data protection 2020 - media.homburger.ch · initiatives to boost data business in japan takashi...

Data Protection 2020A practical cross-border insight into data protection law

Seventh Edition

Featuring contributions from:

Addison Bright Sloane

Anderson Mōri & Tomotsune

Chandler MHM Limited

Clyde & Co

DDPV Studio Legale

Deloitte Kosova Shpk

Deloitte Legal Shpk

D’LIGHT Law Group

DQ Advocates Limited

Drew & Napier LLC

Elzaburu S.L.P.

FABIAN PRIVACY LEGAL GmbH

Herbst Kinsky Rechtsanwälte GmbH

Homburger AG

Khaitan & Co LLP

King & Wood Mallesons

Koushos Korfiotis Papacharalambous LLC

Lee and Li, Attorneys-at-Law

Leśniewski Borkiewicz & Partners

LPS L@w

LYDIAN

Marval O’Farrell Mairal

Matheson

Mori Hamada & Matsumoto

Naschitz, Brandes, Amir & Co., Advocates

NEOVIAQ IP/ICT

Nyman Gibson Miralis

OLIVARES

Pellon de Lima Advogados

PPM Attorneys

Rothwell Figg

Semenov&Pevzner

SEOR Law Firm

SKW Schwarz Rechtsanwälte

SSEK Indonesian Legal Consultants

S. U. Khan AssociatesCorporate & Legal Consultants

Synch Advokatpartnerselskab

Templars

White & Case LLP

White & Case, s.r.o., advokátní kancelář

Wikborg Rein Advokatfirma AS

Table of Contents

Q&A Chapters

6

12

Privacy, Data Protection, and Cybersecurity: A State-Law AnalysisMartin M. Zoltick & Jenny L. Colgate, Rothwell Figg

Privacy By Design in Digital HealthDaniela Fábián Masoch, FABIAN PRIVACY LEGAL GmbH

