Part 3 of our series on data protection law in Switzerland
In this part of our series, we explore the principles of personal data processing, which are stipulated in Art. 6, Art. 8 and Art. 19-21 of the Swiss Federal Act on Data Protection (FADP).
Lawfulness
Personal data must be processed lawfully. Private controllers, however, do not need a legal ground for processing as such. A justification is required only where the processing violates the data subject's personality, namely where personal data is processed contrary to the processing principles or to the express wishes of the data subject, or where sensitive personal data is disclosed to third parties. In those cases the controller must rely on a legal justification such as the consent of the data subject, an overriding private or public interest, or a provision of law. Federal bodies, on the other hand, must always rely on a statutory basis when processing personal data.
Good faith
Good faith is a general principle anchored in the Swiss Federal Constitution and applies to all conduct under Swiss law. For personal data processing it means that the controller must act loyally and in a trustworthy manner, and must avoid conduct that contradicts its own prior behaviour or the legitimate expectations it has created (for example, processing data in a way that deviates from what the data subject was told when the data was collected).
Proportionality
Data processing is proportionate if the data is suitable for achieving the intended purpose and only the data necessary for that purpose is processed, in line with the rule "as much as necessary, as little as possible". In addition, the purpose of the processing must be weighed against the impact it may have on the data subject's privacy and rights, so that the intrusion is not out of proportion to the benefit sought.
Purpose limitation
Personal data may only be collected for a specific purpose that is recognisable to the data subject. It may be processed for a secondary purpose only if that new purpose is compatible with the original purpose and could reasonably be expected by the data subject, or if there is a justification for the further processing, such as the consent of the data subject.
Storage limitation
Personal data must be destroyed or anonymised as soon as it is no longer required for the purpose of the processing. In practice, this means controllers must define retention periods for each category of data up front and implement deletion or anonymisation once those periods expire, rather than deciding case by case after the fact.
Accuracy
Whoever processes personal data must make sure that the data is accurate and take all appropriate measures to correct, delete or destroy data that is incorrect or incomplete with respect to the purpose of processing. The appropriateness of the measures depends on the form and the extent of the processing and on the risk to the data subject's personality or fundamental rights.
Data security
Controllers and processors must ensure a level of data security appropriate to the risk by taking suitable technical and organisational measures. Art. 1-6 of the Ordinance on Data Protection contain specific provisions on data security, including the protection goals to be pursued and the logging and documentation duties that apply to certain processing operations.
Transparency
When collecting personal data, the controller must provide data subjects with sufficient information to exercise their rights and to ensure transparent data processing. At a minimum, the information must cover the following:
a) the identity and contact details of the controller;
b) the purpose of the processing;
c) where applicable, the recipients or categories of recipients of the personal data;
d) where the data is not collected directly from the data subject, the categories of personal data processed;
e) where the personal data is disclosed abroad, the state or international body to which it is disclosed (this applies even where that state provides adequate protection) and, where applicable, the guarantees relied on or the exception invoked.
In addition, data subjects must be informed of any automated individual decision that has legal consequences for them or affects them considerably.
Preview of Part 4
In part 4 of our series, we will analyse under which circumstances a legal basis for processing is required under the FADP.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.