20 February 2019 / news

DATA PROTECTION - GLOSSARY

Certain definitions under the draft Swiss data protection act (D-DPA) differ from those under the European General Data Protection Regulation (GDPR). But do you know what the differences are and what they mean in practice? This article provides an overview of the definitions included in the D-DPA and the GDPR and compares their scope.

Each entry below gives, in this order: the term (Definition), the D-DPA definition, the GDPR definition, and what the difference means in practice.

Accountability

N/A

Art. 5 sub (2) GDPR: the Controller shall be responsible for, and be able to demonstrate compliance with, art. 5 sub (1) GDPR, i.e. Lawfulness, Fairness and Transparency, Purpose Limitation, Data Minimisation, Accuracy, Storage Limitation and Integrity and Confidentiality.

The D-DPA does not provide for any general Accountability requirement. However, art. 11 D-DPA requires the Controller and the Processor to keep an inventory of their Processing activities.

Accuracy

Not directly defined, but art. 5 para. 5 D-DPA states that anyone who processes Personal Data must ascertain that the Personal Data is accurate, and that they must take all appropriate measures so that Personal Data which is inaccurate or incomplete with regard to the purposes for which it was collected or processed is corrected, deleted or destroyed.

Art. 5 sub (1) under (d) GDPR: Personal Data shall be accurate and, where necessary, kept up to date, and every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Same meaning, although wordings are different.

Binding Corporate Rules

Not defined in the D-DPA, although this concept is treated in the D-DPA. More specifically, art. 13 para. 2 let. e D-DPA states that, in case Binding Corporate Rules are approved by the Federal Data Protection and Information Commissioner or by a competent foreign authority of a state with an adequate level of data protection (e.g. Supervisory Authority of EU countries), such Binding Corporate Rules constitute appropriate safeguards in case of abroad transfer of Personal Data.

Art. 4 sub (20) GDPR: Personal Data protection policies which are adhered to by a Controller or Processor established on the territory of a Member State for transfers or a set of transfers of Personal Data to a Controller or Processor in one or more third countries within a Group of Undertakings, or group of Enterprises engaged in a joint economic activity.

Art. 46 sub (2) under (b) GDPR states that Binding Corporate Rules which have been approved by a Supervisory Authority constitute appropriate safeguards in case of transfer of Personal Data in a third country (i.e. outside EU). The (strict) requirements for such approval by a Supervisory Authority are set forth in Art. 47 GDPR.

Both the D-DPA and the GDPR provide for similar consequences with respect to approved Binding Corporate Rules (i.e. adequate safeguard in case of transfer of Personal Data in a country without an adequate level of data protection). However, the GDPR provides stricter and more detailed rules regarding approval of Binding Corporate Rules by the competent Supervisory Authority.

Biometric Data

Not directly defined, although art. 4 let. c ciph. 4 D-DPA does identify Biometric Data that clearly identifies a natural person as Sensitive Personal Data.

Art. 4 sub (14) GDPR: Personal Data resulting from specific technical Processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

Although Biometric Data is not defined as such in the D-DPA, this concept is similar in both texts (see p. 7020 of the Federal Gazette).

Moreover, both the D-DPA and the GDPR consider Biometric Data as Sensitive Personal Data.

Consent

Not directly defined, although art. 5 para. 6 D-DPA states that Consent is valid only when it has been given freely and unambiguously for one or several specific Processing activities after adequate information. In case of Processing of Sensitive Personal Data, of Profiling, or of abroad data transfer, it must be given explicitly.

Art. 4 sub (11) GDPR: Any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her. Art. 7 GDPR further sets out the conditions for consent.

Although Consent is not defined as such in the D-DPA, the D-DPA and the GDPR generally apply the same rules with respect to the Consent of a Data Subject.

However, a notable exception applies relating to the nature of Consent of a Data Subject, which must be, under application of the GDPR, in each case explicitly given, while the D-DPA requires an explicit Consent only in some cases (for more information on this topic, see our newsletter).

Controller

Art. 4 let. i D-DPA: Private person or Federal Body that, alone or jointly with others, decides on the purpose and the means of Processing of Personal Data.

Art. 4 sub (7) GDPR: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Same meaning, although wordings are slightly different (n.b.: the D-DPA applies only to federal (and not cantonal) bodies).

Cross-Border Processing

N/A

Art. 4 sub (23) GDPR: Either:

(a)   Processing of Personal Data which takes place in the context of the activities of establishments in more than one Member State of a Controller or Processor in the Union where the Controller or Processor is established in more than one Member State; or

(b)   Processing of Personal Data which takes place in the context of the activities of a single establishment of a Controller or Processor in the Union but which substantially affects or is likely to substantially affect Data Subjects in more than one Member State.

Cross-Border Processing is specific to the EU (Processing of Personal Data between different EU countries).

Data Concerning Health

Not directly defined, although art. 4 let. c ciph. 2 D-DPA does identify Data Concerning Health as Sensitive Personal Data.

