Privacy Legal | Daniela Fabian






 

Data privacy has become a critical factor to business success.

The growth of the Internet and the use of new technologies, such as cloud, social media, mobile communications or big data, enabling the collection, storage and mapping of large amounts of data, easy tracking and global sharing of information have opened up new opportunities for many businesses. At the same time, countries around the world, including the EU and Switzerland, continue to adopt new or stronger regulations to address the rapid development of new technologies and the growing concerns and expectations of consumers, employees and other stakeholders regarding the access, collection, use, disclosure and security of their personal information.


What is data privacy about?

Data privacy is about the individual’s right to take decisions in respect to information relating to him or her and to control the collection, use and disclosure of his or her personal data.

Personal data is any information relating to a person, irrespectively of whether the person is identified, for example by a name, or is only identifiable by someone, for example through a passport number or a code.


Why should you care about data privacy?

Companies have a legal obligation to protect personal data and privacy rights. When designing and developing new IT systems or introducing new business practices, for example global data management systems or outsourcing, companies must ensure compliance with applicable privacy laws and should therefore consider privacy requirements from the outset.

Non-compliance with legal obligations may lead to significant risks for companies and the consequences can be serious.

The reputation of a company can be severely affected by poor information management practices. Stakeholders’ trust and confidence can be damaged. Further consequences of violations may be heavy fines, injunctions, governmental inspections and criminal liability.


What should you do?

Be prepared to respond to increasing privacy-related challenges and cyber risks. A structured privacy approach simplifies privacy management by providing a framework that enables companies to respond proactively to the ever-increasing challenges in data privacy and security management and to meet jurisdictional, organizational and strategic requirements and thus to reduce risk. At the same time, privacy governance and management practices enable companies to demonstrate accountability and enhance trust among stakeholders.


How can we support you?

We assist companies in establishing an adequate level of privacy compliance and minimizing legal and commercial risks in a structured and straightforward risk-based approach, taking into account the legal and regulatory requirements applicable to the company and its specific needs. 

Would you like more information? Then contact us via e-mail: daniela.fabian@privacylegal.ch or call us:  +41 61 544 44 01. 

Developments:

Privacy by design as an opportunity for companies


The Swiss Parliament recently adopted the revised Data Protection Act, which newly introduces the concept of “privacy by design”. The correct implementation of this concept is the basis for responsible and efficient data protection and a decisive factor for the success of each company. In an article published in the Bilanz (Fokus Business Success) magazine, Daniela Fábián explains the concept and its practical implementation. 

Please note that the article is only available in German.

To download the article, please click here.

The new Swiss Data Protection Act - The most significant changes for companies


On 25 September 2020, the Swiss Parliament adopted the revised Federal Act on Data Protection. The Federal Council will decide on the entry into force after the 100-day referendum period has expired. This article summarises the most significant changes for companies.

To read the article please click here.

 

The revised Swiss Data Protection Act is adopted


The revised Swiss Data Protection Act is adopted

 

On 25 September 2020, the Swiss Parliament adopted the revised Federal Act on Data Protection (FADP-new) (final voting text in French). The federal law is subject to an optional referendum. The Federal Council decides on the entry into force after the 100-day referendum period has expired.

After disagreeing until the very end on the issue of profiling, the Councils finally agreed on the introduction of the concept of "high-risk profiling". The consequence of this type of profiling is that consent, if required, must be explicit (see below the relevant legal articles concerning profiling and consent).

It remains to be seen how companies will assess the risk level of profiling in practice. In any case, this exercise will be a challenge for companies.

It should be noted that the revised FADP does not introduce a consent requirement for high-risk profiling, but only requires that consent, if at all required as a justification under Art. 31 FADP-new, must be given explicitly. It must be reminded that the basic concept of the FADP and FADP-new is different from that of the GDPR. While under the GDPR, a legal ground is always required for the processing of personal data (Art. 6 and 9 GDPR), the processing of personal data under the FADP and FADP-new is, in principle, permitted as long as the personality of the data subjects is not unlawfully violated. According to the FADP-new, the "permission principle subject to prohibition" continues to apply, while the GDPR applies the "prohibition principle subject to permission". 

The revised Data Protection Act will in future apply to the processing of personal data of natural persons (today also legal entities). It introduces specific terms such as "controller" and "processor" and extends the term "sensitive personal data" to include "genetic data" and "biometric data that uniquely identifies a natural person". Concepts, as already known from the GDPR, are now enshrined in the law, such as Privacy by Design, the inventory of processing activities, data protection impact assessments, the general duty to provide information when collecting personal data and the notification of data security breaches. In the future, under certain conditions, controllers located abroad will also have to appoint a representative in Switzerland if they process personal data of persons in Switzerland. The new law tightens the penal provisions with fines of up to 250,000 Swiss francs for private individuals who violate specific provisions, such as the obligation to inform, consult and cooperate with the FDPIC, the provisions on the transfer of personal data abroad and the assignment of processors, as well as non-compliance with minimum data security requirements.

