The Data Protection Act is based on legal principles, which are broad guidelines used to analyse whether or not the processing of personal data complies with the Data Protection Act.
These principles are to be found in all laws that derive from the Council of Europe's Convention 108+ and are therefore almost universal in nature.
The principles of legality, finality, proportionality, transparency, accuracy and security form the six main principles that it is essential to master in order to carry out a compliance analysis.
The principle of lawfulness provides that data processing is only authorised if it meets the requirements of the DPA, which differ according to the type of personal data:
The principle of finality states that data processing is only authorised for the purpose indicated when the data is collected.
The purpose principle applies to the collection of personal data and subsequent processing.
The principle of proportionality states that data processing is only authorised if it is proportional in the broadest sense of the term. To meet this requirement, data processing must meet the criteria of fitness, necessity and proportionality in the strict sense of the term.
Fitness requires that the data processing must be capable of achieving its intended purpose.
Necessity requires data processing to use only those means that are necessary for the purpose of the processing, i.e. the least intrusive means possible, applied to the most limited amount of data.
Proportionality in the strict sense of the term requires a reasonable relationship between the aim pursued by the data processing and the infringement of personal rights. In other words, there must be a reasonable relationship between the legitimate result sought and the means used, while protecting the rights of the individuals concerned as far as possible.
The principle of transparency states that data processing is only authorised if it is recognisable to the data subject and is not carried out without their knowledge. Both the processing and its purposes must be recognisable to the data subject.
The principle of accuracy states that data processing is only authorised if the personal data collected is accurate, up-to-date and complete with regard to the purposes of the processing.
It is up to the entities defined by art. 3 para. 2 LPrD to verify the accuracy of the personal data collected; this includes, in particular, legal entities to which the canton or a commune entrusts public tasks, in the performance of those tasks.
The person responsible for the processing must take all appropriate measures to delete or rectify inaccurate or incomplete data with regard to the purposes for which it is collected or processed.
Any person concerned may request the rectification of inaccurate data.
The principle of security requires the data controller to take technical or organisational measures (MTO) to guarantee the security of files and personal data, in particular against their loss, destruction, and any unlawful processing.
For example:
The principle of « Privacy by Design » requires the data controller to take technical or organisational measures to ensure that the data processing complies with the data protection rules from its conception.
The principle of « Privacy by Default » requires the data controller to take technical or organisational measures to ensure that data processing only concerns personal data that is necessary for the purposes pursued. Where the user is offered data processing options, the default setting must be the least restrictive.
The principle of conservation states that the personal data collected must be destroyed or rendered anonymous as soon as it is no longer required to perform the task for which it was collected.
Exceptions are made for specific legal bases for data retention.
The principle of consent is read as an alternative to the principle of lawfulness. To be valid, consent must be given by a person who expresses his or her will freely and after having been fully informed.
When data is collected for several purposes at the same time, consent must additionally be specific.
When the data collection concerns sensitive data or is carried out for a personal profile, consent must also be explicit.