Art. 4 sub (15) GDPR: Personal Data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

Although Data Concerning Health is not defined as such in the D-DPA, this concept is similar in both texts (see p. 7020 of the Federal Gazette).

Moreover, both the D-DPA and the GDPR consider Data Concerning Health as Sensitive Personal Data.

Data Minimisation

Not directly defined, but art. 5 para. 2 D-DPA states that Processing must be carried out in good faith and must be proportionate.

Art. 5 sub (1) under (c) GDPR: Means that Processing of Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Similar meaning, although different wordings.

Data Subject

Art. 4 let. b D-DPA: Natural person whose Personal Data is processed.

Art. 4 sub (1) GDPR: An identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Same meaning, although wordings are slightly different.

Disclosure

Art. 4 let. e D-DPA: Transmitting or making Personal Data accessible.

N/A

Although Disclosure is not defined in the GDPR, there should be no relevant practical difference relating to the understanding of this term.

Enterprise

N/A

Art. 4 sub (18) GDPR: A natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.

Although Enterprise is not defined in the D-DPA, there should be no relevant practical difference relating to the understanding of this term.

Federal Body

Art. 4 let. h D-DPA: Federal authority or service or person that is entrusted with federal public tasks.

N/A

Definition is specific to Switzerland.

Filing System

N/A

Art. 4 sub (6) GDPR: Any structured set of Personal Data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

Filing System is not a concept used under the D-DPA.

Genetic Data

Not directly defined, although art. 4 let. c ciph. 3 D-DPA does identify Genetic Data as Sensitive Personal Data.

Art. 4 sub (13) GDPR: Personal Data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

Although Genetic Data is not defined as such in the D-DPA, this concept is similar in both texts (see p. 7020 of the Federal Gazette).

Moreover, both the D-DPA and the GDPR consider Genetic Data as Sensitive Personal Data.

Group of Undertakings

N/A

Art. 4 sub (19) GDPR: A controlling undertaking and its controlled undertakings.

Group of Undertakings is not a concept used under the D-DPA.

Information Society Service

N/A

Art. 4 sub (25) GDPR: A service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council.

Information Society Service is not a concept used under the D-DPA.

Integrity and Confidentiality

Not directly defined, but art. 7 para. 1 and 2 D-DPA state that the Controller and Processor must, through adequate technical and organisational measures, ensure security of the Personal Data that appropriately addresses the risk, and that these measures must enable the avoidance of data security breaches.

Art. 5 sub (1) under (f) GDPR: Personal Data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Same meaning, although wordings are slightly different (n.b.: terminology under the D-DPA: data security).

International Organisation

Not defined, although art. 17 para. 4 D-DPA states that the Controller has to inform the Data Subject of the name of the “international body” in case of abroad Disclosure of Personal Data.

Art. 4 sub (26) GDPR: An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

Although International Organisation is not defined in the D-DPA, there should be no relevant practical difference relating to the understanding of this term (n.b. terminology under the D-DPA: “international body”).

Lawfulness, Fairness and Transparency

Not directly defined, although art. 5 para. 1 D-DPA states that Personal Data must be processed lawfully and art. 5 para. 2 D-DPA states that Processing must be carried out in good faith.

Art. 5 sub (1) under (a) GDPR: Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.

Similar meaning, although wordings are different. Although the D-DPA does not explicitly mention transparency as a principle, such requirement arises from other provisions of the law (e.g. information duties in art. 17 D-DPA; see our newsletter on this topic).

Main Establishment

N/A


Art. 4 sub (16) under (a) GDPR: As regards a Controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the Processing of Personal Data are taken in another establishment of the Controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the Main Establishment.

Art. 4 sub (16) under (b) GDPR: As regards a Processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the Processor has no central administration in the Union, the establishment of the Processor in the Union where the main Processing activities in the context of the activities of an establishment of the Processor take place to the extent that the Processor is subject to specific obligations under the GDPR.

Main Establishment is not a concept used under the D-DPA (the D-DPA does not provide for conflict of law rules).

Personal Data

Art. 4 let. a D-DPA: All information relating to a Data Subject.

Art. 4 sub (1) GDPR: Any information relating to a Data Subject.

Same meaning.

Personal Data Breach

Art. 4 let. g D-DPA: A security breach, irrespective of whether intentional or unlawful, leading to a loss, deletion, destruction or modification of Personal Data or to Personal Data being disclosed or made accessible to unauthorised persons.

Art. 4 sub (12) GDPR: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised Disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.


Same meaning, although wordings are slightly different (n.b. terminology under the D-DPA: “data security breach”).

Processing

Art. 4 let. d D-DPA: Any handling of Personal Data, irrespective of the means and the procedures applied, and in particular the collection, recording, storage, use, modification, Disclosure, archiving, deletion or destruction of data.

Art. 4 sub (2) GDPR: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, Disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Same meaning, although wordings are slightly different.

Processor

Art. 4 let. j D-DPA: Private person or Federal Body that processes Personal Data on behalf of the Controller.

Art. 4 sub (8) GDPR: A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.


Same meaning, although wordings are slightly different (n.b.: the D-DPA applies only to federal (and not cantonal) bodies).