17 Initiatives to Boost Data Business in JapanTakashi Nakazaki, Anderson Mōri & Tomotsune

24 AlbaniaDeloitte Legal Shpk: Ened Topi & Aida Kaloci

33 ArgentinaMarval O’Farrell Mairal: Gustavo P. Giay &Diego Fernández

169 IndonesiaSSEK Indonesian Legal Consultants:Denny Rahmansyah & Raoul Aldy Muskitta

178 IrelandMatheson: Anne-Marie Bohan & Chris Bollard

Expert Chapters1 The Rapid Evolution of Data Protection Laws

Dr. Detlev Gabel & Tim Hickman, White & Case LLP

42 AustraliaNyman Gibson Miralis: Dennis Miralis &Phillip Gibson

54 AustriaHerbst Kinsky Rechtsanwälte GmbH:Dr. Sonja Hebenstreit

65 BelgiumLYDIAN: Bastiaan Bruyndonckx & Olivia Santantonio

77 BrazilPellon de Lima Advogados: Rafael Pellon &Nathalia Santos

86 ChinaKing & Wood Mallesons: Susan Ning & Han Wu

97 CyprusKoushos Korfiotis Papacharalambous LLC:Loizos Papacharalambous & Anastasios Kareklas

109 Czech RepublicWhite & Case, s.r.o., advokátní kancelář: Ivo Janda & Anna Stárková

119 DenmarkSynch Advokatpartnerselskab: Christine Jans & Heidi Højmark Helveg

131 FranceClyde & Co: Benjamin Potier & Pierre Affagard

141 GermanySKW Schwarz Rechtsanwälte: Nikolaus Bertermann

150 GhanaAddison Bright Sloane: Victoria Bright &Justice Oteng

190 Isle of ManDQ Advocates Limited: Kathryn Sharman &Sinead O’Connor

200 IsraelNaschitz, Brandes, Amir & Co., Advocates:Dalit Ben-Israel & Efrat Artzi

211 ItalyDDPV Studio Legale: Luciano Vasques &Chiara Sciarra

223 JapanMori Hamada & Matsumoto: Hiromi Hayashi & Masaki Yukawa

234 KoreaD’LIGHT Law Group: Iris Hyejin Hwang & Hye In Lee

244 KosovoDeloitte Kosova Shpk: Ardian Rexha & Ened Topi

253 LuxembourgNEOVIAQ IP/ICT: Raymond Bindels & Milan Dans

264 MexicoOLIVARES: Abraham Díaz Arceo & Gustavo Alcocer

273 NigeriaTemplars: Emmanuel Gbahabo &Oghomwen Akpaibor

286 NorwayWikborg Rein Advokatfirma AS: Gry Hvidsten & Emily M. Weitzenboeck

298 PakistanS. U. Khan Associates Corporate & Legal Consultants: Saifullah Khan & Saeed Hasan Khan

159 IndiaKhaitan & Co LLP: Harsh Walia &Supratim Chakraborty

306 PolandLeśniewski Borkiewicz & Partners:Grzegorz Leśniewski, Mateusz Borkiewicz &Jacek Cieśliński

317 RussiaSemenov&Pevzner: Ekaterina Smirnova

326 SenegalLPS L@w: Léon Patrice Sarr

335 SingaporeDrew & Napier LLC: Lim Chong Kin

397 TurkeySEOR Law Firm: Okan Or & Basak Feyzioglu

349 South AfricaPPM Attorneys: Delphine Daversin & Melody Musoni

359 SpainElzaburu S.L.P.: Ruth Benito Martín &Alberto López Cazalilla

370 SwitzerlandHomburger AG: Dr. Gregor Bühler, Luca Dal Molin & Dr. Kirsten Schmidt

379 TaiwanLee and Li, Attorneys-at-Law: Ken-Ying Tseng &Sam Huang

389 ThailandChandler MHM Limited: Pranat LaohapairojMori Hamada & Matsumoto: Atsushi Okada

407 United KingdomWhite & Case LLP: Tim Hickman & Matthias Goetz

417 USAWhite & Case LLP: Steven Chabinsky &F. Paul Pittman

Q&A Chapters Continued

Data Protection 2020

Chapter 38370

Switzerland

Homburger AG

Luca Dal Molin

Dr. Gregor Bühler

Switzerland

Dr. Kirsten Schmidt

© Published and reproduced with kind permission by Global Legal Group Ltd, London

1 Relevant Legislation and Competent Authorities

1.1 What is the principal data protection legislation?

In Switzerland, data protection is regulated on the federal and the cantonal level. The Federal Act on Data Protection (“DPA”) and its corresponding ordinances regulate the processing of personal data by private parties and by federal authorities. In addition, there are cantonal rules addressing the processing of personal data by the cantonal and municipal authorities.

1.2 Is there any other general legislation that impacts data protection?

The most important statute regarding data protection is the DPA. There are several implementing regulations and guidelines, such as the Ordinance to the Federal Act on Data Protection and the Ordinance on Data Protection Certification.

1.3 Is there any sector-specific legislation that impacts data protection?

Various individual laws contain additional, sector-specific rules on data protection; for instance, in the fields of telecom-munication and of research and medicine. For example, the Federal Telecommunications Act contains rules governing the processing of certain personal data by telecommunication service providers, and the Federal Act on Research involving Human Beings contains rules regarding the use of health-related personal data, biological material and genetic data for research purposes.

1.4 What authority(ies) are responsible for data protection?

The Federal Data Protection and Information Commissioner (“FDPIC”) is the federal authority overseeing the application of the DPA. The cantons have their own cantonal data protection authorities for the enforcement of their data protection laws.

2 Definitions

2.1 Please provide the key definitions used in the relevant legislation:

■ “Personal Data” means all information relating to an identified or identifiable person.

■ “Processing” means any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving or destruction of data.

■ “Disclosure” means making personal data accessible, for example by permitting access, transmission or publication.

■ “Controller” is not expressly defined in Swiss legislation. However, the term is largely interpreted in line with the definition of the EU General Data Protection Regulation (“GDPR”), i.e. as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

■ “Processor” is not expressly defined in Swiss legislation, but the term is largely interpreted in line with the GDPR definition, meaning a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

■ “Data Subject” means an individual who is the subject of the relevant personal data. Under current Swiss law, both natural persons and legal entities are considered data subjects and protected by the applicable legislation.

■ “Sensitive Personal Data” are personal data revealing racial origin, political opinions, religious or ideological beliefs, trade-union membership, social security measures, administrative or criminal proceedings or sanctions; data concerning health or the intimate sphere; genetic data; or biometric data.

■ “Data File” means any set of personal data that is struc-tured in such a way that the data is accessible by data subject.

■ “Personality Profile” means a collection of data that permits an assessment of essential characteristics of the personality of a natural person.

371Homburger AG

Data Protection 2020© Published and reproduced with kind permission by Global Legal Group Ltd, London

5 Individual Rights

5.1 What are the key rights that individuals have in relation to the processing of their personal data?

■ Information right: A data subject may request informa-tion on a controller’s processing of his or her personal data. In particular, the data subject is entitled to infor-mation on: (i) whether the controller processes the data subject’s personal data; (ii) the purposes of the processing; (iii) the categories of data that are processed; (iv) the cate-gories of recipients to whom data may be disclosed; and (v) the source of the data. Additionally, the data subject may request a copy of the personal data being processed free of charge. This information right can only be limited or excluded if required by overriding public or, subject to certain limitations, private interests or by a Swiss statutory provision. In practice, courts tend to interpret this right to information broadly, often granting data subject access to original documents relating to the data subject.

