Data protection 2021

By Darko Djordjevic

No specific definition exists for the term data protection. Rather, it is essentially about protecting information that is not intended for the general public. In data protection, the focus is on information that is directly or indirectly related to a specific person. Simply explained, data protection describes the protection against improper data processing and the protection of the right to informational self-determination enshrined in the German Basic Law.

This includes, for example, personal and private data. In particular, the following data are considered personal data, with a distinction made between direct and indirect personal data.

Direct personal data

  • Name, first name
  • AHV number
  • Biometric data (e.g. fingerprint)
  • E-mail address
  • Address
  • Phone number
  • Date of birth
  • Login/online identifications

Indirect personal data

  • Economic data (e.g. credit card number)
  • IP address
  • Cultural or social information
  • Physical, genetic and mental data
  • Pseudonymized data
  • Geo data

Furthermore, there are other data worthy of protection with regard to fundamental rights and freedoms.

  • Data on religious, ideological, political or trade union views or activities
  • Data about health, privacy, sexual orientation, or racial or ethnic origin
  • Genetic data
  • Biometric data that uniquely identify a natural person
  • Data on administrative and criminal prosecutions or sanctions
  • Data on social assistance measures
  • Data from children under 16

Legal situation

The Data Protection Act (DPA, German: DSG) is a Swiss framework law and as such allows a great deal of leeway in the assessment of data and privacy protection violations. In addition to the DPA, Swiss companies often also come into contact with the GDPR (EU General Data Protection Regulation, German: DSGVO). Both the EU and Switzerland also have special “shield agreements” with the U.S. authorities, which are theoretically still in force. There are some differences between the Swiss DPA and the European GDPR. The most important ones are shown here:

CH DSG

  • Collecting and processing personal data is allowed in principle (with restrictions)
  • Consent not required
  • Fines up to CHF 250,000, personal
  • Violation = application offense
  • Duty to inform

GDPR

  • Collecting and processing personal data is prohibited in principle
  • Consent required
  • Fines up to € 20 million or 4% of sales
  • Violation = official offense
  • Duty to inform

The cookie problem

  • The information stored in cookies can uniquely identify a website visitor and is therefore personal information.
  • Cookies can be set by any web server that delivers a piece of web page content (images, text, JavaScript, etc.).
  • With each new download of content from this web server, the existing cookie is sent back to the web server and the cookie can be updated.
  • Cookies can also be set, read and modified by the code on the website (e.g. with JavaScript).
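
The points above can be checked for a concrete page load. The following is an added example, not part of the original article: it classifies every cookie set while one page loads by who set it, whether it persists, whether its value looks like a per-visitor identifier, and whether page scripts can read it. The hosts, cookie values, the two-label `site()` shortcut and the identifier heuristic are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample (not real traffic): responses seen while loading one page,
# as (URL of the delivered content, Set-Cookie header values on that response).
PAGE_URL = "https://shop.example/product/42"
RESPONSES = [
    ("https://shop.example/product/42",
     ["session=9f2c1a7e5b3d4c60; Path=/; HttpOnly; Secure"]),
    ("https://shop.example/app.js", ["lang=en; Path=/; Max-Age=31536000"]),
    ("https://cdn.tracker.example/pixel.gif",
     ["uid=c0ffee1234567890abcd; Max-Age=63072000; SameSite=None; Secure"]),
]

def site(url):
    """Simplification: last two host labels. A real audit needs the Public Suffix List."""
    return ".".join(urlsplit(url).hostname.split(".")[-2:])

def looks_like_identifier(value):
    """Heuristic (assumption): long, varied alphanumeric values are per-visitor IDs."""
    return len(value) >= 16 and value.isalnum() and len(set(value)) >= 8

def audit(page_url, responses):
    """Classify every cookie set during a page load."""
    findings = []
    for url, headers in responses:
        for header in headers:
            jar = SimpleCookie()
            jar.load(header)
            for name, morsel in jar.items():
                findings.append({
                    "name": name,
                    "set_by": urlsplit(url).hostname,
                    "third_party": site(url) != site(page_url),
                    "persistent": bool(morsel["max-age"] or morsel["expires"]),
                    "identifier": looks_like_identifier(morsel.value),
                    "script_readable": not morsel["httponly"],
                })
    return findings

def identifying_cookies(findings):
    """Cookies that can single out a visitor: treat these as personal data."""
    return [f["name"] for f in findings if f["identifier"]]

if __name__ == "__main__":
    for f in audit(PAGE_URL, RESPONSES):
        print(f)
```

In the sample, the `uid` cookie set by the embedded image is third-party, persistent and readable by script, which is the combination that makes a cookie personal data held by a party the visitor never navigated to.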

Key lessons learned

  • Personal data should be treated like a hot potato. You don’t want them if you don’t need them.
  • Every record with personal data over which one has control increases responsibility.
  • Every reasonable measure should be taken to protect the data (encryption, hashing, access control, pseudonymization, etc.).
  • Record when a data subject has given consent to processing and for what purpose.
  • Data may only be used for the purpose for which consent was obtained.
