Data Privacy Law – IT Rechtsberater – Datenschutzbeauftragter (https://www.it-rechtsberater.de), Mon, 07 Mar 2022 12:50:43 +0000

Swiss data protection law (DSG)
https://www.it-rechtsberater.de/en/swiss-data-protection-law-dsg/ (Thu, 10 Feb 2022 11:03:01 +0000)

Swiss data protection law is largely based on the GDPR. However, some of its terminology and requirements deviate from the GDPR and must be taken into account when implementing Swiss data protection law.

Information requirements

Group privilege

Although the FADP contains a legal basis for data processing within a corporate group, and exceptions apply to the duty to inform and the right to information, disclosing personal data within a corporate group can still violate personal rights. A legal justification is therefore required as the basis for transferring personal data within a corporate group. This justification for intra-group transfers applies only if the personal data of the data subjects and the nature of their processing are relevant and necessary for economic competition, so intra-group data processing must be carefully examined and assessed in each individual case. In short, the DPA grants the controller a limited group privilege; the GDPR, by contrast, recognizes no such group privilege and rejects it outright.

Directory of all data processing

The DPA requires controllers and processors to keep a directory of processing activities (Art. 12 DPA). In this respect the FADP matches the GDPR: as under the GDPR, a list of all data processing activities is required.
The processing directory must contain at least the following information:

  • the identity of the person responsible;
  • the purpose of the processing;
  • a description of the categories of data subjects and the categories of personal data processed;
  • the categories of recipients;
  • if possible, the period of retention of the personal data or the criteria for determining this period;
  • if possible, a general description of the measures taken to ensure data security (appropriate technical and organizational measures to prevent breaches of data security);
  • if the data is disclosed abroad, an indication of the country and the guarantees by which appropriate data protection is ensured.

Companies in Switzerland are therefore faced with the task of recording and documenting all data processing within the company. This can be done within the framework of a data mapping. This inventory is now required to implement the DPA and can mean considerable initial effort for many companies, as such documentation was not created in the past.

Role of the data protection advisor

The DPA standardizes the role of the data protection advisor, whose tasks are similar to those of the data protection officer under the GDPR. However, the DPA does not make the appointment of a data protection advisor mandatory; it recommends the appointment pursuant to Art. 10 DPA. According to the DPA, appointing a data protection advisor brings relief in the case of data processing that poses a high risk to the personality or fundamental rights of the data subject: the data protection advisor may be consulted to implement appropriate measures to mitigate the high risks to the data subjects. If appropriate IT security measures to mitigate this risk are possible and are implemented, consultation with the Swiss Federal Data Protection and Information Commissioner (FDPIC) is not required. This is in line with the data protection impact assessment requirements of the GDPR.

Data protection representation

Where a controller based abroad processes personal data of individuals in Switzerland, a representative in Switzerland must be appointed if the processing is related to offering goods and services to, or monitoring the behavior of, individuals in Switzerland. A representative in Switzerland must likewise be appointed if the processing of personal data of individuals in Switzerland is extensive or regular, or if it involves a high risk for the data subjects. The GDPR contains a corresponding provision, so a Swiss company is in turn required to appoint a representative in the EU if it processes personal data of individuals located in the EU and offers goods or services to these individuals or monitors their behavior (Art. 3 GDPR).

Sanctions and fines

The DPA provides for much milder fines than the GDPR. If a person, e.g. an employee, violates provisions of the DPA, that person faces a fine of up to CHF 250,000 (approx. EUR 234,740). The limitation period in this case is 5 years. Unlike under the GDPR, the penalty attaches not to the responsible company but explicitly to the natural person concerned. If identifying the responsible persons would require a disproportionate effort on the part of the supervisory authority, the company can be fined CHF 50,000 (approx. EUR 46,940) instead of the responsible person (Art. 64 DPA).

Services of the law firm

We can support your company, organization or institution in implementing the DPA, in legal as well as technical questions. Our law firm offers the following services for this purpose:

  • Assumption of the function of the external data protection advisor
  • Support of the internal data protection advisor
  • Carrying out an as-is analysis or an audit on data protection
  • Preparation of an action plan for implementing the DSG according to liability risk
  • Annual planning meeting on data protection with management, commercial management
  • Derivation of the measures required by the DSG for the following year in order to ensure an appropriate level of data protection in the company, organization or institution
  • Creation of a data mapping as part of the recording of the most important IT applications
  • Preparation of the data protection documents required under the Data Protection Act (DSG)
  • Creation of a data workflow as part of the legal safeguarding of international and intra-group data transmission
  • Fulfillment of requirements for international data transfer and group data processing (HR systems, ERP systems, etc.)
  • Data protection and IT security for cloud applications
  • Data protection in hospitals, medical practices, medical care centers and pharmacies
  • Data protection in social institutions (addiction counseling, family counseling, child and youth welfare, care facilities, residential homes, daycare centers, etc.)
  • Preparation and conclusion of agreements on commissioned processing
  • Creation of a directory of all data processing activities
  • Data protection compliant handling of the topic “mobile working” (agreement on mobile working, work instructions on mobile working)
  • Creation of visitor form with questions on the pandemic
  • Creation of a corporate policy on the pandemic
  • Creation of documents to fulfill information obligations
  • Conducting the necessary data protection impact assessments (MS Office 365, video surveillance, electronic personnel file, applicant management)
  • Review of technical and organizational measures (IT security measures)
  • Implementation of employee data protection requirements (electronic personal file/ paper file, applicant management)
  • Review of the company website (privacy policy, imprint, cookie alerts, tracking tools)
  • Creation and negotiation of policies in the company, organization or institution (email/internet use, access control/time recording, video monitoring, MS-Office 365, cloud solutions, electronic personnel file, etc.)
  • Creation of training materials and delivery of data protection training (general classroom training, special training for executives, HR, IT, branding, sales, and public relations)
  • Creation of training materials on data protection as e-learning
  • Creation of training videos on data privacy and IT security
  • Introduction of a process for handling data protection violations
  • Implementation of data subject rights requirements (information, deletion, correction, etc.)
  • Preparation of consent forms, especially for filming and photographs
  • Data protection in public relations, press, marketing and sales
  • Data protection in social media (social media guideline, implementation of the ECJ’s Facebook ruling, WhatsApp)
  • Regulation of legal conditions for video surveillance (IT security, product assessment, contract for order processing, pictogram)
  • Fulfillment of legal requirements for access control and time recording
  • Advice on the use of drones
  • Assessment of new IT systems (system data protection)
  • Workshops on data protection issues (data protection forum)
  • Creation of work and organizational instructions (mobile working, systems for video conferencing, dealing with social media, etc.)
Technical and organisational measures
https://www.it-rechtsberater.de/en/technical-and-organisational-measures/ (Tue, 21 Apr 2020 16:26:14 +0000)

For a comprehensive and data protection-compliant data protection management system, technical and organizational measures (“TOM”) must be implemented in the company in accordance with, among others, Art. 24 DSGVO, Art. 32 DSGVO and Section 64 BDSG, and documented so that they can be produced in the event of an inspection by the data protection supervisory authority. Every company, authority, institution or other body which alone or jointly with others decides on the purposes and means of processing personal data is a controller within the meaning of the DSGVO and must implement appropriate technical and organizational measures.

