A commentary by Caroline Gaul
Edited by Thomas Steiner / Anne-Sophie Morand / Daniel Hürlimann
Art. 6 Principles
[...]
3 Personal data may only be collected for a specific purpose that the data subject can recognise; personal data may only be further processed in a manner that is compatible with this purpose.
4 They shall be destroyed or anonymised as soon as they are no longer required for the purpose of processing.
5 Any person who processes personal data must satisfy themselves that the data are accurate. They must take all appropriate measures to correct, delete or destroy data that are incorrect or incomplete insofar as the purpose for which they are collected or processed is concerned. The appropriateness of the measures depends in particular on the form and the extent of the processing and on the risk that the processing poses to the data subject's personality or fundamental rights.
In a nutshell
The provisions of Art. 6 para. 3 FADP (purpose limitation and transparency), Art. 6 para. 4 FADP (time limitation of data processing) and Art. 6 para. 5 FADP (accuracy) are among the so-called processing principles, the most important substantive principles of data protection law. They are essential for the specific design of data processing.
A violation of the processing principles constitutes an infringement of the personal rights of the data subjects. However, in the case of private data processors, the infringement of privacy can be justified by consent, an overriding private or public interest or by law. This significant difference from the EU GDPR, under which every data processing operation requires a specific legal basis, was also maintained in the new FADP.
Unlike under the EU's GDPR, a violation of the processing principles discussed here is not subject to a fine under the FADP, but it can have far-reaching consequences, especially in view of the expanded powers of the Federal Data Protection and Information Commissioner (FDPIC) under the new FADP. The FDPIC can order that data processing be partially or completely adjusted, interrupted or even terminated, and that personal data be partially or completely destroyed. In addition, possible (civil) legal claims by the persons concerned and, in particular, the consequences of a loss of trust and reputational damage should be taken into account.
I. General
A. Preliminary remarks
1 The provisions of Art. 6 para. 3 FADP (purpose limitation and transparency), Art. 6 para. 4 FADP (temporal limitation of data processing) and Art. 6 para. 5 FADP (accuracy), together with Art. 6 para. 1 FADP (lawfulness), Art. 6 para. 2 FADP (proportionality and good faith) and Art. 8 FADP (data security), are among the so-called processing principles, the most important substantive principles of data protection and the actual guiding principles of the law. Art. 6 para. 6 and para. 7 FADP (consent) are not processing principles, but merely explain the conditions for consent.
2 The processing principles of the FADP apply to private data processors as well as to federal bodies. A violation of the processing principles constitutes a violation of privacy. However, not every violation of privacy is unlawful in the case of private data processors. Rather, it may be justified by the consent of the data subject, by an overriding private or public interest or by law (Art. 31 para. 1 FADP). This significant difference from the EU GDPR, under which every data processing operation requires a justification (prohibition with reservation of permission), was maintained in the course of the revision of the FADP. Thus, according to Swiss data protection law, a legal basis for private data processing is only required if an infringement of privacy has occurred. In contrast to data processing by private individuals, Swiss data protection law still requires a legal basis for data processing by federal authorities (prohibition with reservation of permission). Even if and to the extent that such a basis exists, the processing principles also apply. They constitute directly applicable behavioral rules, and the data subject can take legal action against any violation of them. Whether and to what extent federal authorities are exceptionally exempt from compliance with the processing principles must be determined on the basis of the legal basis.
3 The data processing principles apply to the entire life cycle of data processing, regardless of the means and procedures applied, and are therefore technology-neutral, i.e. designed without reference to specific technical or commercial applications.
B. Background and purpose of the standard
4 The Swiss legislature has always emphasized that Swiss data protection law is not intended to prevent or restrict the possibilities for development in the field of information technology. Rather, the aim is to develop a coherent and forward-looking data policy in Switzerland. In this context, the FDPIC has expressly stated that, even under the new data protection law, potentially high processing risks do not represent a deal-breaker for digital transformation projects. However, certain guard rails must be observed. In addition to the other processing principles, these include the principle of purpose limitation (Art. 6 para. 3 FADP), the provisions on the duration of data processing (Art. 6 para. 4 FADP) and the requirements for the accuracy of data (Art. 6 para. 5 FADP). In particular, in view of the rapid and dynamic development of information technology, compliance with these processing principles is intended to prevent excessive, improper or inaccurate data processing.
