- In a nutshell
- I. General
- II. Obligated person and connecting factor (para. 1)
- III. Content of the information (para. 2-4)
- IV. Modalities of information (para. 5; Art. 13 DPA)
- V. Practical tips
- VI. Enforcement and Legal Consequences
- VII. Criticism of the Norm
- Bibliography
- Materials
In a nutshell
The obligation to provide information pursuant to Art. 19 FADP concerns the data protection declarations that are important in practice and is specifically intended to increase the transparency of data processing. It supplements the general principle of transparency and requires that data subjects be informed of the key points of data processing whenever personal data is collected. The list of minimum information to be provided is shorter than that of the GDPR and includes contact information, purposes of processing, categories of data processed, categories of data recipients, information on transfers abroad and information on automated individual decisions. However, Art. 19 FADP goes beyond the GDPR in one respect and also requires the specification of recipient countries, whereby the specification of country groups or regions is sufficient. In most cases, the information does not have to be actively communicated to data subjects; it is sufficient if it is made readily available on the Internet. Violation of the obligation to provide information is one of the criminal offenses under the revised Data Protection Act: anyone who intentionally fails to provide the information or intentionally provides false or incomplete information can be fined. In view of the fact that data protection declarations are hardly ever read or understood in detail in practice, it seems questionable overall whether the information obligation actually achieves its stated objective of increasing transparency with regard to data processing.
I. General
A. Purpose of the Norm
1 Art. 19 FADP standardizes the duty of the controller to provide information when obtaining personal data. It thus governs the data protection notices and data protection declarations that are significant in practice and very common in business life. The duty to inform is one of the core provisions of data protection law, which is reflected, among other things, in the fact that it is one of the provisions of the new Data Protection Act that is subject to penalties.
2 The aim of the duty to inform is to increase the transparency of data processing. Transparent processing of personal data is a fundamental principle of data protection law and increasing transparency was a stated goal of the FADP revision. Data subjects should know that data about them is being processed, and they should have the opportunity to find out the key points of the data processing.
3 Transparency of data processing should enable data subjects to make an informed decision about the use of offers and services and enable them to exercise their rights granted by data protection law. The duty to provide information thus also indirectly serves to strengthen the rights of data subjects, which corresponds to another objective of the revision.
4 Finally, according to the dispatch, the duty to provide information is intended to increase the public's awareness of data protection and thus also to promote data protection concerns in general.
B. History
5 Art. 19 FADP expands the obligation to provide information already contained in the previous FADP when obtaining personal data. Under the old law, data subjects only had to be informed in the event of the acquisition of particularly sensitive personal data or personality profiles. Now, data controllers must inform the data subject whenever they obtain personal data. The catalog of mandatory disclosures is also moderately expanded by the new FADP. The revised FADP also combines the provisions that were previously spread across several articles and creates a uniform regulation for processing by private data controllers and by federal bodies.
6 Increasing the transparency of data processing was one of the main objectives of the revision of the FADP. In addition, the Data Protection Convention 108, which is binding on Switzerland, imposes a general obligation to provide information when obtaining personal data, which must be implemented in national law. Directive (EU) 2016/680, which is relevant for the Schengen area, also has an information obligation. The extension of the information obligation was therefore undisputed in principle in the legislative process. With few changes, the text that has become law corresponds to the version of the draft.
C. Classification and delimitation
7 Art. 19 FADP supplements the general transparency requirement of Art. 6 FADP. While the transparency requirement creates basic transparency, the information requirement builds on it to serve a more extensive need for information. The controller should not only ensure that the data collection is recognizable as such, but also provide the data subjects with certain information on the processing purposes and the manner of processing. David Rosenthal's food analogy is illustrative: it must be immediately recognizable to consumers that the product in question is a strawberry jam (transparency requirement), while the list of ingredients and other details can be found on the food label, which can be consulted if interested (information requirement).
8 Unlike the transparency requirement, the duty to inform is not a concretization of the right of personality under Art. 28 of the Civil Code, but is of a public law nature. Violation of the duty to inform therefore does not constitute a violation of personality rights. Accordingly, a violation cannot be justified under Art. 31 FADP. The exceptions and limitations to the duty to inform are exhaustively standardized in Art. 20 FADP.
9 Art. 19 FADP is in turn supplemented by Art. 21 FADP, which provides for a special duty to inform in the case of full automation of important decisions, as well as concretized by Art. 13 FADP, which sets out requirements for the type and manner of information.
