Data Processing Principles and Privacy-by-Design
What are the basic rules that companies must observe when processing personal data?
The revFADP requires compliance with the following principles:
- Lawfulness and good faith
- Purpose limitation and transparency
- Accuracy of data
How long can personal data be stored? How and when should the collected data be deleted or destroyed?
Collected data should be deleted once the purpose of the data processing is fulfilled or if it is no longer necessary to fulfil the defined purpose. Personal data may not be collected simply for the sake of having it and/or for any previously unspecified purpose.
Can a cloud provider be used to store a company's data? Is it possible to store customer data on a blockchain?
The use of cloud services or blockchain technologies is not prohibited as long as the data protection principles are complied with. In particular, the principle of proportionality must be observed in such cases.
In addition, the prerequisites for "cross-border data transfers" and "data processors" may have to be complied with depending on the circumstances.
Can unlawfully obtained data be used for an internal investigation of a company’s employees?
In principle, personal data that was obtained in violation of applicable law may not be processed.
This means, for example, that data that was obtained by hacking into another person's computer may not be used in a court proceeding.
I received data collected from a third party. How can I ensure that the third party collected the data lawfully and that I use the data lawfully myself?
In principle, anyone who processes personal data, including third parties, must comply with the data protection principles. However, you can only ensure that the third party has done so if you can audit and fully understand how and under what conditions the third party collected the data. That being said, the risks of unlawful data collection by a third party can be addressed through a contractual arrangement. For example, the third party can contractually guarantee that it is authorised to share the data and that it has collected it lawfully. It is also possible to agree on a liability provision, i.e., that the third party must pay for any damage caused by unlawfully obtained and shared data. Ultimately, however, if you process data originating from a third party, you always bear a certain residual risk, because you remain responsible to the data subjects concerned for compliance with data protection law.
Companies regulated on the financial markets must undertake extensive onboarding/KYC processes, during which a lot of data is collected. Can this data be used for other purposes (e.g., development of new products, sending out advertising materials, etc.)?
In principle, data can only be processed for a predetermined and specified purpose (principle of purpose limitation). As a result, the collected data could only continue to be used for such other purposes if the customer was aware of such processing in advance and the processing is proportionate.
At a glance
In principle, the revFADP did not change the data protection principles. In general, any processing of personal data must be carried out in accordance with the data protection principles:
- Lawfulness / good faith
- Purpose limitation and transparency
- Accuracy of the data
In addition, companies must ensure that they take data protection into account from the outset, i.e., in the development of new business models, products or services, and that their products and services are designed in a data protection-friendly manner (principles of privacy-by-design / privacy-by-default).
The processing principles under Swiss law are largely identical to the principles of EU data protection law. However, under Swiss data protection law, certain principles are included within other (existing) principles. This concerns, for example, the principle of "data minimisation", which is part of the principle of proportionality. The big difference from the EU GDPR is that in Switzerland, personal data can be processed if the principles are complied with. This means that, contrary to EU law, no explicit justification (i.e., the data subject's consent, a statutory obligation or a contractual relationship) is needed as long as the data protection principles are met.
Lawfulness
1 What does the principle of lawfulness mean?
This principle states that personal data cannot be processed unlawfully, e.g., contrary to the applicable law or for criminal purposes.
2 When is data processing unlawful?
The processing of data may be considered unlawful:
- If a provision of Swiss law aiming at the protection of personality rights would be violated; or
- If the processing would be used for criminal purposes.
Example: The publication of a person's photograph qualifies as data processing. If the person concerned (data subject) has not consented to the publication, his/her right to his/her own image (Article 28 Swiss Civil Code) is violated. Such data processing would then be considered unlawful.
Proportionality
1 When is data processing proportionate?
The principle of proportionality means that only data that is objectively needed or necessary for a specific purpose may be obtained or processed. Access to data must, therefore, be restricted as far as possible.
Please note: Data processing without purpose limitation is disproportionate from the outset and, thus, inadmissible.
2 What are the minimum requirements that a company must observe?
- Data may only be processed to the extent absolutely necessary for the declared purpose (collecting and processing only the data necessary for a specific purpose)
Example: If only an email address, age and name are necessary for registering for an app, the app provider should not require additional data such as gender, hobbies, profession (those can, nonetheless, be freely indicated by the customers).
