The fact sheet published by the Federal Data Protection and Information Commissioner (FDPIC) on 18 July 2023 on the investigation of breaches of data protection regulations is intended to give a brief overview of the investigation as a supervisory instrument. It summarises the FDPIC's detailed explanations of Art. 49-53 of the Federal Act on Data Protection (FADP; SR 235.1), which comes into force on 1 September 2023, just over two weeks after the fact sheet's publication. In this article, HÄRTING briefly summarises what you need to know about the FDPIC's investigations and the measures he may order.
Supervision activities of the FDPIC in the area of data protection
As the supervisory authority for data protection, the FDPIC must ensure that both federal bodies and private persons comply with the federal data protection regulations. As part of this supervisory activity, the FDPIC can investigate violations of these regulations (see Art. 49 et seq. FADP) and, under certain conditions, order measures to enforce them (see Art. 51 FADP).
Investigation by the FDPIC briefly explained
The investigation in general
In accordance with Art. 49 para. 1 FADP, the FDPIC opens an investigation ex officio (typically on the basis of observations made in the course of his supervisory and advisory activities) or upon notification (information provided by data subjects or third parties) against federal bodies or private persons (natural or legal persons) if there are sufficient indications that a data processing operation could violate data protection regulations. “Data processing” is understood broadly here: it is enough that there are indications that the controller is disregarding regulatory provisions or its obligations towards data subjects. “Sufficient indications” exist if it can be assumed with a certain degree of probability that the processing could violate data protection regulations. As a formal administrative procedure, the investigation serves to ascertain and establish the legally relevant facts.
Preliminary investigation
On the basis of initial indications of a breach of data protection regulations, the FDPIC first conducts an informal preliminary investigation to determine whether the conditions for opening an investigation are met. Because the preliminary investigation is informal, it is not yet a formal administrative procedure. Its subject may include clarifying whether the FDPIC is competent at all and against whom an investigation should be directed. The FDPIC then obtains information on the suspected breach from publicly accessible sources, from the controller itself, from data subjects or from third parties. As no formal administrative procedure is under way at this stage, the controller has no obligation to cooperate. A certain degree of voluntary cooperation may nevertheless be advisable in order to prevent the FDPIC from opening a formal investigation: according to the FDPIC, if the controller voluntarily provides conclusive arguments during the preliminary investigation that no breach has been committed, there is “generally no need to open an investigation”.
Investigation
Under the previous law, the FDPIC was obliged to open an investigation into breaches by federal bodies or private persons if a large number of persons was affected. Under the new FADP, the FDPIC opens an investigation unless the breach of data protection regulations is of minor importance (see Art. 49 para. 2 FADP). The obligation to open an investigation therefore does not apply to minor violations, i.e. cases in which the possible interference with the privacy or informational self-determination of the persons potentially affected is of such low intensity that an investigation is not warranted. Because the term is only vaguely defined, the FDPIC has a certain degree of discretion here.
The opening of an investigation is an internal administrative act that cannot be contested. The federal body or private person concerned is informed of the investigation by means of an opening letter, which is usually accompanied by a questionnaire requesting the information and documents needed to clarify the facts of the case. Unlike the preliminary investigation, the investigation is a formal administrative procedure governed by the Administrative Procedure Act (APA; VwVG). As a party to the proceedings, the controller is therefore obliged to cooperate in establishing the facts. In principle, it has a duty to provide information and to disclose documents, although it may refuse to provide information under certain circumstances. If the controller fails to fulfil its duty to cooperate, the FDPIC may also order procedural measures under Art. 50 FADP, such as access to premises.
Conclusion of the investigation procedure and possible ordering of measures
If the investigation does not substantiate the suspected breach of data protection regulations, the FDPIC closes the proceedings or dismisses the matter as moot.
If, however, the investigation establishes a breach of data protection regulations, the FDPIC may order administrative measures in accordance with Art. 51 FADP. These fall into two categories:
- Measures in the event of a breach of data protection regulations:
If there has been a breach of data protection regulations, the FDPIC may order that the processing be adjusted, suspended or terminated in whole or in part and that the personal data be deleted or destroyed in whole or in part (cf. Art. 51 para. 1 FADP). In the case of disclosure abroad, he may defer or prohibit the disclosure if it violates the requirements of Art. 16 and 17 FADP or provisions on the disclosure of personal data abroad in other federal acts (cf. Art. 51 para. 2 FADP).
- Measures in the event of non-compliance with regulatory provisions or the rights of the data subject:
For example, the FDPIC may order the federal body or private person to carry out a data protection impact assessment in accordance with Art. 22 FADP (cf. Art. 51 para. 3 let. d FADP), or to provide the data subject with the information to which he or she is entitled under Art. 25 FADP if the federal body or private person refuses to do so (cf. Art. 51 para. 3 let. g FADP).
If the federal body or private person restores the lawful situation during the investigation, the FDPIC may confine himself to issuing a warning (cf. Art. 51 para. 5 FADP).
In addition, the new FADP contains a catalogue of penal provisions in Art. 60 et seq. FADP, which are discussed in our article “New Swiss Data Protection Act: Stricter penal provisions”.