Technical measures include: Use of an up-to-date virus scanner and firewall, password protection, backups, encryption of data carriers, building security, securing the server room, use of alarm systems, fire protection measures, VPN, lockable filing cabinets, logging, etc.

Organizational measures include: Authorization concepts according to task and function, regular data protection training, data protection audits, visitor concepts, definition of authority to issue directives, implementation of a data protection officer or internal data protection coordinators, provision of declarations of consent and other documents required under data protection law, applicant management, etc.

The purpose of technical and organizational measures is, in particular, to ensure and demonstrate the security of the processing of personal data. Beyond that, comprehensive technical and organizational measures are a mark of quality.

The selection of relevant and necessary technical and organizational measures results from several criteria. These include, above all, the state of the art, the cost of implementation, the probability and severity of the risk to the rights and freedoms of natural persons, and the nature, scope, circumstances and purpose of the processing. It is also important that the technical and organizational measures are regularly reviewed and updated as necessary (e.g., as part of data protection audits).

The successful implementation and documentation of technical and organizational measures that meet the legal (minimum) requirements require comprehensive advice and ongoing support from specialized lawyers in order to avoid fines, the assertion of claims for damages, damage to image, the loss of contracts to competitors, and ultimately to minimize liability risks.

 

Our law firm advises on technical and organizational measures, including the following topics:

  • Preparation of a comprehensive checklist on technical and organizational measures (TOM checklist)
  • Creation of a checklist for the procurement of software and its data protection-friendly basic settings (Data Protection by Design and by Default)
  • Advice on the selection of software and mobile apps and their implementation (role-based authorization concept, data security concept, deletion concept, input logging, log files, export of master data and transaction data as part of an information procedure)
  • Examination of general terms and conditions and IT contracts of software vendors for their legal validity
  • Support in the selection, implementation and documentation of the required technical and organizational measures (best practice)
  • Inspections of various departments, HR, IT, server rooms, data centers
  • Training of employees in IT security and data protection (awareness)
  • Special training for managers, HR, IT, marketing, sales, etc. on IT security and data protection
  • Conducting data protection audits to identify weaknesses
  • Review and auditing of technical and organizational measures of external service providers in the context of contract processing
  • Review of suitable guarantees from commissioned subcontractors (e.g., order processors) with regard to their technical and organizational measures
  • Integration of technical and organizational measures into an IT security management system (ISMS) in accordance with ISO 27001
  • Cooperation with the IT security officer(s)
Advertising and Data Protection
https://www.it-rechtsberater.de/en/advertising-and-data-protection/ (Thu, 29 Jun 2017 11:05:15 +0000)

The tension between advertising on the one hand and data protection and competition law on the other confronts companies, organizations and institutions that want to draw attention to themselves through advertising with considerable challenges under competition and data protection law. Before implementing an advertising campaign and collecting, purchasing or transmitting customer data, the legal requirements must be carefully examined and implemented in compliance with the law.

Advertising measures must comply with data protection and copyright requirements, some of which are very strict and which, in the event of violations, are associated with sometimes high fines and other sanctions imposed by data protection supervisory authorities, government agencies or by cease-and-desist letters (e.g., from lawyers). The European General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the Unfair Competition Act (UWG), consumer protection rights, trademark rights and copyrights play a central role as legal requirements.

When selecting the advertising strategy, the specific requirements of the group of people to be addressed (entrepreneurs or consumers) and the selection of the means of communication or the distribution channel of the advertising measures must be taken into account (e.g., e-mail, telephone, mail, newsletter, radio, television, apps, advertising on the Internet or in social media).

A selection of required measures includes the selection and evaluation of data sources, compliance with legal and technical requirements when processing customer data using IT applications with complex algorithms for evaluating and analyzing customer data (Big Data), specifications when tracking customer behavior on websites and in social media, and compliance with requirements when creating profiles and with anonymization and pseudonymization.

The successful planning and implementation of advertising measures require comprehensive advice and ongoing support from specialized lawyers in order to avoid fines, the assertion of claims for damages, image damage, the loss of orders to competitors, and to minimize overall liability risks.

 

Our firm advises on all areas of advertising, including the following:

  • Evaluation of the acquisition and use of data sources of customer data
  • Legal and technical evaluation of IT applications with complex algorithms for the evaluation and analysis of customer data (Big Data)
  • Data protection-compliant design of customer databases (CRM systems)
  • Review of requirements when tracking customer behavior on websites and in social media
  • Compliance with requirements when creating profiles
  • Use of the possibilities of anonymization and pseudonymization
  • Data protection compliant address trading
  • Legal assessment of advertising campaigns via various sales channels
  • Support for data protection-compliant (advertising) measures in marketing (e.g., expert opinions, statements and recommendations)
  • Data protection in market and opinion research
  • Data privacy in research projects
  • Data privacy protection in crowd-funding
  • Data privacy in the advertising of donations
  • Implementation of data protection requirements for ecclesiastical, charitable or non-profit purposes
  • Data protection-compliant implementation of the website (e.g. privacy policy, imprint, contact form, cookie banner, obtaining image rights)
  • Data protection-compliant use of so-called tracking tools (e.g. Google Analytics)
  • Data protection-compliant use of drones for image and advertising films
  • Review of advertising measures in social media applications
  • Creation of social media guidelines with regard to advertising measures
  • Creation of user agreements with regard to image and text rights
  • Data protection-compliant implementation of discount and sweepstakes promotions, surveys, etc.
  • Creation of terms of use in connection with advertising measures
  • Implementation of a privacy-compliant newsletter procedure
  • Data protection-compliant implementation of trade fair booths
  • Training of employees in marketing, public relations, etc. on the data protection-compliant implementation of advertising measures
  • Preparation of required data protection documents (e.g. consent forms, information letters, confidentiality declarations)
  • Examination of and defense against warnings
Video Surveillance
https://www.it-rechtsberater.de/en/video-surveillance/ (Thu, 29 Jun 2017 11:03:36 +0000)

Observation by means of optical-electronic equipment, in particular video surveillance in companies, organizations and facilities, is becoming increasingly important. A wide variety of motives lead those responsible to observe certain areas of their company, organization or institution with video surveillance equipment. Because video surveillance may violate the right to informational self-determination and other provisions of data protection law, each surveillance measure must be examined for its legality before it can be deemed permissible. This is done, among other things, through a comprehensive weighing of the interests of the responsible body that wants to process and use the collected video streams or video images on the one hand against the interests of the data subjects worthy of protection on the other.

In addition to a concrete necessity for the surveillance measure, the suitability, proportionality and appropriateness of the measures must be reviewed and established. Video surveillance may only be used as a last resort (ultima ratio), where milder means are not available, for purposes such as safeguarding domiciliary rights (Hausrecht), preventing vandalism or preventing criminal acts.

In addition to the necessary review of the legality of video surveillance, the co-determination rights of works councils or employee representatives (MAV) must be observed. When video surveillance systems are used, a company guideline, a works agreement or a service agreement must be drawn up and concluded. Regulations on the handling and storage of the accumulated data are also required: both access and the scope of processing must be clearly regulated. Depending on the technical equipment used and the scope of its functions, the analysis procedures used and the storage periods for personal data must also be designed in accordance with data protection requirements.