10 The duty to inform must be distinguished from the concept of consent. A data protection declaration ensures transparency as required by law, but does not constitute consent under data protection law and does not legitimize an act of data processing that requires justification under Art. 30 f. FADP. However, there is a connection between the duty to inform and consent insofar as, on the one hand, the information basis required for valid consent can be created by means of a data protection declaration and, on the other hand, the fulfillment of the duty to inform and the obtaining of consent can coincide in individual cases (e.g. if a declaration of consent contains all the mandatory information required by Art. 19 FADP).
D. Interpretative Notes
11 The duty to provide information under the revised FADP is modeled on the duty to provide information contained in the GDPR. However, Art. 19 FADP does not simply reproduce the obligation to provide information contained in the GDPR, but sets out a provision that deliberately deviates from parts of the GDPR. For example, the FADP prescribes fewer minimum disclosures than the GDPR and grants more extensive exemptions from the information obligation. As shown by Thomas Steiner, Art. 19 FADP is therefore to be interpreted autonomously, and GDPR practice is only to be consulted for confirmation and plausibility checks of the Swiss interpretation result.
12 In agreement with David Vasella, a cautious interpretation of the duty to inform must also be advocated: On the one hand, Art. 19 FADP is also a penal norm, and the principle of legality under criminal law therefore requires a restrictive interpretation. On the other hand, the fulfillment of the duty to provide information involves considerable effort for companies, which affects economic freedom under Art. 27 FC and is only permissible if the interference is proportionate and limited to the necessary extent. Finally, a certain restraint in the interpretation is also required because basic transparency is already guaranteed by the transparency requirement of Art. 6 FADP and the information obligation only protects a need for information that goes beyond this.
II. Obligated person and connecting factor (para. 1)
A. Obligated person
13 The duty to inform is directed at the controller, i.e. the private person or federal body that decides on the purpose and means of processing. Order processors bound by instructions are not subject to any duty to provide information for processing carried out on behalf of the controller.
14 The person responsible does not have to carry out the duty to provide information himself. He may also delegate the provision of information to a processor or another third party (e.g. to a web agency when operating a website). Even in such cases, however, the responsible party remains responsible for the proper fulfillment of the duty to inform.
B. Connecting factor
15 The duty to inform is triggered by any acquisition of personal data, regardless of whether the data controller acquires the data directly from the data subject or indirectly. The type of data procurement is only relevant for the time of information. It is also not decisive whether it is a permanent or repeated procurement or, as in the case of an isolated lottery, only a one-time data collection. In both cases, information must be provided. A (renewed) collection that triggers the duty to inform also occurs if already existing personal data is used for a new or additional purpose.
16 Information does not have to be provided if the data controller receives personal data by chance or otherwise without any action on his part. Examples are inquiries from journalists, blind applications, employee recommendations or unsolicited e-mail inquiries. However, information must be provided if such unintentionally obtained personal data is to be used for new or additional purposes.
17 The linking of the duty to inform to the event of data acquisition means, in terms of transitional law, that data subjects do not have to be informed about data processing already in progress when the new FADP comes into force (unless the information has already been provided at an earlier point in time anyway). However, data subjects, e.g., existing customers, must be informed at the latest when new data is obtained, e.g., subscribers to an online service when they next log in or participants in a customer loyalty program when they next make a purchase.
III. Content of the information (para. 2-4)
A. Mandatory information
1. General
18 Art. 19 FADP contains in para. 2-4 a catalog of mandatory information that must be provided to data subjects: Contact details of the data controller, purposes of processing, data recipients or categories thereof, categories of data processed, as well as recipient states in the case of transfers abroad and their safeguarding. Few additional mandatory disclosures can be found in other provisions of the FADP, such as in Art. 21 FADP regarding automated individual decisions and in Art. 14 para. 3 FADP regarding representation in Switzerland.
19 Compared to the GDPR, the catalog of the FADP is short. This is to be welcomed and at least leaves room outside the scope of the GDPR to inform with a sense of proportion and to counteract the "information overload" that is rampant today. The flexible regulation of the FADP allows the information to be limited to relevant details based on risk and to omit unnecessary details.
2. Contact details
20 First, the name and contact details of the data controller must be provided. The law does not specify which contact details must be disclosed. However, it is obvious to provide at least a postal address and an e-mail address. It is also conceivable to provide a telephone number, but in view of the possibility of intrusive contact by troublemakers, this is unusual and not recommended.
21 Controllers domiciled abroad must also publish the name and contact details of any representation in Switzerland appointed in accordance with Art. 14 FADP (Art. 14 para. 3 FADP).
