Main section
Data protection policy
1. Purpose and scope
This data protection policy of SwissSign AG and all its affiliated subsidiaries {hereinafter referred to as "SwissSign") defines the importance and significance of data protection in terms of respect for the privacy and personal rights of its customers, business partners and employees. lt is binding for all processing of personal data and serves as the basis for all measures and activities in the data protection-relevant areas of SwissSign, namely for the processing of
-
Personal data in connection with the business activities of SwissSign {in particular identity services under the SwisslD brand and certificate services);
-
Administrative data of customers, business partners, suppliers and other external parties of SwissSign as far as personal data is concerned;
-
Personal data of internal and external employees, including data of job applicants and former employees.
2. Legal basis
This data protection policy for SwissSign is based on the revised Federal Data Protection Act of 19 June 1992 (FADP, SR 235.1) and the Ordinance to the Federal Data Protection Act of 14 June 1993 (DPO, SR 235.11).
The FADP aims to protect the personality and fundamental rights of natural persons and legal entities (e.g. public limited companies, limited liability companies) about whom data is processed (Art. 1 FADP).
3. Terms
The terms used in this policy are defined in Appendix 1.
4. Scope
The data protection policy applies equally and without restriction to all SwissSign employees who have access to personal data in the course of performing their professional duties. The data protection policy also applies to external persons and companies who work on behalf of SwissSign. These are obliged to comply with it by corresponding written agreements.
The content of this data protection policy applies to all personal data, in particular to personal data of customers, employees, business partners and suppliers, irrespective of the way in which it is processed and in what form (on paper, digitally, verbally).
5. Goals of the data protection
5.1 Protection of personality
The main goal of data protection is to protect the personality against unlawful or disproportionate processing of personal data. The following sub-goals can be derived from this main goal:
-
Restrictive processing of personal data from the point of view of data protection ("data minimisation");
-
Transparency and controllability for internal and external control bodies;
-
Transparency and controllability (of the data) for the data subjects;
-
The employees of SwissSign know the data protection regulations applicable to their area of work and comply with them.
This data protection policy forms the basis for ensuring that the processing of personal data by SwissSign employees is carried out in compliance with the statutory and internal provisions and that the personal rights of those affected by the processing are not unlawfully infringed.
The focus is on the proper and legally compliant processing of customer data, personnel data and other personal data processed by SwissSign, in particular of business partners, suppliers and other external parties.
5.2 Company-wide data protection
A uniform level of data protection is maintained within SwissSign and the following objectives are thus pursued:
-
The agreements/contracts with the customers regarding data protection are permanently complied with for all services offered by SwissSign;
-
Personaldata is processed transparently and comprehensibly and only in compliance with the relevant legal regulations;
-
Data protection incidents are prevented;
-
Violations / infringements of applicable data protection regulations, namely in data protection legislation and labour law provisions, are avoided;
-
All employees, business partners and suppliers of SwissSign are aware of their own responsibility with regard to data protection and undertake to fulfil this responsibility.
5.3 Data protection principles
When processing personal data, the FADP and other provisions tobe observed in this context must be complied with. Personal data may only be processed lawfully and, as a matter of principle, only to the extent that is absolutely necessary for the course of business. SwissSign undertakes in particular to comply with the following principles:
-
Method and manner of processing - Personal data is obtained lawfully, in good faith and proportionately.
-
Legitimacy - Personal data may only be processed lawfully. This means that a justification is required, either in the form of the consent of the data subject, an overriding interest, the fulfilment of a contract or a law.
-
Bound to purpose - Personal data may only be obtained for a specific and identifiable purpose for the data subject; it may only be processed in a way that is compatible with that purpose.
-
Proportionality - The principles of data avoidance and data minimisation must be observed, especially when using IT systems. Consequently, only data that is really necessary for the fulfilment of the task is stored and processed.
-
Good faith - Personal data may not be obtained without the knowledge and against the will of the data subject. Data subjects may trust that persons who process personal data will handle it with care.
-
Retention period - Personal data may only be kept for as lang as it is required for the purpose of processing. After that, they must be deleted or destroyed. A longer retention obligation resulting from a corresponding legal provision remains reserved.
-
Transparency - The data subject must be informed about the handling of his or her data. This means that the data subject must know or be able to recognise what data is being obtained and for what purpose. Secretly obtaining data violates this principle.
-
Correctness of data - Anyone who processes personal data must ensure that it is accurate or must take all reasonable steps to ensure that data which is inaccurate or incomplete in relation to the purpose for which it was obtained or processed is corrected, erased or destroyed.