 

Our law firm will be happy to advise you on the use of optical-electronic equipment (video surveillance) and we can offer you the following services in this regard:

  • Data protection-compliant design of video surveillance installations
  • Preparation of legal opinions on planned video surveillance installations
  • Consultation on the installation of video surveillance systems (site and building plot with the locations of the video cameras and their surveillance sectors)
  • Verification of technical functions of fixed or mobile video cameras
  • Legal requirements for the surveillance of publicly accessible areas (public paths, roads, parking lots)
  • Video surveillance on company premises, inside organizations, in the server room, in production facilities, in fire hazard areas, in visitor parking lots, etc.
  • Video surveillance in social facilities to monitor access to and exit from the facility
  • Video surveillance in shopping centers and parking garages
  • Performance and behavior monitoring in the context of video surveillance
  • Data protection review of possible evaluations during video surveillance
  • Compliance with storage periods for video images and video streams in the context of video surveillance (personal data)
  • Inspection and acceptance under data protection law of newly installed video surveillance systems
  • Creation of the required inventory of processing activities for the video surveillance system
  • Preparation and conclusion of a contract for commissioned processing in the event of maintenance or remote access to the video surveillance system by outside companies or other third parties
  • Implementation and documentation of the required data protection impact assessment
  • Video surveillance in the context of criminal offenses and forwarding of video data to law enforcement authorities
  • Involving and informing works councils or employee representatives within the framework of statutory co-determination on planned or expanded video surveillance installations
  • Creation, negotiation and conclusion of a company policy, a works agreement or a service agreement on video surveillance
  • Creation and implementation of data protection training on video surveillance for employees in order to reduce fears
Support and training of internal data protection officers
https://www.it-rechtsberater.de/en/assistance-and-training-of-internal-data-protection-officer/ (Thu, 29 Jun 2017 11:02:49 +0000)

Our law firm supports internal data protection officers by clarifying legal issues relating to data protection and by drafting, among other things, all necessary data protection-related documents, contracts, guidelines, company agreements, user regulations, legal or technical expert opinions, process descriptions, procedural instructions, work and organizational instructions, documents on IT security, etc.

Furthermore, we provide training for internal data protection officers and employees in the company.

The firm’s services in the area of support and training of internal data protection officers include in particular:

  • Support for internal company data protection officers (DSGVO, KDG, EKD-DSG)
  • Conducting an as-is analysis or an audit on data protection
  • Consulting and implementation of data protection requirements
  • Preparation of the required data protection documents
  • Hotline for answering all data protection-related inquiries by telephone or via e-mail
  • Preparation of documents for the fulfillment of information obligations
  • Preparation and conclusion of agreements for commissioned processing
  • Data protection for cloud applications
  • Recording of existing files and IT procedures and creation of the required directories of processing activities
  • Conducting the required data protection impact assessment (MS Office 365, video surveillance, electronic personnel file)
  • Review of technical-organizational measures (IT security measures)
  • Support in the creation and implementation of a deletion concept
  • Establishment of an ISMS (IT security management system)
  • Implementation of requirements for encryption of mobile storage media, e-mail encryption and VPN
  • Implementation of employee data protection requirements (electronic personnel file/ paper file, applicant management)
  • Data protection for client information systems (authorizations, file structure, IT security)
  • Implementation of data protection for cloud solutions (MS Azure, Amazon Web Services)
  • Support in the area of IT security and data protection for IT applications e.g. MS-Dynamics, SAP SuccessFactors, Personio, SAGE, Salesforce, Workday, DMS systems, email archiving, etc.
  • Assessment of apps in the area of social media, in particular facebook, WhatsApp, Instagram, Signal, threema, TikTok, telegram, etc.
  • Data protection-compliant destruction of paper and data carriers
  • Data protection during internal exchanges in the facilities (internal consulting, supervisions, etc.)
  • Implementation of data protection requirements in the event of data transfer to church and official bodies (youth welfare office, social welfare office, courts, etc.)
  • Review of the website of the church institution (privacy policy, imprint)
  • Creation and negotiation of service agreements (e-mail/internet use, access control/time recording, video surveillance, MS Office 365, cloud solutions, electronic personnel file, home office, etc.)
  • Creation of training documents and implementation of data protection training courses
  • Creation of training materials on data protection as e-learning
  • Introduction of a process for handling data protection violations
  • Implementation of data subject rights requirements (information, deletion, correction, etc.)
  • Preparation of consent forms, especially for filming and photographs
  • Implementation of data protection in charitable and other social institutions and parishes
  • Compliance with data protection requirements in medical facilities and hospitals, telemedicine
  • Data protection in social media (social media guideline, implementation of the Facebook ruling of the European Court of Justice)
  • Regulation of legal conditions for video surveillance (IT security, product assessment, service agreement, AV contract, pictogram)
  • Fulfillment of legal requirements for access control and time recording
  • Advice on the use of drones
  • Assessment of new IT systems (system data protection)
  • Workshops on data protection topics (data protection forum)
Social Data Protection
https://www.it-rechtsberater.de/en/protection-of-social-data/ (Thu, 29 Jun 2017 11:00:06 +0000)

Social institutions, e.g. old people’s and nursing homes, daycare centers (Kitas), child and youth welfare institutions, advice centers, etc., collect, process and use a large amount of personal data. Much of this data is particularly sensitive and must therefore be treated confidentially under data protection law.

In the area of social data protection, there is an extensive exchange of data between social institutions and government and private agencies, e.g. other institutions, family doctors, psychologists, social workers, schools, parents, youth welfare offices, pension offices, law enforcement agencies, etc. The authority to transfer data to internal and external agencies must be carefully examined in order to avoid social and economic disadvantages for the persons concerned.

We offer the following services in particular for social institutions:

  • Implementation of data protection in social institutions
  • Preparation of the required data protection documents
  • Data protection at reception, discretion zone, waiting area
  • Data protection during contact with relatives
  • Data protection during administrative intake (data collection, documentation)
  • Mail distribution and mail withdrawal
  • Data protection requirements for persons in charge (psychologists, educators, pedagogues)
  • Power of attorney lists for contact persons of children
  • Data protection at interdisciplinary team meetings and supervision sessions
  • Release from confidentiality and documentation
  • Social secrecy, data secrecy and telecommunications secrecy
  • Consent management (wording of consent with reference to right of revocation)
  • Publication of photographs of children and employees, lists and therapy plans, in the social facility
  • Data protection in the facility (filing cabinets, file trolleys, tidy desk, desktop lock, access authorizations, printer, copier, shredder, data garbage can)
  • Data protection in the office of the facility management, psychologists’ and educators’ rooms, and in group rooms
  • Data transfer by telephone in compliance with data protection regulations (calls from guardians, family doctor, youth welfare office, Federal Employment Agency, cost units, etc.)
  • Statutory powers of disclosure to family doctor, youth welfare office, guardians, health insurance companies, pension insurance company, Federal Employment Agency, psychologists, police, public prosecutor’s office, courts and school
  • Behavior in case of child welfare endangerment, child welfare officer
  • Data protection in appointment scheduling, access rights to appointment calendars
  • Creation of a deletion concept in compliance with the retention periods for files and handwritten records
  • Data protection with modern media, smartphones, tablets, etc.
  • Data protection requirements for apps and social media (Signal, Threema, Facebook, WhatsApp, Instagram, TikTok, etc.)
  • Data protection in client documentation in paper form (file) or as an electronic file
  • Technical and organizational data protection in social institutions
  • Data protection-compliant destruction of paper and data carriers
  • Data protection requirements for video surveillance (monitoring and recording)
  • Data protection training on social data protection (classroom training, webinar, video training)
  • Collection, processing and use of personal data by external service providers in the context of commissioned data processing
  • Data protection on the social institution’s website (privacy policy, imprint)
  • Data protection requirements on the intranet (birthday lists, photographs, anniversaries, trainees, etc.)
  • Data protection for print products (employee newsletter or info)
  • Assumption of the function of external data protection officer for social institutions
  • Training and consulting of internal data protection officers of social institutions
Radio Frequency Identification (RFID)
https://www.it-rechtsberater.de/en/radio-frequency-identification-rfid/ (Thu, 29 Jun 2017 10:57:53 +0000)