22 The disclosure of the contact details of any appointed data protection advisor is voluntary. This is in contrast to the GDPR, where it is mandatory to provide the contact details of the data protection officer. However, the FADP provides a (small) incentive to publish the contact details of the data protection advisor: private data controllers can only claim the exemption from notifying the FDPIC in the case of high residual risks after a data protection impact assessment has been carried out if they have published the advisor's contact details. For this purpose, it is sufficient to publish a functional mailbox (e.g., datenschutz@unternehmen.ch); it is not necessary to mention the data protection advisor by name.
3. Processing purposes
23 The data controller must indicate the purposes for which personal data are processed. Data subjects should therefore be able to find out what their data is being processed for.
24 The level of detail with which the processing purposes are described is left to the controller. Short descriptions such as "communication", "contract processing", "product development" or "marketing" are generally permissible. However, more detailed descriptions or explanatory examples are more helpful, which is also recommended in view of the purpose limitation principle because unclear formulations would be interpreted narrowly in accordance with the principle of trust, in case of doubt to the disadvantage of the data controller.
25 In addition to current processing purposes, possible future processing purposes can also be listed. This is permissible even if the processing in question is not yet specifically planned, but is merely a possibility. In view of the purpose limitation principle of Art. 6 para. 3 FADP, many companies will be inclined to draft such excessive data protection notices in order to keep new data uses open as far as possible, although this is not conducive to the clarity of data protection notices.
4. Data Recipients
26 The categories of recipients to whom personal data are disclosed must then be specified. The insertion of "if applicable" in the legal text has little practical relevance, since the recipients also include the commissioned processors used by the controller, and nowadays hardly any controller can manage entirely without commissioned processors. Jointly responsible parties are also considered recipients, as are, of course, actual "third parties". Group companies belonging to the same group are also recipients, but not entities belonging to the same legal entity such as individual departments or branches.
27 The categories can be defined by the responsible party at its own discretion; the law does not make any specifications in this regard. Conceivable, for example, would be somewhat narrowly defined categories such as "IT service provider", "logistics company" or "collection service provider", but broad categories such as "order processor" are also permissible.
28 Instead of categories of recipients, individual recipients may also be named. However, the naming of individual recipients is voluntary; the naming of categories is sufficient. In practice, it is usually not necessary to specify individual recipients, since the majority of companies have quite a large number of recipients (especially order processors) and maintaining a corresponding list would be time-consuming. The specification of specific recipients has become somewhat widespread in the online sector, where the third-party tools used are sometimes listed individually in connection with cookies and similar technologies.
5. Personal data processed
29 The categories of personal data processed must then be specified. Here, too, the controller is free to define the categories at its own discretion and to choose a level of detail that it deems reasonable and suitable for providing sufficient information to the data subjects. Categories such as "master data", "behavioral data" or "preference data" would be conceivable. "Personal data requiring special protection" or, more narrowly, "health data" would also be possible categories. It is usually also helpful to make the categories, which are sometimes rather elusive, more tangible with examples of data types (e.g. "name", "e-mail address", "place of residence"). Also helpful, but not required, is the assignment of the individual data categories to concrete processing purposes.
30 According to Art. 19 para. 3 FADP, the categories of data processed need only be specified if the data are not obtained directly from the data subject. This is based on the idea that the data subject only has a need for information in this case. If, on the other hand, the data subject discloses his or her personal data himself or herself (e.g. by filling out an online form or a lottery ticket or by submitting a job application), he or she already knows the data processed by the data controller.
31 Following this idea, the restriction must be interpreted narrowly and limited to cases in which the data subject knowingly discloses data. On the other hand, the categories of data processed must also be indicated, for example, if the data are collected directly from the data subject, but without his or her active involvement and he or she may therefore not be aware that data about him or her are being processed. This is the case, for example, with automated collection of transaction data when shopping in stores or in online commerce, or with web tracking on the Internet. For the same considerations, the categories of data processed must also be indicated if the controller derives new data from the data received from the data subject, e.g. information about personal interests and affinities.
6. Recipient states
32 If personal data is disclosed abroad, the recipient states must be indicated. According to Art. 5 lit. e FADP, disclosure includes not only the transfer but also any access to personal data from abroad. Such transfers abroad are very common in the corporate world, e.g. when using cloud-based services.
33 With the obligation to disclose the recipient states, the FADP is unnecessarily stricter than the GDPR, where information only has to be provided about the foreign disclosure itself, but not about the recipient states. The FADP overlooks how international data traffic has become. After all, even under the FADP, individual countries do not have to be listed, which would hardly be practical. The specification of country groups or regions is sufficient, e.g. "EU/EEA" or "Europe". The specification of "worldwide" is also permissible. For data subjects, it is then evident that their data can in principle be processed in any country in the world.