A detailed summary and analysis of the revised law and its principles will follow. 

Relevant articles in the FADP-new concerning profiling (unofficial translation)

Art. 5 lit f: Profiling Is any automated processing of personal data consisting in the use of such data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the performance of work, economic situation, health, personal preferences, interests, reliability, behaviour, whereabouts or movements of that natural person.

Art. 5 lit g: High-risk profiling: profiling which involves a high risk to the personality or fundamental rights of the data subject, by creating a link between data which allows an assessment of substantial aspects of the personality of a natural person.

Art. 6 para 6: If the consent of the data subject is required, this consent is only valid if it is given voluntarily for one or more specific processing operations after adequate information has been provided. 

Art. 6 para. 7: Consent must be given explicitly for: 

a. the processing of sensitive personal data; 

b. high risk profiling by a private person; or 

c. profiling by a federal body. 

Art. 30 Violation of the personality

1 Anyone who processes personal data must not unlawfully violate the personality of the data subjects. 

2 A violation of personality exists in particular if: 

a. personal data is processed in violation of the principles set out in Articles 6 and 8; 

b. personal data is processed contrary to the data subject’s express declaration of intent; 

c. sensitive personal data is disclosed to third parties. 

3 As a rule, there is no violation of personality if the data subject has made the personal data generally accessible and has not expressly prohibited its processing.

Art. 31 para 1 A violation of privacy is unlawful if it is not justified by the consent of the person concerned, by an overriding private or public interest or by law. 

Article on Privacy by Design in the International Comparative Legal Guide - Data Protection 2021


Privacy by Design ("PbD") is a fundamental requirement for privacy-compliant processing of personal data and is, in principle, a well-known approach. Nevertheless, PbD is often not consistently implemented, in some cases leading to significant consequences and costs for organisations. This article describes the concept of PbD and its practical implementation under the application of the EU General Data Protection Regulation.

 

Please click here to download the article in PDF format.

Please click here to read the article online.

 

EU Personal Data Transfers 2021: Planning for a Year of Increased Scrutiny


As 2021 begins, ex-EU transfers of personal data continue to pose a challenge for data privacy professionals. The following article explains what organizations can do in order to minimize risks associated with data transfers.

Please click here to read the article.

Article on cross-border data transfers in "Fokus Rechtsguide"


In an article published in the magazine "Fokus Rechtsguide", Daniela Fábián Masoch explains what needs to be considered when transferring personal data to third countries and what are the consequences of the CJEU judgment (Schrems II) for Swiss companies.

Please note that the publication is only available in German.

To download the PDF please click here: Fokus Rechtsguide 2020.pdf

To read the article online please click here.

CJEU judgment on cross-border data transfers from the EU to third countries - what now?


 

On 16 July 2020, the Court of Justice of the European Union (CJEU) delivered its judgment in Case C-311/18 — Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (so-called "Schrems II"). In this case, M. Schrems requested the Commission to prohibit or suspend the transfer by Facebook Ireland of his personal data to Facebook Inc., established in the US, on the ground that that third country did not ensure an adequate level of protection. This ruling has far-reaching consequences for any transfers of data from the EU to third countries.

 

The following article details the findings of the decision, the reactions of data protection authorities and the consequences for companies transferring personal data from the EU to third countries. Please click here to read the article.

Privacy by design in digital health


The exponential growth of digital health solutions and products, such as software or internet-enabled devices, brings a range of benefits for patients, the health industry and the general public, from preventing new diseases, monitoring patient conditions, data analysis and personalised medicine, to reducing health costs through more efficient processes.

To be effective, these technologies rely on the use of large amounts of data. Particular caution is needed when personal data are involved, as the processing of personal data – in particular, health-related data – can pose significant risks to the privacy of data subjects and the security of personal data.

This article examines the privacy aspects under the GDPR that need to be taken into account when designing digital health solutions, and why this is important to fully exploit the potential of digital health. It also attempts to clarify the concept of PbD and to translate legal requirements into practical solutions, with a focus on mobile applications in the context of digital health.

Please click here to read the article.

 

 

Why should companies invest in Binding Corporate Rules?


Why should companies invest in Binding Corporate Rules? Download the article here: DP19_Chapter-3_FABIAN[2].pdf

https://iclg.com/practice-areas/data-protection-laws-and-regulations/3-why-should-companies-invest-in-binding-corporate-rules

Privacy in Practice Workshops


Privacy in Practice, a training course consisting of a series of workshops by practitioners for practitioners was recently launched by FABIAN PRIVACY LEGAL. Privacy in Practice aims to provide companies with the knowledge and tools they need to implement privacy and security requirements effectively and sustainably. The workshops are held in the form of lectures by proven data protection experts and long-standing practitioners, practical examples and interactive group work and discussions. The first workshops will be held on 3 September, 15 October and 14 November 2019 in Basel. Registration is open via https://privacyinpractice.ch

Privacy by Design in practice


Privacy by Design in practice.pdf

The concept of controller and processor in practice


 

The concept of controller and processor in practice.pdf

12 November 2020: The EU Commission launches public consultation on revised SCC


On 12 November 2020, the EU Commission launched public consultation (until 10 December) on revised Standard Contractual Clauses (SCC).