Radio frequency identification (RFID) refers to a microchip technology that enables objects to be identified without contact. The chips are read out and powered by radio. The data obtained, e.g. about products, can be transmitted automatically to a downstream IT system. The technology is seen as a complement to the barcode known from labels or imprints on food and consumer goods, and is used, for example, in access control and theft protection, in customer cards, or in the automotive industry for immobilizers.

Critics fear that as RFID becomes more widespread, personal data may be collected unnoticed and without the consent of those concerned, or linked to objects. In extreme cases, it could even be possible to derive usage or movement profiles. For this reason, data security and the protection of the right to informational self-determination are important issues with regard to the introduction of this technology.

Our law firm can support you on the subject of RFID with the following services:

  • Expert opinions regarding data protection aspects of the use of RFID
  • Review of various use cases for the application of RFID, e.g. RFID in discounters, RFID in the automotive industry, RFID in logistics, etc.
  • Use of RFID in access control and time recording
  • Advice on the use of RFID in compliance with data protection regulations
  • Examination of technical-organizational measures for the use of RFID
  • Consulting on the use of pseudonymization and anonymization in the use of RFID
  • Preparation of information letters for customers, employees, suppliers, etc.
  • Preparation of the required register of processing activities (VVT)
  • Creation and conclusion of order processing contracts with external service providers
  • Carrying out the legally required data protection impact assessment
  • Creation and technical implementation of an erasure concept when using RFID
  • Legal advice on the collection, processing and use of personal data using RFID
  • Creation of a company policy, works agreement or service agreement on the use of RFID
  • Performance and behavior control in the context of the use of RFID
  • Creation of work and organizational instructions for employees on the use of RFID
  • Creation and implementation of data protection and IT security training on RFID
Data Protection of the Catholic Church
https://www.it-rechtsberater.de/en/data-protection-law-of-the-catholic-church-kdg/
Thu, 29 Jun 2017 10:53:19 +0000

In the area of data protection law, the Catholic Church is governed by the Church Data Protection Act (KDG). The KDG is largely based on the GDPR, but in some respects it grants privileges where the GDPR is stricter, e.g. in the amount of the maximum fines.

We assume the function of external data protection officer for companies and institutions, e.g. administrations, hospitals, academies, funding agencies and child and youth welfare institutions of the Catholic Church. Our services include in particular:

  • Position of the external company data protection officer for church companies, agencies and associations (KDG, KDG-DVO)
  • Support of internal company data protection officers (KDG, KDG-DVO)
  • Carrying out an as-is analysis or audit of data protection
  • Consulting and implementation of the data protection requirements of the Catholic Church
  • Preparation of the required data protection documents
  • Hotline for answering all data protection-related inquiries by telephone or via e-mail
  • Preparation of documents for the fulfillment of information obligations
  • Preparation and conclusion of agreements for commissioned processing
  • Data protection for cloud applications
  • Recording of existing files and IT procedures and creation of the required directories of processing activities
  • Conducting the required data protection impact assessment (MS Office 365, video surveillance, electronic personnel file)
  • Review of technical-organizational measures (IT security measures)
  • Support in the creation and implementation of a deletion concept
  • Establishment of an ISMS (IT security management system)
  • Implementation of requirements for encryption of mobile storage media, e-mail encryption and VPN
  • Implementation of employee data protection requirements (electronic personnel file/paper file, applicant management)
  • Data protection for client information systems (authorizations, file structure, IT security)
  • Implementation of data protection for cloud solutions (MS Azure, Amazon Web Services)
  • Support in the area of IT security and data protection for IT applications e.g. MS-Dynamics, SAP SuccessFactors, Personio, SAGE, Salesforce, Workday, DMS systems, email archiving, etc.
  • Assessment of apps in the area of social media, in particular Facebook, WhatsApp, Instagram, Signal, Threema, TikTok, Telegram, etc.
  • Data protection-compliant destruction of paper and data carriers
  • Data protection during internal exchanges in the facilities (internal consulting, supervisions, etc.)
  • Implementation of data protection requirements in the event of data transfer to church and official bodies (youth welfare office, social welfare office, courts, etc.)
  • Review of the website of the church institution (privacy policy, imprint)
  • Creation and negotiation of service agreements (e-mail/internet use, access control/time recording, video surveillance, MS Office 365, cloud solutions, electronic personnel files, home office, etc.)
  • Creation of training documents and implementation of data protection training courses
  • Creation of training materials on data protection as e-learning
  • Introduction of a process for handling data protection violations
  • Implementation of data subject rights requirements (information, deletion, correction, etc.)
  • Preparation of consent forms, especially for filming and photographs
  • Implementation of data protection in charitable and other social institutions and parishes
  • Compliance with data protection requirements in medical facilities and hospitals, telemedicine
  • Data protection in social media (social media guideline, implementation of the Facebook ruling of the European Court of Justice)
  • Regulation of legal conditions for video surveillance (IT security, product assessment, service agreement, AV contract, pictogram)
  • Fulfillment of legal requirements for access control and time recording
  • Advice on the use of drones
  • Assessment of new IT systems (system data protection)
  • Workshops on data protection topics (data protection forum)
Data Protection of the Protestant Church
https://www.it-rechtsberater.de/en/data-protection-law-of-the-prostestant-church-dsg-ekd/
Thu, 29 Jun 2017 10:52:12 +0000

For bodies under the sponsorship of the Protestant Church, data protection in their companies and facilities is governed by the Church Act on Data Protection of the Protestant Church in Germany (DSG-EKD).

We assume the function of external data protection officer for companies and institutions, e.g., administrations, hospitals, academies, funding agencies, and child and youth welfare facilities, which are under the control of an agency of the Protestant Church. We also provide expert opinions on all data protection issues in the Protestant Church.