- Access to personal data on a "need-to-know" basis
Example: Work colleagues should not have access to an employee's personnel file. The access should be restricted to the HR department and the line managers.
- Storage of personal data only for as long as it is necessary for the original purpose
Example: If a customer has registered for a company's newsletter, his/her email address should only be retained until he/she unsubscribes from the newsletter (unless there is another reason to keep the email address thereafter, e.g., he/she is also a customer of the company's online shop).
Purpose limitation and transparency
1 What do the principles of purpose limitation and transparency entail?
The collection of personal data and its purposes must be transparent to the data subject. Data processing is only permitted if there is a clearly stated purpose, if the purpose is apparent from the circumstances or if the processing is provided for by law. This purpose remains binding for the data controller or processor.
2 What are the minimum requirements that a company must observe?
- Personal data may only be processed for predetermined and specified/identifiable purposes.
Example: If, during the collection of the data, it is indicated that the data will be used for invoicing purposes only, the data generally may not be processed for other purposes, e.g., advertising (subject to exceptions).
- The purpose of the data processing must be sufficiently determined (no vague, undefined or imprecise purposes).
Example of insufficient determinability: "We process your personal data for our business purposes" (without further details).
- The purpose of the data processing is deemed transparent to the data subject if it is based on active information or a legal basis, or if it is compatible with the original purpose.
In addition to the specified purpose, the most important parameters of data processing must also be transparent, insofar as the data subject has a particular interest in them.
What information is of particular interest?
Which information is of particular interest must generally be assessed on a case-by-case basis. In general, there is a particular interest in the following information:
- Who is responsible for the processing of my data?
Example: name of the company which collects the data or name of the company which sends out a newsletter
- What data will be collected?
Examples: security cameras in a building must be clearly marked or visible to the data subject; a form that a patient must fill out which indicates required and optional information when registering with a new physician
- Who may receive this data?
Examples: authorities, group companies, service providers
The principle of transparency is closely linked to the new duty of information introduced in the revFADP, clearly determining which information must be shared with data subjects when their data is collected and processed.
3 Can we subsequently use the collected data for a different purpose?
If the other purpose is "compatible" with the initial purpose, the data may be processed for this other purpose. The "compatibility" must also be transparent to the data subject.
Example: If the data subject has provided his/her data to issue a payment, he/she is aware that this data is used to process this payment by his/her own bank and the recipient's bank (primary purpose). However, the bank may also use the data in the context of combating money laundering and to prevent fraud. In this regard, the data is used for a secondary purpose which is compatible with the original purpose. Therefore, the secondary purpose does not need any further justification.
4 When can the data not be used for a different purpose?
The data cannot be used for a secondary purpose if the secondary purpose is incompatible with the primary purpose or if such use would be unexpected or inappropriate for the data subject. In such cases, a justification, i.e., consent from the data subject, a legal basis or an overriding interest, must apply in order to comply with the principle of purpose limitation.
Example: If the data subject has provided his/her data during the signature collection for a political campaign, he/she will likely not expect this data to be subsequently used for marketing purposes.
In the event that the data is processed for a different or a new purpose than originally specified, the data subject must be informed so that he/she has the opportunity to object to the processing.
When and how must personal data be deleted?
The collected data must be deleted if the defined purpose is fulfilled or if it is no longer necessary to fulfil this purpose. Please note that personal data may not be collected simply for the sake of having it and/or for a non-specified purpose.
Instead of deleting personal data, it is possible to anonymise it, i.e., to remove any data relating to the data subject. However, taking into account technological developments, complete anonymisation can often not be fully guaranteed and, consequently, a certain risk remains that the data can be re-identified.
In contrast to anonymisation, the mere pseudonymisation of personal data would not qualify as the deletion of the data.
Please note: Certain companies may, however, be subject to statutory retention obligations. In that case, the personal data only has to be deleted after the retention period has expired.
Examples: ten-year retention obligations are provided for in the following cases:
- Article 958 lit. f of the Swiss Code of Obligations: in the case of commercial accounting;
- Article 7 of the Anti-Money Laundering Act: for transactions subject to the Anti-Money Laundering Act;
- Article 19 of the Financial Market Infrastructure Act: in the context of documentation obligations of financial market infrastructures.