C. Addressee of the duties
5 The obligations arising from the processing principles apply primarily to the data controller (Art. 5 let. j FADP). The processor processes personal data only on behalf of the controller (Art. 5 let. k FADP) and can rely on the same grounds for justification as the controller (Art. 9 para. 4 FADP).
6 The processor is not expressly named as an addressee of the processing principles of Art. 6 FADP. This differs from the (punishable) data security principle (Art. 8 FADP, Art. 61 let. c FADP) and from further obligations under the FADP, e.g. Art. 12 para. 1 FADP, Art. 17 para. 2 FADP and Chapter 3 of the FADP, which explicitly place the controller and/or the processor under an obligation.
D. Legal and economic consequences of a breach
7 The provisions of Art. 6 para. 3 FADP (purpose limitation and transparency), Art. 6 para. 4 FADP (time limitation on data processing) and Art. 6 para. 5 FADP (accuracy) are not listed in the exhaustive catalog of criminal offenses (Art. 60 ff. FADP). A violation of these processing principles is not punishable under the FADP even if it is not justified. Although the penal provisions were comprehensively revised in the course of the revision of the FADP, nothing has changed in this respect. However, there is a risk of criminal liability for violating other obligations that are related to these processing principles, for example the obligation to provide information (Art. 19 and 21 in conjunction with Art. 60 para. 1 let. b FADP). Offenses outside the FADP may also come into consideration.
8 The further powers of the FDPIC under the new Data Protection Act are of considerable importance. These may, for example, lead to a ban on processing activities or an order to destroy data in the event of a violation of data protection regulations. In this context, the FDPIC has already announced in his 2022/2023 activity report that he will intensify his supervisory activities and increase the number of investigations.
9 In addition, a violation can trigger legal claims under the FADP (in particular under Art. 32 FADP and Art. 41 FADP) as well as civil claims for violation of personality rights (Art. 32 para. 2 FADP).
10 Apart from the potential legal consequences of violating the processing principles, in practice particular consideration must be given to the possible loss of trust and reputational damage that can result from violating the processing principles and can have a long-term negative impact on business development.
E. History of the individual processing principles
1. Principle of purpose limitation and transparency, Art. 6 para. 3 FADP
11 Art. 6 para. 3 FADP combines the principles of purpose limitation and transparency, which were contained in two separate paragraphs in the aFADP (Art. 4 para. 3 aFADP and Art. 4 para. 4 aFADP). The new wording is intended to bring the text closer to Art. 5 para. 4 let. b of Convention 108 plus, in that personal data may only be processed for a purpose that is “specific” and “recognizable” to the data subjects. The wording that the data may only be processed in a manner that is “compatible” with this purpose is also new. In terms of terminology, the provision is thus closer to Art. 5 para. 1 let. b GDPR. In terms of content, however, this does not result in any substantive changes compared to the aFADP.
2. Time limitation for data processing, Art. 6 para. 4 FADP
12 Art. 6 para. 4 FADP has introduced a new and explicit obligation to destroy or anonymize personal data as soon as it is no longer required for the purpose of processing. This corresponds to the requirements of Convention 108 plus, Art. 4 para. 1 let. e of Directive (EU) 2016/680 and Art. 5 para. 1 let. e GDPR (“storage limitation”). In substance, however, this obligation is not new. It was previously based on the general principle of proportionality (Art. 4 para. 2 aFADP, Art. 6 para. 2 FADP). By explicitly including it in the law, the legislator wanted to emphasize the particular importance of limiting the processing of personal data over time, which is becoming increasingly important in the context of technological development and almost unlimited storage options.
