Sensitive personal data

What should you consider?

Philipp Rosenauer
Partner Legal, PwC Switzerland

The term “sensitive personal data” has been an important topic during the pandemic, be it in relation to the COVID-App or to measures at the workplace. How is sensitive data different from non-sensitive personal data and what needs to be considered in their processing?

What type of personal data qualifies as sensitive data?

  • Ethnicity, origin, and race
  • Political opinions
  • Health data
  • Biometric data
  • Genetic data
  • Religion and philosophical beliefs
  • Sexual orientation

How is sensitive personal data handled under Swiss data protection law?

With the revised Federal Act on Data Protection (revFADP), biometric and genetic data have been added to the categories of sensitive personal data. The Swiss revFADP follows a different concept than the European General Data Protection Regulation (GDPR). In principle, no legal ground is required, but you need to provide a “justification” to lawfully process sensitive personal data. Unlike its European counterpart, “sensitive personal data” under the revFADP also includes data on administrative or criminal proceedings and sanctions, data on social security measures and data on the intimate sphere. Switzerland follows a “risk-based approach”: the higher the risks for the data subjects, the more strictly the general data processing principles must be applied. Hence, the processing of sensitive personal data must meet higher standards.

What should you consider when processing sensitive data?

Where there are reasons to store and process sensitive data, it must be ensured that no unauthorised person can access it. Employees who work with sensitive data are also obliged to maintain confidentiality. The data must be protected in such a way that access is granted only to those employees who must work with it. This applies to both electronic and physical data. On the one hand, if the data is in electronic form, security can be ensured by encrypting the data. On the other hand, paper documents must be kept safe and out of reach of unauthorised persons.

In short, what should I avoid?

You should avoid collecting sensitive personal data as far as possible. Unless it is needed for the relationship with your client or for work purposes regarding your employee, you should not process sensitive personal data. However, if you need to do so, you should strengthen your data protection principles and implement appropriate technical and organisational measures.