  • Position of the external company data protection officer for church companies, agencies and associations (DSG-EKD)
  • Support of internal company data protection officers (DSG-EKD)
  • Conducting an as-is survey or audit on data protection
  • Consulting and implementation of the requirements in the data protection of the Protestant Church
  • Preparation of the required data protection documents
  • Hotline for answering all data protection-related inquiries by telephone or via e-mail
  • Preparation of documents for the fulfillment of information obligations
  • Preparation and conclusion of agreements for commissioned processing
  • Data protection for cloud applications
  • Recording of existing files and IT procedures and creation of the required directories of processing activities
  • Conducting the required data protection impact assessment (MS Office 365, video surveillance, electronic personnel file)
  • Review of technical-organizational measures (IT security measures)
  • Support in the creation and implementation of a deletion concept
  • Establishment of an ISMS (IT security management system)
  • Implementation of requirements for encryption of mobile storage media, e-mail encryption and VPN
  • Implementation of employee data protection requirements (electronic personnel file/paper file, applicant management)
  • Data protection for client information systems (authorizations, file structure, IT security)
  • Implementation of data protection for cloud solutions (MS Azure, Amazon Web Services)
  • Support in the area of IT security and data protection for IT applications e.g. MS-Dynamics, SAP SuccessFactors, Personio, SAGE, Salesforce, Workday, DMS systems, email archiving, etc.
  • Assessment of apps in the area of social media, in particular Facebook, WhatsApp, Instagram, Signal, Threema, TikTok, Telegram, etc.
  • Data protection-compliant destruction of paper and data carriers
  • Data protection during internal exchanges in the facilities (internal consulting, supervisions, etc.)
  • Implementation of data protection requirements in the event of data transfer to church and official bodies (youth welfare office, social welfare office, courts, etc.)
  • Review of the website of the church institution (privacy policy, imprint)
  • Creation and negotiation of service agreements (e-mail/internet use, access control/time recording, video surveillance, MS Office 365, cloud solutions, electronic personnel files, home office, etc.)
  • Creation of training documents and implementation of data protection training courses
  • Creation of training materials on data protection as e-learning
  • Introduction of a process for handling data protection violations
  • Implementation of data subject rights requirements (information, deletion, correction, etc.)
  • Preparation of consent forms, especially for filming and photographs
  • Implementation of data protection in charitable and other social institutions and parishes
  • Compliance with data protection requirements in medical facilities and hospitals, telemedicine
  • Data protection in social media (social media guideline, implementation of the Facebook ruling of the European Court of Justice)
  • Regulation of legal conditions for video surveillance (IT security, product assessment, service agreement, AV contract, pictogram)
  • Fulfillment of legal requirements for access control and time recording
  • Advice on the use of drones
  • Assessment of new IT systems (system data protection)
  • Workshops on data protection topics (data protection forum)
International data transfer
https://www.it-rechtsberater.de/en/international-data-transmisson/
Thu, 29 Jun 2017 10:38:13 +0000

International corporations transfer a wide variety of personal data, e.g. applicant data from subsidiaries in Germany to the USA, from support center to support center (follow the sun), or to service providers based in third countries who process personal data on their behalf. The use cases are diverse, and the transfer may also pass through a chain of subcontractors.

On June 4, 2021, the EU Commission published revised standard data protection clauses (SDK) that are intended to be in line with the GDPR and with the requirements formulated in the “Schrems II” decision. The revised EU standard data protection clauses are intended in particular to better meet the requirements for transparency and accountability.

However, when transferring personal data to third countries, it remains the responsibility of the companies concerned to check whether the new modular standard data protection clauses meet the legal requirements for a transfer to the third country in question, or whether additional measures are required on their part to protect personal data from access by governments, cf. the US CLOUD Act. Adequate encryption of the data or its anonymization are recognized as suitable measures.

The standard data protection clauses (SDK) now have a modular structure (modules 1 – 4) that takes into account the possible constellations of actors in a third-country transfer. The EU Commission offers four modules for use. These are in detail:

  • Module 1: Transfer from controllers to controllers
  • Module 2: Transfer from controllers to processors
  • Module 3: Transfer from processors to processors
  • Module 4: Transfer from processors to controllers

Within these modules, it is necessary to check whether sub-options apply, as is the case, for example, in clause 9 (use of subcontractors) for module 2. Here, under clause 9 lit. a of the SDK, the controller can decide whether the processor must obtain prior authorization for the use of subcontractors (option 1) or not (option 2).

Companies are encouraged to analyze the flow of personal data in detail in order to select the right modules of the standard data protection clauses. The modules corresponding to the data flow and their annexes must then be completed: the annexes contain the information about the data processing (Annex I) and, if sub-processors are used, the list of sub-processors (Annex III). Particularly important is the annex documenting the technical and organizational measures, including the guarantee of data security (Annex II).

Note that for Modules 1 – 3, specific rather than general technical and organizational measures must be specified for each data transfer or category of data transfers. Annex II also provides an example catalog of measures; however, this sample catalog is not exhaustive and cannot be used as a to-do list. The contracting parties must therefore engage closely with the data processing and define concrete protective measures related to it in order to ensure an adequate level of data protection. The nature, scope, circumstances and purpose of the processing of the personal data, and the risks to the rights and freedoms of the data subjects affected by it, must be taken into account. In many cases, a data protection impact assessment must be carried out and documented for the processing concerned.

We can offer you the following services in the field of international data transfer:

  • Support in recording the data flow within a parent company, its subsidiaries and at subcontractors (data workflow)
  • Support in recording the main IT processes affected by a data transfer to third countries (data mapping)
  • Depending on the data workflow, structuring of the required data protection contracts, in particular selection of the required modules of the standard data protection clauses (SDK)
  • Support in the preparation of the individual annexes, in particular information on data processing (Annex I), documentation of technical-organizational measures including data security (Annex II) and list of sub-processors (Annex III)
  • Assistance in recording and documenting the nature, scope, circumstances and purpose of the processing of the personal data
  • Conducting the required data protection impact assessment
  • Advising on the implementation of appropriate measures to prevent access to personal data by governments in third countries, e.g., by anonymizing or sufficiently encrypting the data
  • Legal advice on laws in third countries that legally allow their governments to access personal data, e.g., US-Cloud Act
  • Conducting reliability checks of external service providers, e.g., through a data protection audit
  • On-site visits, inspection of the IT and TC infrastructure to check the reliability of the external service provider under data protection law
Health Data Protection
https://www.it-rechtsberater.de/en/medical-privacy/
Thu, 29 Jun 2017 10:32:53 +0000

Health data protection applies in hospitals, medical facilities and doctors’ offices. In addition to medical confidentiality, numerous data protection regulations must be observed. The federal states have enacted hospital laws whose requirements must also be implemented. Establishing a hospital administration that complies with data protection regulations and protecting patient data on the wards is an important task for those responsible for running the hospital. The use of information technology, such as an electronic hospital information system (HIS), telemedicine using video cameras, and Wi-Fi networks for use by patients, also means that the IT- and telecommunications-specific requirements for technical and organizational data protection must be met. Data protection requirements also apply to the transfer of data to numerous public or private bodies, e.g. general practitioners, health insurers, the medical service of the health insurers, external service providers in the context of commissioned data processing, law enforcement authorities, etc.

