At the request of the federal administration, and in response to various enquiries from citizens, we have analysed different aspects of website evaluation tools from a data protection perspective. In our view, certain criteria must be respected when evaluation tools are used for the purpose of producing website access statistics. In particular, a data protection declaration should draw users' attention to the kind of data that are being collected and to whom the data will be transferred (including the country of destination). If the data are to be transferred to a country which does not offer the required level of data protection, the supplier of the evaluation tool must provide the necessary contractual guarantees that a sufficient level of protection will be respected.
Over the last year, more and more website operators decided to stop producing their own web statistics by means of programmes installed on their own servers. Instead, visits to websites are captured by online tools, such as Google Analytics. As IP addresses are considered personal data, the Federal Data Protection Act (FADP) applies. Website operators thus need to pay particular attention to the following points to stay within the law.
The online tool is integrated into the operator's website by means of a special image and a script provided by the supplier. This allows the supplier of the evaluation tool to record website access because the IP address of the user who clicks on the image is retained by the former's server. In other words, the marginal data generated by the internet user's visit to a website is forwarded to the supplier of the evaluation tool. From a data protection perspective, this process is defined as third party data processing. According to Art. 10a FADP, such situations are authorised provided that there is an agreement, that the supplier of the tool processes the data in the same way as the website operator would have done had he processed the data himself, and that there are no legal or contractual provisions regarding confidentiality.
The operator of a website must therefore require the supplier of an evaluation tool to sign an agreement in which the latter undertakes to use the supplied data exclusively for the evaluation required by the operator (and not for his own purposes) and to guarantee data protection. Furthermore, the website operator must, in order to be in conformity with the transparency principle, notify the user by means of a data protection declaration that an evaluation tool is being used. The information must also include the type and scope of the data that is collected.
In the event that the server of the evaluation tool supplier is located abroad, all data protection provisions applicable to transborder data flows must also be respected. Personal data, for example, may not be transferred to a foreign country if to do so would seriously infringe the individual's right to privacy, in particular if the country in question does not have the necessary legislation to guarantee a sufficient level of protection (a list of countries with the level of data protection they afford can be found on our website www.derbeauftragte.ch under Topics - Data protection - Transborder data flows). In this particular case, such an evaluation tool may only be used if the supplier provides sufficient guarantees that he can ensure an adequate level of protection (Art. 6, para. 2 a) FADP). This usually takes the form of a written confirmation from the supplier. Since January 2009, data transfers to the USA are also covered by the "US-Swiss Safe Harbor Framework", which is an instrument for guaranteeing an adequate level of protection (see Section 1.1.6).
As long as website operators respect these rules, there is nothing from a data protection perspective to prevent them using such evaluation tools. As a matter of principle, however, all website operators would be well advised to consider carefully whether they really want to transfer the personal data of visitors to their sites abroad. The fact is that foreign authorities could use national legislation to demand access to data that is being held on their territory.
Amendments of 10.10.2011 relating to "Information for users on the right to object" and "Abbreviation of IP addresses"
A website's data protection declaration must inform users about the processing of personal data by any web-analytics tools used. Users should also be informed of their right to object to the recording of data by the tool.
In addition, the website operator must also ensure that IP addresses are abbreviated by activating the relevant settings in the program code. When using Google Analytics, for example, this can be done by adding the function "_anonymizeIp()" to the tracking code.
10 October 2011