SWISS DATA PROTECTION LAW AND
PERSONAL DATA SECURITY MEASURES.
UNAWARE DATA BREACHES BY
EMPLOYEES AND COMPANY’S
MONITORING INTERNAL PROCEDURES IN
COMPLIANCE WITH THE PRIVACY LAW.
Zurich – 6 November 2013
Prof. Avv. Alessandro del Ninno
[email protected]
www.alessandrodelninno.it
SWISS CONFEDERATION PRIVACY RULES
The processing of personal data in the Swiss
Confederation is mainly regulated by the Federal Act
on Data Protection of 19 June 1992 ("FADP") and its
ordinances, i.e. the Ordinance to the Federal Act on
Data Protection ("DPO") and the Ordinance on Data
Protection Certification ("ODPC").
In addition, the processing of personal data is further
restricted by provisions in other laws, mainly with
regard to the public sector and regulated markets.
FEDERAL ACT ON DATA PROTECTION OF 19
JUNE 1992 (STATUS AS OF 1 JANUARY 2011)
The Act protects the privacy and fundamental rights of
persons whose data is processed. It applies to the
processing of data pertaining to natural persons and
legal persons by private persons and by federal bodies.
a. personal data (data): all information relating to an
identified or identifiable person;
b. data subjects: natural or legal persons whose data is
processed;
c. sensitive personal data: data on:
1. religious, ideological, political or trade union-related views
or activities
2. health, the intimate sphere or racial origin
3. social security measures
4. administrative or criminal proceedings and sanctions
d. personality profile: a collection of data that permits an
assessment of essential characteristics of the personality
of a natural person;
e. processing: any operation with personal data,
irrespective of the means applied and the procedure, and
in particular the collection, storage, use, revision,
disclosure, archiving or destruction of data;
f. disclosure: making personal data accessible, for
example by permitting access, transmission or publication;
g. data file: any set of personal data that is structured in
such a way that the data can be retrieved by data subject;
h. federal bodies: federal authorities and services as well
as persons who are entrusted with federal public tasks;
i. controller of the data file: private persons or federal
bodies that decide on the purpose and content of a data
file.
FEDERAL ACT ON DATA PROTECTION:
COLLECTING AND PROCESSING DATA –
GENERAL PRINCIPLES
The following principles apply to the collection and
processing of personal data (including data of legal
entities):
• personal data may only be processed lawfully, in good
faith and according to the principle of proportionality;
• the collection of personal data and, in particular, the
purpose of its processing must be evident to the data
subject;
• personal data should only be processed for a purpose
that is indicated or agreed at the time of collection, evident
from the circumstances at the time of collection, or
provided for by law;
• the data controller and any processor must ensure that
the data processed is accurate;
• personal data must not be transferred abroad if the
privacy of the data subject may be seriously endangered;
• personal data must be protected from unauthorised
processing by appropriate technical and organisational
measures;
• personal data must not be processed against the explicit
will of the data subject, unless this is justified by:
- the consent of the data subject (which must be given
voluntarily and based upon adequate information);
- an overriding private or public interest; or
- law.
• sensitive personal data or personality profiles must not be
disclosed to a third party, unless this is justified by:
- the consent of the data subject (which must be given
expressly, in addition to the voluntariness and adequate
information requirements);
- an overriding private or public interest; or
- law.
FEDERAL ACT ON DATA PROTECTION:
REGISTRATION OR NOTIFICATION TO THE
FEDERAL DATA PROTECTION AND
INFORMATION COMMISSIONER ("FDPIC")
Private persons do not usually have to notify or register
their processing of personal data.
However, private persons must register their data files
before the data files are opened, if:
• they regularly process sensitive personal data or
personality profiles; or
• they regularly disclose personal data to third parties;
and unless an exemption applies (for example because
the data controller has designated a data protection
officer who independently monitors internal compliance
with data protection regulations and maintains a list of
the data files, or because the data controller has
acquired a data protection quality mark under a
certification procedure).
FEDERAL ACT ON DATA PROTECTION: DATA
PROTECTION OFFICERS
There is no requirement under Swiss data protection law
to appoint a data protection officer.
However, a data controller can be dispensed from
registering its data files if it has designated a data
protection officer who:
• carries out his/her duties autonomously and
independently, i.e. without being subject to instructions;
• has a level of expertise that is appropriate for the
relevant data processing at the company (it is irrelevant
whether that expertise was acquired in Switzerland);
• must check and audit the processing of personal data
within the company;
• must be in a position to recommend corrective measures
when detecting any breaches of applicable data protection
rules;
• must have access to all data files and all data processing
within the company as well as to all other information that
he/she requires to fulfill his/her duties;
• must maintain records of all data files controlled by the
company and provide this list to the FDPIC or affected
data subjects upon request;
• may not carry out any other activities that are
incompatible with his/her duties as data protection officer.
The data controller must notify the FDPIC of the
appointment of a data protection officer to be listed on the
public list of companies exempted from the requirement to
register their data files.
ORDINANCE TO THE FEDERAL ACT ON DATA
PROTECTION: SECURITY MEASURES AND
PROCEDURES
The data controller and any processor must take adequate
technical and organisational measures to protect personal
data against unauthorised processing and ensure its
confidentiality, availability and integrity.
In particular, personal data shall be protected against the
following risks:
• unauthorised or accidental destruction;
• accidental loss;
• technical errors;
• forgery, theft or unlawful use; and
• unauthorised altering, copying, accessing or other
unauthorised processing.