34 If the recipient countries include countries without an adequate level of data protection, additional information must be provided: In such constellations, the guarantees made pursuant to Art. 16 para. 2 FADP to ensure an appropriate level of data protection or the exemption claimed pursuant to Art. 17 FADP must be disclosed. Here, for example, it is sufficient to refer to the conclusion of the standard contractual clauses recognized by the European Commission and the FDPIC, which are by far the most common instrument for safeguarding foreign transfers.
7. Automated Individual Decisions
35 If the controller uses automated individual decisions, it must inform data subjects about this and about the possibility of having the decision subjected to human review at the request of the data subject (Art. 21 FADP). Automated individual decisions are decisions that are fully automated and that have legal consequences for the data subjects or affect them significantly in some other way. The obligation to provide information therefore only applies to fully automated decisions; information does not have to be provided about decisions that are only partially automated or computer-aided.
B. Further information
36 In corporate practice, many companies will go beyond the mandatory disclosures outlined above, usually taking their cue from the GDPR's more comprehensive catalog. Especially (but not only) larger and internationally oriented companies aim for "GDPR-compliant" privacy notices, be it on a voluntary basis or because their data processing operations fall within the (extraterritorial) scope of the GDPR. The GDPR catalog also provides, in particular, for information on the storage period, the applicable legal basis, the legitimate interests pursued, if any, the rights of data subjects and the right to lodge a complaint.
37 However, the inclusion of such additional information under the FADP is usually not required by law. Information that goes beyond the minimum catalog must only be provided if it is necessary in a specific case to ensure reasonably transparent data processing (Art. 19 para. 2 FADP). This will rarely be the case and is more likely to be the case the more sensitive the data processed, the more extensive the processing, the more critical the modalities of the processing, the greater the criticality of the purpose of the processing and the more novel the technologies used for the processing. According to Art. 19 para. 2 FADP, the guiding principle is what data subjects need to know in order to be able to exercise their rights.
38 The GDPR catalog probably represents a kind of upper limit. It is hard to imagine cases in which it might be necessary under the FADP to go even further than the information required by the GDPR.
39 The regulation of the FADP theoretically also leaves room for specifying the handling of the information obligation for a specific industry in a code of conduct pursuant to Art. 11 FADP. However, such industry-specific codes of conduct have not yet been able to establish themselves in practice and will probably play only a minor role in the future.
IV. Modalities of information (para. 5; Art. 13 DPA)
A. Time
40 Depending on whether the personal data are obtained directly from the data subject or indirectly, information must be provided at different times. Direct procurement occurs when the data subject discloses his or her data to the data controller on his or her own initiative (e.g., by filling out a form or creating a user account) or the data controller collects the data by observation itself or by automated means (e.g., by recording purchase transactions or collecting movement data through a fitness tracker). In contrast, indirect procurement occurs when the responsible party collects data from public sources (e.g., media reports or public registers), obtains data from third parties (e.g., an address trader or a credit agency), or derives new data from existing databases (e.g., deriving preferences by analyzing transaction data).
41 In the case of direct procurement, the information must be provided at the same time as it is procured. In practice, this means that the required information must be easily accessible at the time of procurement, e.g., on the website of the responsible party. The provision of information immediately after the first data acquisition, which was still permitted under the old law, is no longer permitted under the new law. In contrast, information may be provided in advance of the acquisition, provided that the connection between the information and the acquisition is sufficiently clear to the data subjects.
42 In the case of indirect procurement, information must be provided not immediately but within one month of receipt of the data (Art. 19 para. 5 FADP). However, the one-month grace period requires that the personal data are not disclosed by the controller to any other recipient. If, on the other hand, the controller discloses the personal data before the deadline expires, the grace period does not apply and the information must be provided at the latest at the time of disclosure. Since disclosures to order processors also fall under this (e.g., storage in the cloud), the information deferral has little practical significance and information must usually be provided immediately even in the case of indirect procurements, which often requires active communication. If this proves impossible to implement, the only recourse available to the data controller is to make use of an exception under Art. 20 FADP.
B. Form
43 The FADP does not contain any formal requirements for the communication of information. Oral information is also sufficient, e.g. in the form of recorded announcements. In practice, however, text form is usually recommended, if only for reasons of proof.
44 In practice, the most widespread way of fulfilling the information obligation is by means of data protection declarations ("privacy notice" or "privacy policy"). A common approach is to describe a broad range of data processing activities in a general privacy notice (from customer business to personnel recruitment to cooperation with business partners) and to supplement this in a targeted manner with special product- or service-specific privacy notices. Special online data protection declarations ("cookie notice" or "cookie policy") for data processing in connection with a visit to a website or an app are also common in practice.
