On June 28, 2013, the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) issued its 20th annual Report of Activities (the “Report”), highlighting the FDPIC’s main activities during the period from April 2012 to March 2013. The Report is available in French and in German, and the FDPIC also has prepared a summary of the Report in English.
The Report includes several items that are particularly relevant for international businesses with operations in Switzerland. For example:
Monitoring of Social Media
Businesses that monitor social media (e.g., to find out more about how users perceive their brand) should limit their processing of personal data in this context to a minimum. It should not be possible to use the results of such monitoring to draw conclusions about individuals.
The Report includes information on the FDPIC’s compliance efforts in the area of employee monitoring. It notes that generally businesses are not permitted to use surveillance and control systems to monitor employee behavior at work. The Report also details the circumstances under which employee email accounts may be accessed and managed by employers.
Employee Data Shared with U.S. Agencies
With respect to Swiss banks sharing employee personal data with U.S. agencies, the FDPIC notes that this activity may be lawful, provided several safeguards are put in place (e.g., informing the affected employees and providing them with access to the relevant documents).
The FDPIC strongly recommends that whistleblowing systems be registered with the Commissioner. The Report also confirms that Swiss law does not currently contain specific requirements for whistleblowing systems used in the private sector.
Loyalty Programs and Purchase Analyses
Triggered by an industry request for clarification, the FDPIC describes the circumstances under which the operators of loyalty programs can introduce purchase analytics tools to better understand their customers. Among other requirements, the use of such tools requires clear, opt-in consent from the users and increased transparency.
Data Sharing in the Postal Sector
The FDPIC comments on recent changes in Swiss postal law and analyzes the circumstances under which postal service providers may share personal data with third parties. For example, such sharing requires opt-in consent, and the affected individuals need to be provided with detailed information about how their personal data will be shared.
The FDPIC reviewed several biometrics systems from a data protection point of view. It recommends using systems that provide the greatest protection for user privacy (e.g., certain systems that rely on vein patterns or keyboard use patterns).
Health Insurance Providers
Following a review of an insurance provider’s processing operations, the FDPIC emphasizes that access to a patient’s health data should be restricted both in terms of what can be accessed and by whom it can be accessed. Access rights also should be revoked once a claim has been processed.