■ Rectification right: Data subjects have the right to recti-fication of inaccurate personal data.

■ Objection right: Data subjects have the right to object to the processing of their personal data, as personal data must not be processed against the data subject’s express wishes without justification. The controller may establish a justification for the processing, i.e. a law providing for the processing or an overriding private or public interest. This also results in a right to request deletion of personal data, unless the processor is able to justify the continued retention despite the data subject’s request.

■ Monetary compensation: If the data subject’s personality rights are infringed by unlawful processing of personal data, the data subject may may further claim damages, compensation for pain & suffering and disgorgement or profits resulting from the unlawful data processing to the extent it results from the breach of the data subject’s personality rights. In practice, however, it is often diffi-cult to prove damage, and Swiss courts are often reluctant to award compensation for pain & suffering.

6 Registration Formalities and Prior Approval

6.1 Is there a legal obligation on businesses to register with or notify the data protection authority (or any other governmental body) in respect of its processing activities?

There is no general legal obligation to register with or notify the FDPIC of data processing activities. Under certain circum-stances, notification or registration obligations may, however, arise. In particular, companies may have to register data files with the FDPIC if they regularly process sensitive personal data or personality profiles, or if they regularly disclose personal data to third parties. The FDPIC maintains a register of data files that is accessible online. Exceptions apply if the processing is required by law or if the company has appointed a data protec-tion officer (“DPO”). In addition, there is an obligation to notify the FDPIC with respect to certain cross-border data transfers (cf. section 11 below).

3 Territorial Scope

3.1 Do the data protection laws apply to businesses established in other jurisdictions? If so, in what circumstances would a business established in another jurisdiction be subject to those laws?

The DPA applies to the processing of personal data in Switzerland; i.e., in principle, it does not apply to businesses established else-where that do not have Swiss operations. However, the rules of Swiss private international law allow data subjects to choose Swiss law to apply to civil claims under data protection law if there is a sufficient link to Switzerland as provided for in the law (e.g., because the data subject or the controller is established in Switzerland, or because the relevant processing activity takes effect in Switzerland).

4 Key Principles

4.1 What are the key principles that apply to the processing of personal data?

■ Lawful processing: The processing of personal data has to comply with Swiss law. However, contrary to the GDPR, there is no need for a specific legal basis for processing activities.

■ Good faith: One may only process personal data in good faith.

■ Proportionality: One may only collect and process such personal data as is necessary to achieve a legitimate purpose, and only as little data and for as long as necessary for pursuing the purpose intended.

■ Transparency: This requires that data subjects be informed about the processing of their personal data, unless they have other reasonable means of understanding how their data is processed. When processing sensitive personal data or personality profiles, the data subject needs to be expressly informed about the identity of the data controller, the purpose of the processing and the categories of recipients of such personal data if they are disclosed to third parties.

■ Purpose limitation: Personal data may only be processed for the purpose indicated at the time of collection or for the purpose that is evident from the circumstances or provided for by law.

■ Accuracy: Personal data must be accurate and, where necessary, kept up to date. Personal data that is incorrect or incomplete in view of the purpose of its processing must not be processed.

■ Data security: Those who process personal data have to implement and maintain adequate technical and organisa-tional measures to ensure data security, i.e. to prevent unau-thorised processing of such personal data.

If personal data are processed in accordance with these processing principles, data processing is usually considered lawful as long as the data subject has not expressly objected to the rele-vant processing. The processing of personal data in violation of these principles, and processing notwithstanding the data subject’s objection, are considered a breach of the personality rights of the affected data subject. Such breach of personality rights is deemed unlawful unless it can be demonstrated that the processing is justified by the consent of the data subject, by an overriding private or public interest or by a provision of Swiss law.

372 Switzerland


6.9 Is any prior approval required from the data protection regulator?

As a matter of principle, data files have to be registered before they are opened, but the creating of such data file does not require any approval by the FDPIC.

6.10 Can the registration/notification be completed online?

Yes, this can be done online.

6.11 Is there a publicly available list of completed registrations/notifications?

The FDPIC maintains a register of data files. It accessible online and may be consulted by anyone.

6.12 How long does a typical registration/notification process take?

The registration of the data file can be completed by filling out an online form.

7 Appointment of a Data Protection Officer

7.1 Is the appointment of a Data Protection Officer mandatory or optional? If the appointment of a Data Protection Officer is only mandatory in some circumstances, please identify those circumstances.

There is no legal requirement to appoint a DPO.

7.2 What are the sanctions for failing to appoint a Data Protection Officer where required?

This is not applicable.

7.3 Is the Data Protection Officer protected from disciplinary measures, or other employment consequences, in respect of his or her role as a Data Protection Officer?

