Data protection and data security – What companies need to know

An increasing number of companies collect personal data: data about customers, for example, in order to make them personalised offers, or data about employees for performance evaluation. Processing such data calls for caution, however, because a number of rules must be observed to ensure data security.

The basic legal norms governing the processing of personal data are found in the Federal Act on Data Protection (FADP). The article numbers cited below are those of the FADP as in force before the revised Act took effect on 1 September 2023, which renumbered the provisions without changing the principles described here.

Principles of data security

Art. 7 FADP stipulates that personal data must be protected against unauthorised processing by adequate technical and organisational measures. This obligation applies to companies as well as to public bodies. The FADP leaves the precise form of data security open, however: the concrete protective measures are largely left to the companies themselves. Some indications can be found in the Ordinance to the Federal Act on Data Protection, which requires in particular that the measures prevent the unauthorised modification, copying, destruction, processing or falsification of data. In practice, industry standards such as ISO/IEC 27001 for information security management are used as a template for designing data security. These standards are not legally binding, but a company that can show it follows a recognised standard, and documents which measures it has taken and why, is in a much better position to demonstrate that its measures are "adequate" if they are ever questioned.

Transfer of data to third parties within the country

An important question in data protection law is the extent to which companies may pass on the data they have collected. Many companies do not have their own IT department but have personal data processed, or at least stored, by third-party providers (cloud computing). This is not without risk: the more people who have access to the data, the greater the risk of misuse. According to Art. 10a FADP, engaging third parties to process data is permitted, provided that the third party processes the data only in the way the company itself would be permitted to, and that no legal obligation of secrecy prohibits the disclosure. The company must therefore ensure that the third party satisfies the data security requirements described above; responsibility for the data remains with the company that engaged the provider. In practice this is done through a written agreement with the provider that specifies the permitted processing and the security measures the provider must maintain, and the company should verify that those measures are actually in place rather than rely on the provider's assurances alone.

Transfer of data abroad

The requirements for transferring personal data abroad are stricter. The transfer is permitted without further conditions only if the country in which the recipient is located has legislation that ensures adequate data protection; the Swiss federal authorities publish a list of the countries considered adequate. If that is not the case, the transfer is only allowed if adequate protection is guaranteed in another way, in particular through contractual safeguards (so-called data transfer agreements) that bind the recipient to comparable data protection standards, or if the data subjects have consented to the transfer in the individual case. Before using a foreign cloud or hosting provider, a company should therefore check where the data will actually be stored and processed, including by any subcontractors, and not only where the provider's head office is.
