The four cornerstones of the new data protection law
The new, harmonised EU General Data Protection Regulation (GDPR) entered into force on 24 May 2016 and applies from 25 May 2018 without any further transition period. That is reason enough for us to take a closer look at the GDPR in a series of articles.
The four cornerstones of data protection
The cornerstones of data protection are (based on Markus Schäffter, 2016, "list of procedures 2.0"):
- legality: Purpose and necessity
- transparency: Safeguarding the rights of data subjects
- proportionality: Risk-based measures
- controllability: Documented procedures
Legality
With regard to the lawfulness of processing, three principles in particular matter. First, the prohibition with reservation of permission: any processing of personal data is in principle prohibited, and only precisely defined exceptions (a whitelist) permit it. For most companies the first two of the following conditions (Art. 6(1)) are the relevant ones:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes. Note the word specific: consent in the form of a vague, open-ended blanket authorisation does not meet this requirement.
- Processing is necessary for the performance of a contract to which the data subject is party, or for steps taken at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject. This condition is the main basis for processing by public authorities and government-related companies; it is also an important basis for HR departments.
- Processing is necessary to protect the vital interests of the data subject or another natural person.
- Processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the legitimate interests of the controller or a third party, unless these are overridden by the interests or fundamental rights and freedoms of the data subject (in particular where the data subject is a child).
Second, purpose limitation, which we already touched on in the first part of this series. The admissibility of processing must be assessed for a specific purpose in each case. Using the same data for another purpose requires the assessment to be repeated: if the initial processing was based on the data subject's consent, for example, consent must be obtained again when further processing serves a new purpose. Third, the principle of necessity, which rules out, for example, processing that is not directly necessary for the approved purpose.
Practical tips
In practice, the consent of the data subject is usually obtained in the General Terms and Conditions (GTC): by accepting the terms and conditions, the data subject also accepts the processing of personal data. Obtaining consent through acceptance of the terms and conditions remains permitted under the new Regulation. But convoluted, hard-to-understand clauses buried in the terms and conditions are not valid consent: the request for consent must be clearly distinguishable from the other matters and formulated in clear and plain language (Art. 7(2)). The company must also be able to demonstrate at any time that the data subject has consented to the processing (Art. 7(1)). If the consent was not clear to the data subject, no consent has been given, and the controller risks fines of up to 4 percent of its total worldwide annual turnover or EUR 20 million, whichever is higher (Art. 83(5)). Children under 16 cannot themselves consent to the processing of their data in relation to online services offered directly to them; the consent of a parent or legal representative is required (Art. 8; member states may lower the age limit to no less than 13).
Transparency
Under the heading of transparency we summarise a number of personal rights related to data protection. The right of access (Art. 15) allows the data subject to learn which personal data about them is being processed and for what purpose. The right to rectification (Art. 16) and the right to object (Art. 21) enable the data subject to have incorrect information about them corrected. If, for example, a person is regarded as not creditworthy because of a debt collection case, but the case concerns someone else with the same name, the person may demand that the data be corrected. Furthermore, data subjects have the right to erasure, the "right to be forgotten" (Art. 17): the data subject can demand that their personal data be deleted. Finally, there is a right that is very interesting for us technicians, the right to data portability (Art. 20): every data subject has the right to receive the personal data they have provided to the controller in a structured, commonly used and machine-readable format. This "detail" is likely to have a considerable impact. It basically enables a person to assemble their own electronic patient record with examination and treatment data in machine-readable form by requesting the data in this form from hospitals and doctors (to the extent the data falls under Art. 20, i.e. was provided by the patient and is processed on the basis of consent or contract by automated means). Beyond such useful use cases, it also gives companies plenty to do until an automated export process is in place.
Practical tips
Every company should appoint a data protection officer or, for larger companies, a data protection team; for public authorities and for companies whose core activities involve large-scale monitoring or special categories of data this is mandatory (Art. 37). The requirements of the new Regulation are complex and the tasks involved are time-consuming. If a data subject requests access, the following information must be provided within one month (extendable by two further months for complex or numerous requests, Art. 12(3)):
- whether personal data concerning them is processed,
- What are the processing purposes and
- Who the recipients or categories of recipients are.
This of course requires knowing in the first place which systems hold which data about a person and what that data means. A copy of the personal data undergoing processing must be provided to the data subject free of charge. For any further copies requested by the data subject, the company may charge a reasonable fee based on administrative costs (in practice approx. CHF 0.40 to 0.70 per A4 page). The right to erasure (right to be forgotten) is not absolute: check whether the conditions for erasure (Art. 17 GDPR) are actually met, and whether one of the exceptions in Art. 17(3) applies.
Proportionality
Let us start with the basic principle of data minimisation (Art. 5(1)(c)). On the one hand, only as much data may be processed as is necessary for the purpose of the processing. On the other hand, the data may only be stored and processed in as much detail as is necessary. If the purpose can be fulfilled with average values over a period instead of individual measurement values, only the average values may be stored and processed. If it is not necessary to attribute the data unambiguously to a specific person, the data must be anonymised or pseudonymised.
Privacy by design and privacy by default (Art. 25) require that settings with an impact on data protection are set as restrictively as possible by default. If I tell a social network such as Facebook my birthday, it must not be shown to visitors of my profile by default; I can explicitly allow it to be displayed afterwards.
Finally, the most pragmatic component of the GDPR, but also the one that creates the most legal uncertainty, is the risk-based approach to protection requirements. Personal data must be protected with proportionate measures. If what is stored is less sensitive, this in principle allows a more pragmatic, less complex implementation of protective measures than for large-scale processing or sensitive data. When considering risk, the classic IT security risks must be assessed on the one hand: What attack surface exists? How is unauthorised manipulation of data prevented? How is access to data and processing prevented, traced and audited? In addition to this classic risk assessment, however, the individual data subject must also be protected personally. When assessing risks it is therefore not enough to assess the damage a materialised risk causes to the company; the question must also be asked what damage can occur to the persons concerned.
If information becomes available to unauthorised persons, or even becomes public: Will the person ever find a job again afterwards? Will an insurance company ever sign a contract with them again? Is there a risk that their spouse will leave them because of this information? These are questions that traditional risk analyses do not ask. But a follow-up question is almost of greater interest: How is the potential harm to individuals weighed against the cost of protective measures? What is a proportionate cost for protecting individuals' privacy?
Practical tips
The proportionality requirements are the sticking point of the new Regulation for small and medium-sized enterprises. Every company must keep a record of processing activities (Art. 30; enterprises with fewer than 250 employees are exempt only if the processing is occasional, is unlikely to result in a risk to data subjects and involves no special categories of data, Art. 30(5)). This record includes at least:
- The name and contact details of the person responsible;
- The purposes of processing;
- A description of the categories of data subjects and the categories of personal data;
- The categories of recipients to whom the personal data has been disclosed.
Each processing of personal data must then be checked for risks (risk assessment). The risk assessment is carried out both from the perspective of the data subject (rights and freedoms) and from that of the company itself (risk of consequences of breaches of data protection requirements). Based on the risks identified, appropriate technical and organisational measures must be defined. Examples (Art. 32) include:
- pseudonymisation and encryption of personal data;
- ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures.
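Two of the measures above, storing period averages instead of individual readings (the data minimisation principle in the proportionality section) and pseudonymisation (first item in the list of technical and organisational measures), are easy to get subtly wrong in code. The following is an added example written for this article, not code from the authors or from any product they describe. It assumes a constructed set of hourly consumption readings keyed by a customer number, a constructed controller-held secret key, and the hypothetical function names used below; it shows a keyed pseudonym (HMAC), reduction to daily means, true anonymisation with small-group suppression, and why an unkeyed hash of a low-entropy identifier is not a pseudonym at all.

```python
"""Added example (not from the article): data minimisation in practice.

Demonstrates
  1. reducing per-reading data to period averages,
  2. replacing the direct identifier with a keyed pseudonym (HMAC-SHA256),
     whose key is the "additional information" that must be kept separately,
  3. anonymisation with suppression of groups that are too small, and
  4. why an unkeyed hash is NOT a pseudonym for guessable identifiers.
All input data and the key are constructed for this example.
"""
import hashlib
import hmac
from collections import defaultdict
from statistics import mean

# Constructed sample input: hourly consumption readings tied to a customer number.
RAW_READINGS = [
    {"person_id": "P-1001", "day": "2018-05-25", "kwh": 0.8},
    {"person_id": "P-1001", "day": "2018-05-25", "kwh": 1.2},
    {"person_id": "P-1001", "day": "2018-05-26", "kwh": 0.4},
    {"person_id": "P-2002", "day": "2018-05-25", "kwh": 2.0},
    {"person_id": "P-2002", "day": "2018-05-25", "kwh": 3.0},
]


def plain_hash(person_id: str) -> str:
    """Unkeyed SHA-256 of the identifier. Deterministic and key-free, so anyone
    who can enumerate plausible identifiers can rebuild the whole mapping."""
    return hashlib.sha256(person_id.encode("utf-8")).hexdigest()


def pseudonymise(person_id: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier.
    Same key + same identifier -> same pseudonym, so records stay linkable for
    the approved purpose; without the key the pseudonym cannot be mapped back
    by guessing identifiers. The key is the re-identification secret and must
    be stored separately from the pseudonymised data (Art. 4(5))."""
    return hmac.new(key, person_id.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(readings, key: bytes):
    """Keep only what the purpose needs: one mean per pseudonym and day plus
    the number of readings behind it. Raw readings and the customer number
    are not carried over."""
    buckets = defaultdict(list)
    for r in readings:
        buckets[(pseudonymise(r["person_id"], key), r["day"])].append(r["kwh"])
    return [
        {"subject": subject, "day": day, "mean_kwh": round(mean(values), 3), "n": len(values)}
        for (subject, day), values in sorted(buckets.items())
    ]


def anonymise(readings, k: int = 2):
    """Drop the person dimension altogether: one population mean per day.
    A day with fewer than k distinct persons is suppressed, because its
    "average" would just be one person's reading under another name."""
    values, persons = defaultdict(list), defaultdict(set)
    for r in readings:
        values[r["day"]].append(r["kwh"])
        persons[r["day"]].add(r["person_id"])
    return {day: round(mean(v), 3) for day, v in values.items() if len(persons[day]) >= k}


def reverse_by_dictionary(token: str, candidate_ids):
    """Dictionary attack against an unkeyed hash: returns the identifier whose
    plain hash equals the token, or None. Against a keyed pseudonym it finds
    nothing, because the attacker does not have the key."""
    for cand in candidate_ids:
        if hmac.compare_digest(plain_hash(cand), token):
            return cand
    return None


if __name__ == "__main__":
    key = b"constructed-controller-secret-keep-separately"  # constructed for the example
    for row in minimise(RAW_READINGS, key):
        print(row)
    print("anonymised:", anonymise(RAW_READINGS))
    guesses = [f"P-{i:04d}" for i in range(1000, 3000)]
    print("plain hash reversed to:", reverse_by_dictionary(plain_hash("P-1001"), guesses))
    print("keyed pseudonym reversed to:", reverse_by_dictionary(pseudonymise("P-1001", key), guesses))
```

The design point for the record of processing activities and the risk assessment: a keyed pseudonym is only a pseudonym while the key is held apart from the data (a separate system, separate access rights), and the output of `anonymise` is only anonymous while the suppression threshold keeps single persons from standing out in a "group" of one.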
Controllability
The last cornerstone of data protection, which tends to be the easiest (though not the cheapest) to implement, is controllability. It presupposes clear agreements, documented procedures and, above all, traceable reasoning, especially for the risk analysis discussed above. Accordingly, not only the final result of a risk analysis should be kept, but also the considerations that led to a particular damage assessment, for example.
Our series of articles on the subject
- In the introductory article we pointed out the need for action.
- In the 1st part of the series we introduced the various players and set the framework.
- In this part 2 we look at the principles of data protection based on four pillars.
- Part 3 explains the specific requirements for processing special categories of personal data and for profiling, which is considered particularly critical.
- Part 4 highlights legally privileged, desirable processing methods.
- Part 5 concludes the series with a framework for the pragmatic and appropriate implementation of data protection in your IT project.
About the authors
Stefan Haller is an IT expert specialising in risk management, information security and data protection at linkyard. He supports companies and authorities with risk analysis in projects, the design and implementation of compliance requirements in software solutions, and the preparation of IT security and authorisation concepts. He is certified in risk management and has carried out numerous security audits based on ISO 27001 over 10 years as an internal auditor. Do you have questions about implementation in your company? Contact: stefan.haller@linkyard.ch | +41 78 746 51 16
Benjamin Domenig works as a business lawyer in Bern. He is an expert in the areas of IT, telecommunications and data protection law and acts both as a litigator and as an advisor. In addition to established telecommunications companies, he advises SMEs and supports start-ups. If you have any questions about these or other legal topics, please contact: domenig@dkg-consulting.ch | +41 79 510 24 12