The transmission of data relating to employees to centralised databases outside Switzerland is increasingly becoming the norm, especially in the case of the Swiss subsidiaries of large company groups. The primary objective is to create economies in wage management and staff recruitment.
There are four major structures for making information available via a global IT infrastructure. They differ from each other primarily in the geographic location of the data and in the regulations on data protection.
The first structure is characterised by fully centralised storage of the data. Authorised branches access and process the data on the central server. No electronic copies of the central data are kept at the local level. Firms with authorised access define the standards of the data protection specifications from the viewpoint of their host country's data protection regulations. This type of structure is generally used for staff management systems (HR systems).
The second structure is a variation of the first. The difference lies in the fact that the data is fundamentally managed at the local level, and is transferred to the central database and thus made available to third parties only when some of the data is required for a specific purpose. The transfer of the data can be on application but can also be automated. Statistical wage data, for instance, which is generated locally, can be made available centrally for company-wide use. A further frequent application can be found in the central availability of personal data or individual staff profiles as an aid to internal staff recruitment.
The third variant is marked by a strict separation between the data and its application. The data is processed exclusively on the local level. The central application system merely occupies an intermediary function between the data-providing company (data exporter) and the data-receiving company (data importer). It controls the data protection specification of the participants and therefore knows what data exchanges can be effected smoothly between which companies. A data transfer can take place directly between data exporter and data importer once the central application system has given its approval to the transfer. The central application system controls the addresses of all participating data processing systems, and communicates these when there is need. This means that for a small outlay a total intermeshing of the system is achieved (everyone knows everyone).
The fourth variant reflects the peer-to-peer structure. Each of the participating partners decides for itself which data will be divulged to whom. There is no mediating authority as in the third variant. The data exporter must decide, on the basis of local data protection directives, whether it is allowed to transfer personal data. There is no central authority to control the data protection specifications of the participating countries. The nature of the data transfer is based on bilateral agreements and can be effected on application or by direct retrieval procedure.
In each one of these variants the data-receiving company abroad becomes the owner of the transferred data if it decides on the purpose and the contents of the centralised database. As such it is responsible for the protection and security of the data. In respect of a centralised database, the companies supplying the data are deemed to be authorised users with special responsibility. They are required to stipulate the conditions relating to data protection to be followed by the company receiving the data (data protection regulations). As early as 1992 the Council of Europe drew up a model data protection clause when it approved the model contract for ensuring equivalent levels of data protection for cross-border data flows.
As regards the divulging of data to third party companies by the company receiving the data, the European Commission laid down clear conditions in a decision of June 15, 2001 regarding standard contract clauses for the transfer of personal data to third countries.
The purpose of transferring data outside Switzerland must have a justification in terms of Article 13 of the DPA (Data Protection Act). Staff recruitment and cost-effective wage management are deemed to constitute such justification. However, only the personal data that is necessary for fulfilling the indicated purpose may be transferred.
In the case of data being divulged by the data importer to companies in third countries, the importer must ascertain whether these third countries have a system of data protection equivalent to that in Switzerland. If they do not, data protection with these companies must be guaranteed on a contractual basis. This obligation is particularly important in the case of the creation of data pools for filling posts within the group.
Where data processing is performed by third parties, the person commissioning the work must see to it that the data is processed only in the manner for which he or she has authorisation, and that the processing does not violate any legal or contractual duty of confidentiality.
Appropriate technical and organisational measures must be used to protect transferred personal data from unauthorised processing. It is therefore recommended that special protective measures be put in place that take account of the classifications of the data categories involved. It must be guaranteed that unauthorised access to the infrastructure and to data carriers is at all times impossible. Likewise, unauthorised access by persons to personal data during its storage and transfer must be prevented by encrypting the data. The encryption must reflect the latest technical advances. This is applicable both to data and to data protection specifications. The identification of the persons authorised by the specifications to receive the data must be unambiguously and clearly guaranteed. The identification must be made using the latest technical advances. Data processing activities must be recorded so that they remain permanently reproducible.