Latest News

Court of Justice of the European Union (CJEU) ruling on European standard contractual clauses and the EU-US Privacy Shield

16.07.2020 - In its judgment of 16 July 2020 in Case C-311/18 Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems, the Court of Justice annulled Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield. However, the EU Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries remains valid.

The FDPIC has taken note of the CJEU ruling. This ruling is not directly applicable to Switzerland. The FDPIC will examine the judgement in detail and comment on it in due course.

Link to the CJEU press release

Update Proximity Tracing App: technical security of the SwissCovid app confirmed

12.06.2020 - After reviewing the NCSC report on Risk Estimation Proximity Tracing published today, the FDPIC has confirmed his assessment that the Swiss proximity tracing system operated by the Federal Office of Public Health and the SwissCovid app are data protection compliant. 

Report from the National Cyber Security Centre (NCSC) 

The FDPIC is aware of the widespread criticism of Google and Apple’s failure to disclose the API (application programming interface) for the SwissCovid app. The situation, however, is not new. The data protection impact assessment of 1 May 2020 and the report from the National Cyber Security Centre (NCSC) of 28 May 2020, which is published today, also make reference to this lack of disclosure.

The SwissCovid app is based on globally standardised interfaces and their underlying operating systems. The source code for the operating systems and the interfaces is partially available in some cases or not available at all. This issue is known and is not specific to the SwissCovid app.

In the FDPIC’s opinion, when compared to other everyday uses that the public makes of the smart devices offered by these two manufacturers, the use of the Google and Apple APIs for the SwissCovid app does not represent a significantly greater risk to their personal data. Anyone who assumes that Google and Apple, regardless of their legal responsibilities and the reputational risks, would disregard the restrictions on use they have promised for the SwissCovid app, should be aware of the following: the use of the SwissCovid app would have to be based on Google or Apple operating systems and their general Bluetooth interfaces even if their proximity tracing API were not used.

In order to be consistent, anyone who mistrusts these manufacturers whatever they may do would have to refrain from using not only the SwissCovid app, whatever its design, but also any other smart devices or operating systems offered by Apple and Google. This option always remains open.

For further information, we would refer you to the full text of our assessment:

Full text (in German) (PDF, 134 kB, 12.06.2020)

Coronavirus protection plans

19.05.2020 - The FDPIC supervises the implementation of the protection plans by private companies. He attaches importance to the fact that the procurement and transfer of personal data within the framework of these plans is voluntary.

As part of the easing of measures to contain the corona pandemic, the Federal Council in Ordinance 2 on Measures to Combat the Coronavirus (COVID-19; SR 818.101.24) has made the resumption of activities and the re-opening of businesses and institutions conditional on the introduction of precautionary measures (see the FOPH's recommendations for the workplace and schools).

It is the responsibility of the businesses and institutions concerned to implement their own precautionary measures. Where this requires them to process the personal data of customers, members, employees, etc., this will be carried out under the FDPIC’s oversight. The FDPIC will seek to ensure that businesses and institutions respect the principles of the Federal Data Protection Act, in particular that of proportionality. Depending on the sector and the size of the business or institution, in-house legal and data protection advisers will also help to implement the precautionary measures in accordance with data protection law.

The FDPIC regards it as important that customers, etc., are under no obligation to provide their personal data as part of the precautionary measures and that they cannot be indirectly compelled to provide data, e.g. by making the provision of goods and services dependent on doing so.

The FDPIC takes the view that using direct or indirect pressure to obtain and process data relating to customers, etc., constitutes an invasion of privacy and of a person’s autonomy over their own information. This is incompatible with the principle of proportionality, other than in the case of mandatory data processing requirements based on precisely defined principles of federal and cantonal public law.

Measures for the safe use of audio and video conferencing systems 

01.05.2020 - The coronavirus pandemic is showing people all over Switzerland and, indeed, the world how a single event can completely change our surroundings and the way we do things. From one day to the next, it was no longer possible for us to meet friends and family in person, or exchange information with colleagues and hold meetings at our offices. In our work and in our private lives, we have abruptly switched to digital solutions such as audio or video conferencing systems. Despite the rush with which business meetings, children’s ‘visits’ with their grandparents, or even parties have been moved online, we must not forget how important information security and data protection continue to be.

The first part of this information sheet lists measures we recommend you take to ensure that the audio or video conferencing system you are using during this crisis is safe. You should make sure to reassess your choice of service – either immediately or at a later point in time – by carrying out a risk analysis according to data protection criteria. If necessary, choose a different service more suitable to your needs. This information sheet also contains a list of points to observe when setting up and introducing an audio or video conferencing system, to ensure it complies with data protection guidelines.