3. Principle of accuracy, Art. 6 para. 5 FADP
13 While the principle of data accuracy was previously emphasized in a separate article (Art. 5 aFADP), it has now been integrated into Art. 6 FADP as paragraph 5 in order to combine the most important data protection principles in a single article. The model for this structure was Art. 5 of Convention 108 plus, Art. 4 of Directive (EU) 2016/680 and Art. 5 GDPR. The right of rectification previously contained in Art. 5 para. 2 aFADP is now regulated in Art. 32 FADP.
II. Subject matter of the provisions
A. Principle of purpose limitation and transparency, Art. 6 para. 3 FADP
1. Requirements
14 According to the principle of purpose limitation and transparency, personal data may only be collected for a specific purpose that is recognizable to the data subject. They may only be processed in a manner that is compatible with this purpose, Art. 6 para. 3 FADP.
15 According to the new wording of the law, identity of purpose is explicitly no longer required. The processing must merely be consistent with the initial purpose. Further processing for other purposes is only permitted if it is not unexpected and cannot be considered inappropriate or objectionable.
16 In a judgment of March 18, 2021, the Federal Supreme Court had already qualified the principle of purpose limitation in a case concerning the disclosure of personal data by a federal body, and held that absolute purpose identity cannot be required, as otherwise the administrative assistance provided for in Art. 19 para. 1 aFADP would be too restricted. In any case, however, the purpose of the administrative assistance must at least be compatible with the purpose of the original collection of personal data. Under the aFADP, the Federal Supreme Court had already ruled that “compatibility” of the processing with the original purpose was sufficient.
17 The further requirement of recognizability must be met with regard to both the collection of the personal data and the purpose of its processing. It can be considered to have been fulfilled if the circumstances clearly show that the data has been obtained and that the purpose of its processing is clear or if the processing is provided for by law. This possibility still exists even though the terms “evident from the circumstances” and “or provided for by law” from Art. 4 para. 3 aFADP were not adopted in the wording of Art. 6 para. 3 FADP.
18 The requirements for recognizability are to be determined in the individual case, taking into account the principles of proportionality and good faith (Art. 6 para. 2 FADP). Vague, undefined or imprecise processing purposes are generally insufficient, although this characteristic must in turn be assessed according to the circumstances and a balance must be struck between the interests of the data subjects and those of the controller or processor and society. In the “Google Street View” case, for example, the Federal Supreme Court ruled that the principle of purpose limitation and transparency is not satisfied simply because Google's vehicles, on which cameras are installed, are visible to passers-by and residents. The purpose of these vehicles, to systematically drive along streets (etc.) and to publish the images on the internet without the consent of those affected, is not readily apparent, even though Google Street View enjoys a high level of awareness among the Swiss population.
19 The requirement of recognizability is closely related to the information requirement under Art. 19 et seq. FADP. However, it should not be confused with it. While the requirement of recognizability is a processing principle, the violation of which may be justified (Art. 31 FADP), this is not the case for the violation of the duty to provide information. Rather, a violation of the duty to provide information is punishable under Art. 60 para. 1 let. b FADP.
2. Examples
20 Further processing of addresses for mailing advertising violates the principle of purpose limitation and transparency if the addresses were originally collected in a completely different context, e.g. as part of a political campaign. It is also not permitted to analyze personal data relating to consumption habits (for purposes other than combating fraud) on the basis of payments made by credit or customer card without the consent of the data subject. The sending of unsolicited e-mail advertising to unknown and randomly composed addresses collected on the internet or the procurement by a private company of IP addresses of subscribers offering pirated copies for download also constitutes a violation of the principle of purpose limitation and transparency.
21 On the other hand, the use of an address for advertising purposes is permissible under data protection law if the data subject has provided their address with a view to obtaining a loyalty card or for an order (online or not) within the scope of an initially recognizable purpose.
22 When sending advertising newsletters, the conditions arising from the law against unfair competition must also be met, namely Art. 3 para. 1 let. o UWG (“spam article”). A violation of this can lead to criminal sanctions. When sending newsletters abroad, the respective national laws and practices must also be observed, which may result in even stricter requirements.
