
SWISS DATA PROTECTION LAW AND PERSONAL DATA SECURITY MEASURES.

UNAWARE DATA BREACHES BY EMPLOYEES AND COMPANY'S MONITORING INTERNAL PROCEDURES IN COMPLIANCE WITH THE PRIVACY LAW.

Zurich – 6 November 2013

Prof. Avv. Alessandro del Ninno

[email protected]

www.alessandrodelninno.it

SWISS CONFEDERATION PRIVACY RULES

The processing of personal data in the Swiss Confederation is mainly regulated by the Federal Act on Data Protection of 19 June 1992 ("FADP") and its ordinances, i.e. the Ordinance to the Federal Act on Data Protection ("DPO") and the Ordinance on Data Protection Certification ("ODPC").

In addition, the processing of personal data is further restricted by provisions in other laws, mainly with regard to the public sector and regulated markets.

FEDERAL ACT ON DATA PROTECTION OF 19 JUNE 1992 (STATUS AS OF 1 JANUARY 2011)

This Swiss Federal Data Protection Law provides the legal protection of privacy and fundamental rights of persons when their data is processed and applies to the processing of data pertaining to natural persons and legal persons by private persons and federal bodies.


MAIN DEFINITIONS PROVIDED BY THE FADP

a. personal data (data): all information relating to an identified or identifiable person;

b. data subjects: natural or legal persons whose data is processed;

c. sensitive personal data: data on:

1. religious, ideological, political or trade union-related views or activities
2. health, the intimate sphere or the racial origin
3. social security measures
4. administrative or criminal proceedings and sanctions


d. personality profile: a collection of data that permits an assessment of essential characteristics of the personality of a natural person;

e. processing: any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving or destruction of data;

f. disclosure: making personal data accessible, for example by permitting access, transmission or publication;


g. data file: any set of personal data that is structured in such a way that the data is accessible by data subject;

h. federal bodies: federal authorities and services as well as persons who are entrusted with federal public tasks;

i. controller of the data file: private persons or federal bodies that decide on the purpose and content of a data file.

FEDERAL ACT ON DATA PROTECTION: COLLECTING AND PROCESSING DATA – GENERAL PRINCIPLES

The following principles apply to the collection and processing of personal data (including data of legal entities):

• personal data may only be processed lawfully, in good faith and according to the principle of proportionality;

• the collection of personal data and, in particular, the purpose of its processing must be evident to the data subject;


• personal data should only be processed for a purpose that is indicated or agreed at the time of collection, evident from the circumstances at the time of collection, or provided for by law;

• the data controller and any processor must ensure that the data processed is accurate;

• personal data must not be transferred abroad if the privacy of the data subject may be seriously endangered;


• personal data must be protected from unauthorised processing by appropriate technical and organisational measures;

• personal data must not be processed against the explicit will of the data subject, unless this is justified by:

the consent of the data subject (which must be given voluntarily and based upon adequate information); an overriding private or public interest; or law.


• sensitive personal data or personality files must not be disclosed to a third party, unless this is justified by:

the consent of the data subject (which must be given expressly in addition to the voluntariness and adequate information requirement); an overriding private or public interest; or law.

FEDERAL ACT ON DATA PROTECTION: REGISTRATION OR NOTIFICATION TO THE FEDERAL DATA PROTECTION AND INFORMATION COMMISSIONER ("FDPIC")

Private persons do not usually have to notify or register their processing of personal data.

However, private persons must register their data files before the data files are opened, if:

• they regularly process sensitive personal data or personality profiles; or

• they regularly disclose personal data to third parties;


and unless an exemption applies (for example because the data controller has designated a data protection officer who independently monitors internal compliance with data protection regulations and maintains a list of the data files, or because the data controller has acquired a data protection quality mark under a certification procedure).

FEDERAL ACT ON DATA PROTECTION: DATA PROTECTION OFFICERS

There is no requirement under Swiss data protection law to appoint a data protection officer.

However, a data controller can be dispensed from registering its data files if it has designated a data protection officer who:

• carries out his/her duties autonomously and independently, i.e. without being subject to instructions;

• has a certain level of expertise that is appropriate for the relevant data processing at the company (whereas it is not relevant if the respective expertise was not acquired in Switzerland);


• must check and audit the processing of personal data within the company;

• must be in a position to recommend corrective measures when detecting any breaches of applicable data protection rules;

• must have access to all data files and all data processing within the company as well as to all other information that he/she requires to fulfill his/her duties;

• must maintain records of all data files controlled by the company and provide this list to the FDPIC or affected data subjects upon request;


• may not carry out any other activities that are incompatible with his/her duties as data protection officer.

The data controller must notify the FDPIC of the appointment of a data protection officer to be listed on the public list of companies exempted from the requirement to register their data files.

ORDINANCE TO THE FEDERAL ACT ON DATA PROTECTION: SECURITY MEASURES AND PROCEDURES

The data controller and any processor must take adequate technical and organisational measures to protect personal data against unauthorised processing and ensure its confidentiality, availability and integrity. In particular, personal data shall be protected against the following risks:

• unauthorised or accidental destruction;

• accidental loss;

• technical errors;

• forgery, theft or unlawful use; and

• unauthorised altering, copying, accessing or other unauthorised processing.


The technical and organisational measures must be appropriate, in particular with regard to:

1. the purposes of the data processing
2. the scope and manner of the data processing
3. the risks for the data subjects and
4. the current technological standards.

The technical and organisational measures must be periodically reviewed.

ORDINANCE TO THE FEDERAL ACT ON DATA PROTECTION: SPECIAL SECURITY MEASURES AND PROCEDURES WITHIN THE COMPANY

The controller of the data file shall, in particular for the automated processing of personal data, take the technical and organisational measures that are suitable for achieving the following goals in particular:

a. entrance control: unauthorised persons must be denied access to facilities in which personal data is being processed;

b. personal data carrier control: unauthorised persons must be prevented from reading, copying, altering or removing data carriers;


c. transport control: on the disclosure of personal data as well as during the transport of data carriers, the unauthorised reading, copying, alteration or deletion of data must be prevented;

d. disclosure control: data recipients to whom personal data is disclosed by means of devices for data transmission must be identifiable;

e. storage control: unauthorised storage in the memory as well as the unauthorised knowledge, alteration or deletion of stored personal data must be prevented;


f. usage control: the use by unauthorised persons of automated data processing systems by means of devices for data transmission must be prevented;

g. access control: the access by authorised persons must be limited to the personal data that they require to fulfil their task;

h. input control: in automated systems, it must be possible to carry out a retrospective examination of what personal data was entered at what time and by which person.


The Records

The controller of the data file shall maintain a record of the automated processing of sensitive personal data or personality profiles if preventive measures cannot ensure data protection. Records are necessary in particular if it would not otherwise be possible to determine subsequently whether data has been processed for the purposes for which it was collected or disclosed. The Commissioner may also recommend that records be maintained of other processing.


The records must be stored for one year in a state suitable for auditing.

They are accessible only to those bodies or private persons whose duty it is to supervise compliance with the data protection regulations, and may be used only for this purpose.
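The input-control goal (what personal data was entered, when and by whom) and the rules on records above (kept one year in an auditable state, readable only by those supervising compliance) can be modelled in a few lines. The following is an added example, not code from the presentation or from any Swiss authority; the role names, the data-subject identifier and the sample entries are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
RETENTION = timedelta(days=365)  # DPO: records kept one year in an auditable state
SUPERVISORY_ROLES = {"data_protection_officer", "fdpic_auditor"}  # assumed role names
@dataclass(frozen=True)
class InputRecord:
    when: datetime    # at what time the data was entered
    who: str          # by which person
    subject: str      # the data subject concerned
    field_name: str   # what personal data was entered
    purpose: str      # purpose it was collected for, so later use can be checked

class ProcessingRecords:
    """Append-only record of automated processing; reads are limited to supervisors."""
    def __init__(self):
        self._records: list[InputRecord] = []
    def record_input(self, who, subject, field_name, purpose, when=None):
        when = when or datetime.now(timezone.utc)
        self._records.append(InputRecord(when, who, subject, field_name, purpose))
    def purge_expired(self, now):
        """Drop records past the one-year retention; returns how many were removed."""
        keep = [r for r in self._records if now - r.when <= RETENTION]
        removed = len(self._records) - len(keep)
        self._records = keep
        return removed
    def audit(self, role, subject, now):
        """Retrospective examination: who entered what about a subject, when, and why."""
        if role not in SUPERVISORY_ROLES:  # records serve compliance supervision only
            raise PermissionError(f"role {role!r} may not read processing records")
        self.purge_expired(now)
        return sorted((r.when, r.who, r.field_name, r.purpose)
                      for r in self._records if r.subject == subject)

def demo():
    """Constructed sample: three entries on one subject, one past the retention period."""
    now = datetime(2013, 11, 6, tzinfo=timezone.utc)
    log = ProcessingRecords()
    log.record_input("hr_clerk", "employee-42", "health_status", "sick leave",
                     when=now - timedelta(days=400))  # expired, purged on audit
    log.record_input("hr_clerk", "employee-42", "union_membership", "payroll",
                     when=now - timedelta(days=30))
    log.record_input("it_admin", "employee-42", "email_address", "provisioning",
                     when=now - timedelta(days=1))
    try:
        log.audit("hr_clerk", "employee-42", now)  # not a supervisory role
        denied = False
    except PermissionError:
        denied = True
    return log.audit("data_protection_officer", "employee-42", now), denied
```

Running demo() returns the two entries still within the retention period, in time order, plus a flag showing that a non-supervisory role was refused access.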


The processing policy document

The controller of an automated data file who regularly processes sensitive personal data or personality profiles, or who regularly discloses personal data to third parties, must issue a processing policy that describes in particular the internal organisation and the data processing and control procedures, and that contains documents on the planning, realisation and operation of the data file and the information technology used.


The Certification procedure

According to art. 11 of the FADP, in order to improve data protection and data security, the manufacturers of data processing systems or programs as well as private persons or federal bodies that process personal data may submit their systems, procedures and organisation for evaluation by recognised independent certification organisations.

The rules on the recognition of certification procedures and on the introduction of a data protection quality label are set forth in the Ordinance on Data Protection Certification ("ODPC").


Art. 5 FADP - Correctness of the data

Anyone who processes personal data must make certain that it is correct. He must take all reasonable measures to ensure that data that is incorrect or incomplete in view of the purpose of its collection is either corrected or destroyed.

This article is linked to the critical issue of unaware breaches by employees.

THE FEDERAL ACT ON DATA PROTECTION

Breaches of privacy

Anyone who processes personal data must not unlawfully breach the privacy of the data subjects in doing so.

In particular, he must not:

a. process personal data in contravention of the principles of Articles 4, 5 paragraph 1 and 7 paragraph 1;

b. process data pertaining to a person against that person's express wish without justification;

c. disclose sensitive personal data or personality profiles to third parties without justification.

Normally there is no breach of privacy if the data subject has made the data generally accessible and has not expressly prohibited its processing.

Justification

A breach of privacy is unlawful unless it is justified by the consent of the injured party, by an overriding private or public interest or by law.

An overriding interest of the person processing the data shall in particular be considered if that person (amongst others):

a. processes personal data in direct connection with the conclusion or the performance of a contract and the personal data is that of a contractual party;

b. is or intends to be in commercial competition with another and for this purpose processes personal data without disclosing the data to third parties;


c. processes data that is neither sensitive personal data nor a personality profile in order to verify the creditworthiness of another, and discloses such data to third parties only if the data is required for the conclusion or the performance of a contract with the data subject;

d. collects data on a person of public interest, provided the data relates to the public activities of that person.


Processing of personal data by third parties

The processing of personal data may be assigned to third parties by agreement or by law if:

a. the data is processed only in the manner permitted for the instructing party itself; and

b. it is not prohibited by a statutory or contractual duty of confidentiality.

The instructing party must in particular ensure that the third party guarantees data security.

Third parties may claim the same justification as the instructing party.

Monitoring employees' personal data and emails

Section 328 of the Code of Obligations establishes the general conditions for workplace monitoring.

The Federal Data Protection and Information Commissioner has issued a number of statements that appear to make the monitoring of email difficult, if not illegal.

In any case, the guidance documents issued by the Commissioner do not specifically state that monitoring in the workplace is illegal.


Instead, the Commissioner has identified a number of measures that would be considered illegal and thus should be avoided by employers. Employers should have in place clear policies that set forth the proper uses of networks, emails, Internet and other electronic communications media. If monitoring is to take place, the employer should set forth the specific basis for monitoring, explain how and when monitoring will take place, and provide information to employees sufficient to enable the employee to understand his or her rights of access, etc. Where feasible, the employer should obtain an employee's specific consent to monitoring. Monitoring should be tailored to target specific violations of policy – and where possible, immediate notice should be provided to the employee for suspected violations.

THANKS FOR YOUR ATTENTION !