Our law firm offers the following services in the area of health data protection, for example:

  • Position of external company data protection officer for hospitals, medical care centers, doctors and pharmacies, medical technology companies, etc. (DS-GVO)
  • Support for internal company data protection officers (DS-GVO)
  • Position of the external company data protection officer for church hospitals, medical care centers, other medical facilities, etc. (KDG, DSG-EKD)
  • Support for the church’s in-house data protection officers (KDG, DSG-EKD)
  • Creation of a plan of measures to implement the DS-GVO, KDG, DSG-EKD according to liability risk
  • Annual planning meeting on data protection with management, commercial management or vicar general
  • Conducting an as-is survey or audit on data protection
  • Data protection during administrative admission (medical history form, consent)
  • Data protection requirements on the ward and at the ward base
  • Implementation of data protection in hospital administration
  • Requirements for physicians and medical staff in the context of medical confidentiality
  • Obligation to inform relatives versus medical confidentiality
  • Data protection in the doctor’s room, psychologist’s room, support point
  • Effective and comprehensible consent management
  • Data protection-compliant patient record management
  • Implementation of data protection in the hospital information system (HIS)
  • Data protection at the hospital reception/gate
  • Data protection around the patient room (labels, patient wristband, ward rounds, patient interviews)
  • Power of attorney lists for child visitors
  • Authority to transmit patient data to other treating physicians in the hospital
  • Data protection when transmitting patient data to the hospital administration
  • Data protection-compliant transmission of patient data to the family doctor, relatives, health insurance company, medical service, external service providers of the hospital, etc.
  • Behavior in the event of a risk to the well-being of a child, representative
  • Data protection-compliant handling of the topic “mobile working” (agreement on mobile working, work instructions on mobile working)
  • Creation of visitor form with questions on the pandemic
  • Creation of company/service agreement/company policy on the pandemic
  • Creation of documents for the fulfillment of information obligations
  • Creation and conclusion of agreements for commissioned processing
  • Fulfillment of requirements for international data transfer and group data processing (HR systems, ERP systems, etc.)
  • Data protection and IT security for cloud applications
  • Recording of existing files and IT procedures and creation of the required directories of processing activities (data mapping)
  • Implementation of the required data protection impact assessments (MS-Office 365, video surveillance, electronic personnel file, applicant management)
  • Implementation of employee data protection requirements (electronic personnel file/ paper file, applicant management)
  • Fulfillment of legal requirements for access control and time recording
  • Retention requirements for patient documentation and concept for deletion of patient data and personal data in administration
  • Data protection in appointment scheduling, access authorizations to the appointment calendar
  • Data protection at the workplace
  • Data protection-compliant destruction of paper and data media
  • Review of technical and organizational measures (IT security measures)
  • Review of website (data privacy statement, imprint, cookie alerts, tracking tools)
  • Creation and negotiation of service agreements (e-mail/internet use, access control/time recording, video surveillance, MS Office 365, cloud solutions, electronic personnel file, etc.)
  • User regulations for Wi-Fi use and telephone use by patients
  • Creation of training documents and implementation of data protection training (general classroom training, special training for managers, HR, IT, marketing, sales, public relations, etc.)
  • Creation of training materials on data privacy as e-learning
  • Creation of training videos on data privacy and IT security
  • Introduction of a process for handling data protection violations
  • Implementation of data subject rights requirements (information, deletion, correction, etc.)
  • Preparation of consents, especially for filming and photographs
  • Data privacy in public relations, press, marketing and sales
  • Data protection in social media (social media guideline, implementation of the ECJ’s Facebook ruling, WhatsApp)
  • Regulation of legal conditions for video surveillance (IT security, product assessment, service agreement, AV contract, pictogram)
  • Advice on the use of drones
  • Assessment of new IT systems (system data protection)
  • Workshops on data protection topics (data protection forum)
  • Creation of work and organizational instructions (mobile working, systems for video conferencing, dealing with social media, etc.)
Geolocation
https://www.it-rechtsberater.de/en/geotagging/
Thu, 29 Jun 2017 10:31:47 +0000

There are numerous services that allow a user’s location to be determined. So-called geolocation can be performed via the IP address assigned by the Internet provider or via the mobile network. Determining the position of an Internet or mobile phone user can be very attractive, or even necessary, for a company, organization or institution: for advertising purposes, for aspects of personal safety, for improving IT security, or for law enforcement by means of movement profiles. Positioning technologies such as GPS or location-based services in mobile communications allow the location and time of a cell phone to be recorded based on the radio cells of the mobile service provider. Such location options are now used in many areas, e.g. in navigation systems or in the emergency call location systems of rescue control centers. However, the technology is also used by employers to locate their employees, and thus for monitoring purposes. This raises the question of the extent to which such information is subject to data protection regulations. Decision-makers and other responsible parties should therefore inform themselves about what needs to be taken into account if they plan to use such tracking technology.

Our law firm offers the following services on the topic of geolocation:

  • Data protection law and technical expert opinions on the use of geolocation
  • Technical-organizational measures for the use of geolocation
  • General IT security measures in the use of geolocation
  • Use of pseudonymization and anonymization in geolocation
  • Preparation of the required list of processing activities (VVT)
  • Creation and conclusion of order processing contracts with external service providers
  • Conducting the legally required data protection impact assessment
  • Legal assessment of the collection, analysis and transmission of geolocation data to third parties, authorities, etc.
  • Creation of a concept for the storage and deletion of geolocation data
  • Creation of a company policy, works agreement or service agreement on the use of geolocation
  • Performance and behavior control in the context of geolocation
  • Geolocation in Wi-Fi networks
  • Advice on data protection law when using geolocation for (company) cars, forklifts, cell phones and for monitoring people (movement profiles)
  • Creation of work and organizational instructions for employees on how to deal with geolocation measures
  • Creation and implementation of data protection and IT security training on geolocation measures
Data Protection Audit
https://www.it-rechtsberater.de/en/data-protection-audit/
Thu, 29 Jun 2017 10:13:25 +0000

Proof of appropriate data protection standards is an important contribution for service providers and suppliers seeking to expand existing market segments and to gain access to market segments and customers not yet tapped. Access to customers in the automotive industry, the electrical industry, mechanical engineering, the pharmaceutical industry, the food industry or other industries will in future require regular certification in IT security (ISO 27001), quality management (ISO 9001) or data protection (ISO 27701). These certifications are door openers to many industries, and very few companies, organizations and institutions will be able to avoid the topic in the future. Certifications in these areas are indispensable for anyone wishing to position themselves for the future. There is therefore a clear need for action, and you should regularly include these topics in the strategy of your company, organization or institution.

Attorney Thomas Costard is a certified data protection officer (TÜV), data protection manager (TÜV), data protection auditor (TÜV) and ISO 27001/BSI basic protection expert (TÜV). We also review the agenda of an upcoming data protection audit by the selected certification body, e.g. TÜV, DEKRA, etc. We accompany the audit and support you in passing it and obtaining the certificate.

Our firm offers to conduct an as-is assessment of data protection and to prepare for a data protection audit. We conduct a pre-audit in preparation for the audit by the certification body, putting on the “glasses” of the auditor. If the auditor identifies minor deviations and recommendations during the audit, we support you in implementing them and closing the gaps. We also accompany you during surveillance audits and re-certification audits.

Furthermore, we conduct audits of processors on behalf of our clients and prepare the required audit report, which reflects the status of the data protection measures at the auditee.