23 Data processing “for future use” in the sense of data processing without a specific purpose violates both the principles of proportionality and purpose limitation and transparency and is therefore illegal. However, the storage and retention of peripheral data of telecommunications without cause is still permitted in Switzerland. The police retention of recordings from the surveillance of public places, in which the data is collected and processed for possible criminal investigations, is also permitted, at least for a certain period of time. The Federal Supreme Court has, however, ruled differently on the (excessive) use of radio water meters. In this case, the purpose of storing certain data and the necessity of sending it was lacking.
24 When disclosing data to third parties, particular attention must be paid to whether this disclosure is still covered by the original purpose. This also applies to the exchange of data within group companies. In the absence of a comprehensive group privilege, companies within the same group are also considered third parties, provided that they do not merely process the data as processors. In practice, it is often difficult to distinguish between a processor and a (joint) controller. As a result, it is crucial to set up the system consistently and make it transparent. For example, in the area of HR, it is advisable to make the group context clear in the employment contract. When data is passed on to third parties, it must also be taken into account that (not only but also) the principle of purpose limitation must be observed by the recipient in the further processing of the data.
25 Big data applications such as data warehousing and data mining pose particular challenges in terms of purpose limitation and transparency because it is in the nature of big data analyses that their specific purpose only arises when the data is merged on the basis of the newly acquired findings.
26 Big data is also the most important basis for artificial intelligence (AI), which thus also comes into conflict with the principle of purpose limitation and transparency. The permissibility of such applications must be examined on a case-by-case basis. Often, the subsequent processing purpose cannot yet be defined when developing AI systems and entering training data, e.g. if the algorithm can perform a variety of tasks. In addition, training data is usually used that was originally collected for completely different purposes (e.g. when data that is freely available on the internet is used as training data). It can therefore often be questionable whether their processing is still “compatible” with the original purpose. Particular importance will be attached here to a differentiated consideration of the various data processing steps in the AI lifecycle (development, input of training data, use of the AI system's results, i.e. its “output”, etc.) and to the justifications of consent, performance of a contract and legitimate interest. According to the FDPIC, manufacturers, providers and users of AI systems must also make transparent the purposes, functioning and data sources of the processing based on AI. The French supervisory authority CNIL provides specific examples of purposes under the GDPR for developers of AI systems:
Examples of purposes considered to be explicit and specified:
Development of a large language model (LLM) able to answer questions, generate text according to context (emails, letters, reports, including computer code), perform translations, summaries and corrections of text, perform text classification, analysis of feelings, etc.;
Development of a voice recognition model capable of identifying a speaker, his or her language, age, gender, etc.;
Development of a computer vision model capable of detecting different objects such as vehicles (cars, trucks, scooters, etc.), pedestrians, street furniture (dumpsters, public benches, bicycle shelters, etc.), road signs, tricolor lights, road signs, etc.
Conversely, the purpose would not be considered as specified enough if it only referred to the type of AI system, without mentioning the technically feasible functionalities and capabilities.
Examples of purposes that are not considered explicit and specified:
Development of a generative AI model (possible capabilities are not defined);
Development and improvement of an AI system (neither the type of model nor the possible capabilities are defined);
Development of a model to identify a person's age (the type is not defined).
In this case, the CNIL also recommends, for reasons of transparency, that the controller should be able to determine in advance the foreseeable capabilities of the AI system that pose the greatest risks, that the purpose should refer to the functionalities that are excluded from the outset, and that the purpose should define the conditions for the use of the AI system as far as possible.
In addition, the EU's AI Act, which may also apply to Swiss companies, must be taken into account, particularly with regard to transparency requirements.
27 The potential for reusing data for secondary uses has also been recognized by Swiss lawmakers. On June 12, 2023, the National Council, as the second council, adopted a motion to create a framework law for the secondary use of data. This instructs the Federal Council to draft a law that resolves the tension between data protection and data use and is intended to create trustworthy data spaces.
