- 20.12.2024 -
Navigating compliance: Key insights from FDPIC recent investigations
To download the article in PDF format, please click here.
In recent months, the Federal Data Protection and Information Commissioner (FDPIC) has completed several investigations and published his final reports with recommendations. In this article, we will focus on two of these cases and highlight the findings and takeaways.
Although the investigations were initiated before the revised Federal Act on Data Protection Act (FADP) came into force in September 2023 and were therefore conducted under the previous law, some of the conclusions deserve special attention and can serve as an indicator of the expected requirements for data protection compliance under the revised FADP.
This article does not address or evaluate the individual recommendations of the Federal Data Protection and Information Commissioner (FDPIC). It also does not address the arguments of the companies under investigation, which in most respects contradict the assessment and recommendations of the FDPIC. Instead, it summarises the key messages and findings based on the data protection audit conducted by the FDPIC, which are also relevant under the applicable law.
Investigation into Digitec Galaxus
In a comprehensive investigation, the FDPIC examined the processing of customer data at Digitec Galaxus, Switzerland's largest online shop. The investigation concerned, on the one hand, Digitec Galaxus' privacy notice and, on the other, the requirement to open a customer account to place an order online.
The investigation, which was opened in 2021, had been prompted by data subjects’ reports of having to accept a large range of data processing activities and being obliged to create an account before they could place an order, and of Digitec Galaxus refusing data subjects’ requests to delete personal data or not to use it for profiling, marketing and market research purposes.
In his final report1, the FDPIC states that the principles of transparency and proportionality were violated and provides recommendations. Here are the key messages and takeaways based on the data protection evaluation carried out by the FDPIC:
Concept of personal data
The FDPIC confirms that the ability to identify the data subject depends on the specific situation, whereby the interest, the means and, in particular, the technical possibilities of the party interested in identifying the data subject must be taken into account. If, based on general life experience, it is not to be expected that an interested party will take the effort to identify the data subject, there is generally no identifiability of the data subject given.
Furthermore, the FDPIC states that data that has a clear link to the corresponding end user is personal data under the FADP. Usage data and other device-specific data that can be assigned to a specific user is therefore personal data within the meaning of the FADP. Similarly, hash values are to be considered personal data if they can be used to draw conclusions about specific users.
Transparency and privacy notice
a) Linking of personal data and the purposes of its processing:
The FDPIC makes it clear that a list of the personal data collected (regardless of the purpose) and a separate list of the purposes are not sufficient to meet the transparency requirement, as the data subjects are unable to determine which data is collected for what purpose and thus to effectively object to the processing. According to the FDPIC, it must be apparent to the data subject which personal data is processed for which specific purposes and which personal data is passed on to which specific companies.
The FDPIC’s view that personal data must be linked to their processing purpose corresponds to the approach taken in the EU, according to which the purposes and data categories must be linked.
b) Scope of data processing:
The FDPIC considers that the information in the privacy notice must be accurate and that individuals are entitled to expect that the data processing described will actually take place. Providing information about data processing that is neither taking place nor planned is misleading and, in the opinion of the FDPIC, violates the principles of good faith and transparency, so that a legal justification would be required. The FDPIC argues that, as a first step, the data subjects must find out from the controller which data processing operations are actually taking place, and only then can they exercise their rights as data subjects.
c) Right to object:
The FDPIC states that data subjects have a right to object to the processing of their personal data, and that the controller must cease data processing if there is no justifiable reason for the data processing (e.g., an overriding legitimate interest of the controller).
Principle of proportionality
To place an order with Digitec Galaxus, data subjects were obliged to create a customer account and to accept all the processing activities and purposes listed in the privacy notice, including those not directly linked to and necessary for the processing of their order, such as customer behaviour analysis, creation of customer profiles, personalised advertisements, etc.
The FDPIC considers the requirement to create a customer account when placing an online order to be inadmissible because it violates the requirement of necessity and thus the principle of proportionality of data processing. The FDPIC recommends offering a guest purchase option, without creating a customer account, as an alternative to avoid the identified infringement of privacy.
Investigation into Ricardo / TX Group
In 2017, the FDPIC opened an investigation into the auction platform Ricardo and its parent company TX Group, following reports and complaints by users who were informed in a new privacy notice that their data would be shared within the TX Group for security and marketing purposes, and that if they objected to such disclosure and/or use of their data, their account would be deactivated and their membership cancelled.
The subject of the investigation was the transmission of data by Ricardo to TX Group, the use of this data for personalised marketing and the privacy notices in this context.
In his final report2, the FDPIC concludes that the principles of good faith, transparency and proportionality have been violated, and emphasises the concept of personal data.
Concept of personal data
As in the Digitec Galaxus case described above, the FDPIC has defined the concept of personal data in such a way that a person is identifiable even if they cannot be clearly identified from the data alone, but can be inferred from the circumstances, i.e. the context of a piece of information. In this context, it is fundamentally irrelevant how the reference to the data subject and thus the identification is established, e.g. by means of a key, a number or a file reference. However, the effort required for the identification must be reasonable for an interested party to undertake it. It is therefore not sufficient to have a theoretical possibility of identification. The effort required for identification depends largely on the interest in the identification and the means available to the interested party, including specialised knowledge or additional sources of information, or due to other circumstances. If personal data can be identified without undue effort or can be re-identified in the case of a concealment of the identity, it is personal data.
Complying with the processing principles
The FDPIC emphasises that personal data must be processed in accordance with the processing principles of the FADP, in particular the principle of good faith, as well as the principles of transparency and proportionality (with regard to data minimisation and storage limitation). A violation of the processing principles constitutes a violation of privacy, which means that there must be a justification for the data processing, i.e., the consent of the data subject, an overriding private or public interest or law. It should be noted that an overriding interest cannot be readily assumed to justify an infringement of privacy due to a violation of the processing principles, as this would undermine compliance with the processing principles. Whether an overriding interest applies must be examined on a case-by-case basis. The FDPIC confirms that, when weighing up interests, in principle all specific interests worthy of protection can be considered, including economic interests. On the other hand, consent must be based on a clear privacy notice and given through an affirmative act. Similarly, a reason for justifying the processing of personal data against the express will of the data subject is required, for example, if the data subject has expressly objected to the data processing.
Conclusion
These two investigations and the conclusions of the FDPIC clearly underscore the importance of transparency and proportionality when processing personal data. It is debatable whether the FDPIC goes too far in imposing requirements that are not legally required, such as a bundling ban. However, the FDPIC's perspective remains relevant to companies' compliance efforts.
If you have any questions or need support in this area, please do not hesitate to contact FABIAN PRIVACY LEGAL.
1 https://www.newsd.admin.ch/newsd/message/attachments/87062.pdf (in German)
2 https://www.newsd.admin.ch/newsd/message/attachments/90127.pdf (in German)