Please click on the respective links to download the Commission implementing decision and the Annex with the proposed clauses.

11 November 2020: The EDPB releases recommendations on cross-border data transfers


On 11 November 2020, the EDPB released two recommendations regarding cross-border data transfers. Public consultation until 30 November 2020.

  • Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (these recommendations provide data exporters with a series of steps to follow, potential sources of information, and some examples of supplementary measures that could be put in place) and
  • Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (these recommendations provide elements to examine, whether surveillance measures allowing access to personal data by public authorities in a third country can be regarded as a justifiable interference or not.

To download the recommendations, please click on the following links:

8 September 2020: Swiss Data Protection Authority considers CH-US Privacy Shield no longer adequate - Swiss companies must act now


On 8 September, the Federal Data Protection and Information Commissioner (FDPIC) determined that it no longer considers the CH-US Privacy Shield adequate for transferring personal data from Switzerland to the USA, following the EU Court of Justice judgment of mid-July in the Schrems II case.

The following article explains the consequences of this decision for Swiss companies transferring personal data to third countries and gives advice on how they should react. Please click here to read the article.

4 May 2016: The new EU General Data Protection Regulation (GDPR) published


On May 4, 2016, the EU General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union. The GDPR will replace the current EU Data Protection Directive and will be directly applicable in all EU Member States. Companies will have time until May 25, 2018 to implement all required steps necessary to comply with the new regulation.

The GDPR contains strengthened and new rights for data subjects, such as a right to be forgotten or a right to data portability, and new obligations for data controllers and data processors.

Here are some of the key changes:

1.     The territorial scope has been expanded to include data controllers and (new) data processors that are     established in the EU. Importantly, also companies that are NOT established in the EU, but offer goods or services to, or monitor the (online) behaviour of data subjects in the EU, fall under the scope of the GDPR.

2.     Controllers must demonstrate their accountability to comply with the GDPR. This includes the obligation to:

  • Maintain a documentation of processing activities
  • Establish policies and guidelines
  • Appoint a data protection officer (DPO) in certain cases
  • Implement security measures
  • Implement data protection by design and by default and
  • Conduct privacy impact assessments

Accountability may be demonstrated by various means, such as with Binding Corporate Rules (BCR), certifications or codes of conducts.

3.     The requirements for obtaining consent have been strengthened. Consent must be freely given, specific, informed, unambiguous and explicit for sensitive personal information and must be revocable at any time. It must be clearly distinguishable from other matters when requested in the context of a written document and it must be provided in an intelligible and easily accessible form, using clear and plain language. Also, consent will not be valid, if there is a clear imbalance between the data subject and the controller, which may be the case for example in the employment context. Importantly, a controller may not make a service conditional upon consent, unless the processing of personal data is necessary for that specific service.

4.     Data Processors have now direct statutory obligations under the GDPR. This includes the obligation to:

  • Maintain records of processing activities
  • Implement appropriate data security measures
  • Cooperate with supervisory authorities
  • Assist controllers to comply with the GDPR
  • Comply with cross-border data transfer restrictions
  • Notify controllers in case of a data breach
  • Become joint controller, if data is processed beyond instructions of the controller
  • Enter into written data processing agreement with the controller
  • Appoint a DPO in certain cases

5.     Data controllers must notify supervisory authorities about data breaches without undue delay and, where feasible within 72 hours after having become aware of the breach. Where the breach is likely to result in a high risk to individual’s rights and freedoms, such individuals must be notified about the breach without undue delay.

6.     Violations of the GDPR may result in fines up to EUR 10 m or 2% of the annual worldwide turnover for example for failures to comply with the general obligations, to appoint a DPO or to implement security measures and privacy impact assessments. More severe failures, for example to comply with the basic privacy principles for data processing, such as consent requirements, data subject rights or data transfer restrictions, may result in fines up to EUR 20 m or 4% of the annual worldwide turnover.

What should companies do now?

Companies subject to the GDPR should start now to implement appropriate measures to comply with the GDPR in two year’s time by taking the following steps:

  • Get familiar with the GDPR and the obligations applicable to your organization
  • Conduct an assessment of the current privacy management practices within your organization and of the gaps in respect to the new requirements under the GDPR
  • Identify measures that must be taken to comply with the GDPR and define an action and time plan for the remediation
  • Watch out for guidelines and opinions that will be published by national Data Protection Authorities and the Article 29 Working Party in the coming months

How can we help you?

We are happy to assist organizations in getting a better understanding of the requirements under the GDPR applicable to them; conducting assessments and gap analysis, providing guidance on remediation and developing necessary policies, guidelines and processes to ensure compliance with the GDPR and minimizing risks.

You can find the final text in various languages here:

http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC

Would you like to get more information? Then contact us via e-mail: daniela.fabian@privacylegal.ch or under +41 61 564 01 08.