The information sheet deals with exactly these issues, and is aimed at all user groups – both in business and in private life.

Update Libra

20.04.2020 - Libra provides information on its application to FINMA and intensifies work on the data protection concept.

On 16 April 2020, the Libra Association informed the FDPIC that it had submitted an application to FINMA for authorisation as a payment system (cf. the information published by FINMA). At the same time, it also informed the FDPIC that work on the data protection concept was underway and had been intensified.

Legal data protection framework for coronavirus containment

17.03.2020 - The authorities, in cooperation with health institutions, are doing everything possible to stem the rapid spread of the coronavirus. Insofar as private individuals (in particular employers) process personal data to combat the pandemic, the principles set out in Article 4 of the Federal Act on Data Protection must be respected.

1. Data processing by health care institutions

Following the declaration of the special situation in accordance with Art. 6 of the Epidemics Act (EpidA) by the Federal Council, the federal, cantonal and communal authorities are continuing to work in conjunction with public health institutions to combat the current coronavirus pandemic.

The Federal Office of Public Health (FOPH), the competent cantonal authorities and the public and private institutions entrusted with tasks in accordance with the EpidA process personal health data in accordance with Section 2 of the EpidA, insofar as this is necessary to identify persons who are ill, suspected of being ill, infected or suspected of being infected, with a view to measures to protect public health. In doing so, they shall also observe the general principles of federal and cantonal data protection legislation. Hospitals and other public or private health care institutions, as well as laboratories and medical personnel, are also subject to special reporting obligations under the EpidA.

2. Data processing by private parties

Insofar as private parties, in particular employers, process personal data to combat the pandemic, the processing must be carried out in compliance with the principles set out in Article 4 of the Federal Data Protection Act:

  • Health data are particularly worthy of protection and, as a matter of principle, may not be obtained by private parties against the will of the persons concerned.
  • Moreover, processing of health data by private parties must be purpose-related and proportionate. This means that they must be necessary and suitable with a view to preventing further infections and must not go beyond what is necessary to achieve this goal.
  • Wherever possible, appropriate data on flu symptoms such as fever should be collected and passed on by those affected themselves.
  • The collection and further processing of health data by private third parties must be disclosed to the data subjects so that the latter understand the purpose and scope of the processing as well as its content and time frame.

3. Body temperature and tracking

Insofar as private individuals collect medical data such as body temperature before entering buildings or workplaces for the purpose of preventing infection, the processing of this data is to be limited to the minimum necessary to achieve the purpose in terms of its content and time. The information and self-determination of the persons concerned must be respected when collecting data. In this context, answering extensive questions about the state of health to non-medical persons proves to be inappropriate and disproportionate.

The same applies to personal data processed by private individuals in connection with operational and organizational measures to prevent infection. At the latest when the pandemic threat has ceased to exist, these data must be deleted as a whole.

If the use of digital methods for the collection and analysis of mobility and proximity data is considered, they must prove to be proportionate to the purpose of preventing infection. They are only so if they are epidemiologically justified and suitable to have an effect justifying the intervention in the personal rights of the persons affected in order to contain the pandemic in its current stage.

What impact does Brexit have on cross-border data flows?

31.01.2020 - Following the referendum held in the United Kingdom in June 2016, the British government announced its decision to withdraw from the European Union (Brexit). The United Kingdom will leave the EU on 31 January 2020.

Cross-border transmission of personal data under the Federal Act on Data Protection (FADP)
Cross-border data transmission must comply with the provisions of Article 6 of the Data Protection Act (FADP). According to this article data may only be disclosed abroad if the receiving country has legislation guaranteeing an adequate level of data protection (Art. 6 para. 1 FADP) or if, in the absence of such legislation, it has other provisions or safeguards for ensuring an adequate level of protection (Art. 6 para. 2 letters a and g FADP). Under Article 31 para. 1 let. d FADP, the Federal Data Protection and Information Commissioner (FDPIC) provides an opinion on whether a country’s level of protection is adequate to allow all data transfers to that country. This requires that the data receiver is subject to legislation ensuring a level of protection that is comparable with Swiss law, i.e. legislation that guarantees the rights of the data subjects, that respects the main principles of data protection and that provides for an independent supervisory authority. A list of countries complying with these requirements is published on the FDPIC website (Art. 7 DPO). This list is updated on a regular basis.

