• Keine Ergebnisse gefunden

Amendments to the Swiss Federal Data Protection Act ww&p

N/A
N/A
Info
Herunterladen
Protected

Academic year: 2022

Aktie "Amendments to the Swiss Federal Data Protection Act ww&p"

Copied!
2
0
0

Wird geladen.... (Jetzt Volltext ansehen)

Jetzt herunterladen ( 2 Seite )

Volltext

(1)

1

ww&p

Walder Wyss & Partners Attorneys at Law

Background and timeline

The amendments to the Swiss Federal Data Protec- tion Act of 1992 (“DPA”) have two main objectives:

(i) to update the DPA and, in particular, to make the subjects of data collection and processing aware of the purposes and uses of such data collection and processing and (ii) to make adjustments needed to comply with, and permit ratification of, the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The amendments do not attempt to implement the EU Directive 95 / 46 / EC on Data Protection, although they are, in part, derived from it.

The Swiss DPA protects the data of both natural persons (individuals) and legal entities (e.g., corporations). The protection of data relating to corporations and other business organisations is a special feature of Swiss law and it creates difficulties in respect of cross-border data transfers. Indeed, only a few other countries provide an equivalent level of protection for such data.

The amendments were enacted on 24 March 2006 and are expected to become effective in 2007.

Taking the amendments into account now in data protection policies and procedures, and in processing agreements may avoid a revision when the amend- ments become effective.

Key elements of the amendments Transparency

The collection of personal data and, in particular, the purposes for which it will be used, must be apparent to the person or entity whose data is being collected.

This requirement does not always lead to a specific disclosure obligation, but it will be necessary to give notice of any purpose or use of collected data which the subject of the data cannot infer from the circum- stances. For example, if personal data are collected in

the course of concluding and performing a contract, but the recipient of the data intends to use the data for purposes outside the scope of the contract or for the benefit of third parties, then such uses of the data will have to be disclosed by appropriate means.

Information for special categories of data

The amendments will require the person who owns or controls a data collection to inform the subjects thereof if sensitive personal data is collected or per- sonality profiles are maintained. The disclosure must at least identify the person who owns or controls the relevant data collection, the purpose of the data pro- cessing and the categories of data recipients, if any.

Consent

The amendments make it clear that if the consent of the data subject is required for data processing, such consent will only be valid if given freely after ade- quate disclosure of the purpose and use of the data collected and processed. Furthermore, such consent will have to be explicit, rather than merely inferred from the surrounding circumstances, if sensitive data are processed or personality profiles are maintained.

Cross-border data transfers

Under current law, a cross-border data transfer is only possible if the legislation of the destination country provides a level of data protection equivalent to that under Swiss law, a cross-border data transfer agreement has been made or the subjects of the rele- vant data have given their consent to the transfer.

This regime is especially cumbersome because the laws of most countries do not protect data relating to legal entities and therefore do not afford an equiva- lent level of data protection.

The amendments state that the destination country must have data protection legislation which provides

“appropriate” protection, rather than protection The Swiss Parliament adopted on 24 March 2006 amendments to the Swiss Federal Data Protection Act of 1992. These amendments will create additional disclosure obligations for data processors, but they also will simplify cross-border data transfers. Even though these amendments have not yet become effective, it is advisable to take them into account in the preparation or revision of data protection policies and procedures and long term data processing agreements.

NewsLetter No. 65 April 2006

New!www.dataprotection.ch

Amendments to the Swiss Federal Data Protection Act

by André Thalmann

+ 41 44 265 75 64; athalmann@wwp.ch

(2)

“equivalent” to that available under Swiss law. This should be understood as a change in form rather than a change in substance. The amendments, however, do provide a list of exceptions which allow for data transfers even in the absence of legislation providing

“appropriate” data protection. In addition to reliance on either a cross-border data transfer agreement or the consent of the data subjects, the amendments would permit data transfers between two legal entities which are subject to common management and to data protection policies which provides for

“appropriate” data protection, e.g., a corporate group data protection policy. In order to rely on the exception, the group data protection policy must comply with the Swiss DPA. Another exception will be granted if the transfer is directly necessary in order to conclude a contract or perform its obligations and the transaction involves the data of the contractual counterparty. Unlike the EU data protection directive, there will be no exception for the conclusion or performance of a contract which is concluded in the interest of the data subject between the party controlling the relevant data and a third party.

