EU General Data Protection Regulation vs. Swiss Data Protection Act (in the Private Sector 1 )

Transcription

1 EU General Data Protection Regulation vs. Swiss Data Protection Act (in the Private Sector 1 ) October 26, 2017 Version 4.01 David Rosenthal (david.rosenthal@homburger.ch) Updates and more infos: Material scope 2 Comparable 2 Comparable 2 The GDPR excludes all purely personal and household activities from scope; under the DPA, the exclusion is slightly narrower. Territorial scope 3 Comparable PILA 139 Comparable PILA 139 The DPA has slightly broader territorial applicability. Definitions 4 Comparable 3 Comparable 4 On the face of it, the DPA defines personal data slightly narrower as to when a person is identifiable. However, in practice it will likely be the same, with both following a "relative approach". Personal data today includes data of legal persons under the DPA, but will no longer in the future. The new DPA will adopt the controller processor terminology, and will give up the "personality profiles" as a sensitive personal data type. Instead, it will provide provisions on profiling and data breaches (both defined slightly different than under the GDPR). 1 Excluding provisions on processing by public authorities and excluding provisions concerning authorities and procedures in the Union (e.g., coordination among supervisory authorities) 2 All statements made herein are based on the draft bill published by the Federal Council on September 15, 2017 for deliberation by the Swiss Federal Parliament. We do not expect it to change significantly. I450381v2

2 2 17 The GDPR states that consent must be "freely given, specific, informed and unambiguous" to be valid, which corresponds to the current definition of consent under the DPA; however, the GDPR defines consent by affirmative action more narrowly than under the current and future DPA (e.g., no preticked boxes, as opposed to the current and future DPA). Principles of processing** 5 Comparable 4, 5, 7Comparable 5 The GDPR and new DPA are express on particular aspects of proportionality (such as data minimization and data retention); the revised DPA is less express on the principle of transparency than the GDPR. The GDPR expressly requires controller to be able to demonstrate compliance ("accountability"), which the current and future DPA does not, but in practice, the requirement already exists today. Lawfulness of processing** Conditions for consent** 6 Less strict 12, 13Less strict 26, 27The current and future DPA follows different concept (a legal justification is required only in case of a violation of personality, namely in the case that the processing principles are violated); under the GDPR, a "justification" (legal ground) is required for each processing (e.g., consent, performance of a contract, compliance with EU law, legitimate interests). 7 Less strict 4 Less strict 5 The GDPR requires that request for consent is clearly distinguishable from the other matters and suggests that it is normally not permitted to "bundle" the consent to the processing of personal data required for the performance of a contract with the consent to another processing of personal data (i.e. the

3 3 17 consent for such other processing must be obtained separately and optional in order to be "freely"). The current and revised DPA does not prohibit such bundling, if done correctly. Consent by children* 8 Less strict CC 19c Less strict CC 19c Swiss Civil Code grants children capable of judgment more rights to decide on their own personality. Special categories of data** 9 Less strict 3 Comparable 4 Under the GDPR and revised DPA, sensitive personal data includes biometric and genetic data used in order to identify a person. Under the current DPA this is not the case. However, under both the current and new DPA, consent has to be express in the case of special categories of data (or profiling). The GDPR permits processing of sensitive personal data only with explicit consent or in specific, limited other cases (e.g., employment law, legal defense, public data, public interest). Under the DPA this is not the case; only onward transfers to other controllers require a justification (e.g., consent, statutory obligation or overriding private or public interest). Data related to criminal convictions offences No obligation to maintain possibility of 10 Less strict 3 Less strict 4 Processing according to the GDPR only permitted where authorized by law. Under the DPA this category of data is merely considered sensitive personal data and treated accordingly. 11 Comparable 4, 7 Comparable 5, 6, 7

4 4 17 identification of data subjects* Modalities for the exercise of the rights of the data subject* *** Information to be provided (direct collection of data)** *** 12 Stricter 5, 8, Comparable 23, 9, 10, 24, 12 25, 28 The GDPR allows for refusal or possibility to impose charges in case of manifestly unfounded or excessive requests (repetitive requests may be excessive); deadline to respond may be extended from one by two additional months. The current DPA is stricter on the imposing of charges; the future DPA may be comparable on this point with the GDPR (yet to be defined). 13 Less strict 4, 14 Stricter 17, The current DPA requires (express) information at the time of collection only 18, 19in cases of systematic collection of sensitive personal data (in addition to the principle of transparency), and less minimum information than under the GDPR. The future DPA will provide for similar information obligations as does the GDPR, with the list of minimum information being shorter (but providing for information on the countries of processing), but worded more openly (nonconclusive list of minimum information) than the GDPR. The exemptions and possibilities to limit the information are comparable. An overriding private interest can be relied on, as well, but only if personal data is not shared with other controllers.