United Kingdom and Gibraltar
The UK and Gibraltar currently have an adequate level of data protection; for the moment the FDPIC has no grounds for changing their status on the country list. As regards the legal consequences of Brexit on the protection of personal data as of 1 February 2020, the British authority responsible for protecting personal data, the Information Commissioner’s Office (ICO), states on its website that the UK will continue to guarantee a high level of personal data protection.

However, if the FDPIC decides to change the status of the UK or Gibraltar on its country list, businesses will be notified in due course so that they can prepare themselves, in particular by using standard contracts. 

The EU will decide by the end of 2020 whether the UK has an adequate level of data protection. The FDPIC is monitoring developments closely.

Further information:

FDPIC, Transfer of personal data abroad

FDFA, Directorate for European Affairs DEA: FAQ Brexit

ICO, Statement on data Protection and Brexit implementation

ICO, Data Protection and Brexit

European Commission, UKTF, Task Force for Relations with the United Kingdom

Second chamber concludes consultation on Data Protection Act (DPA)

18.12.2019 - The FDPIC welcomes the fact that the Council of States has debated the totally revised DPA and has adopted most of the improvements proposed by its Commission in comparison to the National Council version.

The Data Protection Act goes to the Council of States in the winter session

20.11.2019 - The FDPIC welcomes the fact that, within the short time available up to the end of the session, the Political Institutions Committee of the Council of States (PIC-S) has succeeded in adopting a legislative text for the attention of the Plenum of the Council of States that is ready for consultation and significantly improved on the version of the National Council.

Press Release of the PIC-S (in German)

see also:

30.08.2019 - Draft of new Data Protection Act to be debated in the National Council

Facebook to introduce special features in Switzerland for the elections

17.10.2019 – On the eve of the federal parliamentary elections on 20 October, Facebook is set to introduce features aimed to appeal to Swiss users of its social media platform. The company confirmed the plans following an enquiry made by the Federal Data Protection and Information Commissioner. The FDPIC welcomes the company’s transparency.

After the Federal Data Protection and Information Commissioner (FDPIC) learned through various reports that Facebook was planning to introduce features on its social media platform in connection with Switzerland’s 2019 parliamentary elections such as a ‘voter button’, he wrote to the company requesting further information.

In his letter, the FDPIC, referring to sections 5.3 and 7 of the FDPIC’s Guide, pointed out that operators of social media networks are called on to provide fair and full information about how the feature should work and how the resulting data is to be processed. Only if such transparency exists can voters gauge whether and to what extent the way in which the data gleaned from the applications in question are processed could have an influence on opinion forming or voter behaviour.

Facebook Ireland Ltd subsequently confirmed that the functions will be introduced on its social media platform one day before the elections and on election day itself. The features are to be displayed on the profiles of all Swiss voters and Facebook users. Facebook is not going to select certain users or user groups.

According to the written assurances given by Facebook, the features are solely intended to raise the awareness of users for the upcoming elections, and ultimately to encourage voter participation by allowing users to show on their profiles that they have cast their vote in the elections. Facebook stresses that the company will not process data relating to the political views of users in this context.

Furthermore, Facebook has demonstrated that the company has taken heed of the transparency requirements set out in our Guide. Facebook users can read about the various functions and features it employs by clicking on the links to the multi-level information pages (See the following links: Facebook Data Policy; Control who can see what you share; Why am I seeing a reminder about an election and voting on Facebook?; What information does Facebook use to show information about elections and government?)

Complete Revision of the Federal Act on Data Protection (FADP) goes to the Commission of the Council of States

25.09.2019 – Now that the National Council has treated the complete revision of the Federal Act on Data Protection (FADP) as first chamber of parliament, the FDPIC hopes that the second chamber will be able to schedule the debate in its winter session and improve the protection of the Swiss population by aligning it with European standards.

Draft of new Data Protection Act to be debated in the National Council

30.08.2019 - Following its discussion of the Federal Council dispatch of 15 September 2017, the National Council’s political institutions committee decided on 16 August 2019 based on the casting vote of its president to remit the draft of the totally revised Data Protection Act to the plenary session of the National Council for debate.

The proposal made to the National Council contains several provisions which, in the version approved by a majority of the committee, would lead to a lower level of data protection for the Swiss population than in neighbouring European countries and to a partial reduction in the level of data protection afforded by the current Data Protection Act of 1992.