Current law requires notice to be given to the Federal Commissioner for Data Protection of a data transfer abroad if the data subjects do not have knowledge of the transfer. The amendments will replace this requirement with an obligation to notify to the Commissioner the cross-border data transfer agree- ments or data protection policies under which data transfers will be made.

Data processors

Under the amendments, the person who owns or controls a data collection will have to verify that any third-party data processor processes the relevant data in compliance with the law and will be liable to the subjects of the data if it fails to perform this verification.

Registration of databases

Databases will have to be registered with the Federal Commissioner for Data Protection if sensitive data or personality profiles are regularly processed or data is regularly disclosed to third parties. Currently, no registration is required if the data subjects have knowledge of the processing. In the future, this exception will not be available. However, no registra- tion will be required if the person with ownership or control of the data has either (i) obtained a data protection quality assurance certification from a recognized, independent third-party or (ii) designated an internal data protection officer who has authority to independently oversee compliance with data

The ww&p NewsLetter provides comments on new developments and significant issues of Swiss law. These comments are not intended to provide legal advice. Before taking action or relying on the comments and the information given, addressees of this NewsLetter should seek specific advice on the matters which concern them.

© Walder Wyss & Partners, Zurich, 2006

NewsLetter No. 65 April 2006

Münstergasse 2 P.O. Box 2990 CH-8022 Zurich Phone + 41 44 265 75 11 Fax + 41 44 265 75 50 reception@wwp.ch www.wwp.ch

ww&p

Walder Wyss & Partners Attorneys at Law

protection rules and maintain records of the data collections which are maintained.

No exception to the principles

The DPA in its current form specifies that data may not be processed against the principles set out in the law without justification. The amendments will remove the exception for “justified” non-compliance with the principles of the DPA. This small, perhaps even unintended change, means compliance with the principles of the DPA will be an absolute require- ment. E.g. the principle that data may only be processed for the purpose for which it was collected or which is evident from the circumstances cannot be compromised, even if the person who owns or controls the data collection claims an “overriding interest” as a justification for processing of data in a manner not otherwise permitted by law. It is there- fore crucial that all potential uses or purposes for the collection and processing of data are disclosed when the data are collected.

Appraisal

The amendments to the Swiss Data Protection Act will simplify compliance in certain areas, such as cross-border data transfers, and add to the compli- ance burden in other areas, such as new disclosure obligations. In general, these requirements will be familiar to companies operating in the EU, because they are derived from the EU’s data protection directive. They will, however, have a wider scope because the Swiss DPA also applies to data concerning legal entities.

For further information on Swiss data protection law, see our new website www.dataprotection.ch

Referenzen

Jetzt herunterladen ( PDF - 2 Seite - 161.87 KB )

ÄHNLICHE DOKUMENTE

SwitzerlandChanges to the Swiss Federal Data Protection Act (“SDPA”)by Ueli Sommer, Dr.iur, LL.M.

In case of cross-border data transfers to countries not providing an ap- propriate level of data protection according to the SDPA, the Federal Commissioner for Data Protection

Application of Data Mining to Predict and Assess the ROP Response

It was clear that the starting point was to gather data from the same field. Wells drilled in the same field, normally share the same geology, lithology, formation

View of The Making of Harry and Susie Get Married?: A Performative Approach to Data Collection

The primary purpose of this paper is to address some of these issues in relation to the experiences of participants involved in creating Harry and Susie, and to consider

View of Processing Raw Data both the Qualitative and Quantitative Way

Hitherto, I have only described the quantitative side of KT, where a score is calcu- lated for each of one or many theories (relational structures) that expresses how well this

How to make quantitative data on the web searchable and interoperable part of the common vocabulary

Introduction of online defined standardized metric spaces (DSs resp. "Domain Spaces") is an efficient means for extending the common vocabulary by user defined quantitative

Using data-stream and complex-event processing to identify activities of bats

The goal of this work is to investigate the use of of data-stream processing (DSP) and complex-event processing (CEP) to extract information meaningful for biologists from the

3 Access to the data and metadata description

2.2.1 The European Forestry Dynamics Model (EFDM) The European Forestry Dynamics Model (EFDM; Packalen et al. 2014) was developed to simulate the development of the forest and

Phases and Steps in the Access to Data in Information Tools

The situation and the type of user will determine whether someone looking for information will turn to a non-human source (such as a printed dictionary, an electronic dictionary, a