45 Data protection declarations represent one-sided information for the data controller and as such can be flexibly adapted to take into account, in particular, the dynamic nature of many data processing operations. From a practical point of view, the one-sided information also means that no active confirmation or acceptance of the privacy statement by the data subjects is required and therefore, in most cases, the checkboxes frequently found in online forms or ordering processes can be dispensed with.
46 It is also conceivable to include data privacy notices in general terms and conditions (GTC). Unlike data privacy statements, however, data privacy notices contained in GTCs become part of the contract and can therefore only be changed by amending the contract, which often proves too cumbersome in practice. In addition, the duty to inform can only be fulfilled vis-à-vis contractual partners (but not vis-à-vis other data subjects) by means of GTCs. It is therefore not recommended to integrate data protection notices in GTC and only a reference to the data protection declaration should be included in GTC. Additional data protection provisions in GTCs are at most justified if data protection consent is to be obtained, although consent obtained via GTCs is sometimes viewed critically.
47 Data protection notices are interpreted according to the unusualness and ambiguity rules, i.e., special reference must be made to unusual points, and unclear formulations are interpreted to the disadvantage of the author. This also applies if data protection notices are designed as data protection statements or otherwise as unilateral information, at least insofar as they are not purely informative and can also have a legal effect, e.g., via the definition of the processing purposes or as an information basis for possible consents. Data protection notices integrated into GTC are additionally subject to abuse control pursuant to Art. 8 of the Unfair Competition Act (UCA).
C. Provision
48 The mandatory disclosures must be easily accessible to data subjects (Art. 13 DPA). It is not required that data subjects actually take note of the information. The receipt principle (i.e., that the information must actually reach the data subject) does not apply; it is sufficient if data subjects have the possibility to access the information without great effort. Access to information may therefore require the cooperation of the person concerned, also because basic transparency is already guaranteed by the transparency requirement and the duty to provide information only serves a more extensive need for information.
49 However, the steps to be taken by the data subject in order to obtain knowledge must be reasonable. No longer easily accessible and therefore insufficient would be, for example, the mere designation of a contact person or the sending of the data protection statement only upon request. In contrast, the provision of data protection notices on a website is widespread. The information on the Internet is sufficient as long as it is ensured that the data protection information on the website can be easily found and accessed with a few clicks. In practice, a separate subpage for the data privacy statement and its permanent link in the footer, i.e., in the area at the bottom of a web page, has proven effective.
50 Information on the Internet is generally sufficient even if the data is processed offline. Data subjects are now accustomed to finding data privacy notices on the company's website, and they even take this for granted. Data privacy notices provided on the Internet also offer various advantages, such as simplified navigation and expanded possibilities for user-friendly design. The change of media to the Internet is therefore reasonable in most cases. Only in special cases, e.g., when sensitive processing of particularly sensitive personal data is involved, older groups of persons are targeted, or calling up an Internet page is not reasonable in terms of time due to the situation, may it be necessary in exceptional cases for data subjects to be able to access all mandatory information pursuant to Art. 19 FADP without having to change the medium.
51 One useful means of facilitating the change of medium is the display of QR codes that can be scanned with a cell phone and lead to the data protection statement on the internet. Such QR codes are increasingly common in practice (e.g., in signage for video surveillance), but they are not legally required.
52 Multi-level information, in which the first level provides only an initial overview of the data processing and the full information is provided only at a further level, is not only permissible but generally well suited to the needs of data subjects. In principle, the controller may decide at its own discretion which information is provided at which level; there is no "basic information" that must appear at the first level.
53 Versioning or dating of the privacy statement can be useful, but is not required by law, nor is the archiving and making available of earlier versions, which is sometimes found in practice.
D. Communication
54 Providing the required information is usually sufficient; no active communication to data subjects is necessary. The references to the data protection statement in forms, e-mail signatures, letterheads, telephone calls and similar communications that are sometimes encountered in practice are, in the view expressed here, likewise unnecessary; even in contracts, an explicit reference to the data protection statement often seems dispensable. In the case of video surveillance, a clearly visible pictogram on entering the sales area is generally sufficient to establish the required basic transparency, provided that the operator is identifiable in the circumstances. In such cases, interested parties can be expected to consult the website if they wish to obtain more detailed information about the data processing activities of the company concerned. They will do this intuitively and take it for granted that data protection notices can be found on the website.
