The new, harmonised EU General Data Protection Regulation (GDPR) came into force on 24 May 2016 and is to be applied from 24 May 2018 without any further transitional period. For us, this is a reason to examine the GDPR in more detail in a series of articles.
The four cornerstones of data protection
The cornerstones of data protection are (based on Markus Schäffter, 2016, Verfahrensverzeichnis 2.0):
- Legality: purpose limitation and necessity
- Transparency: respect for the rights of data subjects
- Proportionality: risk-based measures
- Controllability: documented procedures
With regard to the lawfulness of processing, three important principles in particular play a role.
Firstly, a prohibition subject to authorisation applies. In other words, any processing of personal data is prohibited in principle, and only precisely defined exceptions (a whitelist) permit it. For most companies, the first two of the following conditions (Art. 6) are the relevant ones:
- The data subject has given his/her consent to the processing of personal data relating to him/her for specific purposes. Note the word specific: consent given by way of a vague, open-ended blanket authorisation does not meet this requirement.
- The processing is necessary for the performance of a contract, in which case the data subject is either a party to the contract or the processing is carried out at the request of the data subject.
- The processing serves to fulfil legal obligations to which the controller is subject. This condition will primarily enable authorities and companies close to authorities to carry out processing. It is also an important basis for HR departments in companies.
- The processing is necessary to protect the vital interests of the data subject or of another natural person.
- The processing is necessary for a task carried out in the public interest or in the exercise of official authority.
- The processing is necessary to safeguard legitimate interests, unless the fundamental rights and freedoms of the data subject outweigh those interests (especially where children are concerned).
Secondly, purpose limitation, which we already touched on in the first part of this series. The admissibility of a processing operation must be assessed in each case for a specific purpose. Using the same information for another purpose requires a renewed examination of these conditions. For example, if the first processing operation was based on the consent of the data subject, consent must be obtained again if further processing operations serve a new purpose.
And last but not least, the principle of necessity applies. This principle rules out, for example, processing operations that are not directly necessary for the authorised purpose.
In practice, the consent of the data subject is usually obtained in the General Terms and Conditions (GTC). By accepting the GTC, the data subject therefore also accepts the processing of personal data (consent). Obtaining consent by accepting the GTC is also permissible under the GDPR. But: convoluted, hard-to-understand clauses in the GTC are not valid. Consent for data processing must be formulated clearly and in simple language. Finally, the company must be able to prove at any time that the data subject has given his or her consent to the processing operation.
If consent is not clearly apparent to the data subject, he or she has not given consent. In this case, the company processing the data risks fines of up to 4 percent of its annual turnover.
Children and young people under the age of 16 cannot give their consent to the processing of their data. The consent of their parents or legal representatives is required in this case.
Under the heading of transparency we summarise a number of personal rights related to data protection.
The right to information and disclosure allows the data subject to know what personal data is being processed and for what purpose.
The right of objection and rectification enables the data subject to have incorrect information about him or her corrected. For example, if he or she is classified as not creditworthy because of a debt collection case, but the case results from a mix-up of names, the data subject can request that the data be corrected.
Furthermore, data subjects have the right to be forgotten. The data subject therefore has the right to have his or her personal data deleted.
Finally, there is the right to data portability, which is of great interest to us technicians. Every data subject has the right to receive an extract of all the data stored about him/her in a machine-readable format. This "detail" is likely to have a considerable impact. For example, it enables a data subject in principle to build up his or her own electronic patient file with all examination and treatment data in machine-readable form by requesting the data in this form from hospitals and doctors. Besides such useful applications, it also offers ample opportunity to keep companies busy until an automated process for it has been implemented.
Every company should appoint a data protection officer or (for larger companies) a data protection team. The requirements of the GDPR are complex and the tasks involved are time-consuming.
If the data subject requests information, the following, among other things, must be provided within one month:
- whether personal data concerning them are processed,
- what the processing purposes are, and
- who the recipients or categories of recipients are.
Of course, this presupposes that it is known which systems store what data about a person, and what that data means.
A copy of the data being processed must be given to the data subject free of charge. For all other copies requested by the data subject, the company may charge a reasonable fee (in practice, approximately CHF 0.40 – 0.70 per A4 page).
The right to deletion (right to be forgotten) is limited. Check whether the conditions for deletion (Art. 17 EU-DSGVO) are actually met.
Let us start with the basic principle of data economy. On the one hand, only as much data as is necessary for the purpose of processing is to be processed. On the other hand, the data is to be stored and processed only in as much detail as necessary. If the purpose can be fulfilled using average values for a period instead of individual measurements, only the average values are to be stored and processed. If it is not necessary to clearly assign the data to a specific person, the data shall be anonymised or pseudonymised.
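As an added example (not from the original article), the following Python script applies data economy to a constructed set of smart-meter readings: customer identifiers are replaced by keyed pseudonyms (one HMAC key per processing purpose, held by a separate role and never stored alongside the data) and the individual readings are reduced to the daily averages that the assumed billing-statistics purpose needs. The customer IDs, readings and key are constructed sample values.

```python
"""Data economy on a constructed smart-meter data set (added example)."""
import hmac
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed sample input: (customer_id, ISO timestamp, kWh) readings
# for two fictitious customers. Raw readings identify a household directly.
READINGS = [
    ("cust-1001", "2018-05-25T00:00", 0.30),
    ("cust-1001", "2018-05-25T00:15", 0.50),
    ("cust-1001", "2018-05-26T00:00", 0.70),
    ("cust-2002", "2018-05-25T00:00", 1.10),
    ("cust-2002", "2018-05-25T00:15", 0.90),
]

# Assumed: one key per processing purpose. A second purpose gets its own key,
# so data sets produced for different purposes cannot be joined (purpose limitation).
KEY_BILLING_STATS = b"constructed-demo-key-billing-stats"


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated): stable for the same identifier
    and key, not invertible without the key, unlinkable across different keys.
    Pseudonymised data is still personal data; only the key holder can re-identify."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(readings, key: bytes) -> dict:
    """Replace identifiers by pseudonyms and individual readings by per-day averages.

    Returns {(pseudonym, 'YYYY-MM-DD'): average_kwh}. The raw readings are not
    part of the result and would be deleted once the purpose no longer needs them.
    """
    sums = defaultdict(lambda: [0.0, 0])
    for customer, ts, kwh in readings:
        day = datetime.fromisoformat(ts).date().isoformat()
        acc = sums[(pseudonymise(customer, key), day)]
        acc[0] += kwh
        acc[1] += 1
    return {k: round(total / n, 3) for k, (total, n) in sums.items()}


if __name__ == "__main__":
    for (pid, day), avg in sorted(minimise(READINGS, KEY_BILLING_STATS).items()):
        print(f"{pid} {day} avg={avg} kWh")
```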
Privacy by Design or Privacy by Default requires that settings affecting data protection are set as restrictively as possible by default. If a social network such as Facebook lists my birthday, it may not be displayed to visitors on my profile by default. However, I can explicitly allow it to be displayed afterwards.
Finally, the most pragmatic component of the GDPR, but also the one that generates the most legal uncertainty, is the risk-based protection requirement. Personal data must be protected with proportionate measures. If the stored data is not very sensitive, this allows in principle for a more pragmatic, less costly implementation of protective measures than for data whose exposure would have far-reaching consequences.
In the context of risk considerations, it should be noted that, on the one hand, classic IT security risks must be assessed: What are the points of attack? How are unauthorised data manipulations prevented? How can access to data and processing be prevented, tracked and audited?
In addition to this classic risk assessment, however, the individual data subject must also be protected personally. When assessing the risks, therefore, it is not only the damage that a materialising risk may cause to the company that must be assessed. The question must also be asked as to what damage may arise for the respective data subjects. If information becomes accessible to unauthorised persons or even public: will the person ever find a job again? Will an insurance company ever conclude a contract with him or her again? Is there a risk that a spouse will leave him or her because of this information?
This raises questions that cannot be answered in classic risk analyses. But a follow-up question is almost more interesting: how should the personal damage be weighed against the costs of protective measures? What costs are proportionate to the protection of the privacy of individuals?
For small and medium-sized enterprises, the proportionality requirement is the sticking point of the GDPR: each enterprise must keep a register of data processing activities. This register contains at least:
- the name and contact details of the person responsible;
- the purposes of the processing;
- a description of the categories of data subjects and the categories of personal data;
- the categories of recipients to whom the personal data have been disclosed.
In turn, any processing of personal data must be examined for possible risks (risk assessment). The risk assessment is carried out from the perspective of the data subject (rights and freedoms) but also from the perspective of the company itself (risk of consequences of violations of data protection regulations). Based on the risks thus identified, suitable technical and organisational measures must be determined. Possible measures include, for example:
- pseudonymisation and encryption of personal data;
- ensuring the confidentiality, integrity, availability and resilience of systems and services;
- definition of a procedure for regular monitoring, assessment and evaluation of the effectiveness of the technical and organisational measures.
The last and generally easiest – though not the cheapest – cornerstone of data protection to implement is control. This requires clear agreements, documented procedures and, in particular, comprehensible trade-offs, especially with regard to the risk analysis discussed in detail above. Accordingly, not only the final result of a risk analysis should be kept, but also the considerations which, for example, led to a certain damage assessment.
Our series of articles on the topic
- In the lead-in article we drew attention to the need for action.
- In part 1 of the series we introduce the different actors and set the framework.
- In part 2, we examine the principles of data protection based on four pillars.
- Part 3 explained the specific requirements for processing special categories of personal data and for profiling, which is considered particularly critical.
- Part 4 examines legally privileged, desirable processing methods.
- Part 5 of the series concludes with a framework for the pragmatic and appropriate implementation of data protection in your IT project.
About the authors
Stefan Haller is an IT expert specialized in risk management, information security and data protection at linkyard. He supports companies and public authorities in risk analysis in projects, the design and implementation of compliance requirements in software solutions as well as in the creation of IT security and authorization concepts.
He is certified in risk management and has carried out numerous security audits based on the ISO standard 27001 as an internal auditor for more than 10 years.
Do you have any questions about the implementation in your company? Please contact: email@example.com | +41 78 746 51 16
Benjamin Domenig works as a business lawyer in Bern. He is an expert in the legal fields of information technology, telecommunications and data protection law and is active both in litigation and in an advisory capacity. In addition to established telecommunications companies, he advises SMEs and accompanies start-ups. Should you have any questions on these or other legal topics, please contact us without obligation: firstname.lastname@example.org | +41 79 510 24 12