Since 1 September 2023, private controllers and their private processors have been obliged to log certain steps in the automated processing of sensitive personal data. This includes the storage, modification, reading, disclosure, deletion and destruction of data, provided certain conditions are met. The FDPIC has issued specific technical recommendations for logging in accordance with Art. 4 DPO. These non-binding recommendations are intended to provide a clear guide to fulfilling the requirements of Art. 4 DPO. This article is intended to show private persons what needs to be considered when implementing the logging obligation.
What is regulated by Art. 4 DPO
Logging in accordance with Art. 4 of the Ordinance of 31 August 2022 on Data Protection (Data Protection Ordinance, DPO; SR 235.11) must be carried out by private controllers, including their processors, if particularly sensitive personal data is processed automatically on a large scale or if high-risk profiling is carried out. However, this applies only if preventive measures do not guarantee data protection. Logging is required in particular if it would otherwise not be possible to determine retrospectively whether the data was processed for the purposes for which it was collected or disclosed.
Logging includes at least the following steps:
- Storage,
- Modification,
- Reading,
- Disclosure,
- Deletion and
- Destruction of the data.
In addition, the logging must provide the following information (see Art. 4 para. 4 DPO):
- Identity of the person who carried out the processing;
- Type of processing (e.g. by a person or by a machine);
- Date and time of processing;
- Identity of the data recipient.
The logs must be stored separately from the system in which the personal data is processed, for at least one year (cf. Art. 4 para. 5 DPO).
Purpose of this logging
To ensure adequate data security, the controller and the processor must take technical and organisational measures so that the data is processed in a traceable manner in accordance with its protection requirements. Logging makes it possible to achieve this protection objective of traceability in accordance with Art. 2 para. 1 lit. d DPO and thus to ensure conformity of purpose and appropriate data security. Logging can also be used to detect and even clarify breaches of data security, but it must not be evaluated for the purpose of monitoring behaviour. In this respect, logging is a data security measure in the broader sense.
“The three cornerstones of logging”
Logging in data protection law refers to the systematic recording of information about the processing of personal data and covers three aspects:
- The recording of log data covers the logging of access to personal data, including the above-mentioned information in accordance with Art. 4 para. 4 DPO;
- Storage requires secure and protected storage of the log data, separate from the data processing systems, in order to ensure availability even in the event of disruptions to the primary system, in particular due to ransomware. Access is only permitted to authorised persons.
- Analysing the log data makes it possible to detect data breaches and ensure lawful data access. This requires powerful analysis tools that are only available to authorised persons.
Create a concept for logging
The FDPIC recommends the creation of a logging concept in which the following points should be taken into account:
- Definition of clear objectives to be achieved by logging, e.g. security monitoring, troubleshooting;
- Logging guidelines: Which events are logged? What data is recorded? What storage time is planned? Who is authorised to access the log data?
- Logging tools: Which systems/tools are used, e.g. SIEM?
- Alerting: Which events generate an alert and how are they responded to?
- Responsibilities and roles: to be defined for the management of logging;
- Staff training;
- Review: logging policy and procedures should be reviewed regularly.
Technical recommendations of the FDPIC
In connection with logging in information security or data protection, the FDPIC recommends the following from a technical point of view:
- Use standardised logging formats: The use of standardised logging formats such as Syslog or Common Event Format (CEF) ensures uniform logging of events.
- Reading and interpreting logs: Logs should not only be stored, but also read in and interpreted. This forms the basis for monitoring, alerting and recognising deviations.
- Regular review of log data: Log data should be reviewed at regular intervals to ensure that it is complete and complies with security policies.
- Anomaly detection mechanisms: Implement anomaly detection mechanisms for the log data to identify suspicious activity, such as access from unusual geolocations.
- Security precautions for log data: Implement appropriate access controls to protect log data from unauthorised access.
- Timestamping: Each log file should be timestamped to capture the exact time of an event and to understand the temporal relationship between different events in the system.
- Time synchronisation: Ensure that all systems on the network have reliable and accurate time synchronisation to ensure accurate time stamps.
- Data Enrichment: Enhance log data with additional information such as geo-information, user context or system configuration data to enable better analysis and faster detection of potential security threats.
- Alerting: Your log analysis applications should notify the responsible persons immediately when anomalies or security-relevant events occur.
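To make the Art. 4 para. 4 DPO content and the FDPIC's technical points concrete, the following added example (not code from the FDPIC or from any product the recommendations mention) writes one processing event per Art. 4 para. 1 step as a Common Event Format (CEF) line carrying the identity of the processor, the type of processing (person or machine), a timestamp from a timezone-aware, NTP-synchronised clock, the data recipient and a geolocation enrichment; parses such lines back; and screens them for two anomalies the recommendations describe: access from an unusual geolocation and a disclosure without a recorded recipient. The vendor and product strings, the `cs1`..`cs3` custom-field labels, the per-actor country baseline and the four sample events are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed CEF header prefix (device vendor/product/version are hypothetical).
CEF_PREFIX = "CEF:0|ExampleCo|SensitiveDataApp|1.0"
# The processing steps Art. 4 para. 1 DPO requires to be logged.
OPERATIONS = {"save", "modify", "read", "disclose", "delete", "destroy"}


@dataclass(frozen=True)
class ProcessingEvent:
    actor: str            # identity of the person or service account that processed the data
    actor_type: str       # "person" or "machine" (type of processing)
    operation: str        # one of OPERATIONS
    record_id: str        # constructed identifier of the affected data record
    recipient: str        # identity of the data recipient, "" if nothing was disclosed
    timestamp: datetime   # must be timezone-aware; relies on synchronised clocks
    src_country: str      # enrichment: geolocation of the accessing client


def _hdr(v):
    # CEF header fields escape backslash and the pipe separator.
    return v.replace("\\", "\\\\").replace("|", "\\|")


def _ext(v):
    # CEF extension values escape backslash, '=' and newlines.
    return v.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(ev):
    """Serialise one event as a CEF:0 line with the Art. 4 para. 4 DPO fields."""
    if ev.timestamp.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    if ev.actor_type not in ("person", "machine"):
        raise ValueError("actor_type must be 'person' or 'machine'")
    if ev.operation not in OPERATIONS:
        raise ValueError(f"unknown operation {ev.operation!r}")
    epoch_ms = int(ev.timestamp.astimezone(timezone.utc).timestamp() * 1000)
    ext = {
        "rt": str(epoch_ms),            # event time, milliseconds since epoch (UTC)
        "act": ev.operation,            # which Art. 4 para. 1 step took place
        "suser": ev.actor,              # identity of who carried out the processing
        "duser": ev.recipient,          # identity of the data recipient
        "cs1Label": "actorType", "cs1": ev.actor_type,
        "cs2Label": "recordId", "cs2": ev.record_id,
        "cs3Label": "srcCountry", "cs3": ev.src_country,
    }
    header = "|".join(_hdr(x) for x in ("art4-" + ev.operation, "sensitive data " + ev.operation, "3"))
    return f"{CEF_PREFIX}|{header}|" + " ".join(f"{k}={_ext(v)}" for k, v in ext.items())


_HDR_SPLIT = re.compile(r"(?<!\\)\|")                      # unescaped pipe
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|\s*$)")  # key=value pairs


def parse_cef(line):
    """Parse a CEF:0 line into a flat dict of header fields and extension keys."""
    parts = _HDR_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 line")
    names = ("vendor", "product", "version", "signature", "name", "severity")
    fields = {n: p.replace("\\|", "|").replace("\\\\", "\\") for n, p in zip(names, parts[1:7])}
    ext = {k: re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), v)
           for k, v in _EXT_RE.findall(parts[7])}
    return {**fields, **ext}


def custom_fields(rec):
    """Resolve csNLabel/csN pairs into label -> value."""
    return {v: rec.get(k[:-5], "") for k, v in rec.items() if k.endswith("Label")}


def find_anomalies(lines, baseline):
    """Screen CEF lines; baseline maps actor -> set of countries seen in normal use (constructed)."""
    findings = []
    for line in lines:
        rec = parse_cef(line)
        cf = custom_fields(rec)
        actor, country = rec.get("suser", ""), cf.get("srcCountry", "")
        if country and country not in baseline.get(actor, set()):
            findings.append(("unusual geolocation", actor, country))
        if rec.get("act") == "disclose" and not rec.get("duser"):
            findings.append(("disclosure without recipient", actor, cf.get("recordId", "")))
        if not rec.get("rt", "").isdigit():
            findings.append(("missing or malformed timestamp", actor, ""))
    return findings


# Constructed sample events: one working day of access to a sensitive record.
T0 = datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    ProcessingEvent("alice", "person", "read", "patient-4711", "", T0, "CH"),
    ProcessingEvent("etl-batch", "machine", "modify", "patient-4711", "", T0.replace(hour=10), "CH"),
    ProcessingEvent("alice", "person", "disclose", "patient-4711", "", T0.replace(hour=11), "CH"),
    ProcessingEvent("alice", "person", "read", "patient-0815", "", T0.replace(hour=23), "BR"),
]
SAMPLE_LINES = [to_cef(e) for e in SAMPLE_EVENTS]
BASELINE = {"alice": {"CH"}, "etl-batch": {"CH"}}

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
    for finding in find_anomalies(SAMPLE_LINES, BASELINE):
        print("ALERT:", finding)
```

The lines produced by `to_cef` are what would be shipped to the separate log store required by Art. 4 para. 5 DPO; `find_anomalies` stands in for the analysis step and is deliberately limited to the purposes the article names (detecting breaches and checking lawful access), not to evaluating an individual's working behaviour.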
The challenge of logging: required storage volume
One of the challenges of logging is the storage volume required. If log data is no longer required directly for the analysis, it is recommended that it be moved to a longer-term storage system. The FDPIC recommends the following:
- Use of suitable storage media: Reliable and durable storage media should be used for the long-term storage of log data.
- Storage duration: Define a clear storage duration for log data to ensure that it is not stored for an unnecessarily long time and that the legal requirements for storage duration are met.
- Calculate the storage volume: Take into account the amount of log data generated, the number of systems in the network and the duration of storage to provide sufficient storage capacity.
The long-term storage of log data is part of your data backup strategy. It should be stored separately from data processing systems to ensure integrity and availability. According to the FDPIC, an additional backup of log data is not normally necessary if a robust storage solution is in place and the data is regularly checked for integrity and completeness.
Logging for existing applications
According to the FDPIC, the transitional provisions of Art. 46 DPA apply to existing applications; this takes account of the fact that older applications cannot always be adapted themselves, because the implementation of logging depends on the programming language, the runtime environment and the development method used. The FDPIC provides a step-by-step guide for the implementation of logging (point 3.3 of the recommendations).
Implementation of the recommendation?
The FDPIC’s recommendations on logging are non-binding and of a general nature for private persons. However, logging is necessary in order to guarantee the information security of systems. According to the FDPIC, Art. 4 DPO does not stipulate whether and which analysis tool should be used, which is why the FDPIC assumes that many data processing systems fulfil the logging requirements “out of the box”. If you are unsure whether your data processing system fulfils the requirements or need legal support in implementing the logging obligation, we will be happy to assist you.
Sources
- Baeriswyl Bruno, Pärli Kurt, Blonski Dominika (eds.), Stämpflis Handkommentar zum Datenschutzgesetz, 2nd ed., Zurich/Basel 2023.
- Federal Act of 25 September 2020 on Data Protection (Data Protection Act, DPA; SR 235.1).
- Husi-Stämpfli Sandra, Morand Anne-Sophie, Sury Ursula, Data Protection Law, 2nd ed., Zurich 2023.
- Federal Data Protection and Information Commissioner (FDPIC), Technical recommendations for logging in accordance with Art. 4 FADP of the FDPIC of 15 September 2023.
- Ordinance of 31 August 2022 on Data Protection (Data Protection Ordinance, DPO; SR 235.11).