In a nutshell

Since the processing of personal data is increasingly not only carried out jointly by several federal agencies, but also jointly with cantonal or municipal agencies or even private individuals, there is a need for clear regulations on responsibilities. Art. 33 FADP empowers the Federal Council to define responsibilities in these constellations.

I. General

A. History

1 The predecessor provision in Art. 16 aDSG was split up with the data protection revision. Art. 16 para. 1 aDSG, which governed general responsibility, was transferred to Art. 5 lit. j. Art. 16 para. 2 aDSG, which regulated the responsibility in the case of several data processors involved, was transferred to Art. 33 FADP.

B. Purpose of the Norm

2 Art. 5 lit. j FADP defines who is to be subsumed under the term "data controller" (see OK-Hofmann on Art. 5 lit. j FADP): the connecting factor is the decision-making authority over the purpose and means of the data processing operations. Which federal body has this decision-making authority is determined by the respective special laws that serve as the legal basis for the data processing.

3 Since the processing of personal data is increasingly not only carried out jointly by several federal agencies, but data processing operations that cross the federal levels are also part of everyday life and even private persons can access common information stocks, there is a need for clear regulation of responsibilities. Otherwise, there is a risk that many agencies will process the personal data in question, but no one will feel responsible.

II. No vacuum of responsibility

4 Art. 33 FADP empowers the Federal Council to regulate the responsibilities for compliance with data protection law as well as the associated controls if several federal bodies, or federal bodies and cantonal or private third parties are jointly involved in data processing operations. This regulation does not take place in the DPA, but in the respective special legislation or in the associated implementing ordinances. Thus, Art. 33 FADP explicitly states that the Federal Council shall regulate the control procedures and responsibility in the case of joint processing of personal data.

III. Shared responsibility

5 Three constellations are conceivable for the joint processing of personal data:

• A special law or the Federal Council may, in an ordinance, assign sole responsibility for joint data processing to a federal body (Art. 5 lit. j FADP).

• From a special law or an ordinance, a relationship of superiority or subordination can be identified for joint data processing, which is reflected in a primary and a secondary responsibility. An example of this is commissioned data processing (Art. 5 lit. k FADP).

• A parallel responsibility for joint data processing may arise from a special law or an ordinance (Art. 33 FADP), which must be differentiated by a clear division of labor in the special law or ordinance.

IV. Control procedure

6The concept of the control procedure is to be understood as supervision of the data processing operations. In the first constellation of sole responsibility, as well as in the case of clear primary and secondary responsibility, there is unilateral supervision of the sole responsible party or the primary responsible party vis-à-vis those involved in joint data processing. In the second constellation of parallel responsibility for joint data processing, reciprocal control procedures must naturally be established. The details regarding the scope, the manner as well as the regularity of the control procedures shall be regulated in the special law or ordinance.

V. Regulatory regime

7 In the case of joint data processing by federal bodies with cantonal bodies and private persons, different regulatory regimes shall apply. For federal bodies, the special provisions on data processing pursuant to Art. 33 ff. FADP, for private persons the special provisions in Art. 30 ff. FADP apply, and cantonal law applies to cantonal bodies. Even if joint data processing is involved, a clear distinction must always be made as to which actor is bound by which obligations.

VI. Liability issues

8 The liability of federal bodies, cantonal bodies and private persons is governed by different standards: For federal bodies according to the Liability Act (VGG), for cantonal bodies according to the cantonal liability laws and for private persons according to civil law. The extent to which a responsible party can be liable externally for the entire damage caused by the joint data processing (cf. joint and several liability) is unclear. It is also unclear to what extent breaches of duty by third parties can be imputed to a data controller on the basis of the obligation to control.

The author provides her personal assessment in this commentary.

Bibliography

Mund Claudia, Kommentierung zu Art. 33 DSG, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Datenschutzgesetz, Stämpflis Handkommentar, 2. Aufl., Bern 2023.

Rudin Beat, Kommentierung zu Art. 5 DSG, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Datenschutzgesetz, Stämpflis Handkommentar, 2. Aufl., Bern 2023.

Ballenberger Sara, Kommentierung zu Art. 16 DSG, in: Maurer-Lambrou Urs/Blechta Gabor-Paul (Hrsg.), Datenschutzgesetz / Öffentlichkeitsgesetz, Basler Kommentar, 3. Aufl., Basel 2014