28 At the European level, the Data Governance Act, the Data Act, the regulation on the European Health Data Space and, as already mentioned, the AI Act are also to be taken into account. These may also apply to Swiss companies.
3. Implementation recommendations
29 The purposes of data processing must be defined, permanently adhered to and made transparent. In practice, the latter can usually be achieved as part of the data protection declaration that is required in any case, or at least in part via general terms and conditions or by means of individual communication/notes, depending on the case. It must be borne in mind that vague, undefined or imprecise processing purposes are not sufficient. The degree of precision required must be determined in each individual case, taking into account the principles of proportionality and good faith. When data is passed on to third parties, a contractual agreement is often recommended that the data will only be processed for specific and lawful purposes, including an obligation to indemnify. At the very least, however, there should be a reference to the purpose limitation.
B. Time limitation for data processing, Art. 6 para. 4 FADP
1. Requirements
30 According to the principle of time limitation for data processing, personal data must be destroyed or anonymized as soon as they are no longer required for the purpose of processing.
31 Nevertheless, further data processing may be justified, Art. 31 para. 1 FADP. This is particularly the case when retention obligations must be fulfilled, for example the ten-year retention obligation for account books, accounting vouchers, the annual and audit reports or retention obligations under tax law. A legitimate interest in retention may also arise from potential future legal disputes and from statutes of limitation.
32 In the strictest sense, 'destroying' means the irretrievable destruction or removal of data. In the case of data on paper, this means shredding or incinerating it and ensuring that third parties do not gain access to the 'relics'. In the case of electronic data, not only how it is stored is relevant, but also how it was obtained. If they were transmitted via a USB stick, the USB stick must be rendered unusable and all copies must be treated in such a way that the data can no longer be read. If they were transmitted by e-mail, any intermediate storage of this e-mail must also be destroyed. In addition, high demands are placed on destruction. According to the message on the FADP, standard deletion commands or simple reformatting do not constitute destruction in the sense of data protection law.
33 Destroying requires more than deleting. Nevertheless, the view is expressed in the literature that the wording of Art. 6 para. 4 FADP is an editorial mistake and that the principle of time limitation can also be satisfied by deletion. This is justified by an ill-considered adoption of the term “destruction” from the previous provision in Art. 5 aFADP. In addition, the terms “destruction” and “erasure” are used synonymously in the FADP. In our opinion, this can certainly be agreed to if the term “deletion”, which, incidentally, is not defined in either the FADP or the GDPR, is understood to mean that no personal reference can be established, because then the FADP is no longer applicable anyway due to the lack of personal data (Art. 5 let. a FADP). According to the FADP's risk-based approach, this is already the case if the personal reference could only be established with a great deal of effort that no interested party would undertake. Whether this can also be affirmed in the context of archiving, for example, must be examined on a case-by-case basis. Organizational measures, such as access blocks and the four-eyes principle, can also be considered sufficient measures.
34 The principle of time limitation can also be satisfied by means of anonymization. Anonymization refers to any measure that ensures that the identity of the data subjects can no longer be determined or can only be determined with extraordinary effort. Anonymization should not be confused with pseudonymization. Pseudonymization is the replacement of names and other identifying features with another identifier, such as a placeholder, with the aim of preventing or hindering the identification of the data subject. In other words, with pseudonymization the personal reference can be restored using the associated key. However, this only applies to the person who holds the key. Under this relative approach, the data is not personal data for anyone who does not hold the key and for whom obtaining the key is practically impossible. This relative approach has a significant impact in practice because it removes the data from the scope of data protection law for anyone who does not have the key.
2. Implementation recommendations
35 The obligation to destroy or anonymize data can pose major challenges for data controllers in practice. As a first step, it is recommended to gain an overview of the usual data processing in the respective business areas. The respective retention and deletion periods should then be defined. In practice, this is done in clear lists, which are also designed as internal guidelines (“Retention Policy”/“Data Retention Policy”).
36 It is helpful for implementation if the software used for data processing already offers corresponding functionalities for automated deletion. In this case, it should be ensured that these functionalities meet the requirements of data protection law from a technical point of view and that the obligation to delete data is also sufficiently covered by contract in the context of data processing agreements with the IT/cloud provider.