There are no specific rules for DPOs; the general employment law rules on unfair dismissal apply.

7.4 Can a business appoint a single Data Protection Officer to cover multiple entities?

A single DPO is permitted to cover multiple entities.

7.5 Please describe any specific qualifications for the Data Protection Officer required by law.

The DPO may be an employee of the controller or a third party. He or she has to be independent, carry out his or her duties without instructions from the controller, and may not carry

6.2 If such registration/notification is needed, must it be specific (e.g., listing all processing activities, categories of data, etc.) or can it be general (e.g., providing a broad description of the relevant processing activities)?

The registration of data files has to be made for the specific data file, and contain the information provided for by the DPA.

6.3 On what basis are registrations/notifications made (e.g., per legal entity, per processing purpose, per data category, per system or database)?

The registration of data files is made per data file, and per legal entity.

6.4 Who must register with/notify the data protection authority (e.g., local legal entities, foreign legal entities subject to the relevant data protection legislation, representative or branch offices of foreign legal entities subject to the relevant data protection legislation)?

The registration of a data file must be carried out by the person who controls the data file. Usually this is the local Swiss entity.

6.5 What information must be included in the registration/notification (e.g., details of the notifying entity, affected categories of individuals, affected categories of personal data, processing purposes)?

The registration of data files has to be relatively specific and contain the following information: (i) the name and address of the controller; (ii) the name of the data file; (iii) the person against whom the right of information may be asserted; (iv) the purpose; (v) the categories of personal data processed; (vi) the categories of data recipients; and (vii) the categories of persons participating, i.e. third parties who are permitted to enter and modify data in the data file. This information has to be updated continuously.

6.6 What are the sanctions for failure to register/notify where required?

The wilful failure to declare data files, or wilfully providing false information in doing so, is punished by a fine of up to CHF 10,000.

6.7 What is the fee per registration/notification (if applicable)?

There is no fee for the registration of a data file.

6.8 How frequently must registrations/notifications be renewed (if applicable)?

In principle, the registration is only valid for the specific data file. Thus, a new registration has to be conducted when the facts reported change significantly and it is not sufficient to update the information provided to the register.

373Homburger AG


9 Marketing

9.1 Please describe any legislative restrictions on the sending of electronic direct marketing (e.g., for marketing by email or SMS, is there a requirement to obtain prior opt-in consent of the recipient?).

Electronic marketing is regulated by the Federal Act on Unfair Competition (“UCA”). It is considered unfair competition to send electronic mass advertising without a direct connection to content requested, without having obtained the prior consent of the customers, indicating the correct sender or pointing to an easy and free-of-charge rejection option. Consent is deemed to be given if contact information has been received from the customer when selling identical or similar goods earlier. In addition, the data protection principles apply to the processing of customers’ contact information.

9.2 Are these restrictions only applicable to business-to-consumer marketing, or do they also apply in a business-to-business context?

The above restrictions under the UCA apply to business-to-con-sumer marketing only.

9.3 Please describe any legislative restrictions on the sending of marketing via other means (e.g., for marketing by telephone, a national opt-out register must be checked in advance; for marketing by post, there are no consent or opt-out requirements, etc.).

In principle, telephone marketing is permitted in Switzerland. Anyone who does not wish to receive promotional calls can register this in the telephone directory with an asterisk (*). According to the UCA, it is considered unfair competition if the notice in the telephone directory that a customer does not wish to receive advertising messages from third parties, and that her or his data may not be passed on for direct marketing purposes, is disregarded. For marketing by post, there are no consent or opt-out requirements. However, a large number of mailboxes in Switzerland have stickers with “no advertising” on them, which means that no marketing communication may be distrib-uted to such mailboxes. In addition, the data protection regula-tions must always be complied with, including when the contact details are not obtained from public sources.

9.4 Do the restrictions noted above apply to marketing sent from other jurisdictions?

The UCA is applicable to all actions affecting the Swiss market due to the principle of impact. For this reason, the regulations also apply to foreign companies that are active on the Swiss market. For the territorial scope of the DPA, please see ques-tion 3.1 above.

9.5 Is/are the relevant data protection authority(ies) active in enforcement of breaches of marketing restrictions?

No. The State Secretariat for Economic Affiars (“SECO”) as well as the cantonal prosecution authorities are active in the enforcement of the marketing restrictions set out in the UCA.

out any other activities that are incompatible with his or her duties. Moreover, the DPO needs the required specialist knowl-edge, the resources required and access to all data files and data processing, as well as to all information required to fulfil his or her duties.

7.6 What are the responsibilities of the Data Protection Officer as required by law or best practice?

A DPO should be involved in all issues which relate to the protec-tion of personal data. The DPA outlines the DPO’s minimum responsibilities, which include: (i) auditing the processing of personal data; (ii) recommending corrective measures if data protection regulations are not complied with; (iii) maintaining a list of the data files that are operated by the controller; and (iv) making the list of data files available to the FDPIC or, on request, to data subjects.

