February 18th, 2025

The Federal Data Protection and Information Commissioner (‘FDPIC’) is the Swiss federal data protection authority. Recently, on 25 January and in early February, it published two important sets of guidelines that help interpret the national data protection legislation.

The ‘Guidelines on data processing using cookies and similar technologies’ (link) bring some clarity to this interdisciplinary issue. They provide key definitions of technical elements (e.g., ‘cookie’, ‘tracking’), the distinctions between cookies (e.g., by storage duration, by function, by the party that sets them and by purpose) and the interplay with the rules on data protection, for instance:

When are cookies considered as personal data?

In two situations:

  1. If the processed information itself has an identifying characteristic: for example, the unique user ID for Android or the Ad ID for Apple.
  2. If a personal reference may arise from the circumstances of the collection and the subsequent evaluation of the data by the website operator or third parties.

What is profiling or high-risk profiling, and when is it performed by website operators?

  • Profiling: defined in Art. 5(f) FADP as the evaluation of personal aspects of an individual, such as work performance, health, preferences or location, to analyze or predict certain behaviors. The logic is that more data leads to better predictions of preferences and better-tailored advertising.
  • High-Risk Profiling: as defined in Art. 5(g) FADP, involves linking data to assess essential aspects of an individual’s personality, and is subject to stricter requirements. Examples:
  1. the collection of geolocation data supported by cookies and similar technologies may result in high-risk profiling depending on the duration and radius of the data collection, or if the profiling involves a large number of different data sets;
  2. the use of cookies to record the behavior and interests of visitors in order to enable third parties to place personalized advertising on the basis of this data, or to sell them the placement of personalized advertisements by auction;
  3. combining data with data collected by other companies of the same group operating in different sectors, where the processing takes place over a long period of time.

What is the Data Protection role of website operators?

They are the controllers of the website as they control what data is processed through the cookies and for what purposes.

In the case of third-party cookies, the provider of such services is considered to be the controller (since these cookies are set for the provider’s own purposes), but the website operator is considered to be a joint controller, as it has control over its website and enables the third party to obtain data by integrating the third-party services (i.e., by providing the means).

What are the obligations of website operators when using cookies, in particular the so-called non-essential cookies?

The obligations include:

  • the provision of information;
  • the application of the data protection principles, in particular transparency and proportionality;
  • the provision of a justification (e.g., a legal basis) for the use of non-essential cookies which, in the case of unexpected cookies (e.g., cookies not related to the service of the website) and cookies containing sensitive information or enabling high-risk profiling, must be subject to consent;
  • an objection (‘opt-out’) or withdrawal-of-consent functionality;
  • a DPIA in cases of sensitive processing and high-risk profiling.

The concrete application of these obligations requires an analysis of the circumstances of each case, and the Guidelines provide some examples to help interpret the obligations when using these technologies, as well as references to recent enforcement actions.

Later, the FDPIC published its ‘Guidelines on reporting personal data breaches and informing individuals’ (link). These guidelines set out the criteria for determining when a data breach presents a high risk and therefore requires notification. Two elements are crucial to this assessment: the severity of the consequences and the likelihood of those consequences.

In a nutshell, the risk assessment must take into account the sensitivity of the personal data involved and the context in which such data are used (e.g., identity cards or bank credit cards, even if they do not contain sensitive data, can lead to identity theft or fraud), the circumstances of the breach with a focus on the motives and identification of those responsible (e.g., an internal human error or an external malicious breach), the involvement of vulnerable individuals (e.g., minors or people with disabilities), and the effort, in terms of time and money, that an unauthorized recipient would need in order to identify the individuals affected. On this last point, the FDPIC confirms that the loss of encrypted data does not need to be reported, because such data is considered anonymous to third parties who are not authorized to access it; this is not the case for data that has only been pseudonymized, which is still considered personal data.

In addition, the controller must assess the likelihood that the effects of the data security breach will actually cause harm to those most affected. A clear example is a security breach occurring in a hospital: the likelihood of a high risk can be anticipated, even if the concrete details of the impact are not yet available, because of the amount of sensitive personal data held in addition to administrative and scientific data, so the notification cannot be delayed. The same applies where the controller has planned, announced or initiated remedial measures: the controller may not wait for those measures to be implemented and evaluated before informing the FDPIC.

How and when to notify the FDPIC?

The FDPIC provides a reporting portal (www.databreach.edoeb.admin.ch) for mandatory reporting, which ensures the secure transmission of data to the FDPIC.

The notification must be made as soon as possible after becoming aware of the breach. This differs from the GDPR, which imposes a 72-hour deadline.

When should the controller inform the affected individuals?

The controller must inform the data subjects of the data security breach if they can or must take action themselves to minimise or avert harm from the breach, or if the FDPIC requires it. In other words, it may be necessary to inform them even if the breach does not pose a high risk. Some examples of situations requiring communication to individuals are:

  • if they have to change access data or passwords;
  • if credit cards need to be blocked;
  • if account statements, or messages and requests (i.e. phishing e-mails), need to be critically examined.

The need for this information can also be triggered when individuals are unsure of the situation and expect the worst. In this situation, the FDPIC may order the notification, considering that there is a public interest in knowing more detailed information about the consequences of a data security breach.

The content of the notification and information:

However, the information provided to data subjects must be given in simple and understandable language, and can be dispensed with in some cases.

What happens if a data controller fails to notify or inform about a security breach?

Failure to comply, in whole or in part, with the reporting obligation to the FDPIC or the duty to inform individuals is not a criminal offence. In this case, the FDPIC may order the controller to comply. Nevertheless, a data security breach may give rise to a criminal offence if, for example, the controller has not complied with the minimum data security requirements. In this case, the fine is up to CHF 250,000.

At MyData-TRUST, our team of experts is well-equipped to help organizations navigate the complexities of Swiss Data Protection regulations, including compliance with the latest FDPIC guidelines on cookies and similar technologies. Whether you need guidance on interpreting these new requirements, assessing your current practices, or implementing compliant solutions, we are here to support you. Our deep expertise in Global Data Privacy ensures that your organization remains aligned with evolving legal standards while maintaining a strong Data Protection framework. Contact us to discuss how we can assist you in achieving compliance with confidence.

Michelle Ayora

Data Protection Lawyer

Do not hesitate to contact us for further information
