17 June 2019 – In its annual report 2018/2019, the Federal Data Protection and Information Commissioner (FDPIC) insists on the need to ensure that the data protection level in Switzerland is in line with our European neighbours. The report also outlines the recent actions and developments in relation to data protection as well as the FDPIC investigative activity, including the Helsana+ case (which led to a judgment of the Federal Administrative Court on 19 March 2019).

The FDPIC has released its 26^th annual report (2018/2019), as always divided into three parts: (1) Data Protection, (2) Freedom of Information and (3) The FDPIC.

The following comments of the FDPIC should be emphasized from the point of view of companies:

• According to the preliminary information available to the FDPIC, Swiss companies which process data on EU residents – in the EEA – have also been affected by the proceedings of data protection authorities in the EU in connection with the application of the GDPR.

• The expenditure on supervisory duties significantly declined in 2018. In the meantime, it has climbed back to the 2016/17 level, but is still below the long-term average for previous periods.

• The European Commission is currently reviewing the adequacy of Swiss data protection law in connection with the criteria listed in the GDPR. A respective report is expected in May 2020.

• The planned expansion of the automatic exchange of financial account information (AEOI) “presents problems” from a data protection perspective. None of the 18 additional proposed partner states with which the AEOI is to be implemented on a reciprocal basis have an adequate level of data protection. And this is to put it mildly: if one compares the brief references in the messages on the extensions of the AEOI network to the data protection laws of the recipients with the requirements of appropriateness under Art. 6 para. 1 FADP or the GDPR, a blatant contradiction in valuation becomes apparent.

The FDPIC's proceedings against the Federal Tax Administration (FTA) in connection with the AEOI (lack of information for persons not formally affected but whose names are to be openly transmitted to the foreign authority making the request) are still pending before the Federal Administrative Court.

The activity report also includes information on the following formal and informal investigations conducted by the FDPIC:

• Swiss International Air Lines. The FDPIC held discussions with Swiss to prevent any abuses after it was brought to the FDPIC’s attention that, by entering the last name, first name and booking number when logging into the ‘Swiss’ website, it was possible to retrieve a variety of personal data (first name, last name, date of birth, gender, nationality, place of residence, number and validity period of passport or ID card).

• Zentralstelle für Kreditinformation (ZEK). Loan applications and card applications which are rejected for reasons that bear no relation to the applicant’s creditworthiness or borrowing power must be erased from the database as soon as they are rejected. The FDPIC issued a recommendation to this effect to ZEK. ZEK accepted the FDPIC’s recommendation and will make the necessary changes. Otherwise, the FDPIC has found no data protection violations, allowing the FDPIC to conclude the proceedings without imposing any further measures.

• Swisscom. The FDPIC was able to conclude its investigation following the data theft case at Swisscom in December 2017 to review potential risks of consequential losses caused by the reported data theft without taking any formal measures.

• EOS. Following a data theft at collection firm EOS Schweiz, the FDPIC opened a case investigation to clarify the data protection aspects of the suspected data theft. Since EOS has replaced the affected system with a new one, the procedure was concluded without taking any action or making any formal recommendation.

• Tamedia. In July 2017, the online auction platform ricardo.ch, which shares its users’ data within the Tamedia group, changed its privacy statement. The FDPIC opened a formal procedure to investigate whether the consent contained in ricardo.ch's new data protection declaration was effective. Since then ricardo.ch has revised its privacy statement to coincide with the entry into force of the GDPR. The review of the revised data protection declaration is still in progress.

• Decathlon. The sporting goods retailer made sales of goods contingent on the disclosure of customer data (e-mail address or telephone number). After the investigation began, Decathlon told the FDPIC that it would not make the sale of goods contingent upon the provision of this data anymore but would only collect it on a voluntary basis. The FDPIC concluded however that the information provided to customers by Decathlon is inconsistent and may create the impression that the data is still required in order to purchase goods.

In the Helsana+ judgment of 19 March 2019, the Federal Administrative Court stated that data processing for an illegal purpose is only unlawful under the FADP if it violates a norm which at least also aims to protect the personal privacy. The FDPIC interprets this decision as follows: “The Federal Administrative Court aims to restrain the FDPIC to some extent with respect to its dynamic interpretation of the 1992 FADP regarding to digital applications". However, the considerations of the Federal Administrative Court are not limited to digital applications, which “reveals the limits of this ageing piece of legislation". Both parties, Helsana and the FDPIC, have not contested the judgment.

Many employers decide, for cost-related or organisational reasons, to have their employees’ personal data processed abroad. Employees' consent to the outsourcing of their personal data “is not normally required and would not, in fact, have any validity”. However, it is necessary to provide employees with comprehensive and transparent information. This is true, but it should be noted that unlike other FDPIC declarations, consent is usually not required for the processing of particularly sensitive personal data and personality profiles, which are often involved in outsourcing.