ATTENTION: This version of the commentary is an automatically generated machine translation of the original. The original commentary is in German. The translation was done with www.deepl.com. Only the original version is authoritative. The translated form of the commentary cannot be cited.
Commentary on
Art. 5 lit. d FADP

I. General

1 The term “processing” is to be understood very broadly and encompasses all handling of personal data – “roughly speaking: everything that is done with personal data”. For example, Art. 5 let. d mentions the forms of processing “obtaining, storing, keeping, using, modifying, disclosing, archiving, deleting or destroying”. The terms “storing” and “deleting” were added to bring the wording of Art. 5 let. d FADP closer to that of Art. 4 no. 2 DSGVO. In terms of content, however, the concept of processing remains unchanged by the revision of the law. The old legal concept of data collection was subsumed under the concept of processing.

2 A complete terminological alignment with the DSGVO did not take place, for “practical reasons”. The German text of the FADP speaks of “Bearbeiten” or “Bearbeitung”, whereas the DSGVO speaks of “Verarbeiten” / “Verarbeitung”; both are rendered as “processing” in English. In addition, the examples in Art. 5 let. d FADP differ significantly from those mentioned in Art. 4 no. 2 DSGVO. However, despite the editorial differences, processing (“Bearbeitung”) within the meaning of the FADP and processing (“Verarbeitung”) within the meaning of the DSGVO are to be understood as congruent. When interpreting the term “processing” in accordance with Art. 5 let. d FADP, case law regarding Art. 4 no. 2 DSGVO can therefore be used for orientation purposes.

3 A central principle of the FADP is its technology-neutral character. The means and procedures used are therefore irrelevant to the question of whether processing is taking place. Processing within the meaning of the FADP can be both manual and automated. It also follows from the technology-neutral character that the FADP covers future forms of processing that are not yet known.

II. Processing as a requirement for the application of the FADP

4 The concept of processing is of central importance, since the FADP is only applicable if personal data is processed by any entity involved in the handling of personal data. The resulting obligations then depend on whether the respective entity is a (jointly) responsible party or a processor. Processing requires an action that has the purpose and effect of doing something with the data, or an action that objectively relates to the data. By contrast, actions that merely affect data are not considered processing, such as transporting passengers by bus or train if these passengers are carrying personal data stored on data carriers. It is immaterial whether or not the personal data in question is actually taken note of by a person, which is why processing by means of computer programs is also covered. The purely mental handling of personal data is not considered processing within the meaning of Art. 5 let. d. Accordingly, information that is only present in a person's memory is also not covered by the right of access under data protection law.

5 Sometimes difficulties arise in defining the term “processing” or in assigning data processing to specific persons, as a case decided by a German court on the storage of files shows: a real estate company became the owner of a disused hospital property following insolvency proceedings, and patient files were found in the building. The owner objected to the official order to store the files in a specially protected location. The court ruled that the owner was not deemed to be processing the data because it had not stored the files itself and was not handling them in any other way. However, this did not determine whether another entity was processing the data or had it processed as a processor or controller.

6 Questions about the scope of the processing concept have also recently arisen in connection with AI systems. That the handling of information using AI systems constitutes processing – insofar as the information is personal – follows from the broad concept of processing and the technology-neutral design of the FADP. In individual cases, however, it may be less clear how to distinguish between different processing operations, such as those that occur when several parties use AI systems collaboratively. This distinction is relevant because it determines who is responsible for compliance with data protection law (in particular, for safeguarding the rights of data subjects) and for any violations that occur during processing. In order to define the obligations, the EU AI Act differentiates between the roles of the actors, including between providers and operators of AI systems. Such distinctions are not yet established in data protection law. However, it would make sense to distinguish here as well between the creation of an AI system (i.e. the associated training, insofar as personal data is involved) and its use.

III. Specified forms of processing

7 The list of specified forms of processing is merely illustrative, and the terms overlap to some extent. Only some of the specified forms of processing are subject to specific instructions, such as the collection, disclosure and destruction of data. In all other respects, the data protection principles must be observed for all processing. If an activity cannot be assigned to any of the named forms of processing, it may still be an unnamed form of processing (see Chapter I above). The named forms of processing are therefore less central to the application of the FADP.

A. Collection

8 Data collection occurs when the collecting body intentionally obtains knowledge of the data or establishes control over it. Data is not obtained if it is provided by the data subject or by third parties without request and the recipient does not intend to process it (e.g. when receiving a misdirected e-mail, when listening in on a conversation, etc., although in such a case processing may be involved under certain circumstances). In contrast, personal data is obtained if the relevant body wishes to obtain data in general and accepts that personal data may also be obtained in the process. According to Art. 6 para. 3 FADP, data may only be obtained for a specific purpose that is recognizable to the data subject, and obtaining data entails the obligation to provide information in accordance with Art. 19 FADP. Examples of typical acts of obtaining data include collecting data from other sources and recording or logging information. Whether data is protected or freely available is irrelevant. Therefore, for example, a targeted web search on the internet can also constitute the obtaining of personal data and lead to the applicability of the FADP. It is not necessary to actually take note of the content of the data; rather, it is sufficient that the data first comes into the possession of a controller. Thus, automated forms of data collection, such as so-called data scraping, also qualify as obtaining data within the meaning of the FADP. The above principles also apply in the context of generative AI systems: if personal data is collected unintentionally, it is generally not considered to have been obtained, nor is it considered to have been obtained if existing personal data is merely modified (e.g. by generating or editing a text). However, if generative AI systems are used to obtain additional information about a person or to invent such information, this will regularly constitute data collection from a data protection perspective.