5 5 17 Information to be provided (indirect collection of data)** *** 14 Less strict 4, 14 Stricter 17, See foregoing comments. 18, 19 Right of access** *** 15 Less strict 8, 9, 10 Comparable 23, Under the GDPR, some additional information (e.g., on data subject's rights, 24, 25safeguards in case of international transfers, automated decisions and their logic) needs to be provided; no copy has to be provided if this negatively affects third parties; access right is not limited to data files as under the current DPA. The right of access under the future DPA will be comparable with the GDPR (with slightly different information obligations), however, with fewer exceptions (no reliance on business secrets, privilege and other overriding private interest if personal data is shared with group companies, regulators and other controllers). Right to rectification** 16 Comparable 5 Stricter 28 The GDPR also provides for right to obtain completion. The exemptions under the revised DPA will be more narrowly (statutory obligation, public archival interest, but not overriding private interests). Right to erasure (right to be forgotten)** 17 Less strict 12, Less strict 26, The exemptions are defined more narrowly and specifically under the GDPR 13, 15 27, 28than under the current and future DPA (e.g., freedom of expression, compliance with law, legal claims, public archival purposes); an overriding

6 6 17 private interest as such is not sufficient to refuse erasure of data under the GDPR. The current and future DPA provides for a broad right to object; the controller can justify non-compliance with an objection based on overriding private interest, among other things. The GDPR requires reasonable steps to inform other controllers of the data subject's request, which the current and future DPA does not. Right to restriction of processing** Notification of rectification, erasure or restriction** Right to data portability** 18 Less strict 12, Less strict 26, Under the current and future DPA, the right to restrict the processing is less 13, 15 27, 28absolute (balancing of interest); the GDPR provides for a more absolute right in certain cases (e.g., pending the verification of correctness of data, or following the objection by the data subject while the controller verifies its grounds for processing). 19 Less strict 15 Less strict 28 Under the GDPR, requests for rectification and erasure have to be passed along to previous data recipients. Under Swiss law, a court can order that third parties are informed. 20 No provision No provision Data subjects may require a controller to return personal data that the data subjects have provided to them and have been processed automatically on the basis of a contract or other consent. The data has to be provided in a machine-readable form and, if technically feasible, directly to another controller as directed by the data subject.

7 7 17 Right to object** 21 Less strict 12, Less strict 26, The GDPR only addresses right to object when the processing is based on a 13, 15 27, 28private or public interest, is done for direct marketing or occurs for scientific, historical, research or statistical purposes. The GDPR requires that data subject must be informed about the right "separately from any other information". The current and future DPA provides for a broad right to object; the controller can justify non-compliance with an objection based on overriding private interest, among other things. Automated individual decision making including profiling** *** 22 No provision Less strict 19 The GDPR grants right of data subject not to be subject of decisions based solely on automated processing ("automated processing" shall also include any form of profiling) that produces legal effects or similarly affects the data subject, with exceptions (such as conclusion or performance of contract or explicit consent); furthermore, such processing has to meet certain standards to safeguard the data subjects, such as granting a right to human intervention. The future DPA will provide for a similar provision which, however, is less strict in terms that no human intervention and separate information needs to be provided in cases where automated individual decisions are based on express consent or for the conclusion or performance of a contract insofar such contract corresponds what the data subject has requested.

8 8 17 Restrictions of rights of data subject and processing principles by law Responsibility of controller Data protection by design and default* 23 Comparable 13 Comparable 27 The GDPR provides for various predefined cases under which the EU and Member States can limit (or justify non-compliance with) data subject rights and the processing principles (e.g., the protection of "rights and freedoms of others" and enforcement of civil claims). Under the current and future DPA, however, restrictions may be justified more generally on the basis of "legitimate (private) interests". 24 Comparable 7, 12, 13 Comparable 7, 26, The GDPR requires that controller must be able to demonstrate that its 27 processing is in compliance. The current and revised DPA does not expressly provide for this, but de facto the requirement exists as well. 25 Less strict 4, 7 Comparable 5, 6 The GDPR is express on these principles, and so will the future DPA. Under the current DPA, data protection by design is required already implicitly. The GDPR requires that by default only the data necessary for the purpose is processed; publication shall require the individual's intervention. The future DPA will require that unless the data subject directs otherwise, pre-settings shall provide for the least possible processing of personal data offered by default (does not apply if the data subject has agreed otherwise). Joint controllers* 26 Comparable 7 Comparable 6 The GDPR requires that joint controllers set forth their allocation of responsibilities in an arrangement. The current and future DPA does not require any kind of formal arrangement.