7.7 Must the appointment of a Data Protection Officer be registered/notified to the relevant data protection authority(ies)?

In principle, there is no need for such registration or notifica-tion. However, if the controller of the data file wishes to be exempted from the duty to register the data file, the FDPIC has to be notified of the appointment of the DPO.

7.8 Must the Data Protection Officer be named in a public-facing privacy notice or equivalent document?

The DPO does not need to be named in the public-facing privacy notice.

8 Appointment of Processors

8.1 If a business appoints a processor to process personal data on its behalf, must the business enter into any form of agreement with that processor?

Yes. The processing of personal data may be assigned to third parties by agreement if: (i) the data is processed only in the manner permitted for the instructing party, i.e. the controller, itself; and (ii) it is not prohibited by a statutory or contractual duty of confidentiality. In particular, the instructing party has to ensure that the third party guarantees data security.

8.2 If it is necessary to enter into an agreement, what are the formalities of that agreement (e.g., in writing, signed, etc.) and what issues must it address (e.g., only processing personal data in accordance with relevant instructions, keeping personal data secure, etc.)?

The DPA does not state any requirement regarding formalities or issues that have to be addressed. Usually, the agreement is concluded in writing. The controller must ensure that the data are processed only in the manner permitted to the controller, and that data security is guaranteed. GDPR-compliant processor terms can usually be used for Swiss purposes too.

374 Switzerland


other jurisdictions is only permitted if adequate data protection is otherwise ensured (e.g., by means of implementing contrac-tual safeguards), or if it or the export can be justified on other grounds (such as consent, the performance of an agreement with the data subject, or the enforcement of a claim in a foreign court).

11.2 Please describe the mechanisms businesses typically utilise to transfer personal data abroad in compliance with applicable transfer restrictions (e.g., consent of the data subject, performance of a contract with the data subject, approved contractual clauses, compliance with legal obligations, etc.).

Frequently, businesses seek to ensure an adequate level of data protection when exporting personal data to a third country by implementing alternative safeguards, including by way of imple-menting contracts with the data importer. In particular, the EU Model Clauses are acknowledged as sufficient from a Swiss perspective, and so may be used as a contractual basis to transfer personal data to third countries. Alternatively, Binding Corporate Rules (“BCRs”) can be used for intragroup transfers. Finally, data transfers to the USA are permitted if the data importer has signed up to the Swiss–US Privacy Shield Framework, which is equivalent to the corresponding EU–US framework.

Aside from such alternative safeguards, businesses may rely on case-by-case justifications. Most importantly, personal data may be transferred to third countries if the data subject has consented, if it is required for executing or performing a contract with the data subject, if it is required to exercise or enforce a right in a foreign court, or if it is justified by overriding public interests.

11.3 Do transfers of personal data to other jurisdictions require registration/notification or prior approval from the relevant data protection authority(ies)? Please describe which types of transfers require approval or notification, what those steps involve, and how long they typically take.

The FDPIC must be notified if a business wishes to disclose personal data to a third country and it relies on alternative safe-guards as a basis for the transfer, such as contractual safeguards or BCRs. Formal approval is not required, but the FDPIC may examine the safeguards and BCRs within 30 days. Once the FDPIC has been notified about the use of specific contractual safeguards or BCRs, the notification duty is deemed fulfilled for all future transfers under the same safeguards. If pre-approved standard contractual clauses (such as the EU Model Clauses) are used, a one-time, general notification about their use is sufficient.

12 Whistle-blower Hotlines

12.1 What is the permitted scope of corporate whistle-blower hotlines (e.g., restrictions on the types of issues that may be reported, the persons who may submit a report, the persons whom a report may concern, etc.)?

Whistle-blowing in private businesses is not yet specifically regu-lated under Swiss law, but a draft for a federal whistle-blowing regulation is currently being discussed in Parliament. Hence, there are no restrictions on the types of issues that may be reported, or on the persons who may submit a report or a concern. Even without a specific law, the processing of personal data by businesses in the context of a whistle-blower scheme is subject to the DPA and employment regulation.

9.6 Is it lawful to purchase marketing lists from third parties? If so, are there any best practice recommendations on using such lists?

The sale and purchase of contact details is permitted if the data protection regulations are respected on both the buyer and the seller side. In most cases, therefore, the consent of the data subjects will be required to share their contact information with third parties for their marketing purposes.