-
Data security - The data controller ensures that data security commensurates with the risk by taking appropriate technical and organisational measures. The measures must make it possible to avoid breaches of data security.
-
Privacy by Design - Technical systems must incorporate data protection from the outset. Data protection measures should be proactive, not reactive, and preventive, not repressive.
-
Privacy by Default - The data processing is set up as data protection-friendly as possible by default, e.g. an opt-in (explicit consent procedure).
-
Training/awareness raising - Employees receive the appropriate awareness training regarding their responsibility for data protection and their activities. They receive access to documents, forms, notifications and information on the topic of data protection.
-
Processing of special categories of personal data - The processing of particularly sensitive personal data is subject to additional requirements. Justifications include a specific legal obligation or the explicit consent of the data subject.
-
Consent - Where the data subject's consent is required, such consent is only valid if it is given freely and unambiguously for one or more specific processing operations after adequate information has been provided.
-
Profiling - Any kind of automated aggregation of personal data for the purpose of creating a usable overall picture of a data subject's personality is prohibited.
5.4 Data protection principles in the context of «SwisslD»
The following principles are followed in connection with the "SwisslD":
-
Transparent and secure handling of user data - Data is only exchanged between the identity provider (ldP) and an online service provider with the consent of the user (opt-in; privacy by default). The user must consent to the transfer of data.
-
The user has control over his data and to which online service providers he releases which data at all times. The user can view these releases in a dashboard on www.swissid.ch or on the SwisslD app and can end the exchange at any time.
-
Each user receives a different technical identifier (UUID) per online service provider - Technical consolidation of customer data across several online service providers is not possible on the basis of the technical identifier (Privacy by Design).
-
Distinction between self-declared identities and verified identities - After registration, SwisslD users have a self-declared identity (SDID). They have the option of adding verified identities (GPID).
-
Attribute provider services can make data of persons available to online service providers with the support of SwisslD - With the consent of the data subjects, attribute provider services can contribute data of persons to the eco-system (e.g. creditworthiness information, correspondence addresses, etc.).
-
Blindness - No user based evaluation takes place, neither by SwissSign itself nor by commissioned third parties. The statistical evaluation of anonymised data records remains reserved.
-
Data minimisation - An online service provider may only request data from a user that is necessary for the execution of business processes. The user must agree to the transfer of data.
-
Possibility of use on an pseudonymous basis - lf an online service provider does not require verified personal data to carry out its business processes, each user has the option of using a self-declared alias identity to log in.
-
Relationship between SwissSign and online service providers - The SwisslD login is voluntary. Onlineservice providers are not obliged to deactivate their existing login procedures. There is no obligation to introduce the SwisslD login exclusively. The login procedure of the online service providers can remain in place or is at their discretion.
5.5 Adequacy of technical and organisational measures
SwissSign takes all necessary precautions, in compliance with the legal requirements, to protect personal data against unauthorised processing by means of appropriate technical and organisational measures.
All data collections processed within SwissSign shall be reported to the data protection coordinator (cf. section 6.4) by the data owner responsible for them. He examines the data and the measures necessary for their protection to determine whether they comply with the provisions of data protection.
6. Data protection organisation
6.1 Board of Directors
The Board of Directors approves this data protection policy and supports its implementation. lt bears the overall responsibility for data protection and delegates its implementation to the Executive Board.
6.2 Executive Board
The main operational responsibility for the protection of the personal data processed lies with the Executive Board. lt issues and reviews the "Data Protection Ordinance" and the "Personnel Data Protection Ordinance" on an ongoing basis.
6.3 Data Protection Officer
SwissSign has appointed an external Data Protection Officer. The {external) Data Protection Officer provides support in the enforcement and implementation of data protection at SwissSign. He keeps an internal list of data collections in accordance with Art. lla para. 3 FADP (Art. 12b para. 1 lit. b DPO) and checks whether all relevant data collections are included in this list.
The Data Protection Officer monitors and takes into account the development of legal requirements in the area of data protection.
Further information (in German)
6.4 Data Protection Coordinator
In addition to the (external) Data Protection Officer, SwissSign has appointed an internal person responsible for data protection - the Data Protection Coordinator. The Data Protection Coordinator is the internal contact point (first point of contact) for data protection issues at SwissSign. He works closely with the Data Protection Officer and supports him in the fulfilment of his tasks.
Contact: [email protected]
6.5 Head HR (Human Resources)
The Head of HR and the employees working in HR are responsible for the careful and data-protection compliant processing of personnel data.