The services of our law firm include in particular:

  • Conducting an as-is survey on data protection (determining the current status)
  • Discussion of the report on the current status with the management and other responsible parties (HR, IT, marketing, sales, public relations, etc.)
  • Establishment of a data privacy management system, definition of a data privacy strategy
  • Preparation of the necessary documents (data protection concept, guideline, directories of processing activities, data protection impact assessments, technical/organizational measures, contracts for commissioned processing, face-to-face training, webinars and video training, inspections, etc.)
  • Support in the selection of the auditor
  • Review and internal coordination of the external auditor’s agenda
  • Accompaniment of the audit for certification in data protection, ISO 27701
  • Presentation and discussion of the data protection audit report with management
  • Support with the deviations (minor deviations, recommendations) identified by the auditor
  • Support during surveillance and recertification audits, ISO 27701
Data privacy in social networks
https://www.it-rechtsberater.de/en/data-protection-in-social-networks/
Thu, 29 Jun 2017 10:12:20 +0000

The increase in multimedia influences and the need for constant communication in our society are driving the growing popularity of social networks.

Facebook, WhatsApp, Instagram, TikTok, Twitter, YouTube, LinkedIn, XING, etc. are used across the board in both private and professional life.

The constant expansion of the possibilities of social interaction allows any kind of data (texts, images, videos) to be posted, exchanged and shared. From a data protection perspective, however, expansions and changes to the options offered also harbor dangers and increasing responsibility for providers and users.

The integration of social networks into websites, blogs and apps by means of “social media plugins” such as the “Like” button from Facebook or the “Share” button from Google+ is becoming increasingly popular and makes responsible use of social networks indispensable.

For website operators who decide to integrate social media plugins, it is therefore advisable, in addition to implementing an imprint, to prepare a data protection statement tailored to the use of the plugins and to make it available online.

Companies are also advised to introduce rules for their employees that clearly define the handling of social networks and private e-mail and Internet use, in order to exclude possible risks in a legally secure manner.

Our law firm can advise you comprehensively on possible risks with the appropriate expertise and provide you with legal protection when implementing the necessary measures for a data protection-compliant handling of social networks.

We can offer you the following services in particular regarding the use of social networks:

  • Preparation of a legal opinion on the use of social networks based on the legal requirements (in particular, the DSGVO, BDSG)
  • Legal advice on the analysis, evaluation and transmission of users’ personal data
  • Legal advice on the disclosure of personal data and data protection law awareness
  • Legal assessment of terms of use for social networks
  • Preparation of terms of use (TOS) for social networks
  • Creation of the required privacy policy and imprint
  • Privacy compliance through settings in the user’s profile
  • Support in deactivating profiles and deleting data (right to be forgotten)
  • Legal advice on measures in the context of applicant management via social networks
  • Legal and technical advice on setting up profiles for companies, organizations and institutions
  • Legal and technical framework for own social networks in the company, organization or institution
  • Advice on the development, hiring and implementation of own mobile apps in the company, organization or institution
  • Drafting of consents and declarations of commitment under data protection law
  • Drafting of a company agreement, company guideline or service agreement on the use of social networks by employees
  • Creation of a work and organizational instruction (OA) for the use of social networks by employees
  • Creation of handouts and training materials for employees on how to use social media
  • Conducting classroom training, webinars and video training on how employees use social networks in companies, organizations and institutions
  • Consulting in the area of IT security in social networks
  • Case law on the publication of information in social networks
  • Liability for posts, blogs, chats, etc. (limits of “Störerhaftung” (breach of duty of care))
Data Protection in Educational Institutions and Schools
https://www.it-rechtsberater.de/en/data-protection-in-educational-institutions-and-schools/ (Thu, 29 Jun 2017 10:11:17 +0000)

A great deal of data is collected, processed and used in educational institutions and schools. The persons affected within the scope of data protection in educational institutions and schools are pupils, parents, teachers, administrative staff and the school administration. Numerous data protection requirements must be observed in the organization of pupil files, in the course of school operations, in the school administration and in the transmission of data to external bodies. To ensure that the data protection requirements are met, several laws applicable to educational institutions must be complied with and, depending on the responsible body, those applicable to ecclesiastical institutions as well.

We offer the following services for educational institutions and schools:

  • Data protection at the registration of pupils
  • Data protection in the school secretary’s office
  • Privacy-compliant principal’s office
  • Data protection requirements for pupil files
  • Data protection in the administrative structure of the educational institution
  • Privacy-compliant staffroom
  • Distribution and receipt of mail
  • Protection of employee data in the educational institution
  • Administration of the school’s administrative servers (server room and administrators)
  • Consents and consent management
  • Data protection on the educational institution’s website (data protection notice, imprint, publication of photographs)
  • Data protection regarding the publication of annual reports, commemorative publications (Festschrift), flyers and brochures
  • Use of LAN and WLAN by employees and pupils of the educational institution
  • EDP classroom and internet café (supervision and user policy)
  • Data protection within the classroom (class registers, notices, photographs, projects, participant lists)
  • Requirements for publications in display cases and on the school’s bulletin board
  • Data protection in the rooms of the liaison teacher and the school psychologist
  • Data transfer to the youth welfare office, social institutions and hospitals
  • Copyright-compliant use of teaching media (audio-visual media, documents)
  • Data protection in the use of photographs of pupils and teachers and at school events
  • Permissions for the press and media for interviews, photographs and film recordings on the school grounds
  • Data protection in the context of scheduling and access rights to appointment diaries
  • Retention periods for pupil and teacher files and handwritten notes
  • Data protection at the workplace
  • Technical and organizational data protection in educational institutions
  • Privacy-compliant destruction of paper and data media
  • Data protection requirements in the context of video surveillance (monitoring and recording)
  • Data protection training for teaching staff
  • Data protection training for pupils, including the use of social networks
  • Collection, processing and use of personal data by external service providers in the context of commissioned processing
  • Preparation of internal and public procedure directories (records of processing activities)
  • Data protection requirements regarding the intranet (birthday lists, photographs, anniversaries, pupil projects, etc.)
  • We act as external data protection officer for educational institutions and schools (e.g. for private and church educational institutions)
Cloud Computing
https://www.it-rechtsberater.de/en/cloud-computing-2/ (Thu, 29 Jun 2017 10:09:27 +0000)

Cloud computing refers to the dynamic provision, use and billing of IT services via a network in line with demand. These services are offered and used exclusively via defined technical interfaces and protocols. The range of services offered as part of cloud computing covers the entire spectrum of information technology and includes infrastructure (e.g., computing power, storage space), platforms, and software. This is the definition of the German Federal Office for Information Security (BSI).

A cloud service is identified by five characteristic features. First, on-demand self-service: the provisioning of resources (e.g., computing power, storage) runs automatically without interaction with the service provider. Second, broad network access: the services are available via the network using standard mechanisms and are not tied to a specific client. Third, resource pooling: the provider’s resources are available in a pool from which many users can draw (multi-tenant model). Users do not know where the resources are located, but they can contractually specify the storage location, e.g. region, country or data center. Fourth, rapid elasticity: the services can be provisioned quickly and elastically, in some cases automatically, so that from the user’s point of view the resources appear to be infinite. Fifth, measured service: resource utilization can be measured and monitored, and the services can be made available to cloud users on a measured basis.

Furthermore, according to the Cloud Security Alliance (CSA), a cloud service is determined by the following characteristics in addition to the elasticity and self-service mentioned above. A service-oriented architecture (SOA) is one of the basic prerequisites for cloud computing, and cloud services are usually offered via a so-called REST API. In a cloud environment, many users share common resources, which must therefore be multi-tenant. Only the resources that have actually been used are paid for (pay-per-use model), although flat-rate models can also exist.

