On 31 August 2023, the FDPIC published a fact sheet on the procedure for preparing a data protection impact assessment (DPIA) in accordance with Art. 22 and 23 DPA. Due to the entry into force of the revised Data Protection Act (revDSG) on 1 September 2023, data controllers are now obliged to carry out a risk assessment, especially when using new technologies. The purpose of this data protection impact assessment (DPIA) is to determine whether the processing poses a high risk to the personality or fundamental rights of the data subjects, or more precisely to the right to privacy and/or informational self-determination of those affected by the personal data processing.
The DPIA provides for a staged procedure: first, a preliminary risk assessment must be carried out to define the “risk threshold”, so to speak. If the preliminary assessment shows that the planned processing could be associated with a “high risk”, a DPIA must then be carried out.
In addition to the fact that carrying out a DPIA is one of the new obligations of the revised Swiss Data Protection Act, a DPIA offers a welcome opportunity for in-house documentation and can be implemented pragmatically with the help of the preliminary risk assessment. The entire documentation effort is not always necessary. We will show you how the DPIA can be implemented pragmatically and used as a means of documentation.
Subject matter and purpose of the DPIA
The DPIA is nothing more than a risk assessment of (new) technologies in relation to the processing of personal data.
The DPIA is therefore used to determine how high the risk to the rights of data subjects is when certain (new) processes and technologies are used or existing ones are further developed, particularly in the context of large digitalisation projects. The DPIA must therefore be carried out not only in the case of the use of new data processing, but also in the case of technological development and expansion of existing projects, if and insofar as personal data is processed through the use of technologies.
The good thing about the DPIA is that it helps to transparently document the derivation and analysis of security risks and to reduce them to an acceptable level under data protection law by means of suitable measures.
Characterisation of the “high risk”
What exactly is a “high risk”? There is no clear definition in Articles 22 and 23 revDSG. However, there is an “assessment aid” in Article 22 (2) revDSG, which even specifies two absolute criteria:
- A high risk is (always) present in the case of extensive processing of personal data that is particularly worthy of protection (sensitive personal data); or
- in the case of systematic and extensive surveillance of public areas.
For example, this applies if GPS or another tracking method is used, or if information about a person’s illnesses or impairments is disclosed.
And then, according to the “assessment aid” of Art. 22 para. 2 revDSG, the high risk arises “from the nature, scope, circumstances and purpose of the processing”. What exactly does that mean?
It helps to realise that the DPIA is intended to identify risks to the privacy and informational self-determination of individuals. The “technology test” should therefore aim to determine whether, for example, the use of the technology severely restricts the data subject’s freedom of disposal over their data, so that the individual’s informational self-determination is severely affected, or whether the technology makes it possible to assess key aspects of the data subject’s personality in accordance with the criteria of “high-risk profiling” pursuant to Article 5 lit. g revFADP.
This is the case, for example, if data is processed and linked automatically so that key aspects of a person, such as health, work performance, economic situation (see Art. 5 lit. f revFADP) can be assessed. The high risk is centred on the fact that this processing and linking takes place automatically, i.e. without any assessment by a person, and this can have serious consequences for the data subjects. It is important that possible physical and financial consequences of the use of technology and the associated data protection violations are also taken into account.
Preliminary risk assessment in accordance with Art. 22 para. 1 and 2 revDSG
Now that we know roughly how the risk is to be defined, let’s move on to the practical procedure:
- Preliminary review:
Here, one should proceed on the basis of certain “thresholds” and document whether and to what extent a risk could arise with regard to the rights of the data subjects outlined above, given the scope of processing, type of data, number of data subjects and generally given the planned use of the technology:
- The criteria in the preliminary assessment are the same as those of the detailed DPIA: looking at the processing as a whole (see above, criteria of type, scope, circumstances and purpose of the processing), which group of people and what kind of data (e.g. personal data or particularly sensitive personal data) are affected, how many people are affected, what the aim of the use of the technology is, and what the consequences are for the individuals or their rights.
- For example, will they lose control over their data, or do they run the risk that the use of technology will automatically filter and evaluate key aspects of their personality in such a way that they subsequently suffer disadvantages (see above for an explanation of what “high risk” means)?
- Complete DPIA:
If the preliminary assessment shows that a planned processing operation could be associated with a “high risk” for the data subjects, a DPIA must be drawn up; preferably at the project planning stage for / in advance of the use of the technology.
According to Article 22 para. 3 revDSG, this must contain a description of the planned processing, an assessment of the risks and the measures to protect the privacy and fundamental rights of the data subjects. Here the preliminary review pays off: the processing operations and the risk have already been documented on that basis, and now only the risk minimisation measures need to be added. This can be, for example, a catalogue of measures that also takes into account data protection-friendly default settings when using the technology, in the sense of data protection by design and by default. It is important that these measures reduce the feared “high gross risks” to an appropriately lower level. If this is not possible, the FDPIC also allows risky data processing to still exceed the “high risk” threshold even after protective measures have been taken. However, the processing of personal data must then be compatible with the requirements of data protection legislation as a whole and be reasonable for the data subjects, and therefore justifiable overall. What sounds like a lot of room for judgement actually offers an opportunity.
Procedure after completion of the DPIA
If the net risk is not categorised as high after the DPIA has been completed, the controller must still check whether the planned processing is compatible with all requirements of the DPA. However, the DPIA does not have to be submitted to the FDPIC.
The situation is different if the net risk is assessed as high. In this case, the controller must disclose the residual risks to the data subjects and the DPIA must be submitted to the FDPIC in accordance with Art. 23 para. 1 FADP. Consultation with the FDPIC may be waived if the data protection advisor fulfils the requirements of Art. 10 FADP and, in particular, if their contact details have been reported to the FDPIC.
Conclusion
The FDPIC’s information sheet makes it clear that a detailed DPIA is not always necessary from the outset. However, it is worth documenting how the (new) technology is used as part of the preliminary review, both for your own documentation and with a view to a possible fully comprehensive DPIA. As part of the preliminary review, you can get a general picture of the technology in question and its mode of operation based on the parameters shown, and clearly assess and document whether a full DPIA is required or why it is not necessary. This saves resources and stress and still provides certainty for those responsible.
Annex 1 of the FDPIC fact sheet on data protection impact assessment (DPIA) in accordance with Art. 22 and 23 FADP (as of August 2023), adapted/supplemented by HÄRTING Rechtsanwälte AG
Sources
Information from the FDPIC on data protection impact assessments, available at: https://www.edoeb.admin.ch/edoeb/de/home/datenschutz/grundlagen/dsfa.html#context-sidebar (last accessed: 05.09.2023).