The new harmonised EU General Data Protection Regulation entered into force on 24 May 2016 and must be applied from 24 May 2018 without any further transitional period. All companies operating in the EU, regardless of their place of business, are already subject to the legislation. Legal enforcement in Switzerland is already in progress. For us, this is a reason to examine the basic data protection regulation in more detail in a series of articles.
The four cornerstones of data protection
The cornerstones regarding data protection are (based on: Markus Schäffter, 2016, Verfahrensverzeichnis 2.0):
- Legality: purpose limitation and necessity
- Transparency: safeguarding the rights of data subjects
- Proportionality: risk-based measures
- Controllability: documented procedures
With regards to the lawfulness of the processing, three important principles in particular play a role.
Firstly, there is a prohibition subject to authority approval. In other words, any processing of personal data is prohibited for the time being. However, precisely defined exceptions (whitelists) allow processing. For most companies, this primarily includes the first two of the following conditions (Art. 6):
- The data subject has given their consent to the processing of their personal data for specific purposes. The word “specific” must be observed, i.e. consent in the form of a flexible general power does not fulfil this requirement.
- Processing is necessary for the performance of a contract where the data subject is either a party to the contract or the processing is carried out at the request of the data subject.
- The processing is intended to fulfil the legal obligations to which the controller is subject. This condition will primarily enable the processing to be carried out by public authorities and companies close to public authorities. This is also an important basis for the HR departments in companies.
- Processing is necessary to protect the vital interests of the data subject or another natural person.
- Public interest and the exercise of official authority by a person can be a legitimate reason for processing.
- Processing is necessary to safeguard legitimate interests, unless fundamental rights and freedoms outweigh the protection of the data subject (especially children).
Secondly: In the first part of this series of articles we have already touched on the issue of purpose limitation. The admissibility of a processing operation must be assessed for a specific purpose. The use of the same information for other purposes requires a re-examination of these conditions. If, for example, the first processing was based on the consent of the data subject, consent must be obtained again if further processing is for a new purpose.
Finally, the principle of necessity applies. This principle makes it impossible, for example, to carry out processing operations which are not directly necessary for the authorised purpose.
In practice, the consent of the person concerned is usually obtained in the General Terms and Conditions (GTC). By accepting the GTC, they also accept the processing of personal data (consent). Obtaining consent by accepting the GTC is also permissible under the new regulation. But: clauses in the General Terms and Conditions that are not easy to understand are not legal. Consent to data processing must be clear and formulated in simple language. Finally, the company must be able to prove at any time that the person in question has given their consent to the processing operation.
If their consent is not clearly evident, they have not given any consent. In this case, the data processor risks fines of up to 4% of his annual turnover.
Children and adolescents younger than 16 years cannot consent to the processing of their data. The consent of their parents or legal representatives is required.
Under transparency, we summarise a number of personal rights in connection with data protection.
The right to information and disclosure allows the data subject to know which personal data are processed and for what purpose.
The right of objection and rectification enables the data subject to have false information about them corrected. If, for example, they are classified as not creditworthy due to a debt enforcement case, but there is a confusion of names, they can demand that the data be corrected.
The data subject also has the right to be forgotten: the right to have the data relating to them deleted.
Finally, there is another aspect that is very interesting for us engineers: the right to data portability. This means that every data subject has the right to obtain an extract of all the data stored about them in a machine-readable format. This “detail” is likely to have a relatively large impact. In principle, for example, it enables a patient to build their personal electronic patient file with all examination and treatment data in machine-readable form by requesting the data from hospitals and doctors. In addition to the useful cases, it also gives companies plenty to keep themselves busy with until automation of such requests has been implemented.
Each company should appoint a data protection officer or (for larger companies) a data protection team. The requirements of the new basic regulation are complex and the tasks involved time-consuming.
If the data subject requests information, they must be informed within one month of, among other things, the following contents:
- whether personal data relating to them are processed,
- what the processing purposes are, and
- who the recipients or categories of recipients are.
Of course, this is assuming that it’s known where data about a person is stored and with what purpose.
A copy of the data that are the subject of processing must be given to the data subject free of charge. For all further copies requested by the data subject, the company may charge an appropriate fee (in practice approx. CHF 0.40 – 0.70 per A4 page).
The right to deletion (right to be forgotten) is limited. Check whether the conditions for deletion (Art. 17 EU-GDPR) are actually fulfilled.
Let’s start with the basic principle of data economy. On the one hand, only as little data as absolutely necessary should be processed; on the other hand, data must be stored and processed only as extensively as necessary. If the purpose can be fulfilled with average values instead of individual values, only average values are to be stored and processed. If it isn’t necessary to assign data to a specific person, the data must be anonymised or pseudonymised.
Privacy by Design or Privacy by Default requires that settings that affect data protection are set as restrictively as possible by default. If a social network, such as Facebook, has my birthday, it must not be displayed to visitors on my profile by default. However, I can explicitly allow the display afterwards.
The most pragmatic component of the basic data protection regulation, but also the one that generates the most legal uncertainty, is ultimately the risk-based need for protection. Personal data must be protected with proportionate measures. If the stored data is not very sensitive, this in principle allows for a more pragmatic, less time-consuming implementation of protective measures than if the data has great significance.
When considering risks, it should be taken into account that classic IT security risks must also be assessed. On the one hand: Which angles of attack exist? How are unauthorized data manipulations prevented? How can access to data and processing be prevented, tracked and audited?
In addition to this classic risk assessment, however, it is also necessary to protect the individual concerned personally. When assessing risks, it is therefore important to focus on and assess not only potential damage to the company but also damage to the individuals concerned. If information becomes accessible to unauthorised persons or even to the public: Will the person ever find a job again? Will an insurance company ever conclude a contract with them again? Is there a risk their spouse will leave them based on this information?
So there are points that aren’t considered in classic risk analyses. But there is another question that is almost of greater interest: How can personal damage be offset against the costs of protective measures? What are the relative costs of protecting the privacy of individuals?
For small and medium-sized enterprises, the requirements on proportionality are the sticking point of the new basic regulation: every enterprise must keep a register of the processing activities of data. This directory must contain at least
- The name and contact details of the person responsible;
- The purposes of the processing;
- A description of the categories of data subjects and the categories of personal data;
- The categories of recipients to whom the personal data have been disclosed.
In addition, any processing of personal data must be checked for possible risks (risk assessment). The risk assessment is carried out on the one hand from the perspective of the data subject (rights and freedoms) and on the other hand for the company itself (risk of consequences of breaches of data protection regulations). Based on the risks thus identified, suitable technical and organisational measures must be defined. Such measures may include, for example:
- Pseudonymisation and encryption of personal data;
- Ensure the confidentiality, integrity, availability and resilience of systems and services;
- Definition of a procedure for regularly reviewing, assessing and evaluating the effectiveness of technical and organisational measures.
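As an added example (not code from the article or its authors), the following Python script shows what the data-economy principle described earlier and the “pseudonymisation” measure listed above look like in practice: a record set is reduced to the fields the stated purpose needs, direct identifiers are replaced by a keyed pseudonym whose key is held separately from the data, and where averages suffice only averages are kept, with groups too small to hide an individual suppressed. The records, the key and all function names are constructed assumptions for the illustration.

```python
import hashlib
import hmac
import statistics

# Constructed sample records of a fictional shop (not real people). The raw
# data contains more than the purpose "average basket per city" requires.
RAW_RECORDS = [
    {"email": "anna@example.org", "name": "Anna Muster", "birth_year": 1984, "city": "Bern", "basket_chf": 120.50},
    {"email": "beat@example.org", "name": "Beat Beispiel", "birth_year": 1990, "city": "Bern", "basket_chf": 80.00},
    {"email": "carla@example.org", "name": "Carla Test", "birth_year": 1975, "city": "Zürich", "basket_chf": 60.00},
    {"email": "dario@example.org", "name": "Dario Demo", "birth_year": 2001, "city": "Zürich", "basket_chf": 90.00},
    {"email": "eva@example.org", "name": "Eva Probe", "birth_year": 1968, "city": "Luzern", "basket_chf": 50.00},
]

# Placeholder key (constructed). In practice the key lives in a key store
# separate from the pseudonymised data; without it the token is not
# attributable to a person, which is what distinguishes it from a plain hash.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-use"


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of a normalised identifier.

    The same person always maps to the same token, so records can still be
    linked for the purpose, but the token cannot be recomputed or reversed
    without the separately held key.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def minimise(record: dict, allowed_fields: tuple) -> dict:
    """Keep only the fields the processing purpose actually needs."""
    return {field: record[field] for field in allowed_fields}


def pseudonymised_dataset(records, allowed_fields=("city", "basket_chf")):
    """Data set handed to the processing: no name, no e-mail, no birth year,
    just the purpose-relevant fields plus a pseudonym as the link key."""
    rows = []
    for record in records:
        row = minimise(record, allowed_fields)
        row["customer_id"] = pseudonymise(record["email"])
        rows.append(row)
    return rows


def average_basket_by_city(records, min_group: int = 2) -> dict:
    """If the purpose is served by averages, store only averages.

    A group with fewer than `min_group` members is dropped, because an
    "average" over a single person is just that person's value again.
    """
    by_city = {}
    for record in records:
        by_city.setdefault(record["city"], []).append(record["basket_chf"])
    return {
        city: round(statistics.mean(values), 2)
        for city, values in by_city.items()
        if len(values) >= min_group
    }


if __name__ == "__main__":
    for row in pseudonymised_dataset(RAW_RECORDS):
        print(row)
    print(average_basket_by_city(RAW_RECORDS))
```

Note the two distinct reductions: `pseudonymised_dataset` still allows per-customer processing but without direct identifiers, while `average_basket_by_city` removes the individual level altogether; the text's rule is to choose the second whenever the purpose permits it.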
The last cornerstone of data protection, and the one that tends to be the easiest to implement (although not the most cost-effective), is controllability. This requires clear agreements and documented procedures, and above all comprehensible reasoning, especially with regard to the risk analysis discussed above. It is therefore important to retain the considerations that led to a particular damage assessment, and not only the final result of a risk analysis.
Our series of articles on the subject
- In the lead-in article, we drew attention to the need for action.
- In the first part of the series, we introduced the various actors and set the framework.
- In this part 2 we examine the principles of data protection based on four pillars.
- Part 3 explains the special requirements for the processing of special categories of personal data and profiling, which is regarded as particularly critical.
- In Part 4, we highlight legally privileged, desired processing methods.
- The last part of the series concludes with a framework for the pragmatic and appropriate implementation of data protection in your IT projects.
About the authors
Stefan Haller is an IT expert specializing in risk management, information security and data protection at linkyard. He supports companies and authorities with risk analysis in projects, the conception and implementation of compliance requirements in software solutions as well as with the creation of IT security and authorization concepts.
He holds a certification in Risk Management and has carried out numerous security audits on the basis of the ISO 27001 standard as an internal auditor for more than 10 years.
Do you have any questions regarding implementation in your company? Contact: firstname.lastname@example.org | +41 78 746 51 16
Benjamin Domenig works as a business lawyer in Bern. He is an expert in the legal fields of information technology, telecommunications and data protection law and is active both as a litigator and as an advisor. In addition to established telecommunications companies, he advises SMEs and supports start-ups. Should you have any questions on these or other legal topics, please contact us without obligation at: email@example.com | +41 79 510 24 12