
The four cornerstones of the new data protection law

The new, harmonised EU General Data Protection Regulation (GDPR) entered into force on 24 May 2016 and applies from 25 May 2018 without any further transitional period. For us, this is a reason to examine the GDPR in more detail in a series of articles.

The four cornerstones of data protection

The cornerstones of data protection are (based on Markus Schäffter, 2016, "procedural directory 2.0"):

  • Legality: purpose limitation and necessity
  • Transparency: respect for the rights of data subjects
  • Proportionality: risk-based measures
  • Controllability: documented procedures

Legality

With regard to the lawfulness of processing, three principles matter in particular. First, processing is prohibited unless permitted (a prohibition with reservation of permission): any processing of personal data is prohibited in principle, and only precisely defined exceptions (a whitelist) allow it. For most companies the first two of the following conditions (Art. 6(1)) are the relevant ones:

  1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes. Note the word specific: a vague, open-ended general authorisation does not qualify.
  2. The processing is necessary for the performance of a contract to which the data subject is party, or for steps taken at the request of the data subject prior to entering into a contract.
  3. The processing is necessary to comply with a legal obligation to which the controller is subject. This condition mainly enables public authorities and companies close to them to process data; it is also an important basis for HR departments in companies.
  4. The processing is necessary to protect the vital interests of the data subject or of another natural person.
  5. The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  6. The processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where these are overridden by the interests or fundamental rights and freedoms of the data subject (in particular where the data subject is a child).

Secondly, purpose limitation, which we already touched on in the first part of this series: the admissibility of a processing operation must always be assessed for a specific purpose. Using the same information for another purpose requires these conditions to be examined afresh. If, for example, the first processing operation was based on the data subject's consent, new consent must be obtained if further processing serves a new purpose. Lastly, the principle of necessity applies: it rules out, for example, processing operations that are not directly necessary for the authorised purpose.

Practical information

In practice, the consent of the data subject is usually obtained via the General Terms and Conditions (GTC): by accepting the GTC, the data subject also accepts the processing of his or her personal data (consent). Obtaining consent this way remains permissible under the GDPR. But convoluted, hard-to-understand clauses in the GTC are not valid: a request for consent must be clearly distinguishable from the other matters in the GTC and be formulated in clear and plain language (Art. 7). The company must also be able to prove at any time that the data subject has consented to the processing operation. Otherwise the controller risks fines of up to EUR 20 million or 4 percent of its worldwide annual turnover, whichever is higher (Art. 83). Children and young people under the age of 16 cannot consent on their own to the processing of their data by online services; the consent of a parent or legal representative is required (Art. 8).

Transparency

Under the title of transparency we summarise a number of personal rights related to data protection. The right to information and access allows the data subject to know which personal data are processed and for what purpose. The right to object and the right to rectification enable the person concerned to have incorrect information about him or her corrected: if, for example, someone is recorded as not creditworthy because of a debt collection case, but there is a mix-up of names, the person concerned can demand that the data be corrected. The person concerned also has the right to have his or her personal data erased. Finally, there is the right to data portability (Art. 20), which is of great interest to us technicians: every data subject has the right to receive the personal data he or she has provided to a controller in a structured, commonly used and machine-readable format, where the processing is based on consent or a contract and is carried out by automated means. This "detail" could have a considerable impact. In principle, it allows a data subject to build up a personal electronic patient file containing all examination and treatment data in machine-readable form, by requesting the data in this form from hospitals and doctors. Besides such useful applications, it also offers wonderful opportunities to keep companies busy until they have automated the process.

Practical information

Every company should appoint a data protection officer or, for larger companies, a data protection team: the requirements of the GDPR are complex and the tasks involved are time-consuming. If a data subject requests access, the following information, among other things, must be provided within one month (Art. 15):

  1. whether personal data concerning them are processed,
  2. what the processing purposes are, and
  3. who the recipients or categories of recipients are

This of course presupposes that the company knows in which systems data about a person are kept in the first place, and what they mean. A copy of the data undergoing processing must be provided to the data subject free of charge; for further copies requested by the data subject, the company may charge a reasonable fee (in practice approx. CHF 0.40 - 0.70 per A4 page). The right to erasure (right to be forgotten) is limited: check whether the conditions for erasure (Art. 17 EU-DSGVO) are actually met before deleting.

Proportionality

Let us start with the basic principle of data minimisation. On the one hand, only as much data may be processed as is necessary for the purpose of the processing. On the other hand, the data may be stored and processed only in as much detail as necessary. If the purpose can be fulfilled with average values for a period instead of individual measurements, only the averages are to be stored and processed. If the data need not be clearly attributable to a specific person, they shall be anonymised or pseudonymised.

Privacy by design and privacy by default require that settings affecting data protection are set as restrictively as possible by default. If a social network such as Facebook lists my birthday, it may not be displayed to visitors of my profile by default.

The most pragmatic component of the GDPR, but also the one that generates the most legal uncertainty, is the risk-based protection requirement. Personal data must be protected with proportionate measures. If the stored data are not very sensitive, this in principle allows a more pragmatic, less costly implementation of protective measures than for sensitive or large-scale data. The classic questions still have to be answered: What are the points of attack? How are unauthorised data manipulations prevented? How can access to data and processing operations be prevented, tracked and audited?

In addition to this classic risk assessment, the individual data subject must also be protected personally. When assessing risks, therefore, not only the damage to the company from a materialised risk must be evaluated; the question must also be asked what damage may arise for the persons concerned. If the information becomes accessible to unauthorised persons or even public: will the person ever find a job again? Will an insurance company ever conclude a contract with him or her again? Is there a danger that a spouse will leave because of this information? These are questions that classic risk analyses do not ask. A follow-up question is almost of greater interest: how should personal damage be weighed against the cost of protective measures? What costs are proportionate to protecting the privacy of individuals?

Practical information

For small and medium-sized enterprises, the proportionality requirement is the sticking point of the GDPR: each enterprise must keep a record of its processing activities (Art. 30). This record contains at least:

  1. The name and contact details of the person responsible;
  2. The purposes of the processing;
  3. A description of the categories of data subjects and the categories of personal data;
  4. The categories of recipients to whom the personal data have been disclosed.

Then, in turn, each processing of personal data must be checked for possible risks (risk assessment). The risk assessment is carried out from the perspective of the data subject (rights and freedoms) but also from the perspective of the company itself (risk of consequences of violating data protection rules). Based on the risks identified, suitable technical and organisational measures must be determined. Examples of such measures (Art. 32) are:

  1. Pseudonymisation and encryption of personal data;
  2. Ensuring the confidentiality, integrity, availability and resilience of processing systems and services;
  3. Definition of a procedure for regular review, assessment and evaluation of the effectiveness of technical and organisational measures.
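The two measures that are most concretely technical, pseudonymisation (item 1 above) and data minimisation by storing averages instead of individual measurements (discussed under Proportionality), are worth seeing in working code. The following is an added example written for this article, not code from the original page or from linkyard; the reading data, the field names and the HMAC-based pseudonymisation scheme are assumptions chosen for illustration. It shows why an unkeyed hash of an e-mail address is not a pseudonym (a list of candidate addresses reverses it), a keyed pseudonym whose key is the "additional information kept separately" that Art. 4(5) requires, and the reduction of per-reading records to daily averages so that the analytics copy holds only as much detail as the purpose needs, while the controller, holding the key, can still locate a data subject's rows for an access request.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from statistics import mean
from typing import Optional

# Constructed sample input (not from the article): raw pulse readings as a
# fitness service might collect them, keyed by the user's e-mail address.
RAW_READINGS = [
    {"email": "anna@example.org", "day": "2018-05-01", "pulse": 72},
    {"email": "Anna@example.org", "day": "2018-05-01", "pulse": 80},
    {"email": "anna@example.org", "day": "2018-05-02", "pulse": 76},
    {"email": "bob@example.org", "day": "2018-05-01", "pulse": 64},
    {"email": "bob@example.org", "day": "2018-05-02", "pulse": 60},
    {"email": "bob@example.org", "day": "2018-05-02", "pulse": 70},
]


def _normalise(identifier: str) -> bytes:
    # Same person, same pseudonym: case and whitespace differences in the
    # address must not split one data subject into several.
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonymise(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. Looks opaque, but is NOT a
    pseudonym in the GDPR sense: anyone with a list of candidate addresses
    can recompute it (see reverse_by_enumeration)."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def reverse_by_enumeration(pseudonym: str, candidates) -> Optional[str]:
    """What an attacker does with an unkeyed hash: hash every candidate
    identifier (customer list, leaked address dump) and compare."""
    for candidate in candidates:
        if naive_pseudonymise(candidate) == pseudonym:
            return candidate
    return None


def new_pseudonym_key() -> bytes:
    """The secret that makes re-identification depend on 'additional
    information kept separately' (Art. 4(5)). Keep it in a key store,
    never in the same system as the pseudonymised data."""
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.
    Without the key, enumerating candidates no longer works."""
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def minimise(readings, key: bytes):
    """Data minimisation for an analytics copy: replace the direct identifier
    by a keyed pseudonym and keep only the daily mean instead of every
    individual measurement."""
    buckets = defaultdict(list)
    for r in readings:
        buckets[(pseudonymise(r["email"], key), r["day"])].append(r["pulse"])
    return [
        {"subject": subject, "day": day, "pulse_mean": round(mean(values), 1)}
        for (subject, day), values in sorted(buckets.items())
    ]


def find_records(email: str, key: bytes, minimised):
    """Access request (Art. 15): the controller, holding the key, recomputes
    the pseudonym and selects the data subject's rows."""
    subject = pseudonymise(email, key)
    return [row for row in minimised if row["subject"] == subject]


if __name__ == "__main__":
    key = new_pseudonym_key()
    table = minimise(RAW_READINGS, key)
    for row in table:
        print(row)
    candidates = ["anna@example.org", "bob@example.org"]
    print("unkeyed hash reversed to:",
          reverse_by_enumeration(naive_pseudonymise("bob@example.org"), candidates))
    print("keyed pseudonym reversed to:",
          reverse_by_enumeration(pseudonymise("bob@example.org", key), candidates))
```

The design point is that the key, not the hash function, carries the protection: rotate or destroy the key and the analytics table becomes anonymous data, keep it in a separate system and the table stays pseudonymised in the sense the regulation intends.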

Controllability

The last cornerstone, controllability, is generally the easiest to implement, though not the cheapest. It requires clear agreements, documented procedures and, above all, traceable trade-offs, especially with regard to the risk analysis discussed in detail above. Accordingly, not only the final result of a risk analysis should be retained, but also the considerations that led, for example, to a particular damage assessment.


About the authors

Stefan Haller is an IT expert specialized in risk management, information security and data protection at linkyard. He supports companies and authorities in risk analysis in projects, the conception and implementation of compliance requirements in software solutions as well as in the creation of IT security and authorization concepts. He is certified in risk management and has carried out numerous security audits based on the ISO standard 27001 as an internal auditor for more than 10 years. Do you have questions about the implementation in your company? Please contact: stefan.haller@linkyard.ch | +41 78 746 51 16

Benjamin Domenig works as a business lawyer in Bern. He is an expert in the legal fields of information technology, telecommunications and data protection law and is active both in litigation and in an advisory capacity. In addition to established telecommunications companies, he advises SMEs and accompanies start-ups. Should you have any questions on these or other legal topics, please contact us without obligation: domenig@dkg-consulting.ch | +41 79 510 24 12