6.6 CCO (Chief Commercial Officer)
The CCO is responsible for the enforcement of and compliance with data protection in his area of responsibility, in particular within the framework of product development and product support. He or she takes data protection requirements into account both in the planning and in the implementation of a processing operation.
6.7 CIO (Chief Information Officer)
The CIO is responsible for ensuring that data security and data protection measures are technically implemented. In particular, he supports the application and system managers. He works closely with the Data Protection Officer to check the conformity of the measures. He assesses risks, incidents and near incidents that could endanger data protection.
6.8 Superiors
Superiors at all levels are responsible for the enforcement of and compliance with data protection in their areas of responsibility, especially within the framework of business processes. In cooperation with the data protection officer, they ensure that employees are trained and sensitised. They act as role models and promote the motivation of employees to comply with data protection measures.
6.9 Data Owner
The data owner is the person responsible for the individual data collections and determines the persons authorised to process the data and their access rights according to the need-to-know principle. Data owners must ensure compliance with the requirements of data protection law in technical and organisational respects.
6.10 Employees
All employees are responsible for data protection and are obliged to process personal data in accordance with internal and statutory regulations. Critical attention and responsible behaviour are required.
Employees are sensitised and trained with regard to their responsibility for data protection in accordance with their function.
7. Auditing and Reporting
The Data Protection Officer is responsible for conducting internal audits on a regular basis. The audit is intended to ensure that the data protection policy and data protection regulations are complied with throughout the company.
Regular reporting is ensured so that the Executive Board is informed about data protection-relevant risks, identified deficits and measures taken. As a rule, the Executive Board is informed by the Data Protection Officer once a year {e.g. in connection with budgeting). Based on the results of the report, the Executive Board defines guidelines regarding the necessary measures.
8. Supplementary applicable documents
This data protection policy must be seen in the context of the "Data Protection Ordinance", which contains regulations on the protection of personal data that must be taken into account for SwissSign as well as for all of its affiliated subsidiaries. Furthermore, in addition to this data protection policy, the "Personnel Data Protection Ordinance" contains data protection regulations for the processing of personnel data. lf required, further documents will be developed that are necessary in connection with the processing of personal data.
9. Deviations / procedure in the absence of specific regulations
Deviations from the data protection policy are possible in justified exceptional cases. However, they must be approved in writing by the Data Protection Officer.
lf no data protection regulations exist for a specific area of data processing, the data protection officer must be contacted.
10. Entry into force
This data protection policy comes into force on 01 January 2022.
Appendix 1: Terms
Processing of personal data: Any handling of personal data, regardless of the means and procedures used, such as obtaining, storing, using, modifying, disclosing, archiving, deleting or destroying data.
Disclosure of personal data: Any transmission or making accessible of personal data, such as granting access, providing information, passing on or publishing
Special categories of personal data:
-
data regarding political opinions, religious or philosophical beliefs, or trade union membership;
-
data concerning health, private sphere or racial or ethnic origin;
-
genetic data;
-
biometric data for the purpose of uniquely identifying a natural person;
-
data on administrative and criminal prosecutions or sanctions;
-
data on social assistance measures.
Data collection: Any set of personal data that is structured in such a way that the data is discoverable by the data subjects.
Data owner: Responsible for a data collection within SwissSign. He is responsible for the proper classification of data and information. He decides on access, modification or forwarding of his data and protects it from unauthorised access with appropriate measures.
Data Protection Officer: External independent body that monitors internal compliance with data protection regulations and maintains a register of data collections.
Data Protection Coordinator: lnternally appointed person responsible for data protection, who primarily supports the external data protection officer in the area of data protection.
Point of contact for data protection within SwissSign.
Contact: [email protected]
Data Controller: Responsible for data processing. He/she decides alone or together with others on the purpose and means of processing.
HR-employees: All employees (internal as well as external persons and companies working on behalf of SwissSign) who have access to personal data of SwissSign employees in the course of their professional duties.
Personal data: Data about an identified or identifiable natural or legal person.
Personality profile: Compilation of data that allows an assessment of essential aspects of the personality of a natural person.
Profiling: The usable creation of an overall image of a personality for specific purposes through the automated merging of personal data.
Breach of data security: A breach of security which, regardless of intent or illegality, results in personal data being lost, deleted, destroyed or altered, or disclosed or made available to unauthorised persons.
Verified identity: Information on an identity, which has been verified by an accordingly authorised body.
ldO: ldentity Owner
ldP: ldentity Provider
Self-declared identity: Information on an identity, which the user has made himself.