55 Active communication to data subjects is only necessary if the data subject does not know (and has no reason to know) that the company in question is processing data about him or her. This is often the case when personal data is not collected directly from the data subject, but also in cases of direct collection where the data subject is unaware of the collection (e.g., when people are automatically recorded on entering a public area and their walking routes are tracked). In such cases, data subjects must be actively made aware of the data protection statement (for example by stating the URL or displaying a QR code), as they would otherwise have no reason to call up the company's website and inform themselves there about the data processing.
56 For the same reasons, changes to the data protection statement must be communicated to existing customers in continuing contractual relationships, at least where processing purposes are expanded and the change is therefore equivalent to a new collection. Otherwise, data subjects would have no indication at all that the data protection statement might have changed and that it might therefore be advisable to visit the website. In practice, such information is usually sent by e-mail or displayed via pop-up banners in an online shop or when logging into a customer account. A notice enclosed with an invoice is also conceivable.
V. Practical tips
A. Procedure and Tools
57 Data protection notices should be prepared in close cooperation with the business and technical managers of the areas that perform the data processing, since these functions know best which data is used for which purposes and how. The relevant knowledge holders are often located in business units responsible for data-intensive processing, such as marketing, data analytics and HR. In practice, a participative, workshop-based approach involving these knowledge holders has proven successful. However, it is also possible to collect the information via structured questionnaires or interviews.
58 The record of processing activities pursuant to Art. 12 FADP or Art. 30 DSGVO also provides an initial overview of the processing operations and often offers a good basis for identifying the relevant ones. Moreover, in most cases the record contains information that can be used to prepare the mandatory information, such as the categories of data processed, the purposes of processing and the (categories of) recipients.
59 In practice, there are various tools that support companies in the preparation of data protection notices, including sample data protection statements that can be used as a starting point and adapted for the company's own needs. The following are examples of offerings that are widely used:
- Template for a general data protection statement, which covers numerous standard processing activities and is aligned with both the Swiss FADP and the DSGVO, prepared by two renowned Swiss law firms and available at https://dsat.ch/download/ (free of charge);
- Data protection generator by Datenschutzpartner for creating a data protection statement for websites, with sample wording for numerous common web tools, available at https://www.datenschutzpartner.ch/angebot-datenschutz-generator/ (subject to a fee);
- Sample data protection statement by German university professor Thomas Hoeren for website operators, available at https://www.itm.nrw/wp-content/uploads/Musterdatenschutzerkaerung-nach-der-DSGVO_Stand_September_2022-1.docx (free of charge).
60 According to common governance understanding, the content of the data privacy statement should be approved by the management bodies responsible for data processing, e.g., the executive board. The role of the data protection officer or advisor and other legal and compliance functions should be limited to a coordinating and advisory role, also in view of the sanctions regime.
B. Preparation and Design
61 The Data Protection Ordinance requires precise and comprehensible information (Art. 13 DPO). However, these criteria are hardly justiciable (and not subject to criminal sanctions), and in practice legalistic running text still dominates. Many companies apparently believe that it is difficult to position themselves positively through data protection and that it is therefore not worth investing significant resources in user-friendly data protection notices.
62 Nor does it help that data protection law creates incentives to view data protection notices primarily as a defensive instrument rather than as customer-centric communication: on the one hand, in view of the stronger regulatory powers and sanctions, companies are anxious to include open-ended wording and catch-all clauses so as to protect themselves against accusations of incorrect or incomplete notices. On the other hand, in view of the principle of purpose limitation, companies do not want to close off any room for maneuver and therefore also list merely possible future processing purposes.
63 Despite this unfortunate incentive structure, there are various promising approaches in practice for making data protection notices more reader-friendly and more closely aligned with the needs of addressees:
- Multi-level information ("layered approach"), in which the main aspects of the data processing are first presented clearly and detailed information follows only at a further level. Layered information also includes fold-out texts and tangible examples that illustrate the sometimes rather abstract explanations.
- Data protection pictograms that allow data subjects to gain a quick initial overview of how their data is processed. One example is the standardized pictograms published by the Privacy Icons association, which make certain aspects typically relevant to data subjects visible at a glance and are already used by various prominent Swiss companies.
- Privacy dashboards that provide an easy entry point and enable data subjects to set their own priorities and obtain targeted information on the essential points.
- Explainer videos that introduce data subjects to the topic and give them an easily understandable grasp of the most important content.
- Gamification elements that convey key aspects of the data processing to data subjects in a playful way.
64 Such "legal design" approaches can significantly increase the accessibility and reader-friendliness of data protection notices and are therefore to be welcomed in terms of transparent data processing. However, there is no legal obligation to use such customer-friendly approaches, not even under the DSGVO.