Profiling

Art. 4 let. f D-DPA: The evaluation of certain characteristics of a person on the basis of Personal Data processed in an automated manner, in particular in order to analyse or to predict a person’s performance at work, his financial situation, his health, his behaviour, his preferences, his location or his mobility.

Art. 4 sub (4) GDPR: Any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Same meaning, although wordings are slightly different.

Pseudonymisation

N/A

Art. 4 sub (5) GDPR: The Processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.

The text of the D-DPA does not explicitly refer to Pseudonymisation, although this concept may also play a role under the D-DPA, e.g. with respect to data security (see p. 7031 of the Federal Gazette).

Purpose Limitation

Not directly defined, but art. 5 para. 3 D-DPA states that Personal Data may only be collected for a specific purpose which is evident to the Data Subject and that Personal Data may only be processed in a way which is compatible with such purpose.

Art. 5 sub (1) under (b) GDPR: Means that Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1) GDPR, not be considered to be incompatible with the initial purpose.

Similar meaning, although different wordings.

Recipient

Not defined, although the D-DPA regularly refers to this term, see e.g. art. 11 para. 2 let. d, art. 17 para. 2 let. c and art. 23 para. 2 let. g D-DPA.

Art. 4 sub (9) GDPR: A natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a Third Party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as Recipients; the Processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the Processing.

Although Recipient is not defined in the D-DPA, there should be no relevant practical difference relating to the understanding of this term. The exception contained in the second sentence of the GDPR definition is specific to EU.

Relevant and Reasoned Objection

N/A

Art. 4 sub (24) GDPR: An objection to a draft decision as to whether there is an infringement of the GDPR, or whether envisaged action in relation to the Controller or Processor complies with the GDPR, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of Data Subjects and, where applicable, the free flow of Personal Data within the Union.

Definition is specific to EU.

Representative

N/A

Art. 4 sub (17) GDPR: A natural or legal person established in the Union who, designated by the Controller or Processor in writing pursuant to Article 27 GDPR, represents the Controller or Processor with regard to their respective obligations under the GDPR.

Representative is not a concept used under the D-DPA.

Restriction of Processing

N/A

Art. 4 sub (3) GDPR: The marking of stored Personal Data with the aim of limiting their Processing in the future.

Even though Restriction of Processing is not explicitly mentioned in the D-DPA, such right of the Data Subjects may be exercised under the D-DPA as well (see our newsletter on this topic).

Sensitive Personal Data

Art. 4 let. c D-DPA:

Data on religious, ideological, political or trade union-related views or activities;

Data on health, the intimate sphere or the racial or ethnical origin;

Genetic Data;

Biometric Data which clearly identifies a natural person;

Data on administrative or criminal proceedings and sanctions; and

Data on social security measures.

Not directly defined, although art. 9 sub (1) GDPR and art. 10 GDPR do identify the following Personal Data as Sensitive Personal Data:

Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;

Genetic Data, Biometric Data for the purpose of uniquely identifying a natural person, Data Concerning Health or data concerning a natural person's sex life or sexual orientation; and

Data relating to criminal convictions and offences.

Although Sensitive Personal Data is not defined as such in the GDPR, this concept is similar in both texts (n.b. terminology: “special categories of data”). However, the definition of Sensitive Personal Data is slightly broader under the D-DPA, including data on the intimate sphere (i.e. not limited to sex life or sexual orientation) and data on social security measures.

Storage Limitation

Not directly defined, but art. 5 para. 4 D-DPA states that Personal Data shall be destroyed or anonymised as soon as it is no longer needed with regard to the purpose of the Processing.

Art. 5 sub (1) under (e) GDPR: Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed; Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the Data Subject.

Similar meaning, although different wordings.

Supervisory Authority

Not directly defined, although art. 3 para. 1 D-DPA states that the Federal Data Protection and Information Commissioner supervises the proper application of the D-DPA.

Art. 4 sub (21) GDPR: An independent public authority which is established by a Member State pursuant to Art. 51 GDPR.

Definition is specific to Switzerland and EU, respectively.

Supervisory Authority Concerned

N/A

Art. 4 sub (22) GDPR: A Supervisory Authority which is concerned by the Processing of Personal Data because:

(a)   the Controller or Processor is established on the territory of the Member State of that Supervisory Authority;

(b)   Data Subjects residing in the Member State of that Supervisory Authority are substantially affected or likely to be substantially affected by the Processing; or

(c)   a complaint has been lodged with that Supervisory Authority.

Supervisory Authority Concerned is specific to EU, since there is a separate Supervisory Authority for each EU country (in Switzerland: only the Federal Data Protection and Information Commissioner with respect to the application of the federal D-DPA).

Third Party

Not defined, although the D-DPA regularly refers to this term, see e.g. art. 8 para. 3 D-DPA and art. 14 para. 1 lit. d D-DPA.

Art. 4 sub (10) GDPR: A natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to process Personal Data.

Although Third Party is not defined in the D-DPA, there should be no relevant practical difference relating to the understanding of this term.
