Representation of data processors under the new Swiss Data Protection Act (FADP)
a. Introduction
If a private controller residing abroad processes personal data, the regulation in art. 14 et seq. revised FADP (SR 235.1) might be applicable and a representative must be designated. Art. 14 para. 1 lit. a FADP requires a prespresentative in Switzerland when goods and services are offert or if monitoringf user behavior of data subjects is done. This article is therefore very similar to Art. 27 GDPR.
The wording of the provision does not state whether the requirements in art. 14 para. 1 lit. a-d FADP must be fulfilled alternatively or cumulatively by the processor. However, the doctrine claims that the conditions are cumulative requirements.
b. Requirements regarding Art. 14 rev.FADP
Firstly, a representative in Switzerland must be appointed if the data processing of data subjects in Switzerland is connected with the offer of goods and services or if observations are made about the behavior of data subjects. Thereby it is irrelevant whether the data subject is a Swiss citizen, permanently resides in Switzerland or is only on vacation in Switzerland. Decisive is that the person concerned is located in Switzerland at the time of the data processing.
According to art. 14 revized FADP, only if the data processing is carried out by a data controller according to art. 5 lit. j revFADP a representative must be determined. Therefore, no representation is requiered should a processor according to art. 5 lit. k revFADP carry out the data processing.
In addition to the above, the data processing must
- be extensive;
- take place regularly, and must have
- a high risk potential for the personality of the data subjects.
Jurisprudence will have to clarify in which cases the data processing becomes extensive. In our opinion it can be assumed that this condition will be interpreted accordingly to art. 35 GDPR and – in contrast to art. 27 GDPR – refers to all categories of data. Regular data processing describes recurring processing of data. This includes, for example, data processing that is necessary in order to be able to offer the service at all. The term “high risk” is defined in art. 22 para. 2 revFADP, which deals with the data protection impact assessment, in the case of extensive processing of personal data requiring special protection as well as the systematic monitoring of a public area.
c. Tasks of the representative
The representative serves as point of contact for the Federal Data Protection and Public Information Officer (FDPIC) and for the persons affected by the data processing. Hence, the representative must be known and his or her name and address must be published (see art. 14 para. 3 revFADP). If the FDPIC requests information about the contents of the directory, the representative must release the information.
Additionally, the representative lists the processing activities and provides information (art. 15 para. 1 and 2 revFADP). This directory must comply with the requirements established in art. 12 revFADP. No formal requirements are placed on the maintenance of the directory in the revFADP. Upon request, the representative shall also explain to a data subject how he or she can assert his or her rights against the data controller.
d. Contractual relationship between representative and data controller
The contractual relationship between the representative and the data controller qualifies as a agency contract pursuant to art. 394 et seq. of the Swiss Code of Obligations (CO). The representative is therefore obliged to perform diligently and faithfully (art. 398 para. 2 CO).
e. Criminal Provisions
There are no specific penal provisions in art. 60 et seq. revFADP for the missbehaviour of the representative. However, the representative will face criminal sanctions if he or she infringes any other penalized provisions of the revFADP. Even though there is no civil liability provided in the revFADP, a non-contractual liability according to art. 41 et seq. CO can take place between the representative and the data subject if the requirements of art. 41 CO are met.
f. Conclusion
To conclude, it can be stated that a representation within the meaning of art. 14 revFADP must be determined if data of data subjects residing in Switzerland are processed in connection with the offering of goods or services or in the context of user behavioral monitoring. Furthermore, the data processing must be extensive and regular and brings an increased risk for the privacy of data subjects. The representative shall keep a directory of all the data processing activities and has to provide information upon request.Time after the revFADP comes into force will show how the provisions on the representative will be interpreted and applied by the courts. Since the art. 14 revFADP has not been discussed during the drafting of the revFADP by the Swiss Parliament, there are currently no further indications on how the provision might be interpreted.
Article provided by INPLP member: Nicole Beranek (HÄRTING Rechtsanwälte AG, Switzerland)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)