VI. Enforcement and Legal Consequences
A. Administrative Law
65 If data subjects have not been properly informed about the data processing, the FDPIC may open an investigation and order the provision of legally compliant information as an administrative measure (Art. 51 para. 3 lit. c FADP). The FDPIC may act ex officio or upon notification.
66 The prohibition of data processing or the ordering of an adjustment by the FDPIC is also conceivable in principle (Art. 51 para. 1 FADP). However, in most cases, such a drastic measure is not likely to be proportionate solely on the basis of improper information.
B. Criminal law
67 The obligation to provide information is one of the obligations under the FADP that is subject to criminal penalties. Anyone who fails to provide information pursuant to Art. 19 FADP or provides false or incomplete information may be fined up to CHF 250,000 (Art. 60 para. 1 FADP). The duty to inform is a duty with great external impact and the threat of punishment therefore has the potential to be used specifically as a means of exerting pressure on a company or the responsible employees or decision-makers.
68 It is sometimes questioned whether Art. 19 FADP satisfies the requirement of legal certainty under Art. 1 StGB (no sanction without law) and whether a violation of the duty to inform may therefore be sanctioned under criminal law at all. In any event, as regards completeness only the minimum mandatory information pursuant to Art. 19 para. 2-4 FADP may be taken into account; any additional information owed under the general clause of Art. 19 para. 2 FADP (the information necessary for data subjects to assert their rights) must be disregarded.
69 In principle, it is not the company that is liable to prosecution, but the natural person(s) responsible for the breach (Art. 64 para. 1 FADP in conjunction with Art. 6 VStrR). This can be management personnel who have a legal duty to ensure data protection compliance, or persons who have operational process responsibility within the company and are authorized to make decisions on issues relating to the duty to inform. On the other hand, anyone who merely provides support is an accessory and as such remains exempt from punishment. In certain cases, the natural person may not be punished and the company may be fined instead. This is the case if the identification of the guilty person would require disproportionate investigative measures and a fine of no more than CHF 50,000 is possible (Art. 64 para. 2 FADP in conjunction with Art. 7 VStrR).
70 Only intentional conduct is punishable. This includes dolus eventualis, i.e., accepting that the offence may be committed. Negligent conduct, on the other hand, is not punishable. Anyone who forgets an item of information, formulates something imprecisely, or deliberately omits something in the belief that it is not part of the mandatory information does not act intentionally and remains unpunished. To reduce the risk of a finding of intent as far as possible, decisions in connection with the duty to inform should be documented in a comprehensible manner, e.g., the considerations for which an item of information is omitted.
71 Art. 60 para. 1 FADP is an offence prosecuted only on complaint. A violation of the duty to inform is therefore prosecuted only upon a criminal complaint, not ex officio. The complaint may be filed by any data subject concerned, but not by the FDPIC.
C. Civil law
72 Since Art. 19 FADP is a provision of public law, its violation does not in itself constitute a violation of personality rights and therefore cannot be asserted by data subjects by way of civil action.
73 However, data subjects may, where appropriate, assert a violation of the general transparency requirement as a processing principle and on that basis bring an action before the competent civil court.
D. DSGVO
74 Within the scope of the DSGVO, violations of the duty to inform can be punished with fines of up to EUR 20 million or 4% of the total worldwide annual turnover, whichever is higher (Art. 83 para. 5 DSGVO). This is the higher of the two fine frameworks provided for by the DSGVO. Unlike under the FADP, the DSGVO fine is primarily directed against the company and not against the natural persons acting on its behalf.
75 Under the DSGVO, a breach of the duty to provide information can, if necessary, also render the legal basis required for processing obsolete and thus render the data processing unlawful.
VII. Criticism of the Norm
76 The duty to inform is an expression of a basic understanding of data protection law based on informational self-determination. The basic idea is that data subjects inform themselves about data processing and, based on this, make an informed decision as to whether they consent to the corresponding processing of their data and whether they wish to exercise one of the data protection rights granted to them.
77 In today's digitalized and data-based world, the limits of this basic understanding are becoming increasingly apparent. The processing of personal data now affects all areas of life and data subjects are continually confronted with comprehensive data protection notices for which they often lack the time and usually also the necessary expertise. The result is information overload and a constant feeling of being overwhelmed. For many people, it is economically rational to save themselves this effort and remain uninformed.
