Chapter 1 (Art. 1 - 12) — General Provisions
Section 1: Data Security
- In order to guarantee an adequate level of data security, the controller and the processor must determine the extent to which personal data requires to be protected and adopt the technical and organisational measures that are appropriate to the risk.
- The extent to which personal data requires to be protected shall be assessed according to the following criteria:
  - a. the type of the data being processed;
  - b. the purpose, nature, extent and circumstances of the processing.
- The risk for the personality or fundamental rights of the data subject shall be assessed according to the following criteria:
  - a. the causes of the risk;
  - b. the main threats;
  - c. measures taken or planned to reduce the risk;
  - d. the probability and seriousness of a breach of data security despite the measures taken or planned.
- When determining the technical and organisational measures, the following criteria shall also be considered:
  - a. the state of the art;
  - b. the implementation costs.
- The extent to which personal data requires to be protected, the risk and the technical and organisational measures shall be reviewed throughout the period of processing. The measures shall be adjusted if necessary.
- The controller and the processor must take technical and organisational measures in order to ensure, depending on the level of protection required, that the data being processed:
  - a. are only accessible to authorised persons (confidentiality);
  - b. are available when they are required (availability);
  - c. are not altered without authorisation or unintentionally (integrity);
  - d. are processed in a traceable manner (traceability).
- In order to guarantee confidentiality, the controller and the processor must take appropriate measures to ensure that:
  - a. authorised persons only have access to those personal data that they require to fulfil their tasks (data access control);
  - b. only authorised persons have access to the premises and facilities in which personal data are processed (premises and facilities access control);
  - c. unauthorised persons are unable to use automated data processing systems by means of data transmission devices (user control).
- In order to guarantee availability and integrity, the controller and the processor must take appropriate measures to ensure that:
  - a. unauthorised persons are unable to read, copy, alter, move, delete or destroy data carriers (data carrier control);
  - b. unauthorised persons are unable to save, read, alter, delete or destroy stored personal data (storage control);
  - c. unauthorised persons are unable to read, copy, alter, delete or destroy personal data in the event of the disclosure of personal data or when data carriers are being transported (transport control);
  - d. the availability of personal data and access to them can be rapidly restored in the event of a physical or technical incident (restoration);
  - e. all functions of the automated data processing system are available (availability), malfunctions are reported (reliability) and stored personal data cannot be damaged by system malfunctions (data integrity);
  - f. operating systems and application software always meet the latest security standards and known critical vulnerabilities are resolved (system security).
- In order to guarantee traceability, the controller and the processor must take appropriate measures to ensure that:
  - a. it can be verified what personal data were entered or altered in the automated data processing system at what time and by which person (entry control);
  - b. it can be verified to whom personal data are disclosed with the aid of data transmission devices (disclosure control);
  - c. breaches of data security are recognised rapidly (recognition) and measures are taken to mitigate or eliminate the consequences (elimination).
- If a large volume of sensitive personal data is processed by automated means or if high-risk profiling is carried out and if preventive measures are unable to guarantee data protection, the private controller and its private processor must as a minimum log the storage, alteration, reading, disclosure, deletion and destruction of the data. A log file must in particular be kept if otherwise it would not be possible to establish whether the data has been processed for the purposes for which it was collected or disclosed.
- The responsible federal body and its processor shall in the case of automated processing of personal data log as a minimum the storage, alteration, reading, disclosure, deletion and destruction of the data.
- In the case of personal data that are generally accessible to the public, logs shall be kept as a minimum of the storage, alteration, deletion and destruction of the data.
- The log file must provide information about the identity of the person that carried out the processing, the form, date and time of processing, and, if applicable, the identity of the recipient of the data.
- The log files must be retained for at least one year and kept separate from the system in which the personal data are processed. They may only be made accessible to the bodies and persons that are required to review the application of the data protection regulations or to safeguard or restore the confidentiality, integrity, availability and traceability of the data, and may only be used for this purpose.
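The logging duties above can be turned into a concrete record format. The following Python is an added illustration and not part of the ordinance, which prescribes no file format: it models the six operations that must be logged as a minimum (with the reduced set for generally accessible data), validates that each entry carries the actor's identity, the form of processing, a timezone-aware date and time, and a recipient whenever data is disclosed, and computes the earliest moment an entry may be purged under the one-year retention rule. The JSON-lines layout, the `record_id` field and the SHA-256 hash chain (which makes later edits to the log detectable) are my own design choices; keeping the file on a separate system from the one processing the personal data is left to deployment.

```python
"""Illustrative processing log for the logging duties in the text above: the six
operations to log, the fields each entry must carry, one-year retention. The
ordinance fixes no file format; the JSON lines and the hash chain are my own
choices, the chain adding tamper evidence so the log's integrity can be checked."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Operation(str, Enum):
    """Forms of processing that must be logged as a minimum."""
    STORAGE = "storage"
    ALTERATION = "alteration"
    READING = "reading"
    DISCLOSURE = "disclosure"
    DELETION = "deletion"
    DESTRUCTION = "destruction"


# For generally accessible data, reading and disclosure need not be logged.
PUBLIC_DATA_OPERATIONS = frozenset({Operation.STORAGE, Operation.ALTERATION,
                                    Operation.DELETION, Operation.DESTRUCTION})


def requires_logging(operation: Operation, public_data: bool = False) -> bool:
    """Whether the minimum logging duty covers this operation."""
    return operation in (PUBLIC_DATA_OPERATIONS if public_data else frozenset(Operation))


@dataclass(frozen=True)
class LogEntry:
    actor: str                       # identity of the person processing the data
    operation: Operation             # form of processing
    timestamp: datetime              # date and time, timezone-aware
    record_id: str                   # which data set was touched (assumed field)
    recipient: Optional[str] = None  # identity of the recipient, for disclosures

    def validate(self) -> None:
        if not self.actor:
            raise ValueError("actor identity is required")
        if self.timestamp.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware")
        if self.operation is Operation.DISCLOSURE and not self.recipient:
            raise ValueError("disclosure entries must name the recipient")


class ProcessingLog:
    """Append-only, hash-chained JSON-lines log. In a real deployment the lines
    are shipped to a system separate from the one processing the personal data."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.lines: list[str] = []
        self._prev = self.GENESIS

    def append(self, entry: LogEntry) -> str:
        entry.validate()
        payload = {"actor": entry.actor, "operation": entry.operation.value,
                   "timestamp": entry.timestamp.isoformat(), "record_id": entry.record_id,
                   "recipient": entry.recipient, "prev": self._prev}
        line = json.dumps(payload, sort_keys=True)
        self._prev = hashlib.sha256(line.encode()).hexdigest()
        self.lines.append(line)
        return self._prev

    def verify_chain(self) -> bool:
        """Recompute the chain; any edited, dropped or reordered line breaks it."""
        prev = self.GENESIS
        for line in self.lines:
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line.encode()).hexdigest()
        return prev == self._prev


def retention_deadline(written_at: datetime) -> datetime:
    """Earliest moment an entry may be purged: one full year after it was written."""
    try:
        return written_at.replace(year=written_at.year + 1)
    except ValueError:  # written on 29 February: roll to 1 March of the next year
        return written_at.replace(year=written_at.year + 1, month=3, day=1)


def may_purge(written_at: datetime, now: datetime) -> bool:
    return now >= retention_deadline(written_at)


def demo() -> dict:
    """Constructed walk-through: two entries, a rejected entry, chain, tamper and retention checks."""
    log = ProcessingLog()
    written = datetime(2024, 2, 29, 10, 0, tzinfo=timezone.utc)  # constructed timestamp
    log.append(LogEntry("alice@example.org", Operation.READING, written, "subject-4711"))
    log.append(LogEntry("alice@example.org", Operation.DISCLOSURE,
                        written + timedelta(minutes=5), "subject-4711", recipient="partner-crm"))
    try:
        log.append(LogEntry("bob@example.org", Operation.DISCLOSURE, written, "subject-4711"))
        rejected = False
    except ValueError:
        rejected = True
    tampered = ProcessingLog()  # same lines, first operation rewritten after the fact
    tampered.lines = [line.replace("reading", "deletion") for line in log.lines]
    tampered._prev = log._prev
    return {
        "entries": len(log.lines),
        "chain_ok": log.verify_chain(),
        "tamper_detected": not tampered.verify_chain(),
        "disclosure_without_recipient_rejected": rejected,
        "deadline": retention_deadline(written).isoformat(),
        "purge_after_364_days": may_purge(written, written + timedelta(days=364)),
        "purge_after_366_days": may_purge(written, written + timedelta(days=366)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints the result of `demo()`. The retention helper deliberately uses calendar arithmetic rather than a fixed 365 days so that an entry written on 29 February is kept until 1 March of the following year, which is the conservative reading of "at least one year".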
- The private controller and its private processor must issue regulations on automated processing if they:
  - a. process a large volume of sensitive personal data; or
  - b. carry out high-risk profiling.
- The regulations must in particular include details of the internal organisational structure, data processing and control procedures and the measures that guarantee data security.
- The private controller and its private processor must update the regulations regularly. If a data protection officer has been appointed, the regulations must be made available to the officer.
- The responsible federal body and its processor must issue processing regulations for automated processing if they:
  - a. process sensitive personal data;
  - b. carry out profiling;
  - c. process personal data in accordance with Article 34 paragraph 2 letter c FADP;
  - d. allow cantons, foreign authorities, international organisations or private persons access to personal data;
  - e. link data collections with each other; or
  - f. operate an information system or manage data collections with other federal authorities.
- The regulations must in particular include details of the internal organisational structure, data processing and control procedures, and the measures that guarantee data security.
- The responsible federal body and its processor must update the regulations regularly and make them available to the data protection officer.
Section 2: Processing by Processors
- The prior approval from the controller that allows the processor to assign the data processing to a third party may be specific or general in its scope.
- In the case of general approval, the processor shall inform the controller of any plan to engage additional or replace existing third parties. The controller may object to such changes.
Section 3: Disclosure of Personal Data Abroad
- The States, territories, specified sectors in a State and international bodies that guarantee an adequate level of data protection are listed in Annex 1.
- When assessing whether a State, a territory, a specified sector in a State or an international body guarantees an adequate level of data protection, the following criteria in particular shall be considered:
  - a. the international obligations of the State or international body, in particular in relation to data protection;
  - b. whether it respects the rule of law and human rights;
  - c. the legislation applicable, in particular to data protection, its implementation and the relevant case law;
  - d. that data subjects’ rights and redress are effectively guaranteed;
  - e. the effective functioning of one or more independent authorities in the State concerned that are responsible for data protection or to which an international body is accountable and that have sufficient powers and responsibilities.
- The Federal Data Protection and Information Commissioner (FDPIC) shall be consulted in the course of each assessment. The assessments of international bodies or foreign authorities responsible for data protection may be taken into account.
- The adequacy of the data protection shall be reassessed periodically.
- The assessments shall be made public.
- If the assessment under paragraph 4 or other information show that an adequate level of data protection is no longer guaranteed, Annex 1 shall be amended; this shall have no effect on disclosures of data already carried out.
- The data protection clauses in an agreement under Article 16 paragraph 2 letter b FADP and the specific guarantees under Article 16 paragraph 2 letter c FADP must include at least the following points:
  - a. the requirement to apply the principles of legality, good faith, proportionality, transparency, purpose limitation and accuracy;
  - b. the categories of personal data disclosed and of data subjects;
  - c. the manner and purpose of the disclosure of personal data;
  - d. if applicable, the names of the countries or international organisations to which personal data is to be disclosed and the requirements for disclosure;
  - e. the requirements for safeguarding, deleting and destroying personal data;
  - f. the recipients or the categories of recipients;
  - g. the measures to guarantee data security;
  - h. the requirement to report breaches of data security;
  - i. if the recipients are controllers: the requirement to inform the data subjects about the processing;
  - j. the rights of data subjects, and in particular:
    - the right of access and the right to data portability,
    - the right to object to the disclosure of personal data,
    - the right to the correction, deletion or destruction of their data,
    - the right to request legal protection from an independent authority.
- The controller and, in the case of data protection clauses in an agreement, the processor must take appropriate measures to ensure that the recipient complies with these clauses or the specific guarantees.
- If the FDPIC is informed about the data protection clauses in an agreement or the specific guarantees, the duty to provide information is deemed fulfilled for all further disclosures that:
  - a. are made in accordance with the same data protection clauses or guarantees, provided the categories of recipients, purpose of processing and data categories essentially remain unchanged; or
  - b. take place within the same legal entity or company or between companies that belong to the same group of companies.
- If the controller or the processor discloses personal data abroad based on standard data protection clauses in accordance with Article 16 paragraph 2 letter d FADP, it shall take appropriate measures to ensure that the recipient complies therewith.
- The FDPIC shall publish a list of standard data protection clauses that it has approved, issued or recognised. It shall give notice of the result of its assessment of standard data protection clauses that have been submitted to it within 90 days.
- Binding corporate rules in accordance with Article 16 paragraph 2 letter e FADP apply to all undertakings that belong to the same group of undertakings.
- They shall include as a minimum the points mentioned in Article 9 paragraph 1 as well as the following information:
  - a. details of the organisational structure and the contact details for the group of undertakings and its members;
  - b. details of the measures taken within the group of undertakings to comply with the binding corporate rules.
- The FDPIC shall give notice of the result of its assessment of the binding corporate rules that have been submitted to it within 90 days.
- Personal data may be disclosed abroad if a code of conduct or certification guarantees an appropriate level of data protection.
- The code of conduct must be submitted beforehand to the FDPIC for approval.
- The code of conduct or certification must be combined with a binding and enforceable obligation for the controller or the processor in the third State to apply the measures contained therein.