In its public debate on 24 and 25 September, the National Council will have the opportunity to compare the respective drafts of the committee’s majority and minority and to decide whether it wishes to improve the level of protection given to the Swiss population and adapt to European standards.

The summary with the requests of the Political Institutions Committee of the National Council for the revision of the Federal Data Protection Act has been published.

Postfinance: no equal treatment for customers under the current law

30.08.2019 - In a letter dated 13 June 2019 in response to an enquiry from the FDPIC, Postfinance AG confirmed that their Swiss customers will still be required to register an express objection if they do not wish their identity to be authenticated by voiceprint. In contrast, Postfinance makes authentication by voiceprint for foreign customers subject to their express consent. This unequal treatment, which the FDPIC has publicly criticised (see the report on SRF’s 10vor10 programme on 20.5.2019), is set to continue.

In its response to the FDPIC, Postfinance AG maintained that this difference in treatment is due to differences in the requirements of Swiss and foreign law, and that the adoption of foreign law to cover domestic circumstances is a political matter reserved to parliament. Postfinance AG will therefore continue to treat Swiss customers differently for as long as Swiss data protection law is not brought in line with EU law.

26th Annual Report: Switzerland must maintain its level of data protection

18.06.2019 - The FDPIC expects that the Federal Council and Parliament will continue to guarantee the Swiss population a level of data protection that is in line with its European neighbours by signing the Council of Europe Convention 108 in the near future and swiftly bringing to a close the complete revision of the Data Protection Act.

Link to the media release

Data Protection Day 2019 - 3 priorities for the Confederation and cantons: elections, police, OASI number 

28.01.2019 - Federal and cantonal data protection authorities' press release:

25th Annual Report: Freedom before security

25.06.2018 - Monitoring major digital projects has once again been the focus of activity for the FDPIC. The E-ID Act as the basis for using a SwissID, the risk report on using the OASI number as a universal personal identifier or the conditions that must be met by e-ticketing or public transport apps underline this prioritisation. As a supervisory authority, the Commissioner had to intervene to prevent the processing of data on compulsory health insurance and had to deal with data leaks at several large companies. As the Freedom of Information Commissioner, the FDPIC succeeded in achieving a substantial increase in the efficiency of his arbitration procedures and welcomed the National Council’s unanimous commitment to guaranteeing transparency in connection with public procurement – thus ensuring that the principle of freedom of information does not become a farce.

Selection of arbitrators for the Data Protection Arbitration Panel under the Swiss-U.S. Privacy Shield - First call for Interest

Deadline: April 30, 2018

06.04.2018 - According to Swiss law, personal data transmitted to the USA must be subject to an appropriate level of data protection. The Swiss-U.S. Privacy Shield serves this purpose. Thanks to this new legal framework, personal data can be transferred from Switzerland to a company in the USA, provided that the US company complies with a set of data protection rules and safeguards. This protection that is given to personal data applies to everyone who is resident in Switzerland. For this mechanism to become operational, a list of up to five arbitrators must be agreed between the Swiss administration and the DOC. In the event of a dispute, the parties may select the arbitral tribunal from the arbitration pool developed under the EU-U.S. Privacy Shield which has been supplemented by the pool developed under the Swiss-U.S. Privacy Shield. The call for interest has been published in the U.S. Federal Register and can be accessed under the following link: https://www.federalregister.gov/documents/2018/04/02/2018-06737/swiss-us-privacy-shield-invitation-for-applications-for-inclusion-on-the-supplemental-list-of

The deadline for applications is April 30, 2018. They must be submitted to David Ritchie at the U.S. Department of Commerce, either by email at david.ritchie@trade.gov or by fax at: 202-482-5522.

Dispatch concerning the revision of the Data Protection Act: the FDPIC's general assessment

15.09.2017 - The rapid development of information and telecommunications technology and the related digitalisation of society have required the Council of Europe and the European Union to further develop their data protection legislation, and have now necessitated the complete revision of the Federal Data Protection Act, which originally came into force in 1993. The draft act prepared by the Federal Council has the aim of increasing the protection of data by improving the transparency of data processing and increasing the options that data subjects have to control their own data. In addition, the revision of the Act should ensure consistency between the level of data protection in Switzerland and that in the EU. Having a level of data protection that is comparable with that in EU states is particularly important for Swiss businesses, especially because the new EU General Data Protection Regulation (EU-GDPR), which comes into force at the end of May 2018, will have a direct effect on many Swiss enterprises.

Last modification 20.07.2020