9.7 What are the maximum penalties for sending marketing communications in breach of applicable restrictions?

The entity that committed the infringement may be sued for damages, satisfaction and surrender of profits; for example, by competitors or customers. Additionally, criminal sanctions can be imposed: natural persons can be punished, on request, for wilfully committing unfair competition, with imprisonment for up to three years or a fine. Under certain circumstances, if the unfair compe-tition is committed while managing the affairs of a legal entity, the representatives can be subject to the same penalty accordingly.

10 Cookies

10.1 Please describe any legislative restrictions on the use of cookies (or similar technologies).

There is no opt-in requirement to use cookies under Swiss law. Website operators, however, have to inform visitors about the use of cookies and similar technologies, including the purpose of the cookies and information about how they can be rejected.

10.2 Do the applicable restrictions (if any) distinguish between different types of cookies? If so, what are the relevant factors?

No, Swiss regulation does not distinguish between different types of cookies.

10.3 To date, has/have the relevant data protection authority(ies) taken any enforcement action in relation to cookies?

There are no enforcement actions that are publicly known in respect of cookies.

10.4 What are the maximum penalties for breaches of applicable cookie restrictions?

A violation of the cookie regulation is considered an administra-tive offence and can entail a fine of up to CHF 5,000.

11 Restrictions on International Data Transfers

11.1 Please describe any restrictions on the transfer of personal data to other jurisdictions.

Data transfers to jurisdictions that have adequate data protec-tion laws in place are permitted. The transfer of personal data to

375Homburger AG


employees have to be adequately informed about the use and the purpose of the surveillance or monitoring system, and about their right to information.

14.3 To what extent do works councils/trade unions/employee representatives need to be notified or consulted?

Employee representatives are entitled to timely and comprehen-sive information on all matters that they need to be aware of in order to perform their duties. Thus, if such employee represent-atives exist in a company, it is advisable to keep them informed about employee monitoring. There is, however, no consulta-tion obligation.

15 Data Security and Data Breach

15.1 Is there a general obligation to ensure the security of personal data? If so, which entities are responsible for ensuring that data are kept secure (e.g., controllers, processors, etc.)?

Yes. Anyone processing personal data has to implement adequate technical and organisational measures to protect the data against unlawful processing. The obligation is primarily with the controller. In the case that it delegates the processing to a processor, the controller must ensure that the processor guarantees data security.

15.2 Is there a legal requirement to report data breaches to the relevant data protection authority(ies)? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expect(s) voluntary breach reporting.

The current DPA does not provide for any reporting obligations in the event of data security breaches.

15.3 Is there a legal requirement to report data breaches to affected data subjects? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expect(s) voluntary breach reporting.

The current DPA does not provide for any reporting obligations in the event of data security breaches.

15.4 What are the maximum penalties for data security breaches?

The current DPA does not provide for specific sanctions for data security breaches; however, the unlawful disclosure of secret information may trigger criminal sanctions.

12.2 Is anonymous reporting prohibited, strongly discouraged, or generally permitted? If it is prohibited or discouraged, how do businesses typically address this issue?

Anonymous reporting is generally permitted.

13 CCTV

13.1 Does the use of CCTV require separate registration/notification or prior approval from the relevant data protection authority(ies), and/or any specific form of public notice (e.g., a high-visibility sign)?

There is no requirement for separate registration or approval to use CCTV. CCTV, however, has to comply with the DPA, including its requirements regarding transparency and propor-tionality. Thus, data subjects need to be informed of the use of CCTV before they are captured on camera, e.g., by means of clearly visible signs. Whether or not there is a reasonable need to use CCTV (e.g., security reasons) to render it proportionate is assessed on a case-by-case basis; courts and authorities often take a restrictive view. Where workplaces are covered, relevant employment regulation needs to be complied with.

13.2 Are there limits on the purposes for which CCTV data may be used?

There is no general limitation as to the purposes for which CCTV may be used. However, given that the use of CCTV is typically considered to involve high risks for the personality rights of the data subjects, compelling grounds are needed to render it proportionate. This effectively limits the purposes for which its data can be used.

14 Employee Monitoring

14.1 What types of employee monitoring are permitted (if any), and in what circumstances?

The operation of surveillance or monitoring systems at the workplace is only permitted if the intended purpose cannot be achieved by less restrictive measures. Video surveillance may be permitted for organisational reasons, for security reasons or for production control. In contrast, surveillance systems designed to monitor the behaviour of employees are prohibited.

14.2 Is consent or notice required? Describe how employers typically obtain consent or provide notice.

The employer may only process data about an employee which relate to the employee’s suitability for the employment relation-ship or which are necessary for the execution of the employment contract. Usually, obtaining the employee’s consent is not neces-sary (and such consent may not be a sufficient ground, unless the employee has a real choice to consent or not). However,

376 Switzerland


16 Enforcement and Sanctions

16.1 Describe the enforcement powers of the data protection authority(ies).

Investigatory/Enforcement Power

Civil/AdministrativeSanction Criminal Sanction

Investigative Powers The FDPIC may investigate data processing by private persons on his or her own initiative or at the request of a third party if: a) methods of processing are capable of breaching the

privacy of larger number of persons (system errors);b) data files must be registered (see section 6 above); orc) there is a duty to provide information regarding cross-

border disclosure of data (see question 11.3 above).To this end, the FDPIC may request files, obtain infor-mation and arrange for processed data to be shown to him or her.