78 The question therefore arises as to whether the duty to inform still achieves its intended goal at all and justifies the effort and expense associated with it. Its conceptual basis dates back to the early days of data protection, when data processing was simpler. Since then, our world has evolved considerably in terms of technology, and modern data processing is often complex. It is almost like requiring an airline to publish comprehensive technical information and expecting prospective passengers to use it to form their own view of the aircraft's airworthiness. Here, as there, this is neither realistic nor purposeful. It would be worthwhile to develop new approaches to data protection that are not based on superficial transparency.
Bibliography
Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01, adopted on 29 November 2017, as last revised and adopted on 11 April 2018, available at https://ec.europa.eu/newsroom/article29/items/622227/en, visited on 25.5.2023.
Bäcker Matthias, Commentary on Art. 13 and 14 DSGVO, in: Kühling Jürgen/Buchner Benedikt (eds.), Datenschutz-Grundverordnung, 3rd ed., Munich 2020.
Bergt Matthias, Commentary on Art. 83 DSGVO, in: Kühling Jürgen/Buchner Benedikt (eds.), Datenschutz-Grundverordnung, 3rd ed., Munich 2020.
Bieri Adrian/Powell Julian, Informationspflicht nach dem totalrevidierten Datenschutzgesetz, AJP 2020, pp. 1533 et seq.
Bühlmann Lukas/Lagler Marion, Informationspflichten und Auskunftsrecht nach dem neuen Datenschutzrecht, SZW 2021, pp. 16 et seq.
Bühlmann Lukas/Schüepp Michael, Information, Einwilligung und weitere Brennpunkte im (neuen) Schweizer Datenschutzrecht, in: Jusletter, 15 March 2021.
Ettlinger Claudius, Die Informationspflicht gemäss neuem Datenschutzgesetz, in: Jusletter IT, 16 December 2021.
Franck Lorenz, Commentary on Art. 13 DSGVO, in: Gola Peter/Heckmann Dirk (eds.), Datenschutz-Grundverordnung – Bundesdatenschutzgesetz, 3rd ed., Munich 2022.
Kohlmeier Astrid/Klemola Meera, Das Legal Design Buch, Hürth 2021.
Maric Antonio, Legal Design im Kontext von Datenschutzerklärungen, in: Jusletter IT, 20 July 2023.
Paal Boris/Hennemann Moritz, Commentary on Art. 13 DSGVO, in: Paal Boris/Pauly Daniel (eds.), Datenschutz-Grundverordnung – Bundesdatenschutzgesetz, 3rd ed., Munich 2021.
Pärli Kurt/Flück Nathalie, Commentary on Art. 19 DSG, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (eds.), Stämpflis Handkommentar zum DSG, 2nd ed., Bern 2023.
Rampini Corrado/Fuchs Philippe, Commentary on Art. 14 DSG, in: Maurer-Lambrou Urs/Blechta Gabor P. (eds.), Basler Kommentar zum Datenschutzgesetz/Öffentlichkeitsgesetz, 3rd ed., Basel 2014.
Rosenthal David, Das neue Datenschutzgesetz, in: Jusletter, 16 November 2020.
Rosenthal David/Gubler Seraina, Die Strafbestimmungen des neuen DSG, SZW 2021, pp. 52 et seq.
Schweikard Christine/Vasella David, Datenschutzerklärungen und AGB, digma 2020, pp. 88 et seq.
Steiner Thomas, Zwischen Autonomie und Angleichung: Eine Analyse zur Anwendung des neuen DSG im Lichte der DSGVO, in: Widmer Michael (ed.), Datenschutz: Rechtliche Schnittstellen, Zurich 2023, pp. 51 et seq.
Thouvenin Florent, Datenschutz auf der Intensivstation, digma 2019, pp. 206 et seq. (cited as Intensivstation).
Thouvenin Florent, Informationelle Selbstbestimmung: Intuition, Illusion, Implosion (not yet published) (cited as Informationelle Selbstbestimmung).
Thouvenin Florent/Glatthaar Matthias/Hotz Juliette/Ettlinger Claudius/Tschudin Michael, Privacy Icons: Transparenz auf einen Blick, in: Jusletter, 30 November 2020.
Vasella David, Zu den Anforderungen an die Erfüllung der Informationspflicht nach dem revDSG, datenrecht.ch, 28 October 2022, available at https://datenrecht.ch/zu-den-anforderungen-an-die-erfuellung-der-informationspflicht-nach-dem-revdsg, visited on 25.5.2023 (cited as Informationspflicht).
Materials
Botschaft zum Bundesgesetz über die Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz of 15 July 2017, BBl 2017 pp. 6941 et seq., available at https://www.fedlex.admin.ch/eli/fga/2017/2057/de, visited on 25.5.2023 (cited as Botschaft DSG).