Basically, a distinction can be made between three categories of service models. With Infrastructure as a Service (IaaS), IT resources such as computing power, data storage or networks are offered as a service. A cloud customer buys these virtualized and highly standardized services and builds its own services on them for internal or external use. For example, a cloud customer can rent computing power, RAM and data storage and run an operating system with applications of its choice on them. With Platform as a Service (PaaS), the PaaS provider provides a complete infrastructure and offers the customer standardized interfaces on the platform that are used by the customer’s services. For example, the platform can provide multi-tenancy, scalability, access control, database access, etc. as a service. The customer has no access to the underlying layers (operating system, hardware), but can run its own applications on the platform; for their development the cloud service provider (CSP) usually offers its own tools. Software as a Service (SaaS) covers all application offerings that meet the criteria of cloud computing. There are no limits to the range of offerings; examples include contact data management, financial accounting, word processing and collaboration applications.

In order to avoid a large number of potential problems, it is necessary to structure the relationship between the contracting parties in a way that reflects their interests and to secure it legally as early as the drafting of the contracts. Since many cloud computing service providers are based in non-European countries, the law firm also examines and draws up the necessary supplementary agreements to ensure compliance with data protection regulations.

Existing risks and dangers in the use of cloud computing services are also discussed with the contractual partners, weighed up and minimized where possible.

From the planning and implementation based on the needs of the company, organization or institution, to the signing of the necessary contracts, our law firm accompanies and assists you in all legal matters for a successful and safe use of cloud computing services.

Our law firm advises on cloud computing in the following areas:

  • Legal requirements for the cloud service
  • Assessment and mitigation of the legal and technical risks associated with the use of cloud services
  • Selection of applications and type of personal data for the cloud service
  • Recording and documentation of the data flow (data mapping, data workflow)
  • Selection of the appropriate cloud provider together with the cloud user
  • Compliance with technical and organizational measures for the cloud service
  • Encryption and decryption of data in the cloud
  • Migration of existing data to the data cloud
  • Change of cloud provider, support services
  • Creation, review and negotiation of cloud contracts (IT law)
  • Legal protection of the cloud service by drafting and signing the necessary data protection contracts, e.g., agreements on commissioned processing, EU standard data protection clauses
  • Apps for the use of data clouds on mobile devices (smartphone, iPad) and their legal classification
Bring Your Own Device (BYOD)
https://www.it-rechtsberater.de/en/bring-your-own-device-byod-2/ (Thu, 29 Jun 2017 10:08:37 +0000)

Bring your own device (BYOD) means the use of private mobile devices, e.g. laptops, tablets and smartphones, for company purposes. Business documents of the company, organization or institution are stored on the employees’ private end devices. These can be e-mails, MS Office documents, technical documents or other documents. The secure and data-protection-compliant use of private end devices for business purposes is a challenge for employees and companies alike.

The use of employees’ private end devices gives rise to particular risks for the company, organization or institution, especially because the employee, as the owner of the end device in question, can basically dispose of it as he or she wishes. Further risks arise in the event of loss or theft of the private end device or if the employee leaves the company. Measures must therefore be taken to safeguard against these cases and to minimize the risk of damage. When deciding whether private mobile devices are to be used for business purposes, rules must be established for the handling of the private mobile devices, the use of business data, technical security and data protection-compliant use.

When using Bring Your Own Device (BYOD), our law firm can offer you the following services in particular:

  • Assessment of the legal risks involved in the use of BYOD
  • Assistance in the decision-making process for the use of BYOD
  • Requirements for technical and organizational data protection
  • Protecting company and business secrets when using BYOD
  • Deletion of company, organization or institution data when using BYOD
  • Failure of data deletion and its consequences
  • Inadvertent deletion of employee private data
  • Company rights to content on private devices
  • Implementation of mobile device management (MDM)
  • Use of encryption techniques on mobile devices
  • Legal opinion on the use of BYOD
  • Data protection training on the use of private end devices
  • Creation of a company policy, works agreement or service agreement on the use of BYOD
  • Creation of terms of use for employees when using BYOD
  • Creation of work and organizational instructions for the use of BYOD
Commissioned processing or joint controllers
https://www.it-rechtsberater.de/en/order-processing/ (Thu, 29 Jun 2017 10:07:13 +0000)

The outsourcing of computing processes to non-company (external) service providers is an operation that requires a review under data protection law, since it is subject to the requirement of a commissioned processing agreement under Article 28 of the GDPR or a joint controller agreement under Article 26 of the GDPR. The scope of responsibility of an external data protection officer includes the review of commissioning relationships of controllers (principals) who use external service providers for the execution of orders. In Art. 28 DSGVO, the legislator has regulated the rights and obligations of the controller and the processor (contractor) in the event of commissioned processing. Among other things, an agreement on commissioned processing is mandatory between the controller (responsible party) and the processor. Failure to comply with the legal obligation to conclude the necessary agreement is subject to a fine pursuant to Article 83 (4) (a) of the GDPR. In addition, there is joint and several liability between the controller and the processor pursuant to Art. 82 (4) GDPR. A characteristic feature of an agreement on commissioned processing is the legally anchored control powers of the controller, which ensure that the controller can regularly ascertain the existence of and compliance with technical and organizational measures at the processor. In this way, the legislator takes into account the fact that the entity responsible for collecting the personal data remains responsible for it even if a third party carries out the data processing on its behalf, and ensures that the processing takes place in a manner that is permissible under data protection law.

Other special features of commissioned processing must always be clarified in advance and taken into account in the corresponding agreement pursuant to Art. 28 GDPR. In the case of agreements with foreign processors, the data protection level of the state in which the processor carries out the data processing is also of great importance for the classification under data protection law. It is also indispensable to have data protection-compliant rules on the individual rights and obligations of both companies involved in the commissioned processing, covering control rights, subcontracting relationships, authority to issue instructions and handling of the personal data after termination of the contractual relationship. In the case of intra-group processing of personal data, joint controller agreements are often used, since in addition to the subsidiaries, the parent company also has its own interest in the processing of the subsidiaries’ personal data and uses it for its own purposes. Subsidiaries and parent companies, as joint controllers, jointly decide on the purposes and means of data processing.

Our law firm advises on the following issues in the area of commissioned processing:

  • Assessment of whether a case of commissioned processing according to Art. 28 DSGVO exists
  • Review of the company’s vendor (creditor) list in order to identify active processors
  • Assessment of whether a joint controller agreement according to Art. 26 DSGVO is required
  • Support in recording the data workflow across various IT applications in group structures
  • Depending on the data workflow, structuring of the required data protection agreements (Art. 28, Art. 26 DSGVO, framework agreements)
  • Drafting of data protection-compliant agreements on commissioned processing
  • Drafting of joint controller agreements
  • Examination of the required information on technical and organizational data protection
  • Conducting reliability checks of external service providers, e.g. by means of a data protection audit
  • On-site visits and inspection of the IT and telecommunications infrastructure to check the reliability of the external service provider under data protection law
  • In the case of external service providers in a third country outside the EU, assessment under data protection law of the relevant scenarios for concluding the necessary agreements on commissioned processing or joint control and/or EU standard data protection clauses (selection of the modules)