(This seems to be quite different from EDPB wp248 – then again, CH is not EU/EEA)
From the Datenschutzbeauftragte des Kanton Zuerich:
“Die Datenschutzbeauftragte erstellte ein Formular und ein Merkblatt, das die datenbearbeitenden Stellen bei der Datenschutz-Folgenabschätzung unterstützt. Es hilft, alle wesentlichen Angaben zu sammeln und auszuwerten.
Die DSFA dient auch dazu, die Pflicht zur Vorabkontrolle abzuklären. Wenn besondere Risiken erkennbar sind, muss das Projekt der Datenschutzbeauftragten zur Vorabkontrolle unterbreitet werden.”
from https://www.datenschutz-mv.de/static/DS/Dateien/Datenschutzmodell/SDM-Methode_V20b_EN.pdf Emphasis incl reformatting for emphasis by me.
D2.1 Levels of a Processing or Processing Activity
In order to fully cover personal data processing, it has proved useful to distinguish at least three different levels of representation of material parameters or elements when designing or auditing processing activities. It is essential to understand that a ‘processing activity’, for example, is not congruent with the use of a certain technology or a certain technical program.
Level 1 is the processing of personal data in the sense of data protection law.
- This processing takes place, for example, within the framework of a company operating under private or an authority subject to public law, for whose activities the controller is responsible. This level corresponds to what is often understood as a ‘specialised procedure’ and ‘business process’ with a certain functional sequence of the processing activity. At this level of the understanding of a processing operation, the personal data necessary for a processing operation as well as the legal requirements are determined. The controller defines corresponding roles and authorisations for the personal data and determines the IT systems and processes to be used. The determination of the purpose or purposes of the processing activity is essential for the adequate functioning of this level in terms of data protection.
The practical implementation of the processing and the purpose is located at level 2.
- On the one hand, this usually includes the role of the clerking as well as the IT application(s), which can also be described more precisely as the ‘specialised application of a specialist procedure’. The processing and the specialist application must completely fulfil the functional and (data protection) legal requirements to which the processing is subject. The specialised application must ensure the purpose limitation. The application must exclude the processing of additional data or additional forms of processing, even if they may befunctionally particularly convenient. The aim is to minimise the risk of undermining the purpose limitation or overstretching the purpose.
Level 3 houses the IT infrastructure that provides functions that are used by a level 2 application.
- This level of ‘technical services’ includes operating systems, virtual systems, databases, authentication and authorisation systems, routers and firewalls, storage systemssuch as SAN or NAS, CPU clusters, and the communications infrastructure of an organizationsuch as the telephone, LAN, or Internet access. These systems must be designed and used within a processing activity in such a way that the purpose limitation is retained. Typically, technical and organisational measures must be taken to ensure that the purpose limitation or segregation of purposes can be enforced at this level.
and from D2.3:
“The concrete functional design takes place at level 1, at which the need for protection is to be determined or specified by the controller on the basis of the data. This need for protection is inherited by all data, systems and processes used in concrete processing at the various levels. The catalogue of reference measures can be used to check whether technical and organisational measures taken or planned are appropriate to the need for protection “
A Right to Reasonable Inferences: Re-Thinking Data Protection Law in the Age of Big Data and AI
Columbia Business Law Review, 2019(2)
130 Pages Posted: 5 Oct 2018 Last revised: 25 Jun 2019
University of Oxford – Oxford Internet Institute
University of Oxford – Oxford Internet Institute
Date Written: October 5, 2018
“Finally, the Court states that the processing of personal data that are liable indirectly to reveal sensitive information concerning a natural person is not excluded from the strengthened protection regime, (5) since such exclusion might well compromise the effectiveness of that regime and the protection of the fundamental rights and freedoms of natural persons that it is intended to ensure. Thus, the publication on the Chief Ethics Commission’s website of personal data that are liable to disclose indirectly the data subjects’ sexual orientation constitutes processing of sensitive data.”
In German: Commentary from Switzerland – https://datenrecht.ch/eugh-c-184-20-verarbeitung-besonderer-kategorien-personenbezogener-daten-auch-bei-moeglichen-schluessen-auf-sensible-informationen/