Federal Data Protection and Information Commissioner deems consulting for major digital projects to limit his capacity to exercise his supervisory activities

22 July 2020 – In his annual report 2019/2020, the Federal Data Protection and Information Commissioner (FDPIC) deems consulting for major digital projects to limit his capacity to exercise his supervisory activities. The report also outlines the FDPIC’s recent actions and investigative activities as well as his future priorities.

In his 27th annual report 2019/2020 (Report), the FDPIC identifies future focus areas and gives an overview of his activities and assessments in the past year.

  • Upon a consultancy request by PostFinance AG, the FDPIC recommended obtaining the customer’s explicit consent for the use of voice recognition to identify individuals calling customer support. PostFinance declined to do so on the basis that the current Swiss Data Protection Act (DPA) does not expressly qualify biometric data as sensitive data. In the Report, the FDPIC expresses his concern about the growing practice of companies processing biometric data. We would thus not be surprised to see additional scrutiny by the FDPIC in this regard.
  • The FDPIC assessed a retailer’s analysis of transactional consumer data for strategy purposes (planning and statistics) to be legitimate based on the retailer’s overriding interests. The payment service provider is however required to obtain the consumer’s consent for sharing the data for such purposes.
  • With regard to an employee tracking and time recording app, the FDPIC started investigations with a focus on data security, transfer and transparency. The FDPIC intends to continue to carefully monitor employment apps.
  • Switzerland formally signed Convention 108 at the end of 2019. Accession to the convention is highly relevant to the adequacy decision of the European Commission which, if confirmed, will continue to facilitate data transfers to the European Union for Swiss businesses.
  • In September 2019, the FDPIC’s review of the Swiss-US Privacy Shield identified weaknesses and improvements. The FDPIC has now confirmed his intention (stated in the Report) to analyse the implications of the Schrems II judgement on the Swiss-US Privacy Shield.
  • The supervision of businesses accounted for less than 10% of the FDPIC’s overall activities in the Report period. The FDPIC identifies his limited resources and consulting for major digital projects (e.g. Facebook Libra) as the main reasons for his limited supervisory activities. Yet, the FDPIC’s staff will be increased by 10 positions once the revised DPA (revDPA) enters into force. The FDPIC further hopes that the revDPA will enter into force by the beginning of 2022 at the latest.