The technical and organisational measures must be
appropriate, in particular with regard to:
1. the purposes of the data processing;
2. the scope and manner of the data processing;
3. the risks for the data subjects; and
4. the current technological standards.
The technical and organisational measures must be
periodically reviewed.
ORDINANCE TO THE FEDERAL ACT ON DATA
PROTECTION: SPECIAL SECURITY MEASURES
AND PROCEDURES WITHIN THE COMPANY
The controller of the data file shall, in particular for the
automated processing of personal data, take the technical
and organisational measures that are suitable for
achieving the following goals in particular:
a. entrance control: unauthorised persons must be denied
the access to facilities in which personal data is being
processed;
b. personal data carrier control: unauthorised persons
must be prevented from reading, copying, altering or
removing data carriers;
c. transport control: on the disclosure of personal data as
well as during the transport of data carriers, the
unauthorised reading, copying, alteration or deletion of
data must be prevented;
d. disclosure control: data recipients to whom personal
data is disclosed by means of devices for data
transmission must be identifiable;
e. storage control: unauthorised storage in the memory as
well as the unauthorised knowledge, alteration or deletion
of stored personal data must be prevented;
f. usage control: the use by unauthorised persons of
automated data processing systems by means of devices
for data transmission must be prevented;
g. access control: access by authorised persons must be
limited to the personal data that they require to fulfil
their task;
h. input control: in automated systems, it must be possible
to carry out a retrospective examination of what personal
data was entered at what time and by which person.
The Records
The controller of the data file shall maintain a record of the
automated processing of sensitive personal data or
personality profiles if preventive measures cannot ensure
data protection. Records are necessary in particular if it
would not otherwise be possible to determine
subsequently whether data has been processed for the
purposes for which it was collected or disclosed. The
Commissioner may also recommend that records be
maintained of other processing.
The records must be stored for one year in a state
suitable for auditing.
They are accessible only to those bodies or
private persons whose duty it is to supervise
compliance with the data protection regulations,
and may be used only for this purpose.
The processing policy document
The controller of an automated data file who regularly
processes sensitive personal data or personality profiles, or
who regularly discloses personal data to third parties, must
issue a processing policy that describes in particular the
internal organisation and the data processing and control
procedures, and that contains documents on the planning,
realisation and operation of the data file and the
information technology used.
The Certification procedure
According to art. 11 of the FADP, in order to improve data
protection and data security, the manufacturers of data
processing systems or programs as well as private persons
or federal bodies that process personal data may submit their
systems, procedures and organisation for evaluation by
recognised independent certification organisations.
The rules on the recognition of certification procedures and
on the introduction of a data protection quality label are set
forth in the Ordinance on Data Protection Certification
("ODPC").
Art. 5 FADP - Correctness of the data
Anyone who processes personal data must make certain that
it is correct. He must take all reasonable measures to ensure
that data that is incorrect or incomplete in view of the purpose
of its collection is either corrected or destroyed.
This article is linked with the critical issue of unintentional
breaches by employees.
THE FEDERAL ACT ON DATA PROTECTION
Breaches of privacy
Anyone who processes personal data must not unlawfully
breach the privacy of the data subjects in doing so.
In particular, he must not:
a. process personal data in contravention of the principles of
Articles 4, 5 paragraph 1 and 7 paragraph 1;
b. process data pertaining to a person against that person's
express wish without justification;
c. disclose sensitive personal data or personality profiles to third
parties without justification.
Normally there is no breach of privacy if the data subject has
made the data generally accessible and has not expressly
prohibited its processing.
Justification
A breach of privacy is unlawful unless it is justified by the
consent of the injured party, by an overriding private or public
interest or by law.
An overriding interest of the person processing the data shall in
particular be considered if that person (among others):
a. processes personal data in direct connection with the
conclusion or the performance of a contract and the personal
data is that of a contractual party;
b. is or intends to be in commercial competition with another
and for this purpose processes personal data without disclosing
the data to third parties;
c. processes data that is neither sensitive personal data nor a
personality profile in order to verify the creditworthiness of
another, and discloses such data to third parties only if the data
is required for the conclusion or the performance of a contract
with the data subject;
d. collects data on a person of public interest, provided the data
relates to the public activities of that person.
Processing of personal data by third parties
The processing of personal data may be assigned to third
parties by agreement or by law if:
a. the data is processed only in the manner permitted for the
instructing party itself; and
b. it is not prohibited by a statutory or contractual duty of
confidentiality.
The instructing party must in particular ensure that the third
party guarantees data security.
Third parties may claim the same justification as the instructing
party.
Monitoring employees' personal data and emails
Section 328 of the Code of Obligations establishes the
general conditions for workplace monitoring.
The Federal Data Protection and Information Commissioner
has issued a number of statements that appear to make the
monitoring of email difficult, if not illegal.
In any case, the guidance documents issued by the
Commissioner do not specifically state that monitoring in
the workplace is illegal.
Instead, the Commissioner has identified a number of measures
that would be considered illegal and thus should be avoided by
employers. Employers should have in place clear policies that
set forth the proper uses of networks, email, Internet and other
electronic communications media. If monitoring is to take place,
the employer should set forth the specific basis for monitoring,
explain how and when monitoring will take place, and provide
information sufficient to enable the employee to understand his
or her rights of access, etc. Where feasible, the employer
should obtain the employee's specific consent to monitoring.
Monitoring should be tailored to target specific violations of
policy, and where possible the employee should be given
immediate notice of suspected violations.
THANKS FOR YOUR ATTENTION !