Accuracy of the data
1 What must a company ensure regarding the accuracy of data?
- A company must ensure the factual accuracy and timeliness of the processed personal data.
- A company must also correct or delete incomplete, outdated or inaccurate personal data.
In principle, the processing of personal data does not require consent unless a specific legal obligation applies, e.g., where the data would otherwise be processed in violation of the data protection principles.
Can companies be fined if the data protection principles are not met?
Unlike EU data protection law, the revFADP does not generally provide for a fine if the data protection principles are not met. However, the data protection principles form the basis for lawful data processing, which is why a breach of a data protection principle may also result in the violation of another specific duty under the revFADP, such as the duty to inform. Violation of such obligations may lead to a fine.
In addition, the FDPIC has the authority to issue a binding order against companies that violate data protection regulations. For example, the FDPIC may order that the data processing be fully or partially adjusted, suspended or terminated and that the personal data be fully or partially deleted or destroyed (Article 51 para. 1 of the revFADP). Non-compliance with such an order may incur a fine of up to CHF 250,000.
Privacy-by-design and privacy-by-default
The principles of "privacy-by-design" and "privacy-by-default" are intended to ensure that a company takes data protection into account from the outset, i.e., when developing new processes, services or products, and implements data protection-friendly settings by "default". The controller has an obligation to implement appropriate technical and organisational measures in due time to comply with the data protection principles.
- Data minimisation
- Data segregation by purpose
- Selective password protection
- Deletion concept
- Pixelation of image data
- Review internal data processing activities: Are the data processing principles taken into account?
  Is the data processing suitable for achieving the defined purpose (principle of proportionality)?
  Is the processing the least invasive means necessary to achieve the purpose (principle of proportionality)?
- Could the retention period of personal data be limited?
- Could a lower volume of personal data be collected to achieve the declared purpose?
- Could the data be anonymised/pseudonymised?
- Is the data deleted when it is no longer needed (principles of purpose limitation and storage limitation)? Is there an internal archiving and deletion policy for this purpose?
- Is the access to data appropriately restricted (principle of proportionality)? Has the company implemented an internal access management policy for this purpose?
- Are employees trained on data protection principles?
- Are IT/software products configured with privacy-friendly default settings?
- Do the respective products/services enable the company's customers to meet their data protection obligations towards their own end-customers or employees (e.g., can the data be deleted upon request; can customers access all data about their end-customers when the right to information is exercised, etc.)?
- Do the respective products/services enable our customers to set access restrictions that comply with data protection requirements (e.g., by defining different access rights in our products/services)?
Art. 6 Principles
1 Personal data must be processed lawfully.
2 Processing must be carried out in good faith and must be proportionate.
3 Personal data may only be collected for a specific purpose which is evident to the data subject; personal data may only be processed in a way that is compatible with such purpose.
4 Personal data must be destroyed or anonymised as soon as it is no longer needed with regard to the purpose of the processing.
5 Anyone who processes personal data must ascertain that the data is accurate. It must take all appropriate measures so that the data which is inaccurate or incomplete with regard to the purposes for which it was collected or processed is corrected, deleted or destroyed. The appropriateness of the measures depends in particular on the nature and extent of the data processing and on the risks which the processing entails for the personality and fundamental rights of the data subjects.
6 If the consent of the data subject is required, such consent is only valid if it has been given freely and for one or several specific processing activities and after adequate information.
7 Consent must be given explicitly for:
a. the processing of sensitive personal data;
b. high-risk profiling by a private person; or
c. profiling by a federal body.
Art. 7 Data protection through technology and data protection-friendly default settings
1 The controller must set up technical and organisational measures in order for the data processing to meet the data protection regulations and in particular the principles set out in Article 6. It considers this obligation from the planning of the processing.
2 The technical and organisational measures must be appropriate; in particular, they must be state of the art and account for the type and extent of processing, as well as the risks that the processing at hand poses to the personality and the fundamental rights of the data subjects.
3 The controller is additionally bound to ensure through appropriate predefined settings that the processing of the personal data is limited to the minimum required by the purpose, unless the data subject directs otherwise.