Private persons are liable to a fine of up to CHF 10,000 if they wilfully:(a) fail to provide information about certain cross-

border data transfers;(b) fail to register data files;(c) refuse to cooperate in a case investigation; or(d) provide false information to the FDPIC

in doing (a), (b), or in the course of a case investigation.

Note that it is not the legal entity that is fined, but the responsible individual.

Corrective Powers On the basis of his or her investigations, the FDPIC may issue a formal recommendation that the method of processing be changed or abandoned.If the formal recommendation by the FDPIC is not complied with or is rejected, the FDPIC may refer the matter to the Federal Administrative Court for a deci-sion. The FDPIC has the right to appeal against this decision to the Federal Supreme Court.

Not applicable.

Authorisation and Advisory Powers

The FDPIC:■ advisesprivatepersonsondataprotectionissues;■ examinesandkeepsalistofcountrieswithlegislation

guaranteeing an adequate level of data protection;■ examinescross-bordertransferofpersonaldatato

jurisdictions without an adequate level of data protec-tion on the grounds of model contracts, Standard Contractual Clauses or BCRs (see section 11 above);

■ receivesregistrationsofdatafilesandkeepstheregister; and

■ examinesthecertificationproceduresofindependentcertification organisations for data processing systems, programs or organisation, and may issue recommendations.

Not applicable.

Imposition of administrative fines for infringements of specified DPA provisions

Not applicable. Not applicable.

Non-compliance with a data protec-tion authority

Not applicable. Not applicable.

16.2 Does the data protection authority have the power to issue a ban on a particular processing activity? If so, does such a ban require a court order?

No, the FDPIC does not have the power to ban a particular data processing activity. If a formal recommendation by the FDPIC is not complied with or is rejected, the FDPIC may refer the matter to the Federal Administrative Court to render a binding decision.

16.3 Describe the data protection authority’s approach to exercising those powers, with examples of recent cases.

To date, the FDPIC has issued relatively few formal recommen-dations per year, and even fewer cases have been submitted to the Federal Administrative Court for decision (and ultimately appealed up to the Federal Supreme Court). Recent leading cases were Helsana+ (2019), Moneyhouse (2017), AXA and Google Street View (2012) and Logistep (2010).

377Homburger AG


17.2 What guidance has/have the data protection authority(ies) issued?

The FDPIC has issued specific guidance, along the lines set forth above.

18 Trends and Developments

18.1 What enforcement trends have emerged during the previous 12 months? Describe any relevant case law.

Under current data protection law, the FDPIC has only limited powers to enforce the DPA, and there are no clear enforcement trends that could be observed over the past 12 months (the last recommendation issued by the FDPIC dates from 2018). The most important topic during the last 12 months was the ongoing revision of the DPA, which will, inter alia, grant the FDPIC the power to issue a ban on particular data processing activities. Hence, the FDPIC will have greater enforcement powers under the new law.

18.2 What “hot topics” are currently a focus for the data protection regulator?

The FDPIC has recently issued statements regarding a number of data protection questions that arise in the context of government measures to fight COVID-19 (such as the use of proximity-tracing apps, the use of telecom provider data to analyse movements and gatherings of people during a lockdown, temperature and health screenings by employers, etc.). Similarly, the FDPIC often reviews issues arising in the use of new technology, such as facial recogni-tion, video conferencing, use of cloud technology, social media, etc. It is expected that data protection in the context of the use of technology and digitisation will remain a hot topic over the next 12 months.

Aside from the above, the revision of the DPA, which is expected to enter into force in 2021, will continue to be a key issue.

16.4 Does the data protection authority ever exercise its powers against businesses established in other jurisdictions? If so, how is this enforced?

Usually, the FDPIC does not exercise its powers against busi-nesses established in other jurisdictions, due to the (in principle) territorial scope of the DPA.

However, in the leading Google Street View case, the FDPIC issued a formal recommendation to Google Inc. and Google Switzerland GmbH, collectively, which was submitted to the Federal Administrative Court and ultimately to the Federal Supreme Court for decision. It can be assumed that a judgment would have been enforced primarily against Google Switzerland GmbH, if the Google entities had not complied.

Decisions of Swiss courts regarding businesses established in other jurisdictions would have to be enforced through formal international enforcement procedures.