B. Storage

9 The term “storing” was introduced in order to align with the wording of the relevant European legal sources, including in particular Art. 4 no. 2 DSGVO. According to Art. 4 No. 2 DSGVO, storage is understood to mean the retention of data in embodied form on a data carrier (hard disk, server, USB stick, etc.) with the aim of being able to further process the data at a later point in time. Depending on the purpose, the retention of information in AI systems can also be considered storage (see above n. 6).

10 The DSV refers to the term storage in connection with the data security requirements (Art. 3 para. 2 lit. b and e DSV) and the logging requirement (Art. 4 para. 2 and 3 DSV).

C. Retention

11 Retention can be described as the activity by which data is kept available in the processing context. In contrast to archiving (see n. 15 below), retained data can therefore still be used. Retention is expressly subject to the FADP as a form of processing, since violations of privacy are still possible even at this stage of processing, for example due to deficiencies in data security. Retention is addressed in Art. 12 para. 2 let. e FADP, according to which the retention period must be indicated in the register of processing activities, and in the context of the right of access under Art. 25 para. 2 let. d FADP.

D. Use

12 Data use refers to any activity with the aim of using the information content of the data (including taking note of the data). The use of data is mentioned in Art. 5 let. f FADP (profiling), Art. 21 DSV (technical requirements for implementing the release of data) and Art. 4 para. 5 DSV (logging). However, the FADP and the DSV do not provide specific instructions for the use of data.

E. Modifying

13 Data modification can be described as an “activity that changes the information content of personal data (rearranges the content).” The FADP does not provide for any special instructions for action – apart from compliance with the processing principles – or legal consequences; the alteration of data is mentioned in Art. 3 para. 3 let. a DSV (input control), as well as Art. 4 para. 2 and 3 DSV (logging).

F. Disclosure

14 Disclosure of data is a particularly sensitive form of processing and is therefore the subject of a separate provision in OC-NN, Art. 5 let. e FADP. [Comment forthcoming]

G. Archiving

15 Archiving means keeping data available detached from the processing context. In contrast to retention (see n. 11 above), archiving involves removing data from the previous processing context. It follows that the intensity of the impairment of the privacy of the data subjects is typically reduced. This is expressed in Art. 32 para. 1 let. b and Art. 41 para. 5 FADP, which restrict the rights of data subjects in the case of processing for archiving purposes. In addition, Art. 38 FADP (special regulation for federal bodies on offering certain personal data to the federal archives) refers to archiving purposes and archiving.

H. Erasure or destruction

16 The term destruction implies that data is destroyed irretrievably. If the data is physically stored on paper, the paper should be burned or shredded. For electronically stored data, the corresponding storage medium must be rendered unusable and all copies must be treated in such a way that the data can no longer be read.

17 The term “deletion” is typically used for electronic data processing and is less far-reaching in comparison: for deletion, it is generally sufficient to use the deletion commands of the respective program so that the data can no longer be recognized in the course of normal program operations and can only be restored with disproportionate means. In other words, personal data is deleted when it can no longer be linked to a specific person. Effective anonymization is therefore equivalent to deletion and is one method of deleting personal data. In this context, the so-called relative approach must be applied, which means that the perspective of the persons or units that have access to the data is decisive. However, this also means that it can be difficult to assess in individual cases whether personal data has been effectively deleted because data remains in systems after deletion commands have been executed and can potentially be restored. In such cases, the question arises as to whether the restoration of the data or access to the data requires a disproportionate effort. This can only be assessed on a case-by-case basis, depending on the technical circumstances, but also depending on the interest that third parties might have in restoring the personal reference.

18 The distinction between the concepts of deletion and destruction, which is clearly laid out in the legislative materials, is not consistently implemented in the FADP. For example, Art. 6 para. 4 FADP requires that data be “destroyed or anonymized as soon as they are no longer required for the purpose of processing” – correctly, deletion should also be mentioned here. Even if the law does not use the terms consistently, care should be taken for the sake of clarity when drafting contracts, for example data processing agreements, to ensure that the terms deletion and destruction are not inadvertently confused. In particular, care should be taken to avoid inadvertently agreeing to the destruction of data instead of an obligation to delete, because destruction may be difficult to carry out or undesirable in the case of electronic data processing (see n. 16 above).

DOI (Digital Object Identifier)

10.17176/20250415-194711-0

Creative Commons License

Onlinekommentar.ch, Commentary on Art. 5 lit. d FADP is licensed under a Creative Commons Attribution 4.0 International License.
