to general principles, to object to the blatant disproportion of interests as a case of abuse of rights (it is recognized that this constellation can fall under abuse of rights just as much as the more frequently discussed improper exercise). A cost sharing of CHF 300 is now so low that it in no way takes the conflict of interests into account. If this cost sharing is not substantially increased (at least tenfold), this must therefore be taken as an indication that the invocation of the blatant disproportion of interests is not only possible in rare exceptional cases. In other words: If the controller remains with a cost sharing of CHF 300, even with a much higher effort, he can a fortiori invoke the disproportion of interests.
  • Para. 3: In these cases, the 30-day period for providing the information does not start to run until the end of the withdrawal period; this would need to be clarified.

Art. 25 – Data protection advisor

  • Para. 1: The data protection advisor does not have to actually perform this task; it is enough that the task has been assigned to him. In other words, a defaulting data protection advisor does not result in a private controller no longer being able to invoke the exception to the notification requirement for impact assessments under Art. 23 (4) revDSG. This follows not only from Art. 25(1)(b) E‑DPA, but also from the fact that the appointment of the advisor is voluntary for private persons and can accordingly be limited to certain processing operations or areas. A defaulting advisor also does not have the consequence that a federal body would not have complied with the obligation to appoint one. The latter would only be the case if the federal body prevented the advisor from fulfilling his duties or did not create the conditions for this.
  • The advisor does not have to check every processing operation – the risk-based approach applies here. In addition, it is part of the advisor's independence that he sets his own priorities.

Art. 26 – Exemption from the obligation to keep a register of processing activities

Pursuant to Art. 12 para. 5 revDSG, the Federal Council must provide for exceptions from the obligation to maintain a register of processing activities for companies that employ fewer than 250 employees and whose data processing entails a "low risk". According to Art. 26 of the draft ordinance, a low risk exists where neither "particularly sensitive personal data is processed extensively" nor "high-risk profiling is carried out". All other processing operations consequently entail a low risk. This will have to be borne in mind in data protection impact assessments, especially since the explanatory report also makes explicit reference to the concept of risk in impact assessments (p. 11 f.). As a result, Art. 26 E‑VDSG is to be applied as a concretization of Art. 22 (2) revDSG.

Special provisions on data processing by federal bodies

Art. 27 – 30

This is based on the GDPR. The requirements for the advisor are regulated here at the ordinance level, while those for private controllers are almost identical in terms of content in the law (Art. 10) – systematically unattractive, but laid out in the revDSG in this way.

Art. 31 – 32

  • These provisions are likely to be the subject of further discussion. Federal agencies must first inform the advisor – at the "planning" stage – of automated processing activities so that the requirements of data protection are "immediately" implemented. What "immediately" means is unclear; it is probably only meant that data protection in the sense of privacy by design should be considered in good time. The advisor must also be informed when the project is "completed", although it is not clear what the purpose of this information is and what is meant by project completion.
  • The advisor is therefore informed during the planning stage. When the project is subsequently "released" or the "decision to develop the project" is made, the FDPIC must then be informed. However, none of these stages is clear. It would have been sufficient to require "timely" notification of the advisor and notification of the FDPIC "before the start of the processing" (if at all).
  • Art. 32: Note the transitional provision in Art. 47.

Federal Data Protection and Information Commissioner

Art. 45 – Fees

According to Art. 59 revDSG, the FDPIC charges fees for activities such as the opinion on a code of conduct, consultation based on a data protection impact assessment (which will make it all the more likely that the residual risk is found not to be high), precautionary measures and measures under Art. 51 (!!) and for consultations. The fee now ranges from CHF 150 to 350, depending on the case. The AllgGebV must be observed. Among other things, the person liable to pay the fee has to be informed in advance about the expected fee if the effort is extraordinary. This should actually also apply to precautionary measures according to Art. 51 revDSG…