C. Principle of accuracy, Art. 6 para. 5 FADP
1. Accuracy of data
a. Requirements
37 Personal data is accurate if it properly reflects the circumstances and facts related to the data subject. It must be accurate in the overall context, taking into account the purpose and the type of processing. It follows that the concept of accuracy in data protection law is not to be understood in absolute terms, but that the specific application is of considerable importance.
38 Even correct personal data may be incorrect in the overall context and in consideration of the purpose of the processing in the sense of data protection law, for example if a person is stored in a data collection on creditworthiness as a “person subject to debt enforcement proceedings” although they have paid their bills correctly and on time for years and debt enforcement proceedings have only been initiated because the bill was sent to the wrong address. On the other hand, incorrect statements do not necessarily have to be inaccurate in the sense of data protection law. According to a judgment of the Federal Supreme Court, individual pieces of information cannot be considered incorrect if the totality of the information correctly reflects the actual circumstances. Also, information in the sense of “snapshots” may well have been correct even if it subsequently becomes inaccurate, for example if a judgment still lists a name that has since been changed. In this case, the purpose for which the data is still being used is crucial. In this context, the principle of accuracy must be considered in a differentiated way, especially in the work of archives, museums, libraries and other cultural heritage institutions. Since the task of such institutions is to collect, make accessible, preserve and communicate documents of all kinds, these must not be changed, as this would run counter to the purpose of archiving. Archives allow a snapshot of the past with the help of documents, the “correctness” of which refers solely to the fact that the documents in question are reproduced accurately, regardless of whether this is still considered accurate from a current perspective. Similarly, the claim to correctness in the case of police checks does not refer to the objectively ascertainable information about the persons concerned, but to the authenticity of the protocol. What matters is whether the data available reflects the subjective observation of the authorized person at the time the assessment is made.
39 In principle, the accuracy of data can only relate to factual information that can also be determined objectively. Value judgments are subjective and can hardly be classified as right or wrong. It is difficult to draw the line when value judgments and facts are mixed up. This has gained particular relevance in the context of 'fake news'. However, the information that a value judgment was expressed by a certain person or documented in a file, for example, can be correct or false. Similarly, the information as to whom the value judgment refers can also be correct or false. The further use of the fact of the value judgment is also governed by the general processing principles.
40 Adhering to the principle of data accuracy in relation to AI systems presents particular challenges. Especially in the case of AI systems where the training data is obtained from publicly accessible sources, in particular the internet, it is often impossible to effectively verify the accuracy of the data. The results of AI systems' data processing ('output') may also be inaccurate. On the one hand, it cannot be assumed that 'statistical accuracy' is generally sufficient for data processing in connection with AI systems. On the other hand, however, data processing in relation to AI systems must not be subject to higher requirements than other data processing, since the FADP is designed to be fundamentally technology-neutral. This means that the question of data accuracy must also be assessed on a case-by-case basis and taking into account the overall context when data is processed using AI systems. The purpose of the data processing, the significance of the output and the expectations of the users are particularly relevant in this context. In practice, it will be crucial here to provide users with appropriate information. The associated requirement to check the output should also be reflected in companies' “AI guidelines”.
41 In general, processing inaccurate data is not per se a violation of privacy. Only if the incorrect data processed in this way results in a violation of privacy must it be corrected or destroyed. The principle of accuracy is not absolute either. A violation may be justified in the case of private data processors under Art. 31 FADP. In the case of federal bodies, the right to erasure may also be restricted (see Art. 41 paras. 3-5 FADP).
b. Examples
42 When processing suspicious information about the commission of possible criminal offenses, Art. 6 para. 5 FADP does not preclude such processing as long as the significance of the corresponding information is known and the suspicion does not appear as certain knowledge. Archived e-mails that, according to current knowledge, contain false information are nevertheless correct in terms of data protection law, provided that they are not processed on the assumption that they are still current. Similarly, the storage of business correspondence is permissible within the scope of the storage obligation, even if it contains false information. If a house number is incorrectly recorded in an association's address database, but the address database is not used for postal delivery but only to check the membership list, the information does not need to be corrected. In any case, however, compliance with the other general processing principles must also be checked for such data processing, in particular the principles of proportionality and purpose limitation.
