17th annual report 2009/2010

Below, you find a selection of articles taken from the FDIPC's 17th annual report. If you are interested in the complete version of the reports, please refer to the corresponding pages in German or French.

Gold digger fever in the internet - the end of privacy as we know it?

Hardly a week goes by without one of the internet giants, such as Google or Facebook, coming out with yet another impressive new service or tool. They all conform to the same model: the service comes free of charge, but the provider generates income from advertising. The more users take up the offer and the more their needs can be analyzed with pinpoint accuracy, the more advertising revenue is generated. In the search for the greatest number of users and the highest advertising potential, providers are prepared to go to extreme lengths. A few recent examples:

There is certainly no intention whatsoever on the part of the data protection authorities to protect irresponsible drivers who engage in speeding. However, we have serious doubts as to whether naming and shaming actually works as a deterrent. Each canton is responsible for dealing with motoring offences on its territory. As a result, the cantonal data protection authorities need to act in a coordinated manner.

The Data Protection Act must be respected, even in cases involving cross-border administrative assistance. The first thing that needs to be verified is whether the administrative assistance being requested is covered by a specific law. It is important to ensure that the privacy of the person whose data are to be transmitted abroad is not going to be seriously compromised because the foreign country in question has no laws that offer a suitable level of protection. In such cases, sufficient guarantees must be obtained. This can be done either by including a data protection clause in an agreement, or else by means of a declaration.

After an extensive examination of Street View, we came to the conclusion that the service presented a number of considerable shortcomings from a data protection perspective. We also received many complaints from the individuals concerned. As a result, we issued a recommendation and filed a complaint with the Federal Administrative Court against Google.

On its website, a company based in Switzerland, is running a service that competes head on with Google Street View and offers very similar functions. Unlike Google, however, Annularspace GmbH has a completely different approach to data collection, and one which we believe conforms to data protection principles.

If a company in Switzerland sends blood samples for analysis to a laboratory in South Africa, it must have a signed agreement with the lab in question that sufficient data protection safeguards will be put in place.

We were asked by a company how it could set up a time and attendance clocking system for their employees by means of fingerprinting. We suggested to the company in question to not to use the fingerprint itself, but rather just an extract of the fingerprint images, in order to minimize the risks involved in the processing of biometric data.

We received a number of complaints during the course of last year regarding the use of various computer programmes for the uninterrupted monitoring of employees at the workplace. In all the cases involved we were able to convince the companies concerned to adapt their practices to comply with data protection principles.

The obligation to register data collections with the FDPIC is a provision under public law to which the territoriality principle applies. This duty arises for private individuals who regularly process highly sensitive personal data or personality profiles or communicate them to third parties.

Corporate mergers are commonplace in today's economic environment. It is not surprising therefore that mergers always involve the processing of personal data. During the reorganisation and consolidation process, personal data are transferred and subject to numerous forms of processing. As a result, there is a risk that unauthorized persons may gain access to this personal information, that too much data may be disclosed (they may be released too soon, or to the wrong person), or that the personal data may be used for a purpose other than the one for which they were originally intended. However, the Data Protection Act obviously applies in the event of a merger to all the different phases. We have outlined the risks and issued recommendations on how to avoid infringements of privacy. The explanations may be found in German, French or Italian here (switch to the respective language section).

The revision of the Data Protection Act, which came into effect in 2008, opened up the possibility for self-regulation. If companies appoint a data protection officer and notify the FDPIC accordingly, they are released from the requirement of having to register their data collections with us. However, the position and the person who will act as data protection officer have to fulfil certain criteria. The main duty of such a person is to check all personal data that may be processed in the company, to ensure that corrections are made where necessary, and to keep a list of all data collections that are held by the company. In order for the person in question to be able to carry out his/her supervisory duties correctly, the data protection officer must be independent - in other words, he/she must not be involved in any other activities, and he/she must have the required professional skills for the job (knowledgeable about data protection issues and familiar with the company's activities). Furthermore, he/she must not be bound by any instructions from the management and be protected against any form of sanctions resulting from the performance of his/her duties. Naturally, the data protection officer must have access to all data collections, data processing and all other pertinent information. The comments may be found here in German, French or Italian (switch to the respective language section).

The number of requests for access to information remained more or less at the same level as the previous year. Over the years, a clear trend has emerged and there are fewer and fewer cases where requests for access to information have been entirely rejected. Instead, the authorities have increasingly allowed partial access. We have also witnessed a distinct increase in the number of requests for mediation over the last year.