In an extensive investigation, the Swiss Federal Data Protection and Information Commissioner ("FDPIC") examined the processing of customer data by Digitec Galaxus AG ("Company"), one of Switzerland's largest online stores.
In his final report (in German), the FDPIC found that the principles of transparency and proportionality had been violated and issued several non-binding recommendations. The Company rejects part of these recommendations.
FDPIC's Recommendations in a Nutshell
In relation to the principle of transparency and information obligation, the FDPIC essentially held that the Company's privacy notice
In view of the principle of proportionality, the FDPIC further held that the Company must adapt its data processing so that it does not unlawfully interfere with the right to informational self-determination. In consideration of the specific circumstances, the FDPIC arrived at the conclusion that a requirement for a data subject to open a customer account violates the principle of proportionality and is inadmissible. As a possible remedy, the FDPIC suggested offering an optional guest checkout.
Our Take on It
The FDPIC's recommendations were issued under the previous data protection legislation, are not legally binding as such and relate to the specific processing activities carried out by the Company. Nevertheless, the recommendations are of general importance, also under the current Swiss Federal Act on Data Protection, which entered into force on 1 September 2023 and provides for a significantly extended information obligation.
While we generally welcome a clarification of the legal situation – in particular with regard to the requirements arising from the principle of transparency and information obligation – and while we also agree with some of the statements in the FDPIC's final report, it is our view that, overall, his recommendations go far beyond what Swiss data protection law provides for. In addition, it seems hardly feasible to fully and correctly implement the recommendations in practice, and privacy notices may not only become unnecessarily lengthy, complicated and difficult to understand, but would also have to be constantly amended to comply with the requirements. This does not serve the ultimate purpose of improving transparency.
This also holds true in light of the potential sanctions. Certain infringements of the information obligation can lead to criminal fines of up to CHF 250,000, which are primarily directed against the person(s) responsible, such as employees. In this context, we refer to our detailed commentary on Article 60 of the Swiss Federal Act on Data Protection in the "Basler Kommentar" (in German), which was published this March.
What's Next and What Does This Mean for You?
As soon as the Company's suggestions for improvements are implemented, the FDPIC will examine whether and to what extent he will take legal action against the Company's potentially unlawful data processing and may possibly file a complaint with the Federal Administrative Court.
As the FDPIC's recommendations are not binding, there is no specific need to implement them for the time being and we recommend waiting for a possible court ruling providing binding authority on the recommendations to be implemented. This will clarify whether you should adapt your privacy notice. We will of course update you on further developments.