9 9 17 Representative of non-union based controllers in the Union* Processor arrangements* *** 27 No provision No provision Under the GDPR, controllers and processors outside the EU have to mandate a representative (its liability remains unclear, though) in the EU except if their processing subject to the GDPR is occasional, not concerning significant amounts of sensitive personal data and not risky. 28 Less strict 10a Comparable 8 The GDPR requires that sub-processors are approved in writing by the controller; in case of general approval, controller must be informed of new sub-processor and has to have a right to object. This approval requirement will also be introduced under the future DPA. The GDPR provides for specific content of controller-processor arrangements (e.g., processing of data only on documented instructions by controller, assisting controller in compliance matters). The GDPR provides for standard clauses approved by the Commission. Persons acting for controllers or processors* 29 Comparable 7, 10aComparable 6, 8, 22 The GDPR is more express on their duty towards the controller or processor. Records of processing activities* 30 Less strict 7, 11aComparable 11 The GDPR requires that each controller and processor maintains a record of its processing activities, except for enterprises with less than 250 employees with regard to processing that involves no sensitive data, is only occasional

10 10 17 and involves no risks. The current DPA provides for obligation to register certain data files with the data protection authority, or maintain a corresponding record if a data protection officer has been appointed. The future DPA will provide for an obligation to maintain a record of processing activities comparable to the GDPR, with a slightly different, broader exemption. Obligation to cooperate with the supervisory authority* 31 Comparable 29 Comparable 44 Security of processing* *** Notification of a data breach to the supervisory authority* 32 Comparable 7 Comparable 7 The GDPR is more express on what is required. Under the DPA, more specific requirements are to be regulated in an ordinance. 33 No provision Less strict 22 The GDPR provides for a formal obligation to notify data breaches (i.e. breaches of security leading to unauthorized disclosure or other processing) to the data protection authority within 72 hours except where unlikely to result in a risk for the data subjects. The GDPR also provides for an obligation to maintain a record of "any" data breach. The future DPA will also introduce a data breach notification obligation, but the authority will need to be notified only if there is a high risk for the data

11 11 17 subjects. The notification has to occur as soon as possible. Communication of a data breach to the data subject* Data protection impact assessment* 34 Less strict 2, 7 Comparable 22 The GDPR provides for obligation to inform data subject in any event if the breach is likely to result in a high risk for the data subject. Under the revised DPA, a formal obligation to notify data subjects exists in the case that the notification is necessary to protect their interests. 35 Less strict 7 Comparable 20 The GDPR is more formal on the obligation to perform a data protection impact assessment and defines the cases in which this is necessary ("high risk" cases, e.g., large scale processing of sensitive personal data). The GDPR also provides for consultation of data subjects "where appropriate", and that supervisory authorities may define "high risk" cases. The future DPA will also provide for a formal obligation to conduct and document a data protection impact assessment comparable to the GDPR, but already defines specific cases where such an assessment is necessary and may be stricter than under the GDPR (e.g., profiling). Prior consultation of supervisory authority* 36 No provision Comparable 21 The GDPR provides for obligation to consult supervisory authority if, following a data protection impact assessment, a case remains "high risk" despite the mitigation measures taken; response shall be provided within eight plus six weeks. The future DPA will provide for a similar provision, with the exception that the authority does not need to consulted if instead the internal data

12 12 17 protection counsel is consulted. Designation of a data protection officer* 37 Less strict 11a, ODPA 12a/b Less strict 9 The GDPR requires data protection officer for controllers and processors who require regular and systematic monitoring of data subjects on a large scale or process sensitive personal data on a large scale. The future DPA provides for the appointment of a "data protection counsel", which is not mandatory in any event. In the case of a data protection impact assessment, no consultation of the authority is necessary if instead the counsel is consulted. Position of the data protection officer* 38 Comparable ODPA Comparable 9 12a/b Tasks of the data protection officer* 39 Comparable ODPANo provision 9 Under the GDPR, the officer shall also monitor compliance and be the contact 12a/b point for the supervisory authority, but is not required to maintain the records of all data files (as under the DPA). The future DPA will not define the duties of the data protection counsel. Codes of conduct 40 No provision Comparable 10 The GDPR provides for (private) codes of conduct that can be approved and published by the competent authorities. The future DPA will provide for a similar provision.