17 E-discovery / Disclosure to Foreign Law Enforcement Agencies

17.1 How do businesses typically respond to foreign e-discovery requests, or requests for disclosure from foreign law enforcement agencies?

Swiss businesses with an international footprint frequently have to react to foreign e-discovery or data disclosure requests. In doing so, not only data protection law, but also Swiss blocking statutes need to be considered and adhered to. Such blocking statutes prohibit foreign authorities’ activities on Swiss territory as well as the aiding and abetting of such activities. Thus, as a first step, Swiss businesses typically need to verify whether or not they may respond to a foreign request under the blocking statutes. If the foreign request may be complied with in prin-ciple, compliance with the DPA needs to be ensured. In this context, the provisions governing cross-border transfers are of particular relevance, including those which permit data exports to exercise or enforce rights in a foreign court.

378

Data Protection 2020

Switzerland

Dr. Gregor Bühler is deputy head of the IP/IT and Litigation/Arbitration teams, and co-heads the Data Protection practice at Homburger. He focuses on intellectual property law, information technology and privacy law. Gregor Bühler represents clients in arbitration and state court proceedings and also acts as arbitrator on IP and technology-related disputes. He is currently Co-Chair of the IBA’s Intellectual Property and Entertainment Law Committee. Gregor Bühler completed his legal studies at the University of St. Gallen (Dr. iur.) and was admitted to the Bar in 1992. He was a visiting scholar at the Max Planck Institute in Munich (1994–95) and holds a Master’s degree (LL.M.) from Georgetown University (1997).

Homburger AGHardstrasse 201CH-8005 ZurichSwitzerland

Tel: +41 43 222 1644Email: [email protected]: www.homburger.ch

Luca Dal Molin co-heads the Homburger Data Protection practice. He specialises in data protection and privacy, intellectual property and technology law. He advises clients on all kinds of technology and IT matters, outsourcing projects and IP transactions and he has broad experience in telecommunication law. Luca Dal Molin regularly advises tech companies and supports the implementation of innovative technology and digitalisation strategies. Further, he focuses on copyright, trademark, patent and media law. In all areas of his practice, he represents clients in litigation and regulatory proceedings. Luca Dal Molin studied law at the University of Zurich and graduated in 2008. From 2014 to 2015 he studied at Stanford Law School and obtained a Master of Laws (LL.M.) in Law, Science and Technology.



We help businesses and entrepreneurs master their greatest challenges. We combine the know-how, drive and passion of all our specialists to support our clients in reaching their goals. Whether advising clients on transactions, representing them in court proceedings or helping them with regulatory matters, we are dedicated to delivering exceptional solutions, no matter the complexity or time constraints. We are renowned for our pioneering legal work, for uncompromising quality and our outstanding work ethic. We are at our best when we work as a team. Smart, efficient collaboration within our firm, with the involvement of our clients and other parties, is crucial to our performance.

www.homburger.ch

Dr. Kirsten Schmidt is an associate in Homburger’s IP/IT and Data Protection teams and advises clients on corporate, regulatory and litigious matters. The main focus of her practice lies in Swiss and European data protection law as well as information technology and intellectual property law. Kirsten Schmidt completed her legal studies at the University of Basel (MLaw, Dr. iur.) and was admitted to the Bar in 2017. She holds a Master’s degree (LL.M.) from Boston University (2014).



© Published and reproduced with kind permission by Global Legal Group Ltd, London

Current titles in the ICLG series

Alternative Investment Funds

Anti-Money Laundering

Aviation Finance & Leasing

Aviation Law

Business Crime

Cartels & Leniency

Class & Group Actions

Competition Litigation

Construction & Engineering Law

Consumer Protection

Copyright

Corporate Governance

Corporate Immigration

Corporate Investigations

Corporate Tax

Cybersecurity

Data Protection

Derivatives

Designs

Digital Business

Digital Health

Drug & Medical Device Litigation

Employment & Labour Law

Enforcement of Foreign Judgments

Environment & Climate Change Law

Family Law

Fintech

Foreign Direct Investment Regimes

Franchise

Gambling

Insurance & Reinsurance

International Arbitration

Investor-State Arbitration

Lending & Secured Finance

Litigation & Dispute Resolution

Merger Control

Mergers & Acquisitions

Mining Law

Oil & Gas Regulation

Outsourcing

Patents

Pharmaceutical Advertising

Private Client

Private Equity

Product Liability

Project Finance

Public Investment Funds

Public Procurement

Real Estate

Renewable Energy

Restructuring & Insolvency

Sanctions

Securitisation

Shipping Law

Telecoms, Media & Internet

Trade Marks

Vertical Agreements and Dominant Firms

The International Comparative Legal Guides are published by:@ICLG_GLG

data protection 2020 - media.homburger.ch · initiatives to boost data business in japan takashi...

Documents