Webtracking on Swiss Websites and the protection of natural persons in relation to the processing of personal data
A study of 374 Swiss websites conducted in March 2018 by Nico Ebert (Professor for Business Informatics at the ZHAW Zurich School of Management and Law) showed that at least 24% of these websites use so-called fingerprinting procedures (including Digitec, NZZ, Swiss and Zalando). Almost eight percent of these websites use so-called session replay procedures (including doodle, jobs.ch, Migros-Magazin, Moneyhouse, Siroop).
The results of this study are hardly surprising, at least for online marketing professionals. From a legal perspective, however, it is worth noting that some website service providers using web tracking tools do not disclose in their data protection policies the use of these tools and/or the purpose of collecting personal data and the way it is processed. Others disclose such use in non-transparent language or in another way that does not satisfy the requirements of the Swiss Federal Act on Data Protection (DSG) and the EU General Data Protection Regulation (GDPR), adopted by the European Parliament and the European Council on April 27, 2016.
Article 4 DSG [Principles]:
3 Personal data may only be processed for the purpose indicated at the time of collection, that is evident from the circumstances, or that is provided for by law.
4 The collection of personal data and in particular the purpose of its processing must be evident to the data subject.
Article 5 GDPR [Principles relating to processing of personal data]:
(1) Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);
As of May 25, 2018, the provisions of the GDPR will also be applicable to many Swiss companies and persons that process personal data, either as controllers or as processors. As data subjects, the citizens concerned will then have specific rights giving them more control over their own personal data. According to article 80 GDPR, the persons concerned will also be entitled to mandate a not-for-profit body, organisation or association to exercise rights under the GDPR on their behalf, provided that it (a) has been properly constituted in accordance with the law of a Member State, (b) has statutory objectives which are in the public interest, and (c) is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data.
At the end of 2017, the NGO NOYB – European Center for Digital Rights (NOYB is an acronym of “None Of Your Business”) was co-founded by Maximilian Schrems (an Austrian lawyer, author and privacy activist) in a crowdfunding project as an organization in the sense of article 80 GDPR. One of the goals of NOYB is “to ensure an efficient enforcement of the fundamental right of personal privacy in relation to large companies”.
- Blog of Nico Ebert (Professor for Business Informatics at the ZHAW Zurich School of Management and Law) dated March 15, 2018: Webtracking auf Schweizer Websites – Fingerprinting und Session Replay [PDF, 160 KB]
- Publication of the Swiss Federal Data Protection and Information Commissioner dated November 2018: Die EU-Datenschutzgrundverordnung und ihre Auswirkungen auf die Schweiz [PDF, 1.2 MB]
- Blog of Doc Searls (@dsearls) dated August 26, 2017: «How the personal data extraction industry ends»