13 13 17 Monitoring of approved codes of conduct* 41 No provision No provision The GDPR provides that a (private) body may monitor compliance with the codes of conduct and impose (private) sanctions (e.g., exclusion from the code). Certifications* 42 Comparable 11 Comparable 12 The GDPR provides for certifications also for the purposes of safeguarding transborder data flows to countries without an adequate level of statutory data protection. The GDPR provides for a "European Data Protection Seal". The current DPA provides for certifications of processing activities and products, the future DPA will also allow for the certification of services. Certification body* 43 Comparable 11 Comparable 12 General principle of cross-border data transfers** *** 44 Comparable 6 Comparable 13 Transfers with an adequacy decision** *** 45 Comparable 6 Comparable 13 The current DPA does not provide for binding adequacy decisions by a supervisory authority; it remains the responsibility of the exporter to assess the adequacy. In the future, the DPA will provide for such decisions, as does the GDPR. The GDPR provides that existing adequacy findings shall remain valid for the

14 14 17 time being. It also provides for criteria to assess adequacy. Transfers based on a safeguard** *** 46 Comparable 6 Comparable 13 The GDPR permits transfers also on the basis of approved codes of conduct, approved certifications. If non-standard contractual clauses are to be used, approval by the supervisory authority is necessary. The GDPR also provides that existing standard clauses shall remain valid for the time being. The current and future DPA provide for both standard and non-standard contractual safeguards. Non-standard contractual safeguards are subject to review by the authority. Transfers by way of binding corporate rules** *** Transfers or disclosures not authorized by EU law** *** Derogations for specific situations** 47 Less formal 6 Comparable 13 The GDPR requires approval of binding corporate rules (BCRs) and defines what they must provide for. Under the future DPA, BCRs need to be approved, as well. 48 Comparable 6 Comparable 13, 14GDPR provides for a "blocking statute" concerning foreign orders to produce data if such production is not done through legal mutual assistance (or the like) or on one of the other grounds for lawful transfers pursuant to the GDPR. Under Swiss law, Art. 271 Swiss Penal Code may be triggered in such cases. 49 Stricter 6 Comparable 14 The GDPR also permits transfers in case of establishment, exercise or defense of legal claims not only before a court (as does the current DPA) or in case of non-repetitive transfers concerning a limited number of data subjects

15 15 17 *** for compelling legitimate (private) interests (but the supervisory authority has to be informed in the latter case). The future DPA will remove the limitation as to court proceedings. However, overriding private interests do not provide for an exemption under the current and future DPA. Supervisory authority powers** *** Right to lodge a complaint with the supervisory authority 58 Less strict 29 Comparable 43, Under the GDPR, the supervisory authority has the power to issue orders to 44, the controller or processor as regards their processing of data and 45, 59administrative fines. Under the future DPA, the authority can investigate matters and issue orders to controllers and processors, but not issue any fines. Fines are to be issued by the cantonal criminal prosecution authorities Less strict 28, 29Comparable 43 Under the GDPR, data subjects can not only submit complaints concerning their individual cases, they have a right to receive information on the progress or outcome from the supervisory authority and go to court if the supervisory authority does not deal with the complaint in time. Under the future DPA, there will be a similar provision, but the authority may refuse to investigate cases deemed not significant. Right to an effective judicial remedy against a controller or processor 79 Comparable 15, Comparable 28, The GDPR is not clear on claims against controllers and processors not CC 28 CC 28established in the Union.

16 16 17 Representation of a data subjects by an organization 80 Comparable CPC 89 Comparable CPC 89 Administrative fines 83 No provision No provision Fines issued by supervisory authority under the GDPR are either up to 10m EUR or 2% of total worldwide annual turnover (whichever is higher) or up to 20m EUR or 4% of total worldwide annual turnover (whichever is higher), depending on the provision violated. Penalties 84? 34 Stricter 54, 55, 56, Penalties under the GDPR are to be set forth by the Member States. Under the future DPA, a number of violations of the DPA or lack of cooperation with the supervisory authority can result in criminal fines against responsible 57, 58individuals (acting intentionally) of up to CHF 250'000. Processing of personal data by media 85 Comparable 10, 13Comparable 25 Exemptions restrictions of obligations under the GDPR to be set forth by the Member States. Processing of national identification numbers 87? Specific conditions under the GDPR to be set forth by Member States. Processing in the employment context 88? CO 328b CO Specific conditions under the GDPR to be set forth by Member States. 328b

17 17 17 Processing for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes 89? Exemptions restrictions of obligations under the GDPR to be set forth by the Member States. Obligations of secrecy 90? 9, 13 18, Member States may define specific rules to reconcile the data protection and 24, 27secrecy obligations. * GDPR: Maximum administrative sanction of EUR 10 million or 2%, whichever is higher. ** GDPR: Maximum administrative sanction of EUR 20 million or 4%, whichever is higher. *** Future DPA: Fines for individuals acting intentionally of up to CHF 250'000; in cases of fines of up to CHF 50'000, it is possible to fine the corporate entity instead.