2. Duty to verify, correct and delete
a. Requirements
43 According to the principle of accuracy, every person who processes personal data must ensure its accuracy (Art. 6 para. 5 sentence 1 FADP). Art. 6 para. 5 sentence 2 FADP now also explicitly states that all appropriate measures must be taken to correct, delete or destroy inaccurate data. This obligation supplements the duty of verification, which would otherwise make no sense. The extent of the duty of verification depends on the individual case. In particular, the purpose and extent of the processing, the type of data being processed, the extent of the data disclosure and the sensitivity of the data must be taken into account. The data processor's duty of verification must also remain within this framework. The higher the risk of a violation of privacy, the higher the requirements for the duty of verification. The duty of verification can thus also lead to an updating obligation. However, it does not include a general duty to carry out regular checks without cause.
44 The implementation of measures to ensure accuracy can also be delegated, for example to the data source or a processor. If the duty to ensure accuracy is violated, this constitutes a violation of the processing principles and thus a violation of privacy by law (Art. 30 para. 2 let. a FADP). However, according to the spirit and purpose of the law, such a breach of duty can only trigger claims for correction and damages if the data is actually inaccurate. The measures to be taken depend, among other things, on the type, scope and purpose of the data processing, the sensitivity of the data and the risk to the data subject's privacy rights. This in turn must be determined on a case-by-case basis. In addition, legal obligations may preclude the measures of correction, deletion or updating.
b. Examples
45 If data processing for marketing purposes is based on information provided by the data subject, the controller does not have to ensure the accuracy of the data. Similarly, there is no general obligation to continuously check a customer file for marketing purposes for outdated addresses. However, if a policyholder notifies the insurer of a change of address that also indicates a change of marital status, the insurer is obliged to update the marital status if this has an impact on the payment of insurance benefits. On the other hand, once information has been provided in an insurance policy, it is no longer necessary to check it, provided it has no influence on the premium or the insurance benefit. When it comes to checking the data held by credit reference agencies, particular consideration should be given to the scope of the data, the existence of personality profiles and consent, and the number of searches carried out. If an insurance company wants to use artificial intelligence (AI) to create a profile of customers who take out insurance and to use this profile as a basis for its decisions when calculating the insurance risk, the training data should not only consist of data on existing customers from data sources with correct and up-to-date information; a pool of customers that is representative of the population should also be used to avoid bias.
3. Implementation recommendations
46 The measures required under Art. 6 para. 5 FADP should be proportionate to the risks and consequences of the specific use. Examples of such measures, which are also key aspects of technology design according to the principles of privacy by design and privacy by default, may include:
Checking the reliability of the data source
Determining the degree of accuracy based on the overall circumstances of the individual case
If necessary, re-examining the data depending on the overall circumstances and the various phases of data processing
Reducing false positives / false negatives, e.g. to reduce errors in automated decision-making and in the use of artificial intelligence
Updating data if it is necessary for the purpose of processing
Implementation of “self-service” solutions where the data subjects can check their data themselves and correct it if necessary
Introduction of plausibility checks and quality checks
Implementation of automatic input checks, e.g. to avoid incorrect input of postcodes
Drop-down menus instead of free text input
From the point of view of the controllers, it is also advisable to impose a contractual obligation on the data subjects to provide their data correctly and to keep it up to date, and to exclude any liability in this regard as far as possible. In principle, an obligation of indemnity should also be considered for external data sources. Depending on the case, this can be taken into account as part of an overall concept that includes the assignment of data and responsibilities, as well as other related rights and obligations.
Onlinekommentar.ch, Commentary on Art. 6 para. 3-5 FADP is licensed under a Creative Commons Attribution 4.0 International License.